Privacy Check: Is It Safe to Use Facebook or Google to Log Into Other Sites?
Stop me if this sounds familiar: you’re browsing the web and land on a news site or cooking blog you’re interested in, and you’re prompted to create an account.
Usually, this requires you to come up with yet another username and password you need to remember, and often an email address for them to send a confirmation (to prove you’re a real person and not an automated “bot”).
Instead, you see an option that lets you easily log in with your Facebook or Google account with one click or tap, for immediate access to the content you want to consume. Facebook or Google then quickly sends a security token back to the site that essentially confirms “Yes, this person is who they say they are. Go ahead.”
Easy peasy, right? Well, yes, and no.
There are pros and cons for using OAuth, which stands for open standard for authorization (sometimes referred to as SSO, an acronym for single sign-on).
Here’s what you need to know to decide if it’s for you — and how to change it if you already signed up with your Facebook or Google ID.
Signing into a site with your Facebook or Google is safe for the most part, yes.
That is, it’s likely safer than creating a new account with this website and trusting it takes cybersecurity seriously.
And you should know that while you may be signing into a new website with your Facebook or Google ID, it never has access to your password for Facebook or Google. That’s still between you and those services.
A related consideration in favour of OAuth: it’s one less password for you to remember. Unless you use a password manager to handle creating strong and unique passwords and logging into online accounts, you probably don’t want to come up with a new password since you likely have several already. Again, the website you’re trusting your password with is likely more vulnerable to a breach or hack than Facebook or Google, which have both invested heavily in security on the backend.
(Nothing is 100 per cent, of course. Lest we forget Facebook’s massive data breach that became big news in the fall of 2018, which impacted at least 50 million of its users.)
By the way, it’s not just websites that leverage this OAuth sign-in option, but many apps, too. And for those who play games, you may be asked to sign in with your Facebook or Google ID as a means to save your progress and synchronize it between multiple devices. For example, you can start playing a puzzle game on a smartphone and perhaps continue on your computer at a later time.
OK, so using OAuth is fast, convenient and safe. What’s the big deal, then?
In most cases, the website you just signed into with your Facebook or Google ID now has access to some aspects of your accounts.
At a minimum, that news site or cooking blog can now access your Facebook public profile or your email address (which may invite spammed marketing messages).
In some cases, these sites may get much more than that, such as access to your contact/friends list, the ability to post to your wall, and perhaps seeing what kinds of posts you “like” in your circle of friends.
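What a site asks for is spelled out in the `scope` parameter of the address your browser opens when you click the Facebook or Google button. The following is an added example, not part of the original article: it reads that parameter and sorts the request into basic identity and broader access. The scope table is a small constructed selection of Google and Facebook scope names, and the URLs, client IDs and site names are placeholders.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed, non-exhaustive grouping of Google and Facebook scope names
# by the kinds of access the article describes.
BASIC = {"openid", "email", "profile", "public_profile"}
SENSITIVE = {
    "user_friends": "Facebook friends list",
    "user_likes": "pages and posts you like",
    "user_posts": "posts on your timeline",
    "https://www.googleapis.com/auth/contacts.readonly": "Google contacts",
    "https://www.googleapis.com/auth/gmail.readonly": "Gmail inbox (read)",
    "https://www.googleapis.com/auth/calendar": "Google Calendar",
}

def requested_scopes(consent_url):
    """Return the set of scopes named in a consent URL's `scope` parameter."""
    query = parse_qs(urlsplit(consent_url).query)
    raw = " ".join(query.get("scope", []))
    # Google separates scopes with spaces, Facebook with commas.
    return {s for s in raw.replace(",", " ").split() if s}

def review(consent_url):
    """Sort the requested scopes into basic, sensitive and unrecognised."""
    scopes = requested_scopes(consent_url)
    sensitive = scopes & set(SENSITIVE)
    return {
        "basic": sorted(scopes & BASIC),
        "sensitive": {s: SENSITIVE[s] for s in sorted(sensitive)},
        "unknown": sorted(scopes - BASIC - sensitive),
    }

# Constructed consent URLs (placeholder client IDs and redirect hosts).
GOOGLE_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=EXAMPLE"
    "&redirect_uri=https%3A%2F%2Fnews.example%2Fcb&response_type=code"
    "&scope=openid%20email%20"
    "https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts.readonly"
)
FACEBOOK_URL = (
    "https://www.facebook.com/dialog/oauth?client_id=EXAMPLE"
    "&redirect_uri=https%3A%2F%2Fblog.example%2Fcb"
    "&scope=public_profile,email,user_friends"
)

if __name__ == "__main__":
    for url in (GOOGLE_URL, FACEBOOK_URL):
        print(review(url))
```

Anything listed under "sensitive" or "unknown" is worth reading closely on the consent screen before you approve it.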
And Facebook and Google benefit, too, as everything you likely do at this new website is sent back to them. That’s why if you read an article about hotels and resorts in Jamaica or the Dominican Republic, you start seeing Caribbean travel ads afterward on Facebook or after performing a Google search.
Make no mistake: Facebook and Google track you in some fashion anyway, unless you’ve opted out of it (as prompted now on iPhone, iPad and Apple TV) or make a few tweaks to your settings.
How to Stop Facebook Tracking
As the old adage goes, nothing is truly free, and so Facebook monetizes its “free” social media platform by selling targeted advertisements.
If you want to review which sites you’ve used your Facebook ID to sign into over the years, the good news is you can do it quickly and easily by following these steps.
On your computer:
- Log in, then click the downward arrow in the top right corner
- Click Settings & Privacy > Settings
- Click Apps and Websites in the left side menu
- Now tap the site, app or game on the list and click View and Edit, or Remove
On an iPhone/iPad:
- Open the Facebook app and tap the Menu tab (three horizontal lines) in the lower right corner
- Select Settings & Privacy > Settings
- Scroll down to the Permissions section, then tap Apps and Websites
- Tap each site, app or game on the list and click View and Edit, or Remove
On an Android device:
- Open the Facebook app, then tap the three-line menu (top right)
- Select Settings & Privacy > Settings
- Scroll down to Security, then tap Apps and Websites
- Select Logged in with Facebook
Manage Google Access, Too
You can also see any connected services to your Google account. It’s good to review them one by one.
The first thing to do is access your Linked Accounts page while signed in to your Google Account.
Just like with Facebook, you can remove access by selecting the site or app and then tapping or clicking Unlink.
If you are having any issues, such as some apps that won’t let you unlink, you may need to go to the website or open the app itself and visit its Settings to see how to unlink your Google ID.
On a related note, you can also see which sites, apps and services have access to other parts of your Google account, such as your Gmail inbox, calendar, and more.
Visit myaccount.google.com/security and under Third-party apps with account access, select Manage third-party access. Now tap/click an app or service to see what it can access. Select Remove Access if you want.
Speaking of Google, you may have heard the world’s biggest search engine now lets you apply to have all your information deleted by the company. You need to submit an official request and Google will send you a confirmation via email. Examples of content you may want removed include: personal contact information (email address, phone number, mailing address); content that can lead to identity theft (such as credit card and bank account numbers or images of your signature); login IDs and passwords; search results with non-consensual explicit images and/or pornography; medical records and other confidential info; photos of minors.
To get going, go to this Google page and in the search bar, start typing “remove select personally identifiable info” and click or tap on the first option that appears. Then follow the onscreen prompts.
Another consideration is using a VPN (virtual private network), which lets you remain anonymous while browsing the web.
That is, without a VPN your activity is visible to your internet service provider (ISP), search engines, government agencies, social media sites and other websites you visit. Even in “private” or “incognito” mode, these parties can still see your IP address, which provides your approximate geographical whereabouts.
This small piece of software is a smarter way to use the internet because it conceals your online identity. It does this by using encryption technology to secure your connection. Encryption scrambles your data, making it unreadable to anyone who tries to access it, thereby protecting you from snoopers who want to know what you’re doing and what sites you visit on the web, as well as hackers and other cybercriminals.
Your ISP may know that you’re using a VPN, but it cannot see or track your activity while using it.
As an analogy, think of a VPN as an underground tunnel, as opposed to the open and visible roads above it (the “super information highway”), where everyone can see all the information flowing across the various lanes of traffic on the internet.
There are many VPNs to choose from. Look for a highly rated one (by critics and customers alike), with many fast servers to choose from, and with a “no log” policy to confirm they don’t keep any records of your internet activity.
A version of this story was published on May 3, 2022