Our previous article on privacy issues regarding Facebook quizzes drew a lot of attention from readers concerned about what private information they’re giving up when they authorize an app with Facebook. The issue raises some questions: Should you be logging in to apps and services on the web using Facebook at all? What about the other social media login options? Do they fare any better?
Four out of five internet users dislike traditional registration forms, and 73 percent prefer to log in with their social media accounts, says LoginRadius. As of the beginning of 2015, Facebook leads the social login race with 61 percent market share, according to Gigya. It’s followed by Google+, Twitter, and LinkedIn, in that order. Yahoo is also in the lineup alongside Twitter, but appears to be tanking fast. Apple’s Touch ID, a newcomer in the social login battle, looks like it could potentially disrupt the market but is still in a nascent stage.
People tend to prefer social login options because they don’t have to fill out a registration form or memorize another password. But which social network offers the most private login, and which gives users the most control over their apps and permissions?
OAuth and OpenID
To begin, understand that almost all social login mechanisms use the same open source protocols: OAuth, OpenID, or a combination of the two. OpenID is used for authentication while OAuth is used for authorization. It’s easy to mix the two up (I know I do), so here are a couple examples.
OpenID is used for logging in and creating accounts on external websites. I don’t want to fill out a registration form or memorize another password to post a comment on a blog post. OpenID allows me to bypass traditional registration and authenticate my identity with login credentials from another website that I’m already registered on, such as Google+ and Facebook. In short, authentication means one website telling another website, “He is who he says he is.”
OAuth goes a bit deeper and is used to grant third-party websites and apps permission to access information on another social network or website. Whenever you sign up for a messaging app, it may ask permission to retrieve your Facebook friends to help you connect with more people. This is often authorized through OAuth. OAuth typically requires authentication prior to authorization, so it’s frequently used in tandem with OpenID. One website tells the other, “He is who he says he is, and here’s the info you asked for.”
All four of the major social networks we examined use some combination of OAuth and OpenID, so the underlying protocol for each is pretty much the same. Privacy then comes down to what data third-party apps and websites can access, who can see that data, and how well you the user can control those apps and websites. We took a deeper look into Facebook, Twitter, Google+ and LinkedIn social logins to find out which offers the best privacy.
On Google+, click on settings, then find the link that says “switch to classic Google+.” For some reason, app permissions are missing from the newer version. Now scroll down to “manage apps & activity” and click the link that says “Manage apps and +1’s on posts.” Here you’ll find a list of apps logged in with Google+. Some may have a status saying they are disconnected, which means you’ve either deleted the app or it no longer exists. Hit edit to see visibility and disconnect apps. If you just want to change the permissions, i.e. who can view it, you must disconnect the app then reconnect it in the app itself.
In Twitter, click on your profile image on the top right and go to Settings. Scroll down to the apps tab. Here you can revoke access to authenticated apps, as well as view permissions and the date authorized. If you’ve forgotten what an app does, Twitter gives a quick description.
For LinkedIn, click on your photo in the top right corner and hit “Manage” next to “Privacy and Settings.” Next click on the tab that says “Groups, Companies, and Applications.” There you will find a link that reads “View your applications.” Like Google+, LinkedIn only gives you the option to remove apps, not edit permissions, and you can’t even see what the listed apps are capable of viewing. Check the ones you don’t want or use anymore and hit the Remove button.
Even though we’re hard on Facebook, it gives the greatest amount of control and detail when it comes to sharing data with third-party apps. It allows users to edit both permissions and visibility. Ranked from best to worse in this category: Facebook, Twitter, Google+, LinkedIn.
When an app uses Facebook authorization, it can ask for up to 40 different permissions, ranging from access to photos to timeline posts to friends’ lists and much more. It’s up to the developer to decide which ones are required for a particular app, and which ones are optional. Of the 40, 38 require review by Facebook before the app can go public. This is how Facebook polices apps and makes sure they aren’t doing anything illegal or dishonest with user data. Facebook has also published a security checklist of minimum techical requirements for all apps, but these are not enforced in as stringent a manner as permissions.
The standard authorization for Google Plus includes a much smaller list of permissions than Facebook: public profile, age range, circled people (friend’s list), and the ability to read and write to the user’s public feed. That last one is probably the most disconcerting because, if you’re like me, you don’t check your Google+ feed that often. Apps could be posting behind your back. Developers can also request further permissions in larger “scopes,” such as email addresses, Gmail contacts, and Google Calendar. Google recently added Facebook-like flexibility for users to pick and choose permissions when authorizing a new app.
Twitter app permissions include reading your tweets, seeing who you follow, updating your profile, posting tweets on your behalf, following new people, and accessing direct messages. Twitter differs from the other three in that the entire network is entirely public. Anyone can find you and see anything you post, so there’s not much to hide that an app developer couldn’t otherwise get at. For apps that have over 1 million users, Twitter is more strict with how user data is handled. Less than that, and an app may be monitored, but it probably won’t undergo any rigorous inspection.
Basic profiles, location, and positions are available to all developers that use LinkedIn-authorized logins. Everything else–full profile, contact info, education, recommendations, and more–require developers to apply and get approved by the LinkedIn program. That should hopefully prevent any abuse of user data.
LinkedIn seems to be the most privacy-minded when it comes to developers accessing user data. Ranked from best to worst in this category: LinkedIn, Facebook, Twitter, Google.
Why not just register with an email and password?
You can absolutely just register with an email and password, but it’s not necessarily more secure or private. Yes, the app in question can’t access your social media profile. But giving up an email address can make you a target for spam and phishing. It also depends on who you trust more to keep your data safe: the company your registering with or the social network. A social network probably has more robust security, but also a lot more attackers. Not to mention, social logins are just more convenient.
Facebook puts apps that require most permissions through a review process, which will prevent most developers from abusing user data. Facebook also offers the highest level of granularity when it comes to customizing permissions and privacy. The other side of that coin is that most users don’t delve too deep into their Facebook security settings. It’s easy to set your profile to “just friends” and think your safe, but actually locking down an account requires a bit more digging than that. You must also consider that the average user will post more private (and I use that word lightly) information on Facebook than other social networks, so in cases of abuse, much more is at risk despite the great controls and stern policies for developers. Note that Facebook has been criticized in the past for making unannounced changes that undo previous protections, so keep an eye out.
Google Plus is a bit of a mixed bag. If you don’t use Google+ much and an app is using the basic permissions scope, it’s not a bad option. The inability to alter an app’s permissions after the initial authentication without completely disconnecting it and re-authenticating from the app itself is a definite sore point, though. Google’s review and enforcement process for apps makers may be lacking, as well. We’ve contacted Google for more information on their app review process and will update this article if and when it responds.
LinkedIn looks to be the most security-minded when it comes to dealing with app makers. For the end user, however, controlling permissions and seeing what apps have access to are pretty much non-existent features. Revoke the app completely or keep it, there’s no middle ground, and you can’t review what data a particular app is using.
Twitter doesn’t have the granularity of Facebook controls or strict requirements for developers like LinkedIn. Then again, there’s nothing much to hide on Twitter. Anyone can see almost anything on your Twitter account just by signing up, so there’s not much more data an app can glean from you logging in with Twitter–it just makes it easier. This “nothing to lose” asset makes Twitter my personal preference for social logins, but it’s not as widely used as Facebook and Google+.