We're all used to seeing "Log in with Facebook" or "Log in with Google" at sites around the Internet — or less frequently, an offer to log in with Twitter, LinkedIn or Pinterest. It's a common option at news sites like CNN.com and the UK's Guardian newspaper, music streaming services such as Spotify and tens of thousands of other online retailers, apps and games.
Logging in with a main account whose credentials you easily remember saves you the trouble of going through yet another laborious account creation and memorizing dozens of passwords. It allows you to easily post about something you've just read or bought.
But what exactly are you signing up for?
Requesting your data
Logging in to a website using a service such as Facebook or Google allows the website to make a request for data about you. Facebook and LinkedIn have quite a lot of data available for request: your birthday, friends list, email address, employment, colleges attended, photos and information that your friends have posted about you (for example, tagged photos). Other services like Twitter don't possess the same level of personal data about its users and aren't able to turn over as much information.
The exact data that the website is requesting pops up in a window asking for permission. Saying yes to that request adds one more tiny bridge between the virtual islands of your online self.
This seemingly small agreement can carry larger repercussions. Linking two or more sites allows companies to collect more data, building an increasingly rounded profile about you. Allowing one account to have access to others means that if the least secure account is hacked, the rest could also be compromised.
Facebook and Google are by far the two most frequently used services for logging in to other sites. Facebook snared 42% of all social log-ins across the tens of thousands of sites that support it; Google is used 38% of the time according to MarketingCharts.com.
“Using a social log-in elevates social platforms to the status of trusted source for verifying our identities,” says Jacqui Taylor, CEO of web science company Flying Binary.
Yet social networks don't inherently have value as a trusted source of identity. Privacy is not the main concern of a social network; like any for-profit company, its focus is on monetizing its product.
“We are the products that these free services monetize,” Taylor says. Take Facebook; it can command $300,000 for a month-long international targeted ad campaign built using personal information posted by its users. In the first quarter of 2014, Facebook reported over $2 billion in advertising revenue and Google over $14 billion.
What happens to your data
The data held by social platforms and service providers like Google covers your habits and preferences. Facebook Like buttons littered throughout the Internet bounce back data about products or articles you've liked, while the Facebook Open Graph platform for other sites comes with plug-ins that collect data such as which of your friends already use a particular website or what you do while on the site.
Perhaps in response to growing privacy concerns, Facebook recently announced the Anonymous Login, which allows you to log in to third-party apps without having to give permission to share personal details like your name, email, birthday and so forth. Anonymous Login is currently in testing and is expected to be rolled out to more developers in the coming months.
Google tracks your online habits through search queries, its Chrome browser and more, building demographic profiles it then sells to companies who want to buy advertising on Google products, from Gmail sidebar ads to sponsored search results.
“The more data ecosystems these companies connect, the more they know about us and the more we continue be their product, helping to maximize profits,” Taylor says.
The social log-in is another way of adding data ecosystems to the company's reach. Down the line, it could cue an era of increasingly uncanny ad targeting, in line with the infamous example of Target analyzing a teenager's purchasing habits to deduce she was pregnant.
As for those Terms of Service agreements that detail what will and won't happen to your personal data: “How many privacy changes on Facebook have you agreed to without understanding what they're changing?” Taylor says. “The terms of services are changing as platforms themselves evolve.”
Signing into several sites with the one log-in can leave accounts as vulnerable as the one with the lowest security. So-called daisy-chained accounts can also make identity theft easier for would-be scammers. Wired shares a harrowing account of how writer Mat Honan's Amazon, Apple, Gmail and Twitter accounts were taken over.
If a trusted source of your identity is less secure — whether that's Facebook, Google or another account — "they risk becoming the weak link in the chain that gets targeted by attackers," says Marc Rogers, Lookout's principal security researcher.
There's also the possibility that less scrupulous sites may do something else with your data than what you agreed to — for example, selling it to a third or fourth company that you do not want holding any aspect of your online identity. Before you sign into a site with your existing social account, make sure your trust the third-party site.
Moving away from Facebook
Social log-ins may have greased the wheels for a more heavyweight verification system that even governments can use. In the United States, the government is running trials for a federated online ID system called the National Strategy for Trusted Identities in Cyberspace.
Originally devised to prevent fraud by getting a group of companies to authenticate online transactions, NSTIC is now all about the universal log-in, a single online ID that could be used at various places on the internet. The idea is that as more financial and government institutions move the bulk of their services online, they need more heavily regulated means to prove who we are online.
“A strong, well-built network of federated services designed with privacy in mind could be a significant advantage to users,” Rogers says. It would be simpler, for example, to reduce the number of links in the chain for attackers to target. “Second, and perhaps even more significantly, it could allow security spend to be focused on keeping the identity providers secure rather than spread out trying to keep everything secure.”
NSTIC is currently designed to be opt-in and non-mandatory. Yet in the Wikileaks era of mass surveillance by national agencies, the benefits of a government-approved “one ID” system may not outweigh concerns that Uncle Sam could end up using the data to track its citizens, though the NSTIC does at the moment explicitly forbid tracking — or that allowing several different companies to verify our identity will build too many connections between disparate data sets, eroding online anonymity.
The rules of logging in
"We use a social log-in because we want a frictionless journey through the internet,” Taylor says. The benefits of sailing smoothly past log-ins and account registrations often mean we're happy to trade away some data privacy.
- Be aware that if you choose to log in with a social account, your data will be shared between the social network and the third-party app. Stay updated on your social networks' privacy policies, and use the social log-in accordingly at sites you feel comfortable sharing data with.
- Don't use your main account to log in to a site whose security you don't trust.
- Don't link a social profile to sensitive info like your Social Security number or financial details. In these cases, a separate account and password is your safest bet.
The most secure use of social log-ins is with closely related sites, says Lookout's Rogers. For example, Twitter's log-in works well with services it's integrated with its own ecosystem or where there's a benefit to being able to cross-post — say, between Wordpress and Twitter. "Likewise, Facebook is arguably best placed to [be your log-in] for services such as Facebook Apps or other third-party services that plug in to the Facebook platform,” Rogers says.
Updated 5/29/2014 to include NSTIC policy that forbids tracking