13 December, 2013

Who or what has access to your Google account and how to revoke that access

Like Facebook, Google offers the convenience of letting you use your Google account to log in to different websites. In IT circles this is known as SSO (Single Sign On) functionality. It's another way of saying that you don't need to create an account for every single site on the internet. Instead you create one with a well-known and (hopefully) trusted provider and use that everywhere. One of the ideas behind this is that you can now have one fairly strong password, which would further secure your online identity. On any site that supports this, you will then have the option to create a local account or to use your Google login instead.

I can just hear you asking now: "But wait. Doesn't that mean that all those sites will now know my Google login credentials?"
Thankfully, the answer to that is: "No, they won't." :-)

The way this works (in fairly simplified form) is that other sites have decided to trust Google (or Facebook) to provide the authentication services instead of them. When you come to www.tripit.com or www.linkedin.com and use your Google login, these sites will essentially ask Google if it can verify that you are who you say you are. Google will say "yes" and with that the site will let you in. Your password will not be seen by these sites.
That's the good part of the story.

What about the bad?

There are actually a few potentially bad sides. You have to weigh each one on its own to see whether the convenience outweighs the risks, as far as you are concerned.

  • Google knows (sinister music)
Since you use your Google account to log in to the other sites, Google will know which sites you're visiting. So if you're keen on keeping private where on the net you go, this may be an issue for you.
  • Sites know (sinister music)
Depending on the site, there may be a substantial level of information that they will get from Google about you when you use Google authentication. On the upside, the site where you're logging in with your Google account will always let you know what level of information they want from you, before you allow them to actually access that information. The major problem here is that, often, there is no way to reduce the requested privilege level and still be able to use Google login with that particular site.
Here is a bit of information regarding the access levels and what they mean.
  • You forget that others know (no music)

In my opinion, one of the hidden risks with this is that it's maybe too convenient. Lots of sites today use this capability. In some cases you may want to try out a particular site or a service that they offer, and then you forget you did so. However, the site in question still retains visibility into your personal data.
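To make the "Sites know" point concrete, here is an added example (not part of the original post) that reads the address of a Google consent page and separates sign-in-only requests from requests for your account data. It assumes the site uses Google's OAuth 2.0 consent flow; the sample URL, its client_id and redirect_uri, and the list of sign-in-only scopes are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: these scopes only identify you (sign-in). Anything else is
# treated as a request for access to data held in your account.
IDENTITY_SCOPES = {
    "openid", "email", "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}


def audit_consent_url(url):
    """Classify what a Google OAuth 2.0 consent URL is asking for."""
    query = parse_qs(urlsplit(url).query)
    # 'scope' is a space-delimited list; parse_qs already decodes '+' and %20.
    requested = " ".join(query.get("scope", [])).split()
    identity = [s for s in requested if s in IDENTITY_SCOPES]
    data_access = [s for s in requested if s not in IDENTITY_SCOPES]
    # access_type=offline requests a refresh token, so the site's access
    # keeps working after you close the tab, until you revoke it.
    offline = query.get("access_type", [""])[0] == "offline"
    return {"identity": identity, "data_access": data_access, "offline": offline}


# Constructed sample: a site asking for sign-in plus read access to contacts.
SAMPLE_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=EXAMPLE_CLIENT_ID&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.example%2Fcallback"
    "&access_type=offline"
    "&scope=openid+email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts.readonly"
)

if __name__ == "__main__":
    report = audit_consent_url(SAMPLE_URL)
    print("Sign-in only :", ", ".join(report["identity"]) or "none")
    print("Data access  :", ", ".join(report["data_access"]) or "none")
    print("Offline access requested:", report["offline"])
```

Anything listed under data access, or a request for offline access, is what stays in place after you stop using the site.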

For the first two things there is no tool. You have to use your head. Unfortunately :-)
For the last thing, however, there is a nice page on google.com that allows you to check all the sites and services that are at this time allowed to access some or most of your information. It also allows you to easily revoke access to any and all such linked sites and services.
Ha, actually, just as I was re-checking the facts about this functionality, I came across an updated and nicer version of the page, which serves the same function. :-)

I'm willing to bet that most of you will be slightly amazed when you see all the connected sites and services on your first visit to these pages.

Have a nice Friday the 13th and enjoy,