Sign in with Google or Facebook? Just say no
Just this month, Facebook warned 1 million users that they may have been tricked into giving their account info away by malicious apps.
By Geoffrey Fowler
You've probably seen it on lots of apps and websites: buttons urging you to sign in with your Google or Facebook account. Sometimes it's to let you share files, photos or emails. Other times it's to use Google or Facebook as a quick way to log in somewhere new.
My rule of thumb is to just say no.
There are too many ways using these buttons can leak personal information or help Big Tech track you. There are some exceptions when it's useful — but you might be surprised, and a little regretful, if you saw how many random sites have access to your Google or Facebook data.
What could go wrong?
This month, Facebook warned a million Facebook users their accounts might have been compromised by 400 malicious apps that were designed to trick them into handing over their Facebook log-in information. Criminals were making fake log-in buttons.
And I'd like to share a doozy of a cautionary tale: A Washington Post reader wrote to me recently about a Google log-in button on a job portal called iCIMS designed — at least in theory — to help people upload their résumés. Turns out, using it inadvertently grants the site access to your entire collection of digital files.
You agreed to what?
You might not know the name iCIMS, but many people applying for jobs do: It has 2.4 million users and is used for recruitment by companies including Microsoft, Uber, UPS, Target and IBM. The iCIMS job application site offered The Post reader's daughter the ability to upload her résumé directly from Google Drive, the online storage service.
Sounds convenient, but when she clicked on the Google Drive button, a message popped up: "This will allow iCIMS to: See and download all your Google Drive files."
Wait, all of them? Google Drive is a popular cloud storage service for not only documents but also people's photos, family videos, tax returns and more. Others have complained about the same privacy breach on Reddit and Google's own support forums — and I confirmed the details by applying for a job myself.
iCIMS told me it is not currently rummaging through the other files of job applicants uploading résumés. "iCIMS does not access, transfer, store or otherwise process any additional information from the candidate's Google Drive account, other than the file they select to upload to the iCIMS platform," emailed Al Smith, the company's chief technology officer.
But the problem is that iCIMS is still asking you to grant it permission to access all your Google files. Smith said this is a "standard connection managed by Google" and was the only way to share Drive files when iCIMS created its website.
A Google spokesman told me users have "choice and control" and have to click their consent to data sharing specifics on an "access permission" screen. But how many people spend time reading and digesting that fine print?
Google says users can report naughty apps to it — but that's not the same as vetting them in advance.
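As an added example (not from this column, Google or iCIMS): a short Python check that reads the `scope` parameter of a Google sign-in link and ranks what the app is asking for before you click consent. The wording quoted above is what Google displays for its `drive.readonly` scope; the risk labels, the sample URLs, the client ID and the `jobs.example` domain are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

PREFIX = "https://www.googleapis.com/auth/"

# Google scope -> (risk label, what the grant covers). Labels are this example's own.
SCOPES = {
    "openid": ("low", "sign-in identity only"),
    "email": ("low", "email address"),
    "profile": ("low", "basic profile"),
    PREFIX + "drive.file": ("medium", "only files the user opens or creates with this app"),
    PREFIX + "drive.metadata.readonly": ("medium", "names and metadata of every Drive file"),
    PREFIX + "drive.readonly": ("high", "read and download every Drive file"),
    PREFIX + "drive": ("high", "read, change and delete every Drive file"),
}
RANK = {"low": 0, "medium": 1, "unknown": 2, "high": 3}


def audit_scopes(auth_url):
    """Return (worst_label, findings) for the scopes an authorization URL requests."""
    query = parse_qs(urlsplit(auth_url).query)
    # OAuth 2.0 sends scopes as one space-delimited value; parse_qs decodes '+' and %20.
    requested = " ".join(query.get("scope", [])).split()
    findings = []
    for scope in requested:
        label, meaning = SCOPES.get(scope, ("unknown", "not in this table, review by hand"))
        findings.append((label, scope, meaning))
    # Broadest grant first, so the line that matters is at the top of the report.
    findings.sort(key=lambda f: RANK[f[0]], reverse=True)
    worst = findings[0][0] if findings else "none"
    return worst, findings


# Constructed sample URLs: client_id and redirect_uri are placeholders.
BROAD = ("https://accounts.google.com/o/oauth2/v2/auth?client_id=EXAMPLE_CLIENT_ID"
         "&redirect_uri=https%3A%2F%2Fjobs.example%2Fcallback&response_type=code"
         "&scope=openid+email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.readonly")
NARROW = BROAD.replace("drive.readonly", "drive.file")

if __name__ == "__main__":
    for url in (BROAD, NARROW):
        worst, findings = audit_scopes(url)
        print(worst.upper())
        for label, scope, meaning in findings:
            print(f"  [{label}] {scope}: {meaning}")
```

The same scope list is what appears, in plain language, on the consent screen and later in your Google account's list of third-party apps with access.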
When is it okay to use log-in buttons?
Log-in buttons aren't necessarily bad. "If it is a legitimate site or service, then you don't have too much to worry about," said Bogdan Botezatu, the director of threat research and reporting at security company Bitdefender.
For example, some people log in to Google to grant the Zoom video conferencing app access to their calendar, making calls pop up automatically.
But there's another thorny problem: "How do you know when it is legit and when it is not?" said Jen Caltrider, who leads the Privacy Not Included project at nonprofit Mozilla. "I am a privacy researcher and sometimes I'm not 100% sure." Many companies today hide that they're actually in the business of vacuuming up people's data.
Google has a long history of enabling questionable oversharing and Facebook has an even more tortured history of this. Facebook had to pay a $5 billion fine in 2019 after the Federal Trade Commission investigated how it allowed a company called Cambridge Analytica to access users' personal data.
There's a second popular use for log-in buttons: allowing your existing Google or Facebook account to serve as a convenient replacement log-in somewhere else. You might choose this instead of creating yet another username and password for a new website or app.
Facebook tells me this could be safer than creating a log-in with a bad password, or reusing one that you've already chosen for a different app. The No. 1 security mistake people make online is reusing passwords across apps and websites.
Yet I still rarely choose to log in with Google or Facebook.
A better idea to simplify your password headache is to use a password manager.