By: Brian Barrett for Wired Security
April 24, 2017
The pitch has plenty of appeal: Sign up for our service, and we’ll automatically unsubscribe you from all those pesky email lists. For free! Except, not quite; as it turns out, you end up paying in privacy.
That’s just one revelation from a bombshell New York Times look at Uber, which showed how Unroll.me, the service described above, scans the email accounts of its users for information as granular as Lyft receipts to anonymize, package, and sell on the lucrative data market. Unroll.me CEO Jojo Hedaya issued something like an apology, though he mostly seemed sorry that no one bothered to read the terms of service closely enough.
But while Unroll.me has taken plenty of well-deserved flak for the unexpected disclosure, it’s hardly the only service that taps into your Gmail, or your other Google services, or for that matter your Facebook account. You’ve probably given that access away freely, without even realizing it—or the full scope of its implications—in exchange for a little added convenience, whether that’s getting Bed Bath & Beyond’s digital marketers off your back, or simply using your Google account to sign in to a range of apps and sites across the internet.
Not all of these interactions and permissions are grody, or even all that objectionable. Your Withings App wants to tap into Google Fit? Sure, makes sense. Your email client needs Gmail access? Of course! Otherwise it would be a nothing client.
Often, though, the adage holds true: If it’s free, you’re the product. Or more specifically, your browsing habits and social graph are, both of which advertisers crave.
That makes now as good a time as any to audit who’s tapping into your Google and Facebook services, and for what reason. You may have other go-to services you want to check as well, but these two are both the biggest, and the most commonly used for OAuth, an open standard that lets you use those accounts as your sign-in across the web.
Fortunately, taking stock takes no time at all. Neither does clearing out unwelcome interactions. Here’s how.
To see what apps and services you’ve given Google permissions to, just head here. That’s where you’ll find Unroll.me, for instance, along with anywhere else that has asked for your info. You might be surprised by what you find! (A personal example: At some point, I apparently agreed to let Target know my email address, approximate age, preferred language, and basic account details. Whoops?)
Not every connected entity has the same level of privileges. To see what they can tap into, just click, and the view will expand for a helpfully detailed rundown.
You can’t adjust the level of access from here, but if you want to cut something out of your Google goodies altogether, just click Remove, and then OK when a pop-up asks you if you’re absolutely sure.
Confusingly, Google also lets you parse your Connected Accounts here. These are accounts you voluntarily linked to your Google account, like say if in a fit of optimism you linked your Google Plus and your Twitter so that all your Google Plus friends could read your tweets. There’s not likely to be much in there, but check it just in case.
The Facebook case isn’t quite the same as Google. But Facebook also integrates with all kinds of third parties, and if you’re auditing one you might as well take a look at the other. Especially given that, if anything, it’s even easier to purge. If you want to nuke any app, website, or plugin interactions with Facebook, just go to Settings, click Apps, then hit Edit under Apps, Websites and Plugins, and click Disable Platform.
For a more targeted strike, look at the top of that same Settings page and see what you’ve linked up with. Go ahead and ditch any you don’t use anymore, or don’t need Facebook to tap into. Also to be clear,
And while you’re at it, go to Apps Others Use, and click Edit, and clear out all of those categories, so that your info doesn’t get spread around just because your friends are still playing FarmVille for some reason.
There’s a whole other world of Facebook privacy settings to explore, but in terms of integrating your account with other services, this should about cover you.
Again, not all use cases are bad! It makes sense for your Fitbit to tap into your health data. And OAuth can be a genuine convenience that doesn’t necessarily mean that those companies use your data inappropriately. (WIRED, for instance, lets you log in with your Facebook account.) There are plenty of permissions you’ll want to keep in place.
Besides which, none of this stops Google and Facebook from using your info for highly targeted ads. But at least this way you’ll know who’s got their hooks into your accounts, and why. And, more importantly, you can kick them out.