The insta-obsession over “Pokémon Go” hasn’t just forced gamers to leave their homes and explore the outside world, it’s also yielded a teachable moment about privacy.
After Niantic’s smartphone game took off, Adam Reeve, principal architect at the Baltimore security-analytics firm Red Owl, saw something squirrelly in its iOS version. His Google settings showed that signing into “Pokémon Go” with his Google account had given the game access to almost all of his Google account’s information, from his e-mail to his photos.
Other security researchers, such as Trail of Bits’ Dan Guido, looked into this and confirmed that the game sought far more info than needed to verify a player’s identity.
That developer did the right thing commendably fast. But other companies with apps that invite or require you to sign in via your Google or other social media account might not – and at worst could wind up being able to peek at parts of your online persona you want private. Don’t take a new app’s word for it; check what parts of your accounts it can see and, if necessary, cut off that access. Here’s how.
Google: a series of on/off switches
To check which sites can see your Google account information, sign into your account from a desktop browser, click the avatar for your account in the top-right corner, then select “My Account”.
Apps that can see “basic account info” only have access to parameters, “like your name, email, gender, or country”; as long as you remember granting that access and still use them, they should be fine. But carefully consider apps that can see more information than that — especially if they claim “full access.”
That kind of access allows applications to, “see and modify nearly all information in your Google Account.” Though as Google points out, full access doesn’t give apps the ability to, “change your password, delete your account, or pay with Google Wallet on your behalf.”
Unfortunately, you can’t partially revoke an app’s permissions as you can in Android. For example, you can’t stop an app from reading your Google+ profile if it can write to it now. It’s an all or nothing proposition — you either accept the app permissions the developer requires, or you don’t use the app.
Facebook: more control
When logged into the social network in a desktop browser, click the upside-down triangle in the top-right corner of the screen and select “Settings.”
Next, click “Apps” in the toolbar to the left.
You’ll see all the apps and sites tapped into your account under “Logged in with Facebook.” Click each app to see what data they can access and who can see your interaction with it — and, more importantly, limit who can see your interactions with apps so that only a subset of your friends or just yourself (“Only Me”) can see which American Express offers you’ve claimed.
Twitter: read versus write
Visit Twitter in a desktop browser and click your account icon in the top-right corner of the screen and choose “Settings” from the drop-down menu.
Select the “Apps” heading on the left side of the screen.
The key thing to look for here is apps that have “write” access, versus only being able to read your tweets and see your followers. The only apps that can post tweets and get at your direct messages should be those you’ve installed to use Twitter.
You can’t take away some of an app’s permissions, so your sole recourse if one somewhat irks you is the “Revoke access” button.
LinkedIn: you may have to guess
Click your photo in the top-right corner and select “Manage” to the right of the “Privacy & Settings” heading.
Next, choose “Third parties” on the left side of the screen to see which outside sites can view your profile.
Unfortunately, this page provides nearly no information about these sites—not even their web address. But if you know one of the sites listed is no good, yank its access by clicking the blue “Remove” button.
As annoyingly obscure as it can be to plumb permissions, these rules-based systems do have the advantage of making third-party apps state their intentions in a phone-screen-sized dialog.
Privacy policies and terms-of-service documents, meanwhile, remain a suffocating swamp of legalese. Most companies can’t be bothered to make them intelligible to humans without a law degree, and so most normal humans skip or skim them.
How many? A study posted last week (hat tip, Ars Technica) found that students at an unnamed U.S. university spent an average of 73 seconds digesting the 7,977-word privacy policy of a fictitious “NameDrop” professional social network. Researchers Jonathan A. Obar of York University and Anne Oeldorf-Hirsch of the University of Connecticut also observed that these students devoted an average of 51 seconds to NameDrop’s 4,316-word terms of service.
So of course only 1.7 percent of the test subjects thought to object to a clause in the terms declaring that they “agree to immediately assign their first-born child to NameDrop, Inc.”