Hello, Crown Clients and Friends!
When using Google’s or Facebook’s platforms, it may be useful to enable third-party apps or accounts to extend their functionality. However, this always comes at the cost of security. While other sectors of the tech world move on to models like the zero-trust model (where you can use a service without exposing any data to that service), some apps and platforms allow you to share information with a third party to enable features. In this post, we’ll consider whether or not this is a good idea in the first place and also walk through how to effectively manage Google and Facebook third-party apps if you choose to use them.
Third-Parties and Your Data Privacy
Third-party apps are developed by someone other than the service you are using. For example, you can extend the functionality of Gmail to integrate your Zoom meetings by “installing” (which is really more like granting access to) Zoom for GSuite or Gmail. This makes it so that Zoom can access your Google Calendar and Gmail information, and do things like read your Gmail account for meeting invitations and write its entries in your Calendar. This functionality may be very useful to you, but it comes at the cost of allowing Zoom to read your emails (so that it can find invitations) and possibly store information from them.
These kinds of privacy concerns are usually questions of trusting a company with your personal information, but in the case of third-party apps, it’s more like giving them a copy of the data in your account or profile. It isn’t too paranoid to think that sharing this information may be a bad idea altogether, since personal data breaches happen all the time. Enabling a third-party app means that you are trusting that developer, in addition to the primary service, to keep and use your information responsibly. If the third party is successfully attacked, the attacker ends up with your data. Even worse, in the past there have been problems with apps that are no longer being maintained, making them more vulnerable to being controlled by a malicious actor.
Managing Third-Party Apps and Accounts
Luckily, most platforms make it easy to manage third-party apps if you decide to use them. The information and control given by the platforms have gotten a lot better over the past few years, even if there is still a lot to be concerned about. We’ll look at Google’s and Facebook’s settings, but other platforms and services may have similar settings you can look for.
On Facebook, third-party apps are often ones that can post on your behalf, or apps that find your Friends on Facebook to extend their social component. The level of control in these settings is really impressive: they show you which apps are linked and what information you are sharing with each app (and even give you the ability to turn off certain types of information sharing, if available), and they also let you know whether the link is active or expired and when it was linked.
Here’s an example of what you will find in the Apps and Websites privacy settings: I have my Duolingo app linked with my Facebook profile, which I linked so that I could compete with and taunt my Facebook friends with my progress. When I check the information that I share with them, it lets me know that I am sharing public information with Duolingo (my name and profile picture) as well as my Friends List, which is private information. Since the functionality I want from this app includes knowing my Friends, I am comfortable with this setting (but I am also comfortable with this information being public).
Removing the apps that you don’t use anymore can be helpful to make sure that you don’t accidentally re-link them when it isn’t necessary. However, unlinking an app won’t delete the data that you shared with those apps in the past.
With Google accounts, you can find the third-party apps in your account’s security settings under “Third-party apps with account access.”
Here, you’ll see the list of third-party apps and what part of your Google Account they have access to. If you click on them, you’ll see a more detailed list of permissions that they have for interacting with your Google data. Seeing these detailed permissions can help you make a more informed decision about who has access to your personal data. For instance, I saw here that Slack has access to my Google Drive, but I also remembered that I have never actually used this functionality (a robot in Slack that messages me when someone shares a file with me). There’s no point in Slack having access to my files or even a list of them, so I chose to unlink it.
-Written by Derek Jeppsen on Behalf of Sean Goss and Crown Computers Team