How to see if your apps know too much about you

[Image: apps privacy. IMAGE: JASON HOWIE]

The insta-obsession over “Pokémon Go” hasn’t just forced gamers to leave their homes and explore the outside world, it’s also yielded a teachable moment about privacy.

After Niantic’s smartphone game took off, Adam Reeve, principal architect at the Baltimore security-analytics firm Red Owl, saw something squirrelly in its iOS version. His Google settings showed that signing into “Pokémon Go” with his Google account had given the game access to almost all of his Google account’s information, from his e-mail to his photos.

Other security researchers, such as Trail of Bits’ Dan Guido, looked into this and confirmed that the game sought far more info than needed to verify a player’s identity.

Niantic said it wasn’t reading anything more than Google usernames and e-mail addresses and quickly shipped an update to curb its access.

That developer did the right thing commendably fast. But other companies with apps that invite or require you to sign in via your Google or other social media account might not – and at worst could wind up being able to peek at parts of your online persona you want private. Don’t take a new app’s word for it; check what parts of your accounts it can see and, if necessary, cut off that access. Here’s how.

Google: a series of on/off switches

To check which sites can see your Google account information, sign into your account from a desktop browser, click the avatar for your account in the top-right corner, then select “My Account”.

[Image: Pegoraro Google tips 1]

Next, choose “Connected apps & sites” to see which apps link to your account.

[Image: Pegoraro Google tips 2]

Apps that can see only “basic account info” have access to fields Google describes as “like your name, email, gender, or country”; as long as you remember granting that access and still use them, they should be fine. But carefully consider apps that can see more information than that — especially if they claim “full access.”

That kind of access allows applications to “see and modify nearly all information in your Google Account.” Though, as Google points out, full access doesn’t give apps the ability to “change your password, delete your account, or pay with Google Wallet on your behalf.”

Unfortunately, you can’t partially revoke an app’s permissions here the way you can in Android. For example, you can’t stop an app from reading your Google+ profile if it can currently write to it. It’s an all-or-nothing proposition — you either accept the permissions the developer requires, or you don’t use the app.
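What sits behind the “basic account info” versus “full access” labels is the list of OAuth scopes an app asks for at sign-in, which is also what “far more info than needed to verify a player’s identity” means in practice. The following is an added example, not code from the article or from any app it mentions: it builds a sign-in request that asks only for the identity scopes, and audits a granted-scope string for anything beyond them. The scope names and the authorization endpoint are real Google OAuth 2.0 values; the client ID, redirect URI and the over-broad sample grant are constructed placeholders.

```python
"""Least-privilege sign-in scopes: build a minimal authorization request and
audit what a token was actually granted. Added example, not the article's code."""
from urllib.parse import urlencode, parse_qs, urlparse

# The scopes a "sign in with Google" flow needs to confirm who the user is.
# These are real Google OAuth 2.0 scope names.
IDENTITY_SCOPES = frozenset({
    "openid",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
})

# Google's real OAuth 2.0 authorization endpoint.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"


def build_signin_url(client_id, redirect_uri, state, scopes=IDENTITY_SCOPES):
    """Return an authorization URL that requests only `scopes`.

    client_id, redirect_uri and state are placeholders supplied by the caller;
    a real app would use its registered values and a random per-request state.
    """
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(sorted(scopes)),
        "state": state,
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def requested_scopes(auth_url):
    """Parse the scope list back out of an authorization URL (what the consent
    screen will show the user)."""
    query = parse_qs(urlparse(auth_url).query)
    return frozenset(query.get("scope", [""])[0].split())


def excess_scopes(granted, allowed=IDENTITY_SCOPES):
    """Return the scopes in `granted` that go beyond `allowed`.

    `granted` is a space-separated scope string of the kind Google's tokeninfo
    endpoint reports for an access token; the caller passes it in directly so
    this check runs offline. An empty result means the grant is least-privilege.
    """
    return frozenset(granted.split()) - allowed


# Constructed sample grant for an over-reaching app. The scope names are real
# Google scopes (full Gmail and full Drive access); the combination is
# illustrative only and not what any particular app requested.
SAMPLE_OVERBROAD_GRANT = (
    "openid https://www.googleapis.com/auth/userinfo.email "
    "https://mail.google.com/ https://www.googleapis.com/auth/drive"
)

if __name__ == "__main__":
    url = build_signin_url("CLIENT_ID_PLACEHOLDER", "https://example.com/cb", "state123")
    print(url)
    print("requested:", sorted(requested_scopes(url)))
    print("excess in sample grant:", sorted(excess_scopes(SAMPLE_OVERBROAD_GRANT)))
```

The same shape of check applies to the Facebook and Twitter sections that follow: list what the app was granted, subtract what it needs to do its job, and treat anything left over as a reason to revoke.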

Facebook: more control

When logged into the social network in a desktop browser, click the upside-down triangle in the top-right corner of the screen and select “Settings.”

[Image: Pegoraro Facebook Tips 1]

Next, click “Apps” in the toolbar to the left.

[Image: Pegoraro Facebook Tip 2]

You’ll see all the apps and sites tapped into your account under “Logged in with Facebook.” Click each app to see what data it can access and who can see your interaction with it. More importantly, you can limit who sees your interactions with an app, so that only a subset of your friends, or just yourself (“Only Me”), can see which American Express offers you’ve claimed.

[Image: Pegoraro Facebook Tips 3]

Twitter: read versus write

Visit Twitter in a desktop browser, click your account icon in the top-right corner of the screen, and choose “Settings” from the drop-down menu.

[Image: Pegoraro Twitter Tips 1]

Select the “Apps” heading on the left side of the screen.

[Image: Pegoraro Twitter Tips 2]

The key thing to look for here is apps that have “write” access, versus only being able to read your tweets and see your followers. The only apps that can post tweets and get at your direct messages should be those you’ve installed to use Twitter.

[Image: Pegoraro Twitter Tips 3]

You can’t take away only some of an app’s permissions, so if an app’s access bothers you, your sole recourse is the “Revoke access” button.

LinkedIn: you may have to guess

Click your photo in the top-right corner and select “Manage” to the right of the “Privacy & Settings” heading.

[Image: Pegoraro LinkedIn Tips 1]

Next, choose “Third parties” on the left side of the screen to see which outside sites can view your profile.

[Image: Pegoraro LinkedIn Tips 2]

Unfortunately, this page provides nearly no information about these sites—not even their web addresses. But if you know one of the sites listed is no good, yank its access by clicking the blue “Remove” button.

(LinkedIn’s own help provided little guidance on this. You’re welcome.)

The terrible TOS

As annoyingly obscure as it can be to plumb permissions, these rules-based systems do have the advantage of making third-party apps state their intentions in a phone-screen-sized dialog.

Privacy policies and terms-of-service documents, meanwhile, remain a suffocating swamp of legalese. Most companies can’t be bothered to make them intelligible to humans without a law degree, and so most normal humans skip or skim them.

How many? A study posted last week (hat tip, Ars Technica) found that students at an unnamed U.S. university spent an average of 73 seconds digesting the 7,977-word privacy policy of a fictitious “NameDrop” professional social network. Researchers Jonathan A. Obar of York University and Anne Oeldorf-Hirsch of the University of Connecticut also observed that these students devoted an average of 51 seconds to NameDrop’s 4,316-word terms of service.

So of course only 1.7 percent of the test subjects thought to object to a clause in the terms declaring that they “agree to immediately assign their first-born child to NameDrop, Inc.”

Laugh all you want, but for a lot of startups privacy isn’t part of the minimum viable product. “Pokémon Go” players, count yourselves lucky that the developer admitted and fixed its error so quickly before you resume hunting for Pokémon outside… and please remember to give the game a rest in the likes of the Holocaust Museum and Arlington National Cemetery.

Email Rob at rob@robpegoraro.com; follow him on Twitter at @robpegoraro.