Understanding Security and Privacy in Google Plus


I don’t use Google+, why should I care?

In my first column, I said that one challenge with social media from a security and privacy point of view is that “[i]t’s an axiom in security that you can only secure that which you can understand. It’s also the nature of new technology that it’s not known, certainly not to a level most security people are comfortable with.”

Except maybe for Pinterest, these days this statement can best apply to Google+. It has been with us for just about one year now. While a year is a long time in the social media universe, it is still the youngest and least understood of the major social media platforms out there.

And while the jury is out on the long-term adoption of G+, a couple of things are clear that make it important to understand the security and privacy aspects of it.

First, while Google has tried and retired other social media platforms (like “Buzz”), G+ isn’t so much a social media platform as the social enablement of its services (the “plus” in “Google+”).

Second, it is moving to consolidate and streamline their disparate services into a more cohesive, unified offering.

Taken together, these mean that Google+ isn’t likely going to simply disappear like Buzz did. Instead, it’s going to be ever more a part of the user experience. Using their services and taking advantage of the social enablement they’re offering in a smart way in terms of security and privacy means understanding G+’s security and privacy capabilities.

Because Google+ isn’t a separate platform the way that Facebook or Pinterest are, it makes the social extension quality more transparent. From a usability point of view, this is a good thing (and what they are striving for). You don’t go into a separate application to share your pictures with everyone: instead the ability to share your pictures is built right into what used to be Picasa. What is potentially scary though is that very transparency can make it feel like you have less control or that the risks of inadvertently sharing information farther and more widely than you intended are greater. From a user’s point of view, there’s a certain clarity in the “hard break” that a separate application can give.

To their credit, to support G+, they have put into place one of the simplest and clearest privacy paradigms out there. If you understand that paradigm you can use the social enablement features with a greater sense of confidence. And also to their credit, they have put in place some very solid account security features to protect your Google account and all of the services that rely on it. Finally, for businesses and organizations, they have taken a page out of the Facebook playbook and created “Pages” which utilize the Google+ privacy controls and the Google account security features.

Account Security and Privacy

One way that the integration of Google+ into Google services is most apparent is that there is no such thing as a “Google+ account”. Instead, you have a Google account that has G+ enabled on it. This means that your account security is really “Google account security”. In recent columns I’ve talked about the importance of protecting access to your social media accounts. For your G+ presence, you protect access by protecting your Google account.

As I’ve noted before, these days, account security really focuses on two areas:

  • Two Factor Authentication for login (called “2-step verification” in Google)
  • Account recovery options

They’ve made account security and privacy management fairly centralized and streamlined. You enable and configure both these options in one place: the security page of your account settings (located at the time of this writing at https://www.google.com/settings/security). On this page you can (and should) enable 2-step verification, which will require you to enter a one-time code sent to your mobile device when you log in from a new system or device.

When you configure 2-step verification, you will need to use one-time passwords for applications that can’t support 2-step verification (you’ll know this especially if you get errors from these applications after turning this on). Use the “Authorizing applications and sites” button to configure one-time passwords for applications.

When you configure account recovery options, you can choose to use a mobile device to speed up the recovery process. If possible, you should enable this capability as well. If you legitimately forget a password or someone tries to take control of your account, this option will help speed your recovery significantly. You should also set up an additional email address (preferably with a completely different username and password and on a different mail system) here as well. You’ll also want to configure a security question: remember to not use a question and answer combination that someone can learn publicly. If you list your High School on your LinkedIn profile, don’t use that information as part of your security question.

While circles form the core of privacy controls for sharing information through G+, they only manage the information you share and who you share it with. The rest of what we would consider to be “privacy” is managed as part of your Google account (along with all your other services). To control your public visibility and other privacy options, go to the privacy panel: https://www.google.com/settings/privacy. One resource on this page that’s good to know about is the “Dashboard”, which will let you see in one place all of the information that’s stored across its various services. It’s a good idea to review this closely and close out anything that you don’t use or don’t want. While this dashboard can be scary because of all the information you see, it’s good to have the information that’s already out there in a single location for you to review.

You control nearly all of your Google (and by extension G+) security and privacy through these two panels. There are, though, a couple of other items not located on these panels that are good to know about. First, you can use your account as credentials for other services. You can manage these “connected accounts” on the main account setting page (https://www.google.com/settings/account). Much like the privacy dashboard, it’s a good idea to review these connected accounts regularly and prune out any you no longer need or use. Also, there are some specific privacy settings outside of circles that govern default settings primarily for interactions. You can access and configure these through the settings page (https://www.google.com/settings/plus).


If they get credit for one thing, it should be for the idea of “circles”. They use “circles” to enable you to group people you are connected to into discrete, manageable blocks that you then use when you share information out. Unlike other privacy controls, like Facebook’s “lists”, circles is a very simple concept that’s smartly implemented. It builds on a social paradigm we’re already familiar with (that of “social circles”) and is integrated into the “social enablement” in a way that makes it relatively easy to use.

To use circles, you simply create circles that correspond to the different categories of people that you need to share information with. You add people to these circles as appropriate and you can have people in more than one circle to match the different roles they play in your life. When you share information through G+, you add the circles that you want to have access to this information. You manage your circles through the account dashboard at https://plus.google.com/circles.

There is one circle that you don’t configure but is very important when you’re sharing: public. This is the circle that determines whether what you share will be seen by anyone you haven’t explicitly given permissions to. If you do not grant the “public” circle rights to what you share, then only those circles you’ve shared with will see what you’ve shared. The public circle is a very important one, and one you want to be mindful of including or excluding anytime you share.


Much like Facebook, pages are available for companies and organizations. As a social media manager the odds are you’ll do most of your public-facing work through Google+ pages.

The good news is that once you have these basics we’ve outlined around security and privacy down, managing pages is a nearly seamless extension. The key security concept you have to be mindful of specific to pages is that, like Facebook, pages have administrators who have full control. In fact, the “page-specific” best practices for managing pages mirror those of Facebook to such an extent that you can apply the same two best practices I outlined for Facebook pages:

  1. Minimizing the number of administrators (“admins”)
  2. Increasing the account security options for all admins (using the options outlined earlier in this article).

A Final Tip in Closing

While Google+ can seem scary and daunting because of its seamless integration, they deserve credit for building on top of some industry-leading security and privacy practices and controls. And by implementing easy-to-understand paradigms like “circles” and building on the well-established idea of “pages”, they actually have made it easier to use from a security and privacy point of view than other social media platforms out there. So while it may seem scary, it doesn’t need to be.

One final tip in this all: it is easy to create and manage multiple accounts. So rather than use your personal account to manage your official social media presence as a page admin, go ahead and create a separate account for the purpose of managing your social media presence. It’s an extra step that can provide some additional protections as you work to manage not only your Google+ presence, but any services you and your organization might be using.

Christopher Budd
This monthly Social Media & Online Security column is contributed by Christopher Budd. Christopher works for Trend Micro, an Internet security company, and is an expert on communications, online security, and privacy. Christopher combines a former career as an Internet security engineer with his current career in communications to help people bridge the gap between the technical and communications realms and “make awful news just bad.” Before Trend Micro, he worked as an independent communications consultant and, prior to that, as a ten-year veteran of the security response group at the Microsoft Corporation. +Christopher Budd