There’s been a lot of noise this week about Gmail and the access that some third parties have to your Gmail inbox. Hidden under misleading headlines, reports have, I think rightfully, highlighted the parallels between Gmail’s system and Facebook’s prior third-party allowances which led to Cambridge Analytica-related repercussions. The public perception of these stories is much different, though.
Here are a few headlines from Daily Mail, Business Insider and Gizmodo, respectively:
- Gmail users beware! Third-party developers are READING your private messages
- Google says it’s not reading your Gmail, except when it does…
- Google Says It Doesn’t Go Through Your Inbox Anymore, But It Lets Other Apps Do It.
Perhaps one of the more egregious headlines was the one that started the whole debacle: “Tech’s ‘Dirty Secret’: The App Developers Sifting Through Your Gmail,” which the WSJ published on Monday.
The wild misrepresentation here is that everyone’s emails are all out… in the wild. The average onlooker would think that Google and all associated third parties are just reading your emails in droves. The cat’s out of the bag. Every email you’ve ever written is out there for the whole world to see. That’s simply not the case.
For one, your Gmail inbox is generally not open to Google itself. As with everything, there are exceptions. The first is that Google used to use computer systems to scan your email to serve you ads, a practice it ended for student, business and government users in 2014, and put a complete end to last year. The second is that Google will sometimes access emails when you ask it to or if it is “investigating a bug or abuse.”
That’s the word from Google itself:
The practice of automatic processing has caused some to speculate mistakenly that Google “reads” your emails. To be absolutely clear: no one at Google reads your Gmail, except in very specific cases where you ask us to and give consent, or where we need to for security purposes, such as investigating a bug or abuse.
Outside of these cases, though, what about the issue at hand? What about third-party developers? Apps specifically built to analyze and read your emails are analyzing and reading your emails, and that shouldn’t be surprising. Apps like Boomerang, for instance, request access to your whole inbox to provide a horde of features that Google hasn’t yet built into Gmail itself.
So if companies have direct access to your email inbox, you clicked a big blue “ALLOW” button on a prompt that clearly states you’re giving the app, Boomerang for Gmail in this example, access to read, send, delete, and “manage” your email inbox. That’s pretty much everything. (To be clear, this is well-known; I’m not accusing Boomerang of doing anything malicious with your emails. They don’t.)
This applies to any developer that might be accessing and analyzing your emails for whatever purpose, or is otherwise encroaching on your privacy. If you give an app access to “Read, send, delete, and manage” your email, you should have essentially no expectation of privacy, right? And if you want to learn how to block all these developers to stay on the safe side, it’s relatively easy to do.
There are some aspects of the WSJ’s report that are valid criticism and concerns, though. Companies like Return Path Inc., for instance, reportedly collect data “for marketers by scanning the inboxes of more than two million people.” Again, Return Path’s apps would still be under the category of apps that you’ve explicitly given access to, but their tactics do indeed sound a bit shady.
Google’s policies prohibit a lot of things, from the vague “prohibited from engaging in any activity that may deceive users” to very specific requirements like not exposing collected data to outside parties (“without explicit opt-in consent from that user”), and not storing independent copies of user data. But WSJ’s investigation apparently reveals that Google doesn’t enforce these requirements closely enough.
One of the more controversial topics is that some of these companies are apparently allowing their employees to read unredacted emails. They “train their computers—and, in some cases, employees—to read their users’ emails,” the WSJ says. “At one point about two years ago, Return Path employees read about 8,000 unredacted emails to help train the company’s software…” Yikes.
It’s not clear whether or not these kinds of specific cases violated Google’s policies, but it wouldn’t be a stretch to say that most would think they should. And the bigger question, as mentioned, is how much Google is doing to police things. “I have not seen any evidence of human review,” the co-founder of an email app for real-estate agents told WSJ. So based on this report, it sounds like not much.
Google did defend itself this week, however, saying that they “make sure they [developers] continue to meet our policies”. They didn’t specify exactly how they do that, though:
In order to pass our review process, non-Google apps must meet two key requirements:
- Accurately represent themselves: Apps should not misrepresent their identity and must be clear about how they are using your data. Apps cannot pose as one thing and do another, and must have clear and prominent privacy disclosures.
- Only request relevant data: Apps should ask only for the data they need for their specific function—nothing more—and be clear about how they are using it.
We review non-Google applications to make sure they continue to meet our policies, and suspend them when we are aware they do not.
Amidst these concerns, another interesting point the WSJ makes is that Google actually brought third-party apps further to the forefront in its most recent redesign of Gmail, which adds a whole new section on the right side for these kinds of applets. It’s reasonable to assume that the top-tier apps that Google features as part of its G Suite Marketplace in the desktop client are a bit more vetted than others.
And finally, there’s of course the concern one might have about the collection of any data in general. Should these companies be able to access this data at all? Should they have access to the emails that you sent to a friend when they were the ones that “opened the door” to these third parties? Are there bigger vulnerabilities for a Cambridge Analytica-like exposure of data that compromises an election? These are all much bigger questions left to be answered (and I can’t cover them all here).
For now, Google makes it so that you’re very much in control of your own data, and the trade-off for end users is that they can tightly integrate useful apps like travel planners and price trackers into their Gmail inbox. Maybe Google needs to improve its vetting process, but for now you have control: you can trust or not trust any app. As for me, I choose to simply not trust any of them. (And honestly, I’ve never found many Gmail add-ons to be all that useful, so it’s a non-issue in my book.)
To summarize: Google itself generally has no access to your email inbox; the headlines that suggest third-party apps have copies of all the emails in your inbox are misleading; Google has guidelines and says it does its best to continually vet those that do use its API; some developers may be using its API incorrectly and some are clearly doing worrying things; and WSJ says Google needs to do a better job.
Here’s your takeaway: If you haven’t lately, you should probably use Google’s handy tool to deny access to third-party apps you’re not using, and reconsider if you trust the ones that you are. But that’s just good practice and it applies anywhere: on Google, Twitter, Facebook, and more.