‘Human Third Parties’ May Be Reading Your Gmail Messages

Well, it didn’t take long after Facebook’s data scandal for Google to get some data privacy flack. This privacy issue affects 1.4 billion users, many who use Gmail for daily email activities. Similar to the Facebook scandal, this involves the permissions that the product’s company gave to third-party app developers.

The Power in Permissions

Google says the practice of humans reading others’ emails that they acquired through the Gmail API is not against its policies. But as the world’s most popular email client, you’d think Google would take immediate steps to rectify the situation. When you link a third-party app to Gmail (for example, MailChimp or a price-tracking service), you’re asked to grant the app several permissions. One of those permissions is the ability to “read, send, delete and manage your email.”

But when a lone developer gets access to the emails, it’s just him or her reading through the emails. When it’s a company, any employee could access the emails, which is a huge privacy violation. Does this speak more to third-party company structure or to Google’s lack of privacy enforcement?

The Devil’s in the Details

Often, these companies use the emails to train an algorithm, and the emails are never seen by human eyes. But sometimes, developers need to read a few emails to get a gist of what needs to be programmed. And unfortunately, sometimes, developers and/or their employees abuse this.

Google says that only companies that were vetted could see messages if Gmail users had “explicitly granted permission to access email”. Its developer policy reads, in part, “There should be no surprises for Google users: hidden features, services, or actions that are inconsistent with the marketed purpose of your application may lead Google to suspend your ability to access Google API Services.”

Companies who have user permission to read emails, like Edison Software and eDataSource Inc, say they don’t ask users for their permission because it’s covered by their user agreements. But University of Surrey Professor Alan Woodward disagrees with this notion. He says, “You can spend weeks of your life reading terms and conditions. It might well be mentioned in there, but it’s not what you would think of as reasonable, for a human being in a third-party company to be able to read your emails.”

So, Who’s Reading What?

Google answered several questions in their blog post, written by Suzanne Frey, who directs Google Cloud’s Security, Trust, & Privacy department. “A vibrant ecosystem of non-Google apps gives you choice and helps you get the most out of your email. However, before a published, non-Google app can access your Gmail messages, it goes through a multi-step review process that includes automated and manual review of the developer, assessment of the app’s privacy policy and homepage to ensure it is a legitimate app, and in-app testing to ensure the app works as it says it does,” she says.

She further details, “The practice of automatic processing has caused some to speculate mistakenly that Google ‘reads’ your emails. To be absolutely clear: no one at Google reads your Gmail, except in very specific cases where you ask us to and give consent, or where we need to for security purposes, such as investigating a bug or abuse.”

Unfortunately, the issue of contention doesn’t revolve around Google reading our emails; we already know it yields the greatest power over our Gmail inboxes. The issue arises from non-Google employees peeking through our digital inbox. The tech giant, located just outside of San Francisco, directed users to their Gmail Security Check-up page to review what external apps have which permissions.

When Will This End?

After Facebook’s massive controversy that landed CEO Mark Zuckerberg in Washington, DC for an in-person interrogation, Google, Apple, Amazon, Microsoft, and the rest of the tech giants have a lot of work to do to ensure all users are giving their explicit permission to have data shared outside of just the developer writing the code.

Once these types of scandals embroil companies, the company has to work harder to regain users’ trust, rather than working to protect the faith and trust users already bestow upon them. Until data privacy laws are more explicit than vague, establishing and maintaining trust will always be easier said than done.