New reports have Gmail users asking just how secure their data is—and drawing comparisons to other recent data scandals.
When users learned that Facebook had known about Cambridge Analytica’s inappropriate data use for months before reports were published, the public questioned what else the social media giant was keeping secret.
Data scraping by third-party companies has become a major concern for the tech industry, and now Google is answering for access it gave some email extensions to its popular service.
Google said a year ago it would stop its computers from scanning the inboxes of Gmail users for information to personalize advertisements, saying it wanted users to “remain confident that Google will keep privacy and security paramount.”
But the internet giant continues to let hundreds of outside software developers scan the inboxes of millions of Gmail users who signed up for email-based services offering shopping price comparisons, automated travel-itinerary planners or other tools. Google does little to police those developers, who train their computers—and, in some cases, employees—to read their users’ emails, a Wall Street Journal examination has found.
Google asserts it allows access only to companies to which users have granted permissions.
It wrote in a blog post:
Transparency and control have always been core data privacy principles, and we’re constantly working to ensure these principles are reflected in our products.
Before a non-Google app is able to access your data, we show a permissions screen that clearly shows the types of data the app can access and how it can use that data.
We strongly encourage you to review the permissions screen before granting access to any non-Google application.
However, that assertion contradicts WSJ reporting, which says some emails were read, ostensibly to train artificial intelligence, without user consent.
The Journal continued:
Neither Return Path nor Edison [two third-party extension companies] asked users specifically whether it could read their emails. Both companies say the practice is covered by their user agreements, and that they used strict protocols for the employees who read emails. eDataSource says it previously allowed employees to read some email data but recently ended that practice to better protect user privacy.
Google, a unit of Alphabet Inc., says it provides data only to outside developers it has vetted and to whom users have explicitly granted permission to access email. Google’s own employees read emails only “in very specific cases where you ask us to and give consent, or where we need to for security purposes, such as investigating a bug or abuse,” the company said in a written statement.
Google says it vets all potential business partners, which might restore consumer confidence in the short term—assuming nothing more nefarious, such as a Cambridge Analytica, is lurking under the surface.
Google detailed its safety measures:
In order to pass our review process, non-Google apps must meet two key requirements:
- Accurately represent themselves: Apps should not misrepresent their identity and must be clear about how they are using your data. Apps cannot pose as one thing and do another, and must have clear and prominent privacy disclosures.
- Only request relevant data: Apps should ask only for the data they need for their specific function—nothing more—and be clear about how they are using it.
We review non-Google applications to make sure they continue to meet our policies, and suspend them when we are aware they do not.
For some, Google’s explanations fall short.
What Frey does say is that Google developers who request access to your Gmail messages must undergo a heavy vetting process. […]
Sawers also saw comparisons to Facebook’s Cambridge Analytica scandal, writing, “It’s just impossible to know for sure how Gmail users’ data is actually being used.”
Others say the Facebook issue was more egregious.
Facebook did more to implicate itself, failing to ban Cambridge as an advertiser even after it became clear they had violated platform rules. But the broader similarities are hard to ignore: A scammy plugin duped users and ended up making problems for the entire platform. You can try to blame the app-maker or the users who installed it, but in the end, it’s the platform that’s responsible.
On Twitter, some users cried foul:
This is thoroughly in violation of what Gmail promised. https://t.co/3G0g0bOgA8
— Emin Gün Sirer (@el33th4xor) July 5, 2018
Others said it’s a straightforward issue:
I’ve had multiple media requests for comments on this which surprises me because it seems so obvious: if you grant an app permission to read your mail, it can, uh, read your mail. That also means it may show parts of it to other humans – code can do that! https://t.co/krQ2JQiuwj
— Troy Hunt (@troyhunt) July 4, 2018
Still others contend that the unreadable nature of consent and permissions documents hinders users’ ability to knowingly agree to data collection and use.
Gmail messages ‘read by human third parties’? This is a complete disgrace. No consumer has given informed consent for this. “Explicitly given permission” my arse. Long unreadable terms and conditions make a mockery out of that. #privacy #surveillance. https://t.co/AdrYIQRuiZ
— Liam Pomfret (@LiamPomfret) July 4, 2018
Google explained how it uses such data.
We do not process email content to serve ads, and we are not compensated by developers for API access. Gmail’s primary business model is to sell our paid email service to organizations as a part of G Suite. We do show ads in consumer Gmail, but those ads are not based on the content of your emails. You can adjust your ads settings at any time.
The practice of automatic processing has caused some to speculate mistakenly that Google “reads” your emails. To be absolutely clear: no one at Google reads your Gmail, except in very specific cases where you ask us to and give consent, or where we need to for security purposes, such as investigating a bug or abuse.
Has the company done enough to reassure consumers? What other steps would you advise?