Data-use questions resurge, this time with Google in the vortex

A Wall Street Journal article reveals third-party email extensions may have access to your Gmail account. The search giant responds—citing users’ permission—but skepticism persists.

The details in those Terms of Use consent agreements hold just so much sway with consumers.

New reports have Gmail users asking just how secure their data is—and drawing comparisons to other recent data scandals.

When users learned that Facebook had known about Cambridge Analytica’s inappropriate data use for months before reports were published, the public questioned what else the social media giant was keeping secret.

Data scraping by third-party companies has become a major concern for the tech industry, and now Google is answering for access it gave some email extensions to its popular service.

The Wall Street Journal wrote:

Google said a year ago it would stop its computers from scanning the inboxes of Gmail users for information to personalize advertisements, saying it wanted users to “remain confident that Google will keep privacy and security paramount.”

But the internet giant continues to let hundreds of outside software developers scan the inboxes of millions of Gmail users who signed up for email-based services offering shopping price comparisons, automated travel-itinerary planners or other tools. Google does little to police those developers, who train their computers—and, in some cases, employees—to read their users’ emails, a Wall Street Journal examination has found.

Google asserts it allows access only to companies to which users have granted permissions.

It wrote in a blog post:

Transparency and control have always been core data privacy principles, and we’re constantly working to ensure these principles are reflected in our products.

Before a non-Google app is able to access your data, we show a permissions screen that clearly shows the types of data the app can access and how it can use that data.

We strongly encourage you to review the permissions screen before granting access to any non-Google application.

However, that assertion contradicts WSJ reporting, which says some emails were read, ostensibly to train artificial intelligence, without user consent.

The Journal continued:

Neither Return Path nor Edison [two third-party extension companies] asked users specifically whether it could read their emails. Both companies say the practice is covered by their user agreements, and that they used strict protocols for the employees who read emails. eDataSource says it previously allowed employees to read some email data but recently ended that practice to better protect user privacy.

Google, a unit of Alphabet Inc., GOOGL 2.24% says it provides data only to outside developers it has vetted and to whom users have explicitly granted permission to access email. Google’s own employees read emails only “in very specific cases where you ask us to and give consent, or where we need to for security purposes, such as investigating a bug or abuse,” the company said in a written statement.

Google says it vets all potential business partners, which might restore consumer confidence in the short term—assuming nothing more nefarious, such as a Cambridge Analytica, is lurking under the surface.

Google detailed its safety measures:

In order to pass our review process, non-Google apps must meet two key requirements:

  • Accurately represent themselves: Apps should not misrepresent their identity and must be clear about how they are using your data. Apps cannot pose as one thing and do another, and must have clear and prominent privacy disclosures.
  • Only request relevant data: Apps should ask only for the data they need for their specific function—nothing more—and be clear about how they are using it.

We review non-Google applications to make sure they continue to meet our policies, and suspend them when we are aware they do not.

For some, Google’s explanations fall short.

Paul Sawers with Venture Beat mused:

What Frey does say is that Google developers who request access to your Gmail messages must undergo a heavy vetting process. […]

Frey doesn’t claim, however, that third-party developers are explicitly forbidden to read your emails. And once API access is granted, it would be difficult for Google to police such a policy anyway. A quick peek at Google’s developer policy guidelines doesn’t turn up any statement regarding developers’ right to read users’ emails, though presumably such activity should be expressly divulged in the developer’s own privacy policy (which every Gmail user will obviously read … right?).

Sawers also saw comparisons to Facebook’s Cambridge Analytica scandal, writing, “It’s just impossible to know for sure how Gmail users’ data is actually being used.”

Others say the Facebook issue was more egregious.

The Verge reported:

Facebook did more to implicate itself, failing to ban Cambridge as an advertiser even after it became clear they had violated platform rules. But the broader similarities are hard to ignore: A scammy plugin duped users and ended up making problems for the entire platform. You can try to blame the app-maker or the users who installed it, but in the end, it’s the platform that’s responsible.

On Twitter, some users cried foul:

Others said it’s a straightforward issue:

Still others contend that the unreadable nature of consent and permissions documents hinders the ability for users to knowingly agree to data collection and use.

Google explained how it uses such data.

It concluded:

We do not process email content to serve ads, and we are not compensated by developers for API access. Gmail’s primary business model is to sell our paid email service to organizations as a part of G Suite. We do show ads in consumer Gmail, but those ads are not based on the content of your emails. You can adjust your ads settings at any time.

The practice of automatic processing has caused some to speculate mistakenly that Google “reads” your emails. To be absolutely clear: no one at Google reads your Gmail, except in very specific cases where you ask us to and give consent, or where we need to for security purposes, such as investigating a bug or abuse.

Has the company done enough to reassure consumers? What other steps would you advise?

(Image via)


PR Daily News Feed

Sign up to receive the latest articles from PR Daily directly in your inbox.