Google has found itself mired in yet another privacy scandal after the company confirmed that users of Gmail may be having their emails read by third-party developers.
The revelations came in a report in the Wall Street Journal($) which described the practice as ‘tech’s dirty secret’.
Gmail’s ‘dirty secret’
Gmail is Google’s hugely popular and successful webmail service which is thought to have more than 1.4 billion users around the world.
One of Google’s most popular features is the ability to link your account to third-party apps. But this is where a very severe privacy issue has been identified. Because, when users connect their account to an app, it seems that many are unwittingly giving that service access to the content of their emails.
When you link to a third-party app, you will usually be required to grant that app certain permissions. Most people usually just click through this without actually reading what permissions they are granting. But one will often be permission to ‘read, send, delete and manage your email’.
While most wouldn’t even read this permission, those that do would most likely assume that their emails might be analysed by an algorithm. And in most cases, that is the case.
App developers reading your emails
But the Wall Street Journal has spoken to a number of app companies which confirm that they have reviewed the content of many emails in person, reading thousands of different emails and using the information gleaned to build new features on their service.
One such company, Edison Software, operates an app which allows users to manage their emails and accessed Gmail content to develop their ‘Smart Reply’ feature.
Others mentioned in the article include a marketing company called Return Path, which offers free email organization tool, and a software developer called eData Source Inc.
All admitted to the Wall Street Journal that they did not ask specific permission from users of their apps to read their emails, claiming that this was covered by their user agreements.
The revelations have horrified many Gmail users. Most webmail users assume that the contents of their email at least will remain private, while even fewer will have expected strangers to be able to physically access and read their emails.
Google’s disingenuous response
Google has responded to the article by posting a blog on their website from the company’s Director, Security, Trust, & Privacy, Google Cloud, Suzanne Frey.
In it, she stresses that companies that can access Gmail content all have to be thoroughly vetted by Google first. This may well be true but will still offer scant reassurance for privacy-conscious Gmail users.
She also insists that third-party apps can only access relevant data and even then, only if users have “explicitly granted permission to access email”.
She went on to highlight the process by which Gmail users grant permissions to third-party apps. However, she didn’t address the fact that the company knows many users will just click through this or that in most cases if you don’t grant permission access to the app will be refused.
While the points raised in the blog are all factually accurate, it essentially outlines the fact that Google insists the revelations made by the Wall Street Journal was already publicly available knowledge and are nothing to make a fuss about. It rebukes the headline of the article, but not its content.
It is therefore little wonder that there is a groundswell of anger amongst Gmail users online. For them, the most useful part of Suzanne Frey’s blog is in the opening paragraphs where she explains how users can amend and revoke the permissions they have already given.
As we reported earlier this week, Google has recently been accused of hiding away privacy options, but if you visit Google’s Security Checkup, you can make all the necessary changes quickly and easily.
Users should be aware that this may mean some apps or features on apps may stop working. But if privacy is a priority for you, then this is a small price to pay to prevent developers from reading your emails at their leisure.