Google Admits Third-Party App Developers Read Through Your Gmail

Google Admits Third-Party App Developers Read Through Your Gmail

“We’ve always tried to accurately define what it meant to be a good force, always doing what’s right, what’s ethical. In the end, [our company motto] ‘Don’t Be Evil’ seemed to be the easiest way to sum it up.”  — Larry Page, former Google CEO

It was May 2018 when Google, the most powerful information gatekeeper in the world, made their intentions clear when their tongue-in-cheek motto, “Don’t Be Evil,” was removed from the company’s corporate code of conduct. Both the left and the right saw this as symbolism for the worrying direction of big tech, citing Google’s involvement in U.S. drone programs, potential search engine manipulation, their links to corporate media and the endless scandals surrounding cyber-insecurity in Silicon Valley. Now, according to a report from The Wall Street Journal, email surveillance over customers can officially be added to the list of offenses.

In a recently published article titled “Tech’s ‘Dirty Secret’: The App Developers Sifting Through Your Gmail,” journalist Douglas MacMillan highlights the methods Google has used to allow third-party app developers, not just computers or artificial intelligence, to read the emails of millions of Gmail users. This intercepted data includes recipient addresses, timestamps, and entire message threads, all used for ad optimization — despite the company’s 2017 pledge to discontinue this practice.

“Consumer Gmail content will not be used or scanned for any ads personalization,” wrote Diane Greene, Google Cloud senior vice president, in her announcement blog post. “G Suite customers and free consumer Gmail users can remain confident that Google will keep privacy and security paramount as we continue to innovate."

This of course, was a lie.

Google, forced to save face and respond to the WSJ, issued a public statement to The Verge, stating they “only give data to ‘vetted’ third-party developers”, citing a vetting process which requires developers to verify their identity and hold privacy policies Google finds adequate, going on to say they have “users’ explicit consent”. This is news to Gmail customers given the way they obtain this consent is unclear.

It’s usually through a “permissions screen" similar to this:

Gmail Permissions Screen

Google states the company’s name, a link to their privacy policies, a few pointers on how they’ll manage the account, without information on what users’ data will be used for and how to withdraw consent upon clicking the ‘allow’ button.

Google users should go to the site’s security checkup section, click on the third-party access menu and click “remove access” with the press of a button. Simple.

What’s not so simple, however, is whether third-party developers use the data the ways they claim. The WSJ cited the privacy policies of two firms, Return Path and Edison Software, who allege they’ve allowed their engineers to read thousands of emails, without user consent, while their policies only state computers and artificial intelligence would have access to this sensitive information for data management.

The WSJ writes:

“One of those companies is Return Path Inc., which collects data for marketers by scanning the inboxes of more than two million people who have signed up for one of the free apps in Return Path’s partner network using a Gmail, Microsoft Corp. or Yahoo email address. Computers normally do the scanning, analyzing about 100 million emails a day. At one point about two years ago, Return Path employees read about 8,000 unredacted emails to help train the company’s software, people familiar with the episode say.”

They continue:

“In another case, employees of Edison Software, another Gmail developer that makes a mobile app for reading and organizing email, personally reviewed the emails of hundreds of users to build a new feature, says Mikael Berner, the company’s CEO.”

Edison Software responded to the article with a statement to The Verge saying: “We have since stopped this practice and expunged all such data in order to stay consistent with our company’s commitment to achieving the highest standards possible for ensuring privacy.”

Neither firm has faced legal action for breaching contract.

Suzanne Frey, director of security, trust, and privacy at Google Cloud, was among the first to respond from the company stating in her blog:

“To be absolutely clear: no-one at Google reads your Gmail.”

While the situation may seem reminiscent of Facebook’s Cambridge Analytica data scandal, where a Trump campaign-linked advertising firm used a personality quiz to collect the data of more than 87 million users without their consent or knowledge, these concerns have more to do with whether Google has the infrastructure, in morality and practice, to properly vet third-party developers before trusting them to use customer data.

The Verge cites the 2017 Google phishing scam, an organized cyberattack which “disguised itself as a permissions request from Google Docs to gain access to user contacts using the same authorization system.”

Given Google’s record of fighting the California Consumer Privacy Act (CCPA) and the European Union’s GDPR provisions, requiring true explicit consent from users regarding data management, it’s time for them to decide: Are they the benevolent techno-libertarians we can trust to protect us, known for their impeccable commitment to reigning in hostile actors, or do their continued mistakes, time and time again, prove they need reigning in themselves?