App Developers Could Be Reading Your Gmail

John Lister's picture

Google has confirmed that third parties may be able to read your Google email (Gmail) messages. The resulting controversy comes from a lack of clarity over its permission settings.

The issue isn't about Google itself reading email messages. Previously, Google servers would scan email messages for keywords, then use targeted advertisements based on those keyboards whenever users logged into Gmail to read their emails. However, Google has dropped this policy last year and instead bases its ads on other information, such as Google web searches and YouTube viewing.

The latest controversy relates to human operators at third-party companies accessing the emails. In this case, it deals with app permissions typically used on Android smartphones and tablets, and even Chromebooks. With the app setting permissions, users can give access to app developers so they can use a range of tools; these can include travel planners that automatically retrieve details from flight confirmation and hotel booking emails. They also include shopping price comparison services.

Permissions Could Be Misunderstood

When linking Gmail account to such tools, users have to grant permissions such as "Read, send, delete and manage your email." No doubt many people click these without reading the details, but it was widely assumed that this referred to entirely automated access with computers checking through emails remotely rather than human looking through messages. (Source: bbc.co.uk)

A Wall Street Journal investigation found that in some cases third-party app staff were manually reading messages, with the companies concerned saying it was done to improve software features and algorithms. They said such behavior was covered by the user's permissions, something Google has now confirmed.

Google Stresses Review Process

After the news broke, Google stressed that companies cannot link to Gmail accounts unless they've passed a review process. These include proving that the app accurately represents which organization is accessing the data and how it will use it, and that it only requests data that is relevant and necessary for the stated purpose. It hasn't commented on whether the companies in question have breached these rules. (Source: blog.google)

If you're worried about third-parties reading your Gmail, you can check your account at Google's Security Checkup page. Here you will find a section detailing "Third-party access". Clicking on this will list which apps can access your account and what level of access they have. You will also be able to click to remove this access.

What's Your Opinion?

Did you realize third party access to an account extended to humans rather than automated processes? Should Google make this clearer? Should there be separate permissions for automated and human access?

Rate this article: 
Average: 4.6 (5 votes)

Comments

Boots66's picture

It is allowed, I am attaching a link to another newsletter I get.
If you scroll to the bottom of their article which is similar in nature,
they have a link that will check if you have unintended apps that can access your GMail - Yes I found I had one that I had gone into briefly but do not remember at all giving them access - It was rebuked immediately:

https://www.howtogeek.com/fyi/reminder-third-party-gmail-apps-have-full-access-to-your-email/

Rusty's picture

My impression is that Google has never been especially committed to user privacy. Thanks to the EU, they appear to have tightened some of that, but only after being pretty much forced. If I can’t trust Google very much in general, I certainly don’t trust them to use integrity when interfacing their services to third party apps. Therefore, my default setting for app permissions tied to my Google account is NO. I don’t use Android In good part because I just don’t care for it. It sounds like what was uncovered was questionable practices within the Android OS. My instincts tell me that my privacy and security are much better protected by Apple than by Google, but I know Apple isn’t completely innocent. This all said, it would be wise to try to understand the parameters of specific app permissions before granting them. I personally tend to forego quite a lot of conveniences in the effort to protect my privacy and security. I believe this is a prudent approach.

swreynolds's picture

I've know for a long time that gmail reads my sent mail. So far it has been helpful. For example, I clicked send on an email and I got a response that I had said there was an attachment and I hadn't included it. Well, I included the attachment and resent the email. Thank you gmail.

JimBo's picture

I don't get it. Why do "free" services even elude to any thought of security? You get exactly what you pay for. Pay zero bucks get zero security, that's the deal take it or leave it. About the only tangible data consideration, other than your usage expectation, is that the service provider needs to control the flow of your data / information into revenue generating 3rd party venues and not simply allow it to be freely available in the wild. That's not much of a concession.

So, how much should totally secure, fully encrypted email cost us? $5 a month or maybe $10 a month? Would it even be possible for this to be smoothly integrated? I think we may have already flown by the point of having secure integration into our various mail clients. It's just not possible or even allowable, too much free info to be harvested is at stake.

The concept of information extraction in return for free service usage can, in theory, be sent to the dust bin of history but will take a bit of work. "Free" real or virtual users generate the data collected and are thus ultimately responsible for content validity. As with radio communications, accuracy of information is all about signal to noise ratio. If gentle hacks were designed to significantly dilute the accuracy of information gathered by free services via added "noise", they would then only be able to offer an information product of indeterminate credibility for sale. Hardly a good product to market to anyone. We may have to wait for slightly more advanced AI so the "hacks" cannot easily be detected but, that's-a-coming.

Rusty's picture

I’d gladly pay $5, $10 and possibly even more a month for a fully encrypted email service that is reliable and practical to use day to day. So far, I have come up with nothing. I am hopeful for the future.