app developers can read the emails of millions of Gmail users, a
Wall Street Journal highlighted
today. Gmail’s access settings allow data companies and app
developers to see people’s emails and view private details,
including recipient addresses, time stamps, and entire messages. And
while those apps do need to receive user consent, the consent form
isn’t exactly clear that it would allow humans — and not just
computers — to read your emails.
Verge that it only gives data to vetted
third-party developers and with users’ explicit consent. The vetting
process involves checking whether a
company’s identity is correctly represented by its app, its privacy
policy states that it will monitor emails, and the data that the
company is requesting makes sense for what the company does. An
email app, for instance, should get access to Gmail. Some developers
have applied for access to Gmail but have not been granted
permission, although the company won’t say how many.
employees may also read emails but only in “very specific cases
where you ask us to and give consent, or where we need to for
security purposes, such as investigating a bug or abuse,” the
company stated to the WSJ.
it’s clear that there are a lot of apps with this access, from
Salesforce and Microsoft Office to lesser known email apps. If
you’ve ever seen a request like the one below when entering your
Gmail account into an app, it’s possible you’ve given the app
permission to read your emails. And as WSJ reports,
other email services besides Gmail provide third-party apps similar
access, so it isn’t just Google that may have these issues.
of those “trusted” companies include email managing firms Return
Path and Edison Software, which have had opportunities in the past
to access thousands of email accounts. The WSJ talked
to both companies, which said they had human engineers view hundreds
to thousands of email messages in order to train machine algorithms
to handle the data. Both Return
Path and Edison Software’s privacy policies mention that the
companies will monitor emails. Still, they don’t mention that human
engineers and not only machines have access.
situation is reminiscent of the conditions that led to Facebook’s
Cambridge Analytica data sharing fiasco: something that was common
practice for years — letting third-party apps access Facebook data —
was eventually abused and fell under government and public scrutiny
once it became well known.
there’s no evidence that third-party Gmail add-on developers have
misused data, just being able to view and read private emails seems
like crossing a privacy boundary. And it’s not clear how secure this
system really is; last
year, Google users fell victim to a phishing
attack that disguised itself as a permissions request from Google
Docs to gain access to user contacts using the same authorization
system. While Google says it’s made a
bunch of improvements since then, the attack
highlighted the vulnerabilities of Google’s permissions system.
reached out to Return Path, Edison Software, and other popular
third-party apps for more information. If you want to see what apps
have permissions to your Gmail account and revoke those that you no
longer use or look suspicious, click