Google in hot water over third party developers access to read emails

[chiller15]

Google has been forced to respond to claims regarding Gmail third party developers having access to read the emails of users.

 

Quote

Third-party app developers can read the emails of millions of Gmail users, a report from The Wall Street Journal highlighted today. Gmail’s access settings allows data companies and app developers to see people’s emails and view private details, including recipient addresses, time stamps, and entire messages. And while those apps do need to receive user consent, the consent form isn’t exactly clear that it would allow humans — and not just computers — to read your emails.

The Verge

 

Quote

Some of those “trusted” companies include email managing firms Return Path and Edison Software, which have had opportunities in the past to access thousands of email accounts. The

WSJ talked to both companies, which said they had human engineers view hundreds to thousands of email messages in order to train machine algorithms to handle the data. Both Return Path’s and Edison Software’s privacy policies mention that the companies will monitor emails. Still, they don’t mention that human engineers and not only machines have access.

The Verge

 

Quote

“A vibrant ecosystem of non-Google apps gives you choice and helps you get the most out of your email,”

reads the company’s blog post, written by Suzanne Frey, the director of the company’s Security, Trust, & Privacy division of Google Cloud. “However, before a published, non-Google app can access your Gmail messages, it goes through a multi-step review process that includes automated and manual review of the developer, assessment of the app’s privacy policy and homepage to ensure it is a legitimate app, and in-app testing to ensure the app works as it says it does.”

Frey offers a few tips to ensuring your data is in the hands of trusted sources. Those include reviewing the permissions screen before giving access to a non-Google app and using the company’s Security Checkup tool to check what devices have logged into your account, which third-party apps have access to your Gmail, and what permissions those apps have. She also says Google’s review process is designed to ensure companies and individuals do not misrepresent themselves and only request data relevant to the function they’re providing.

The Verge

 

Sources:

Original article from The Wall Street Journal: https://www.wsj.com/articles/techs-dirty-secret-the-app-developers-sifting-through-your-gmail-1530544442

The Verge Article - pre-Google blog: https://www.theverge.com/2018/7/2/17527972/gmail-app-developers-full-email-access

Google's blog: https://www.blog.google/technology/safety-security/ensuring-your-security-and-privacy-within-gmail/

The Verge Article - post-Google blog: https://www.theverge.com/2018/7/3/17533108/google-gmail-privacy-read-email-messages-response

 

It looks like the fallout from Cambridge Analytica have hit Google has they are forced to clarify their position on data handling and access. When you install an app on your device, it will often ask for various permissions for it to work. These can include access to your email, read messages, access to location, etc. However it can include managing emails, managing messages, etc. It appears that this is where this issue has stemmed from, apps that allow it to manage a users mailbox, granting the developers (and possibly employees) permission to read all your emails. Despite the prompt to allow permissions when an app installs, it appears that users aren't taking into account exactly what this means. This isn't going to be the last time that a company like Google, one that holds user's personal/sensitive data, is highlighted in this way, but now there will be more scrutiny than ever.

 

This is something that I've come to expect, especially after using Gmail for so many years, so it hasn't surprised me at all. However I can see how it might frustrate/anger others. I think a lot of people knew that Google scanned their emails for advertising targeting (despite that was stopped last year), but I don't think they expected non-Google companies to also have practically unfiltered access to their emails.

 

Whilst Google claims they have good procedures in place to prevent unauthorised access or mistreatment, it would only take one rogue developer to slip through the net to cause some significant damage to Google.

[ZeouLs]

For german readers a good source: https://derstandard.at/2000082709252/Datenskandal-bei-Google-Aufregung-um-Apps-die-Mails-der-Nutzer

 

@chiller15 your first 2 quotes are broken

[chiller15]

3 minutes ago, ZeouLs said:

For german readers a good source: https://derstandard.at/2000082709252/Datenskandal-bei-Google-Aufregung-um-Apps-die-Mails-der-Nutzer

 

@chiller15 your first 2 quotes are broken

Cheers, fixed. Appears that I can't edit the post or reply to the topic on Firefox for some reason.

[Christophe Corazza]

“To Be Absolutely Clear: No One at Google Reads Your Gmail”

 

Yea... this one is as believable as Facebook standing for privacy rights.

[mr moose]

Wouldn't it be easy for all email clients to read emails? 

[chiller15]

2 minutes ago, mr moose said:

Wouldn't it be easy for all email clients to read emails? 

Yes, however this appears to be giving the employees of the developer access to read the emails.

[Master Disaster]

13 minutes ago, Christophe Corazza said:

“To Be Absolutely Clear: No One at Google Reads Your Gmail”

 

Yea... this one is as believable as Facebook standing for privacy rights.

So I barely watch any TV these days but last night England played so I had the box on for a few hours.

 

During one of the commercial breaks the following advertisement came on...

 

Now it seems like this is a few months old at this point but I've never seen it before and it had me almost crying with laughter, acting like they care about user privacy, spam or fake news at all lol, who do they think they're kidding?

 

On topic I'm not at all surprised by this one bit, training AI seems to be a perfect excuse for any time a human breaches privacy. "It's OK Sir or Madame, our employee was only reading your personal emails so we can train out bots to read your personal emails" like A that makes it OK and B I want bots reading my emails any more than I want humans reading them.

 

I used to think the Information age meant the age of enlightenment where information was freely available to anyone, now I'm older I realise it actually means he who has the most information has the most power.

[Tenelia]

Wasn't this an issue already several years ago? Or is this a new issue surfacing? Can someone correct me on the timeline here?

[Amazonsucks]

Protonmail for more encryption, security and privacy, Guerrillamail for disposability, VPN for account creation and privacy, Signal for actually secure messaging.

 

Google is an evil hypocritical company like Facebook. Users are their product.

[Bananasplit_00]

So is this just if you use a third party Gmail client? Or are your emails handed out either way? 

[chiller15]

1 hour ago, Bananasplit_00 said:

So is this just if you use a third party Gmail client? Or are your emails handed out either way? 

It's when you install an app on your device and it asks for permission to access, read or manage your emails. I've edited the original post to reflect this, apologies that it wasn't clear earlier.

[ItsMitch]

Google already read your emails anyway, dunno why people are so shocked. 

[chiller15]

8 minutes ago, SC2Mitch said:

Google already read your emails anyway, dunno why people are so shocked. 

Google, yes. But this is third party developers.

[ItsMitch]

6 minutes ago, chiller15 said:

Google, yes. But this is third party developers.

yeah i just dunno why people are shocked by it, fairly sure it's clearly stated in the terms of service 

[Bananasplit_00]

27 minutes ago, chiller15 said:

It's when you install an app on your device and it asks for permission to access, read or manage your emails. I've edited the original post to reflect this, apologies that it wasn't clear earlier.

Literally never give apps that permission unless it's core to their function so that's fine I guess. I don't like it but it's kinda whatever as I don't really use my Gmail accounts for anything sensitive

[John Ellmaker]

I had one of the first protonmail accounts, but realized I never sent anything sensitive enough to warrant it.  Love the fact it exists but not useful to me, I suppose if I were a journalist in an oppressive country I’d think differently.

 

Exchange online by Microsoft has azure for end to end encryption and I seem to only ever use that for demonstration to clients who want it.  There’s not a more reliable email service out there imo, and I’ve heard the pitches for all.

[Arika]

This is why if the permissions dont make sense for the type of app I'm downloading, I don't install it

[RuffRuffmcgruff]

6 hours ago, Master Disaster said:

-snip-

I saw exactly the same advert, made me laugh out loud. The absolute snakes, it's insulting to see how dumb they think people are. But then again it's scary to realise that they're completely right to assume they are at the same time!

[Sniperfox47]

Wait... so the issue here is that apps in your email client, that are to help you with your emails, that you agreed to let read your emails on a clear permission screen, can in fact read your emails like for realsies?

 

I think I've lost what little faith I still had in humanity.

 

 

I mean I don't know how you can be any less ambiguous than that it can "View your email messages when the add-on is running"

[Ariolander]

Does this kind of permissions shenanigans also affect G-Suite's Paid Email?

 

Do you think Exchange Online / Office 365 Business Essentials would be a better option? I use Outlook for work email both on my desktop and my phone. Do you think using Microsoft's paid email service would be good for personal use as well?

[TacoSenpai]

I made the switch to protonmail months ago and I'm glad I did on so many levels.