Third-party app developers can read the emails of millions of Gmail users, a report from The Wall Street Journal highlighted today. Gmail’s access settings allow data companies and app developers to see people’s emails and view private details, including recipient addresses, time stamps, and entire messages. And while those apps do need to receive user consent, the consent form isn’t exactly clear that it would allow humans — and not just computers — to read your emails.
Google employees may also read emails but only in “very specific cases where you ask us to and give consent, or where we need to for security purposes, such as investigating a bug or abuse,” the company stated to the WSJ.
Still, it’s clear that there are a lot of apps with this access, from Salesforce and Microsoft Office to lesser-known email apps. If you’ve ever seen a request like the one below when entering your Gmail account into an app, it’s possible you’ve given the app permission to read your emails. And as WSJ reports, other email services besides Gmail provide third-party apps similar access, so it isn’t just Google that may have these issues.
Some of those “trusted” companies include email managing firms Return Path and Edison Software, which have had opportunities in the past to access thousands of email accounts. The WSJ talked to both companies, which said they had human engineers view hundreds to thousands of email messages in order to train machine algorithms to handle the data. Both Return Path’s and Edison Software’s privacy policies mention that the companies will monitor emails. Still, they don’t mention that human engineers and not only machines have access.
Edison Software responded in a statement to The Verge, “We have since stopped this practice and expunged all such data in order to stay consistent with our company’s commitment to achieving the highest standards possible for ensuring privacy.”
The situation is reminiscent of the conditions that led to Facebook’s Cambridge Analytica data sharing fiasco: something that was common practice for years — letting third-party apps access Facebook data — was eventually abused and fell under government and public scrutiny once it became well known.
While there’s no evidence that third-party Gmail add-on developers have misused data, just being able to view and read private emails seems like crossing a privacy boundary. And it’s not clear how secure this system really is; last year, Google users fell victim to a phishing attack that disguised itself as a permissions request from Google Docs to gain access to user contacts using the same authorization system. While Google says it’s made a bunch of improvements since then, the attack highlighted the vulnerabilities of Google’s permissions system.
We’ve reached out to Return Path and other popular third-party apps for more information. If you want to see what apps have permissions to your Gmail account and revoke those that you no longer use or that look suspicious, click here.
Update July 3rd, 11:50 AM ET: This article has been updated with a statement from Edison Software.