Third-party app developers can read the emails of millions of Gmail users, a report from The Wall Street Journal highlighted today. Gmail’s access settings allow data companies and app developers to see people’s emails and view private details, including recipient addresses, time stamps, and entire messages. And while those apps do need to receive user consent, the consent form isn’t exactly clear that it would allow humans — and not just computers — to read your emails.
Google told The Verge that it only gives data to vetted third-party developers and with users’ explicit consent. The vetting process involves checking whether a company’s identity is correctly represented by its app, its privacy policy states that it will monitor emails, and the data that the company is requesting makes sense for what the company does. An email app, for instance, should get access to Gmail. Some developers have applied for access to Gmail but have not been granted permission, although the company won’t say how many.
Google employees may also read emails but only in “very specific cases where you ask us to and give consent, or where we need to for security purposes, such as investigating a bug or abuse,” the company stated to the WSJ.
Still, it’s clear that there are a lot of apps with this access, from Salesforce and Microsoft Office to lesser known email apps. If you’ve ever seen a request like the one below when entering your Gmail account into an app, it’s possible you’ve given the app permission to read your emails. And as WSJ reports, other email services besides Gmail provide third-party apps similar access, so it isn’t just Google that may have these issues.
Some of those “trusted” companies include email managing firms Return Path and Edison Software, which have had opportunities in the past to access thousands of email accounts. The WSJ talked to both companies, which said they had human engineers view hundreds to thousands of email messages in order to train machine algorithms to handle the data. Both Return Path’s and Edison Software’s privacy policies mention that the companies will monitor emails. Still, they don’t mention that human engineers and not only machines have access.
Edison Software responded in a statement to The Verge, “We have since stopped this practice and expunged all such data in order to stay consistent with our company’s commitment to achieving the highest standards possible for ensuring privacy.”
The situation is reminiscent of the conditions that led to Facebook’s Cambridge Analytica data sharing fiasco: something that was common practice for years — letting third-party apps access Facebook data — was eventually abused and fell under government and public scrutiny once it became well known.
While there’s no evidence that third-party Gmail add-on developers have misused data, just being able to view and read private emails seems like crossing a privacy boundary. And it’s not clear how secure this system really is; last year, Google users fell victim to a phishing attack that disguised itself as a permissions request from Google Docs to gain access to user contacts using the same authorization system. While Google says it’s made a bunch of improvements since then, the attack highlighted the vulnerabilities of Google’s permissions system.
We’ve reached out to Return Path and other popular third-party apps for more information. If you want to see what apps have permissions to your Gmail account and revoke those that you no longer use or that look suspicious, click here.
Update July 3rd, 11:50 AM ET: This article has been updated with a statement from Edison Software.
Comments
Doubt they are reading my emails.
By Arc Logic on 07.02.18 7:07pm
Of course they aren’t. rofl
By tfk1 on 07.02.18 7:17pm
That’s why I don’t use a third-party app for Gmail. I only use the Gmail app for Android, iPad and even on my MacBook.
By apsted on 07.02.18 8:21pm
Couldn’t they read (some of) your emails anyway if the person you’re exchanging emails with happens to be using a 3rd party app?
By stavangr on 07.03.18 4:22am
yes – based on what this article is saying
By on2a on 07.03.18 5:43am
That applies to any email service. Once you’ve sent a message then you are trusting the other party to keep it secure.
By dissss on 07.04.18 11:48pm
Ummm, well, that doesn’t stop Google from reading your emails, you know.
By number1024 on 07.03.18 10:31am
Ok – I’m done with giving my data to Google. Where do I take my email etc. that has comparably good service?
Dropbox for my files, iCloud for my photos, but where do I put my email, contacts & calendar? MSFT is out of the question.
By Meaculpa on 07.02.18 7:14pm
It’s probably unacceptable to most but I just use my iCloud email. Email isn’t very important to me, and I got an account when signing up for an Apple ID, so I just use that.
By JediTed on 07.02.18 7:47pm
iCloud calendar doesn’t sync well on Android devices.
By Meaculpa on 07.05.18 3:13am
Instantly disregard the biggest email provider.
Okay.
By Danipo on 07.02.18 7:48pm
Why do you think it was instant?
By donotbugme on 07.02.18 9:24pm
If you don’t mind paying a few dollars for peace of mind then fastmail.com. For something free and secure protonmail.
Bottom line – if it’s free then you’re the product. If you don’t want the product, pay the few dollars for peace of mind.
By George_Orwell_works_at_Vox on 07.02.18 8:18pm
Mostly, but it’s not always that simple. The key, IMO, is to look at where the company makes its money.
With Apple, their email is free, but they don’t data mine like Google. They make their money selling hardware – email is just something they add to make the ecosystem around that hardware stronger. Similarly, with Microsoft. They make their money selling software (and a little hardware). Email and document storage is something they throw in to sweeten the deal for an Office subscription and to add to the Windows ecosystem with integrated storage, Windows accounts, etc.
+1 for Fastmail though. I use Outlook mail for most things now, but I’ve had a Fastmail account since 2000 or so. They have a lot of cool features, like the ability to make alias addresses, multiple logins and such. You can store photos in your file storage and it will automatically create a public or private web album from them.
By pallentx on 07.03.18 10:23am
I’ll second ProtonMail. I spent a year or so on the free tier, but started paying for it because I like the service. Only downside is the lack of a desktop client (MacOS, Windows) but the mobile apps work quite well.
By ench on 07.03.18 11:43am
iCloud contacts work great. I can’t imagine going with a hardware-vendor-specific calendar (yes, you might be able to sync an iCloud calendar to an Android, but can you share with someone who never bought an Apple product?)
I think outlook.com works fantastic and would easily be my pick after Gmail. Why don’t you like it?
By Prime on 07.02.18 8:18pm
Same privacy concerns with Outlook as with Gmail?
By Chipiron on 07.03.18 4:44am
Good question. I was just about to recommend it to the person above. I’ve been satisfied with it for the past 4 years or so, and I actually trust MS a bit more with my emails. If some shit story comes out about their privacy…. ugh.
By jayclones on 07.03.18 9:23am
This is a horribly written article. I’m actually surprised to see Shannon is the author, but oh well..
The WSJ article is poorly written as well, but from the original article:
"One of those companies is Return Path Inc., which collects data for marketers by scanning the inboxes of more than two million people who have signed up for one of the free apps in Return Path’s partner network using a Gmail, Microsoft Corp. or Yahoo email address."
Both of the articles should’ve been written about the third party app developers and their practices, not on the mail app provider, IMO.
By DMP89145 on 07.03.18 9:49am
And if you still use Yahoo, anyone can read your emails.
By Stone Cold Dan Quinn on 07.03.18 2:49pm
Different business models, different privacy construct – although Google is not nearly as bad with email as they used to be back when they scanned your private email for targeted advertising intelligence. MS has never used your private email or files for advertising in any way. Apple is the same as well.
By pallentx on 07.03.18 10:25am
If you give third party apps access to your account, which provider you use is moot.
By dissss on 07.04.18 11:50pm
Apple uses the iCal format (https://en.wikipedia.org/wiki/ICalendar). Which is a well-known, widely accepted calendar data format. You can easily share events created in iCloud calendar with anyone who doesn’t have iCloud calendar.
By tnypxl on 07.03.18 1:41pm
I was talking about sharing a whole calendar, is that possible?
By Prime on 07.03.18 6:46pm
Yeah, I’ve done it. But I don’t think you can give non-iCloud users edit privileges, which is probably a deal-breaker for a lot of folks. It’s just read-only and the calendars are public in a similar vein to private YouTube URLs.
By tnypxl on 07.05.18 9:03pm