Google tries to calm controversy over app developers having access to your Gmail

Illustration by Alex Castro / The Verge

Google has published a new blog post in response to a story from The Wall Street Journal yesterday that detailed how common it is for third-party app developers to be able to read and analyze the contents of a user’s Gmail message. While not offering any substantially new insights into the industry practice, now understood to be quite widespread, Google does outline measures a user and business organization using G Suite can do to protect their privacy and security. The company also reiterates its commitment to vetting those third-party apps and services that have access to sensitive Gmail data.

“A vibrant ecosystem of non-Google apps gives you choice and helps you get the most out of your email,” reads the company’s blog post, written by Suzanne Frey, the director of the company’s Security, Trust, & Privacy division of Google Cloud. “However, before a published, non-Google app can access your Gmail messages, it goes through a multi-step review process that includes automated and manual review of the developer, assessment of the app’s privacy policy and homepage to ensure it is a legitimate app, and in-app testing to ensure the app works as it says it does.”

Frey offers a few tips to ensuring your data is in the hands of trusted sources. Those include reviewing the permissions screen before giving access to a non-Google app and using the company’s Security Checkup tool to check what devices have logged into your account, which third-party apps have access to your Gmail, and what permissions those apps have. She also says Google’s review process is designed to ensure companies and individuals do not misrepresent themselves and only request data relevant to the function they’re providing.

While the WSJ story did not unearth any wrongdoing from third-party apps or services using Gmail, it did shine a light on a previously discreet industry practice now under heavier scrutiny in the aftermath of Facebook’s Cambridge Analytica data privacy scandal. Facebook gave generous user data access to third-party app developers for years, which created a situation in which tens of millions of people had their personal information packaged and sold to a data mining firm without proper consent. Google is now in the position of having to more actively defend its own data management and user privacy practices, mainly to convince users and businesses that, unlike Facebook, Google is in fact a responsible steward of sensitive user data.

Last year, Google announced it would stop scanning the contents of Gmail users’ messages for advertising purposes as part of a strategy to make its G Suite offering more attractive to corporate customers. Google saw, well before Cambridge Analytica, that it was not a particularly smart business strategy to target ads based on people’s private conversations, especially when some users don’t have a strong grasp on how Gmail is actually monetized. Frey reiterates this in today’s blog post, where she’s careful to point out how “Gmail’s primary business model is to sell our paid email service to organizations as a part of G Suite,” and that while there are still ads in the consumer version of Gmail, those ads are no longer targeted based on the contents of emails.

“The practice of automatic processing has caused some to speculate mistakenly that Google ‘reads’ your emails,” Frey writes. “To be absolutely clear: no one at Google reads your Gmail, except in very specific cases where you ask us to and give consent, or where we need to for security purposes, such as investigating a bug or abuse.”


I didn’t see this as a surprise revelation at all. As Google’s blog post explains, you expressly give certain apps the ability to read and write your email. It’s the same as using a third party keyboard permission to record what you’re typing.

WSJ article highlights cases where developers of 3rd party apps read thousands of unredacted emails to train their classifiers. This is very different from an app accessing your data, these are real people digging through your private or business stuff.

I don’t think an average user is aware that signing up to your Gmail account through a 3rd party email client could indirectly give access to all of your emails to the developers of those apps.

Well that really just highlights a problem with regular users understanding of technology. There is really no way this could not be possible. If you see the app showing your email, it would inherently have had to have access to them, and at any point it would be able to pass them along to wherever. There is simply no way do stop this, short of people actually taking responsibility for themselves for once.

No….it highlights that the technology was developed to take advantage of ordinary users in ways they probably don’t want. So it is not front and center, comes out years after it was first implemented and pisses off a ton of people.

It is bad practice and should not be encouraged just because the average person is not well equipped to defend themselves from it.

Something tells me that people aren’t going to start paying for email or running their own mail servers, so unless some company finds a magic way to make money a different way.

Well, Google don’t make money from scanning your email anymore and 3rd party services only have access if you give it to them, so there’s no real reason not to use Gmail.

Apart from the fat that they can switch it back on any time they want and that having a GMail account automatically logs you in for tracking on the rest of their services.

Right…but they still serve ads based on tracking that happens through web browsing while being logged into your Google account.

I personally don’t have a problem with the concept of it. I value the service enough to allow them access to my data. I don’t currently allow any non-google service access to my email and even then I am mindful of what happens there. My only issue with Google’s tracking is that it’s so basic that it doesn’t usually help me because I research stuff at work all the time that has no bearing on my personal ad preferences.

Oh and app having access to your email is very different from the company that made the app having access to it. This is not about an app having access to it. It is about the company getting into the users stuff.

app = company. you’re just being ignorant if you assume otherwise

This is like saying of course Garmin knows everywhere you drive to. You use their gps to navigate to it.

The difference is in what they do with the data. How they secure the data. And who is liable if there is a breach. Additionally garmin as a company doesn’t need to force me to share my location history with them to use the gps regularly. It should be optional and only for specific reasons not basic operations.

Right, and that’s why Hillary Clinton was overall, very smart to keep her private email server outside of the general Yahoo/Google/Hotmail groups of companies.

Having Terms and Conditions which allow the ability to "optimize ads" by reading your email prevents actual conversations from occuring and/or opens the email up to disclosure.

It’s like giving your iPhone access to your mail, you have to opt-in. i really don’t understand all the drama

iPhone? Totally wrong comparison. iPhone is a device, not a third party service. And iPhone is made by Apple, who are not in the ad-tech/data monetization business.

Better example would be: It’s like giving third party app developers access to your Facebook account.

Well how is it different? To gmail, apple is inherently a 3rd party app developer developing apps that can be used to access gmail through an api. Just the same as in this case, apple is in full control of that content after you grant access, and for all you know they can let their employees read through every one of your emails. It will inevitably come down to whether you trust company x with your emails or not. Personally, I’d have no issue trusting apple with my emails, while I may question "random app developer", but I really have no way of knowing if Apple really handles my emails like they say they do. For all I know they could be stealing and datamining them as well.

The difference is Apple has a lot more to lose if they get caught. They have built, and are currently reinforcing their brand image on privacy and trustworthy reliability.

They have a multi-billion dollar business that depends on people trusting them. Random 3rd party App developers, not really so much.

I use the default iOS email because I trust Apple, and I mostly use iCloud email, though I do have gmail set up through it too, but that’s just for work related stuff.

I use the default iOS email because I trust Apple, and I mostly use iCloud email, though I do have gmail set up through it too, but that’s just for work related stuff.

Are you accessing your iCloud email through a third party mail app? Because exactly the same thing applies there.

As an iOS developer, I can say that Apple is very strict when developers want to take user informations. And also, we still don’t have any framework to read mail from Mail App.

You do know that this whole thing started because of revelations about Edison Mail stealing user’s email.

The same Edison Mail app that’s ranked #65 in productivty in the iOS App Store.

we still don’t have any framework to read mail from Mail App.

Why would you need one?

Popular apps like Newton work via a cloud service connecting to your account which then pushes to your device – once the email is in their cloud then all bets are off.

The point is what will google do if a developer makes an app that pull the data. They would have to do that in the software and send it off somewhere to do anything with it. Does google allow that? If so, that is bad. This is not to say that software can’t do it, but rather what does Google do when a developer does it.

Yes software can steal your data when you give it access to your data. That is not the point. The point is that Google right now allows that for data mining apparently. That is crap.

but rather what does Google do when a developer does it.

Nothing. Nor does Apple for that matter, it’s the only way to get push working on iOS after all.

It’s only "controversy" because of irresponsible and misleading reporting by WSJ and subsequent poor re-reporting by sites such as this.

I notice no such dissemination of misinformation for clicks on Arstechnica…take that as you will.

Eh, if that’s what it takes to get people to pay more attention to what companies are doing with their data and to their privacy and take those companies to task over it, I’m all for it.

If good science can rise from bad idiologies, then perhaps good outcomes can rise from bad or click bait reporting.

Hopefully more "controversies" arise and force everyone from Facebook to small app developer Joe Blow to give more respect to people and their privacy.

Maybe… it’s made me a heck of a lot more suspicious about the news. If the WSJ and even the Verge do this with things I know about, it stands to reason they’re probably doing this elsewhere, and I just don’t know better when I read it.

View All Comments
Back to top ↑