Google doesn’t dispute claims that third-party developers may read your Gmail messages

Another week, another data privacy brouhaha. A Wall Street Journal report on Monday reveals that third-party developers have been reading Gmail users’ emails. According to the WSJ, a number of companies admitted their engineers have read thousands of email messages for reasons such as training machine learning systems.

The controversy stems from apps — such as third-party customer relationship management (CRM) software — that require access to Gmail accounts. Such integrations offer users a wide range of additional functionality, but with the Facebook and Cambridge Analytica data scandal pushing data-sharing into the public consciousness, it was only a matter of time before Google came under closer scrutiny.

Suzanne Frey, director of security, trust, and privacy at Google Cloud, has now indirectly addressed some of the findings in the WSJ report, and her response is interesting in terms of both what it says and what it doesn’t.

Titled “Ensuring your security and privacy within Gmail,” the blog post makes no reference to specific data privacy allegations, so anyone who had missed the WSJ report would probably be left wondering why the issue was even being discussed.

Say wha’?

What Frey does say is that Google developers who request access to your Gmail messages must undergo a heavy vetting process. She explains that approval entails two core requirements: Apps must accurately represent themselves and be clear about how they are using the data, and they must only request relevant data.

“We review non-Google applications to make sure they continue to meet our policies, and suspend them when we are aware they do not,” Frey noted.

Frey doesn’t claim, however, that third-party developers are explicitly forbidden to read your emails. And once API access is granted, it would be difficult for Google to police such a policy anyway. A quick peek at Google’s developer policy guidelines doesn’t turn up any statement regarding developers’ right to read users’ emails, though presumably such activity should be expressly divulged in the developer’s own privacy policy (which every Gmail user will obviously read … right?).

It’s true that Google requires user consent for third-party access via permission screens, but, alas, many people likely just click “Allow” without fully appreciating what they’re giving permission to. Of course, if you’ve learned anything from recent data privacy shenanigans, you should now know to read everything before consenting. And this is something Google is quick to point out, too.

“Before a non-Google app is able to access your data, we show a permissions screen that clearly shows the types of data the app can access and how it can use that data,” Frey added. “We strongly encourage you to review the permissions screen before granting access to any non-Google application.”

Above: Gmail permissions

But such permissions don’t really make it clear that human eyes, as opposed to an automated algorithm, may in fact be reading your emails. There is no specific permission request that states: “An engineer at our company may read your emails from time to time,” an omission that raises questions around whether user consent is fully informed.

This is also reminiscent of the Cambridge Analytica debacle, whereby Facebook enabled access to its users’ data for one reason, and the data was then harnessed for more nefarious purposes. It’s just impossible to know for sure how Gmail users’ data is actually being used.

There is nothing to suggest that any wrongdoing or data misuse has occurred as a result of Google giving outside developers access to users’ emails. But the very fact that users’ private messages can be read by a bunch of strangers, a practice we now know does happen, becomes all the more notable in light of data privacy scandals elsewhere.

While Google seemingly doesn’t dispute the claim that third-party developers read your emails, the company is absolutely adamant that no one at Google itself does, and Frey reminded us that as of last year the company doesn’t even serve you ads based on the content of your emails. “To be absolutely clear: No one at Google reads your Gmail, except in very specific cases where you ask us to and give consent, or where we need to for security purposes, such as investigating a bug or abuse,” Frey continued.

Although Google didn’t refer specifically to the WSJ report in its thinly veiled response yesterday, it’s clear what the company is saying: You can trust us because we heavily vet third-party developers — who may well read your emails — and you gave us all permission for this to happen anyway.