What you need to know: The people peeking into your Gmail

The biggest consumer issue facing tech giants today is the problem of data privacy. For years, people have slowly been migrating their lives to the digital realm. One can argue today that some of us even spend more time pruning and shaping our social media profiles than attending to real-world responsibilities. It's a wonderful world. 

For the longest time, it felt like all fun and games. But then Facebook's Cambridge Analytica scandal hit, and if there had been any general takeaway from it, it's that our data has value – enough even to sway national elections, beyond the now-everyday threat of being a victim of hacks, digital social engineering, and funds being siphoned from online accounts. 

This week, the spotlight is momentarily taken away from Facebook by another tech giant: Google. The Wall Street Journal (WSJ) published an article (paywall) that claimed third-party app developers may be "sifting through your Gmail," possibly being able to read private emails of those who have signed up for the app developer's email-based services. 

Why should I care? And why would they want to read my emails?

If you have signed up for email-based services such as "shopping price comparisons" or "automated travel-itinerary planners," there's a high risk that your private messages could potentially be read by the company behind the services. It's a privacy issue: another individual can potentially read an email containing information you'd like to keep for yourself.

Some developers themselves have admitted to it. One CEO of a Gmail app development company, Mikael Berner, told the WSJ their employees had read emails from hundreds of users in order to build a new feature for their app. Another executive from a different company described that it had become "common practice" for employees to read emails.

The private messages are being read, either automatically by machines or individually by employees, for purposes such as data-mining and marketing. It appears to be another case of a tech giant allowing access to data, likely in a way that users do not explicitly know.

New laws such as the European Union's General Data Protection Regulation (GDPR) and the Philippines' Data Privacy Act have provisions stating that data-collecting companies must explicitly let individuals know what is being done to their data.

In Gmail's case, there doesn't appear to be enough effort to make the user aware of the extent and scope of how their supposedly private emails are being used.

How has Google responded? 

Google reacted swiftly to the news, publishing a blog just a day later. The blog didn't deny that some third-party developers do get access to a person's Gmail but the developers go through a rigorous review process to gain the privilege. 

The blog, authored by Suzanne Frey, the director of security, trust, and privacy and Google Cloud, shed some light on the review process: "However, before a published, non-Google app can access your Gmail messages, it goes through a multi-step review process that includes automated and manual review of the developer, assessment of the app's privacy policy and homepage to ensure it is a legitimate app, and in-app testing to ensure the app works as it says it does."

One unaddressed concern, however, is if Google is able to impose adherence to their agreements with the third-party developer.

Frey also said that Google itself does not read user emails. "To be absolutely clear: No one at Google reads your Gmail," she said. There are, however, a few cases when the company does: when a user specifically gives Google permission to access their messages, and during an investigation of a security issue, a bug or incidents of abuse. 

Third-party access to data has actually been known for years, and may include the services of other tech companies like Microsoft and Yahoo. In fact, Google may have been highlighted in the WSJ's article but other email services may be doing it too. Google, however, is the biggest email service provider in the world, with 1.4 billion users. 

Why does Google let third-party access in the first place? 

It's not for money-making purposes says Google. Instead, as Frey writes in the Google blogpost, it's for improving services for its users.

"We make it possible for applications from other developers to integrate with Gmail – like email clients, trip planners and customer relationship management (CRM) systems – so that you have options around how you access and use your email," she said. 

"A vibrant ecosystem of non-Google apps gives you choice and helps you get the most out of your email," Frey aso said. 

What can you do?

Review the permissions screen very carefully before authorizing any non-Google app. This applies to all apps within the Google ecosystem, and not just to Gmail.

Google showed a sample permissions screen, which you may be familiar with:

Illustration from Google

Use Google's Security Checkup tool. The tool is also useful not just for the Gmail issue. It shows you potential security issues with your Google account and devices; recent security events you might want to double check; and shows you a list of apps that you've given permission to – permissions you can opt to revoke. 

What are the implications of the Gmail exposé as to how personal data is treated? 

With the tech giants facing these huge data privacy problems with great frequency in recent months, it creates a signal for the rest of the tech industry: ensure proper user data collection, protection, use, and transparency.

New data privacy laws are still young – a fact which only reflects the state of data privacy itself: it's only now that both people and establishments are beginning to take notice. We're seeing the next chapter in data privacy unfold with the biggest tech companies with the biggest pools of users and user data understandably being in the spotlight. – Rappler.com

Gelo Gonzales

Gelo Gonzales is Rappler’s technology editor. He covers consumer electronics, social media, emerging tech, and video games.

image