Google has published a new blog post in response to a story from The Wall Street Journal yesterday that detailed how common it is for third-party app developers to be able to read and analyze the contents of a user’s Gmail message. While not offering any substantially new insights into the industry practice, now understood to be quite widespread, Google does outline measures a user and business organization using G Suite can do to protect their privacy and security. The company also reiterates its commitment to vetting those third-party apps and services that have access to sensitive Gmail data.
“A vibrant ecosystem of non-Google apps gives you choice and helps you get the most out of your email,” reads the company’s blog post, written by Suzanne Frey, the director of the company’s Security, Trust, & Privacy division of Google Cloud. “However, before a published, non-Google app can access your Gmail messages, it goes through a multi-step review process that includes automated and manual review of the developer, assessment of the app’s privacy policy and homepage to ensure it is a legitimate app, and in-app testing to ensure the app works as it says it does.”
Frey offers a few tips to ensuring your data is in the hands of trusted sources. Those include reviewing the permissions screen before giving access to a non-Google app and using the company’s Security Checkup tool to check what devices have logged into your account, which third-party apps have access to your Gmail, and what permissions those apps have. She also says Google’s review process is designed to ensure companies and individuals do not misrepresent themselves and only request data relevant to the function they’re providing.
While the WSJ story did not unearth any wrongdoing from third-party apps or services using Gmail, it did shine a light on a previously discreet industry practice now under heavier scrutiny in the aftermath of Facebook’s Cambridge Analytica data privacy scandal. Facebook gave generous user data access to third-party app developers for years, which created a situation in which tens of millions of people had their personal information packaged and sold to a data mining firm without proper consent. Google is now in the position of having to more actively defend its own data management and user privacy practices, mainly to convince users and businesses that, unlike Facebook, Google is in fact a responsible steward of sensitive user data.
Last year, Google announced it would stop scanning the contents of Gmail users’ messages for advertising purposes as part of a strategy to make its G Suite offering more attractive to corporate customers. Google saw, well before Cambridge Analytica, that it was not a particularly smart business strategy to target ads based on people’s private conversations, especially when some users don’t have a strong grasp on how Gmail is actually monetized. Frey reiterates this in today’s blog post, where she’s careful to point out how “Gmail’s primary business model is to sell our paid email service to organizations as a part of G Suite,” and that while there are still ads in the consumer version of Gmail, those ads are no longer targeted based on the contents of emails.
“The practice of automatic processing has caused some to speculate mistakenly that Google ‘reads’ your emails,” Frey writes. “To be absolutely clear: no one at Google reads your Gmail, except in very specific cases where you ask us to and give consent, or where we need to for security purposes, such as investigating a bug or abuse.”