Remember when privacy advocates used to worry about Google scanning your email? Well now they have another problem on their hands: real people reading them.
We’re not talking about Google employees. We’re talking about developers in third-party companies, and in some cases the developers in other organizations that those companies partner with.
Google has a history of tussling with people over email privacy. It scanned emails for years, using what it gleaned from the text to target users with personalized advertisements. As early as 2004, privacy activists were urging it to stop, and the company has battled lawsuits from disgruntled users since then.
A year ago, it partially caved, announcing that it would stop using content from its consumer Gmail service to personalize ads, bringing it in line with an existing policy for its business accounts.
That doesn’t mean that the company stopped automatically reading your mail, though. In fact, Google spokespeople confirmed in May that the company still uses email content to help drive a range of other services.
Earlier this week, the story took another turn after the Wall Street Journal reported that third-party developers can read the emails of millions of Gmail users.
Many companies develop apps that need access to your mail for processing purposes. An AI-driven assistant might ask to read your mails to automatically book appointments for you, say. Other apps that might want access to your email include itinerary planners that scan travel emails for appropriate details. Google made this easier to do in 2014 when it created APIs to help third party developers access Gmail accounts.
There was always a caveat. Users had to agree to share that information first, granting explicit permission for an app to access your Gmail account or your broader Google account. However, what users may not have known is that this doesn’t only give the third party company’s software access to your email. It gives developers inside those companies the ability to manually access them too.
One such company, Edison Software, allowed employees to review emails from hundreds of users to help it build out new features in its software, the WSJ said. Developers at another company, email marketing optimization Return Path, read over 8,000 email messages as they tried to better train its software to distinguish between personal and commercial emails, the report added.
There’s another twist to the WSJ story. It explains that Return Path not only accesses emails when users sign up for its own apps, but also when they sign up for apps operated by other companies. These companies partner with Return Path via its Context.IO subsidiary, which collects email data to help it improve its services.
One such partner app is Earny, which scans users’ email for receipts and claims refunds to help them save money. This company works with Context.IO to provide it with access to their mails.
Earny complies with strict guidelines from Context.IO, which mandates that partner apps explain the relationship in their own privacy policies. The text, provided by Context.IO and reproduced on the Earny site, says in part:
It then gives the user the chance to opt out of Context.IO services by linking to a page on the Context.IO site.
Context.IO also demands that those partners display ‘just in time’ (JIT) notifications – popping up the notices just as users sign up – to try and ensure that they understand what’s happening. Return Path points all this out in its response to the WSJ.
Google gives you some privacy information when you grant a third party app developer access to your mail, but leaves you to deduce for yourself that humans may read your email too.
This raises several questions. Is it reasonable to expect users to go through this process? Is there a better way to handle it? Should Google be more clear about exactly what people can do with the information that it shares? Where does the user’s responsibility end and the app developer’s begin? What about the app developer’s partners?
Perhaps the first question Gmail users should ask, though, is who has access to their emails and other Google data today.
To find out, you can visit the accounts permissions page. It may explicitly list some apps as having email access, but be on the lookout for apps listed as having access to your Google account. These have permissions to read your email along with lots of other data that Google holds about you. If you decide that you’re not happy with this, you can revoke access.