Someone else is reading your Gmails

Remember when privacy advocates used to worry about Google scanning your email? Well now they have another problem on their hands: real people reading them.

We’re not talking about Google employees. We’re talking about developers in third-party companies, and in some cases the developers in other organizations that those companies partner with.

Google has a history of tussling with people over email privacy. It scanned emails for years, using what it gleaned from the text to target users with personalized advertisements. As early as 2004, privacy activists were urging it to stop, and the company has battled lawsuits from disgruntled users since then.

A year ago, it partially caved, announcing that it would stop using content from its consumer Gmail service to personalize ads, bringing it in line with an existing policy for its business accounts.

That doesn’t mean that the company stopped automatically reading your mail, though. In fact, Google spokespeople confirmed in May that the company still uses email content to help drive a range of other services.

Earlier this week, the story took another turn after the Wall Street Journal reported that third-party developers can read the emails of millions of Gmail users.

Many companies develop apps that need access to your mail for processing purposes. An AI-driven assistant might ask to read your mails to automatically book appointments for you, say. Other apps that might want access to your email include itinerary planners that scan travel emails for appropriate details. Google made this easier to do in 2014 when it created APIs to help third party developers access Gmail accounts.

There was always a caveat. Users had to agree to share that information first, granting explicit permission for an app to access your Gmail account or your broader Google account. However, what users may not have known is that this doesn’t only give the third party company’s software access to your email. It gives developers inside those companies the ability to manually access them too.

One such company, Edison Software, allowed employees to review emails from hundreds of users to help it build out new features in its software, the WSJ said. Developers at another company, email marketing optimization Return Path, read over 8,000 email messages as they tried to better train its software to distinguish between personal and commercial emails, the report added.

Google’s privacy policy says it may share information with third parties. However, the policy doesn’t explicitly say that humans may manually read those mails, and the opt-in message that it displays when you connect an external app to the service doesn’t say so either.

There’s another twist to the WSJ story. It explains that Return Path not only accesses emails when users sign up for its own apps, but also when they sign up for apps operated by other companies. These companies partner with Return Path via its Context.IO subsidiary, which collects email data to help it improve its services.

One such partner app is Earny, which scans users’ email for receipts and claims refunds to help them save money. This company works with Context.IO to provide it with access to their mails.

Earny complies with strict guidelines from Context.IO, which mandates that partner apps explain the relationship in their own privacy policies. The text, provided by Context.IO and reproduced on the Earny site, says in part:

If you use the Services, and connect your email account, Context.IO will have access to your Personal Information. Context.IO may use your Personal Information to operate, monitor and improve the Context.IO services and as otherwise stated in their own Privacy Policy.

It then gives the user the chance to opt out of Context.IO services by linking to a page on the Context.IO site.

Context.IO also demands that those partners display ‘just in time’ (JIT) notifications – popping up the notices just as users sign up – to try and ensure that they understand what’s happening. Return Path points all this out in its response to the WSJ.

It’s worth pointing out that Return Path only mandates the JIT notifications for EU users, leaving those outside that region to pore over privacy policies on partner web sites. At least one US-based Earny user interviewed by the WSJ had never heard of Return Path because she hadn’t read the Earny privacy policy.

She is far from the only person not to plough through a privacy policy or two when signing up for an online service. We could argue that users are responsible for all of this, but in practice they have faced years of complicated legalese that they tend to avoid. These transitive relationships seem to make things still more difficult.

Google gives you some privacy information when you grant a third party app developer access to your mail, but leaves you to deduce for yourself that humans may read your email too.

To properly protect yourself, it seems that you must then check that third party developer’s own privacy policy if you want to be sure about what it’s doing. You may then need to check still more privacy policies from other partners if you find that it is sharing your mail with them.

This raises several questions. Is it reasonable to expect users to go through this process? Is there a better way to handle it? Should Google be more clear about exactly what people can do with the information that it shares? Where does the user’s responsibility end and the app developer’s begin? What about the app developer’s partners?

Perhaps the first question Gmail users should ask, though, is who has access to their emails and other Google data today.

To find out, you can visit the accounts permissions page. It may explicitly list some apps as having email access, but be on the lookout for apps listed as having access to your Google account. These have permissions to read your email along with lots of other data that Google holds about you. If you decide that you’re not happy with this, you can revoke access.