App developers are STILL allowed to read your Gmails

Google is still allowing third-party developers to access its users’ Gmail data, it said in a letter to Senators last week.

Senators John Thune, Roger Wicker and Jerry Moran had quizzed Google in mid-July after the Wall Street Journal published a story about Google giving external app developers access to their users’ Gmail accounts.

The story prompted the trio to contact Google CEO Larry Page, asking him to clarify Google’s approach to third party email access.

They were especially worried given Facebook’s recent experiences with third party developers, they said:

In the wake of the Cambridge Analytica Scandal, in which a third party app developer for Facebook obtained large amounts of user data and shared it with a political consulting firm, the potential misuse of personal data held by large internet platforms and shared with third party developers is a matter of particular concern to the Committee.

It asked Page whether Google requires third-party developers to conform to any privacy policies and what they were, and whether the company knew of a developer sharing the data with anyone else. It quizzed him on how the manual review and suspension processes worked, and whether Google allowed its own employees to see the content of Gmail users’ personal mails.

In a response to the Senators, Susan Molinari, vice president of public policy and government affairs for Google’s Americas operation, explained that the company did let developers share data with others:

Developers may share data with third parties so long as they are transparent with the users about how they are using the data.

It relied on their adherence to its privacy policy to ensure that they were sharing the data appropriately, it added.

Google elaborated on this, explaining that third party developers wanting access to sensitive data like Gmail data must agree to the company’s privacy policy and complete a verification process. This includes a manual review of their privacy policy to ensure that they are requesting appropriate data for their purposes, explained the letter. After verification, it uses machine learning to monitor the apps for any changes in behaviour, and if it detects any then it will put them through the manual review process again.

Google gave some examples of reasons for suspending apps, including not being transparent with users, gaming its anti-spam protections, and asking for permissions that they didn’t need.

Privacy policies

This leaves privacy advocates with the same problem as they had when the WSJ story dropped in early July.

Firstly, it still means that third-party developers can read Gmail users’ email if they want to. It’s important to point out that they only get the email if users explicitly give them permission to access it when using their app, but that raises the second problem: It leaves the user responsible for ploughing through Google’s 4000-word privacy policy.

This policy doesn’t explicitly state that actual human people rather than computerised scripts may end up reading your email, by the way.

Google also makes it the user’s responsibility to read their third party developers’ policies, too, because they may have extra clauses about passing data on to yet more companies.

In short, Google’s answers to the Senators tells us what we already knew, and forces us to revisit a perennial question: How transparent and accessible should the privacy policies be?

Also tucked away in the letter was another gem. Google doesn’t let its own employees access user email, it said, unless the user explicitly asks it to, or for security purposes such as investigating a bug or abuse. The latter seems to give the company quite a bit of latitude in how it treats its users’ mail, depending on how tightly it wanted to interpret ‘investigating a bug’.

This news comes on the heels of another privacy incident involving private messages. Twitter said late last week that a bug may have sent users’ private direct messages to third-party developers who were not authorized to see them – and that the bug persisted for nearly 18 months.