Data-use questions resurge, this time with Google in the vortex
New reports have Gmail users asking just how secure their data is—and
drawing comparisons to other recent data scandals.
When users learned that Facebook had known about Cambridge Analytica's
inappropriate data use for months before reports were published, the public
questioned what else the social media giant was keeping secret.
Data scraping by third-party companies has become a major concern for the
tech industry, and now Google is answering for access it gave some email
extensions to its popular service.
The Wall Street Journal wrote:
Google said a year ago it would
stop its computers from scanning the inboxes of Gmail users
for information to personalize advertisements, saying it wanted users to
“remain confident that Google will keep privacy and security paramount.”
But the internet giant continues to let hundreds of outside software
developers scan the inboxes of millions of Gmail users who signed up for
email-based services offering shopping price comparisons, automated
travel-itinerary planners or other tools. Google does little to police
those developers, who train their computers—and, in some cases,
employees—to read their users' emails, a Wall Street Journal examination
Google asserts it allows access only to companies to which users have
in a blog post:
Transparency and control have always been core data privacy principles, and
we're constantly working to ensure these principles are reflected in our
Before a non-Google app is able to access your data, we show a permissions
screen that clearly shows the types of data the app can access and how it
can use that data.
We strongly encourage you to review the permissions screen before granting
access to any non-Google application.
However, that assertion contradicts WSJ reporting, which says some
emails were read, ostensibly to train artificial intelligence, without user
Neither Return Path nor Edison [two third-party extension companies] asked
users specifically whether it could read their emails. Both companies say
the practice is covered by their user agreements, and that they used strict
protocols for the employees who read emails. eDataSource says it previously
allowed employees to read some email data but recently ended that practice
to better protect user privacy.
Google, a unit of Alphabet Inc., says it
provides data only to outside developers it has vetted and to whom users
have explicitly granted permission to access email. Google's own employees
read emails only “in very specific cases where you ask us to and give
consent, or where we need to for security purposes, such as investigating a
bug or abuse,” the company said in a written statement.
Google says it vets all potential business partners, which might restore
consumer confidence in the short term—assuming nothing more nefarious, such
as a Cambridge Analytica, is lurking under the surface.
its safety measures:
In order to
pass our review process, non-Google apps must meet two key requirements:
- Accurately represent themselves:
Apps should not misrepresent their identity and must be clear about how
they are using your data. Apps cannot pose as one thing and do another,
and must have clear and prominent privacy disclosures.
- Only request relevant data:
Apps should ask only for the data they need for their specific
function—nothing more—and be clear about how they are using it.
We review non-Google applications to make sure they continue to meet our
policies, and suspend them when we are aware they do not.
For some, Google's explanations fall short.
Paul Sawers with VentureBeat mused:
What Frey does say is that Google developers who request access to
your Gmail messages must undergo a heavy vetting process. […]
Frey doesn't claim, however, that third-party developers are
explicitly forbidden to read your emails. And once API access is granted,
it would be difficult for Google to police such a policy anyway. A quick
Google's developer policy guidelines
doesn't turn up any statement regarding developers' right to read users'
emails, though presumably such activity should be expressly divulged in the
Sawers also saw comparisons to Facebook's Cambridge Analytica scandal,
writing, “It's just impossible to know for sure how Gmail users' data is
actually being used.”
Others say the Facebook issue was more egregious.
The Verge reported:
Facebook did more to implicate itself, failing to ban Cambridge as an
advertiser even after it became clear they had violated platform rules. But
the broader similarities are hard to ignore: A scammy plugin duped users
and ended up making problems for the entire platform. You can try to blame
the app-maker or the users who installed it, but in the end, it's the
platform that's responsible.
On Twitter, some users cried foul:
This is thoroughly in violation of what Gmail promised. https://t.co/3G0g0bOgA8
— Emin Gün Sirer (@el33th4xor) July 5, 2018
Others said it's a straightforward issue:
I've had multiple media requests for comments on this which surprises me because it seems so obvious: if you grant an app permission to read your mail, it can, uh, read your mail. That also means it may show parts of it to other humans – code can do that! https://t.co/krQ2JQiuwj
— Troy Hunt (@troyhunt) July 4, 2018
Still others contend that the unreadable nature of consent and permissions documents hinders users' ability to knowingly agree to data collection and use.
Gmail messages ‘read by human third parties’? This is a complete disgrace. No consumer has given informed consent for this. “Explicitly given permission” my arse. Long unreadable terms and conditions make a mockery out of that. #privacy #surveillance. https://t.co/AdrYIQRuiZ
— Liam Pomfret (@LiamPomfret) July 4, 2018
Google explained how it uses such data.
do not process email content to serve ads, and we are not compensated by developers for API access. Gmail's primary
business model is to sell our paid email service to organizations as a part
of G Suite.
We do show ads in consumer Gmail, but those ads are not based on the
content of your emails. You can
adjust your ads settings at any time.
The practice of automatic processing has caused some to speculate
mistakenly that Google “reads” your emails. To be absolutely clear: no one
at Google reads your Gmail, except in very specific cases where you ask us
to and give consent, or where we need to for security purposes, such as
investigating a bug or abuse.
Has the company done enough to reassure consumers? What other steps would