Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Privacy Google Software

Google Allows Outside App Developers To Read People's Gmails, Says Report (thisisinsider.com) 96

According to The Wall Street Journal, hundreds of app developers have access to millions of inboxes belonging to Gmail users (Warning: source paywalled; alternative source). The developers reportedly receive access to messages from Gmail users who signed up for things like price-comparison services or automated travel-itinerary planners. Some of these companies train software to scan the email, while others enable their workers to pore over private messages. INSIDER reports: It's not news that Google and many top email providers enable outside developers to access users' inboxes. In most cases, the people who signed up for the price-comparison deals or other programs agreed to provide access to their inboxes as part of the opt-in process. In Google's case, outside developers must pass a vetting process, and as part of that, Google ensures they have an acceptable privacy agreement, The Journal reported, citing a Google representative.

What is unclear is how closely these outside developers adhere to their agreements and whether Google does anything to ensure they do, as well as whether Gmail users are fully aware that individual employees may be reading their emails, as opposed to an automated system, the report says. It's interesting to note that, judging from The Journal's story, very little indicates that Google is doing anything different from Microsoft or other top email providers. According to the newspaper, nothing in Microsoft or Yahoo's policy agreements explicitly allows people to read others' emails.

This discussion has been archived. No new comments can be posted.

Google Allows Outside App Developers To Read People's Gmails, Says Report

Comments Filter:
  • Oh my god, my private porn now is public?
  • by Rosco P. Coltrane ( 209368 ) on Monday July 02, 2018 @05:35PM (#56882646)

    Cloud = letting untrustworthy and/or incompetent companies manage your own data.

    Roll-your-own IT = hard (as in, really hard - I'm not talking managing 5 servers in a small company), but as good and/or competent as you/your organization is willing to be.

    The former looks like a good, cost-effective option until the company that manages your data screws your over or the internet goes down. The latter then starts to look like a better deal - but by then, it's too late.

    Now then, ask yourself: is Google competent? Probably. Trustworthy? Hell no...

    • by Aighearach ( 97333 ) on Monday July 02, 2018 @05:56PM (#56882760)

      The former looks like a good, cost-effective option until the company that manages your data screws your over or the internet goes down. The latter then starts to look like a better deal - but by then, it's too late.

      Or gets bought/merges and the people who own "your" data now don't screw you over at all; they just never made you any promises!

    • My employer decided to go Full Cloud, which motivated me to make this meme
      • ... and Slashdot doesnâ(TM)t allow posting images, apparently, so hereâ(TM)s the link [slashdot.org] (SFW)
        • You fail.
    • by Plugh ( 27537 )

      My employer went Full Cloud, so I made this meme [imgflip.com]

      (apologies for dupe post, slashcode issues)

    • by Kjella ( 173770 )

      Now then, ask yourself: is Google competent? Probably. Trustworthy? Hell no...

      As a company? They don't want to be sued for breach of contract, they got deep pockets and could end up on the hook for a lot of money. Also losing/misplacing data and/or conducting industrial espionage would be a PR nightmare, just make sure the redundancy and confidentiality clauses are in the SLA and I'm pretty sure you'll get it. That is, as long as what you're paying for is a hosting service and not a free service you pay through letting them rifle through your data like GMail. As for Google's employee

      • Someone being competent doesn't mean he's trustworthy. Hint: A successful con artist is usually very competent.

    • by AmiMoJo ( 196126 )

      Stop and think about this for a moment.

      What use would an email server that communicate with clients be? If you set up an email server with no SMTP, no POP3, no IMAP, what use would it be?

      So why is anyone surprised that Gmail allows clients to access it? Is it better or worse for the average person that Gmail has a more secure API that supports 2 factor auth and has a nice easy GUI where you can see what apps have what access and revoke access in a couple of clicks? Can your DIY solution do all that?

    • cloud is a homonym to the German "klaut", which means "(he) steals".

      I doubt it's a coincidence.

  • Everything in Gmail, 365, Hotmail, the Cloud that is not encrypted IS being accessed by who knows who. And if that is not OK changes need to be made.

    Just my 2 cents ;)
    • by Anonymous Coward

      So u peddle in FUD to prop up your buggy whip business. Good on ya!

      • by Mashiki ( 184564 )

        That's not FUD though. We already know that google has in the past gone through users cloud storage and revoked/deleted content. We already know that MS stored/and/or/is storing decryption keys in a non-secure location for cloud services, and for local HDD encryption(bitlocker).

    • by atrex ( 4811433 )

      Everything in Gmail, 365, Hotmail, the Cloud that is not encrypted IS being accessed by who knows who. And if that is not OK changes need to be made.

      IIRC including the government. They left a nice big loophole in place in a 1986 law that considers any data of yours left on a server more than 180 days to be "abandoned" and thus removed from all expectations of privacy. The house passed The Email Privacy Act in Feb 2017, but it never got brought up in the Senate https://www.charlotteobserver.... [charlotteobserver.com]

  • by Anonymous Coward

    Don't trust someone to read your email? Then don't give them access to your email.

    This is an opt-in process that is clearly disclosed when you sign up for whatever random app requests access to your email. Nothing sneaky or underhanded at all, at least not on the part of Google. Maybe it's foolish to grant access to these apps, but that's the user's decision. Frankly the fact that Google performs any sort of vetting at all is more than they need to do.

    The only thing that Google could stand to improve is

    • The problem is, if you send an email to someone whose email system is managed by Google, you didn't sign up for anything, nor did you give Google and their business buddies your consent to exploit your email, but they do it anyway.

      • by kqs ( 1038910 )

        So? Do you think that when you send someone email, you can control what they do with it? That's impressively arrogant. If they have chosen to let someone else access their email, whether it is a personal assistant, or Google, or Bozo the Clown, you have no say unless you have some legal contract with them.

        As to the subject of TFA: It's always tough to parse through the WSJ's misinformation to find the truth, but in this case I _think_ they are saying "if some plugin asks for access to your email and you

  • by Anonymous Coward

    the hell does that even mean??

    • It means some developer honey potted users into giving them access to their email by offering users access to some lame deal of the day website.

      I don't see the problem. If people want to exchange share their emails for internet goodies, that's up to them. The point is that this was fully voluntary and obvious to the user.

  • trust (Score:5, Insightful)

    by cascadingstylesheet ( 140919 ) on Monday July 02, 2018 @05:46PM (#56882704) Journal

    Unfortunately, you pretty much have to trust somebody.

    Hosting your own email on your own server is not easy. It's not going to be the common way for all but a few odd geeks.

    The rest? Gotta trust somebody ... your ISP, or Gmail, or MS, or some guys in Switzerland who assure you that they are the safe option, or ...

    • by kqs ( 1038910 )

      There are a few odd geeks who can run their own mailserver. There are far fewer geeks who can run a mailserver correctly and securely. I say that as someone who ran mailservers for over two decades, and who now uses gmail for their mail because it is far more secure than anything I can build.

      • There are a few odd geeks who can run their own mailserver. There are far fewer geeks who can run a mailserver correctly and securely. I say that as someone who ran mailservers for over two decades, and who now uses gmail for their mail because it is far more secure than anything I can build.

        Precisely.

  • FUD (Score:5, Insightful)

    by farble1670 ( 803356 ) on Monday July 02, 2018 @06:22PM (#56882868)

    These people explicitly signed up for the service and granted it access. Look at the screen caps in the linked article:
    https://amp.thisisinsider.com/... [thisisinsider.com]

    It says right there "VIEW ... YOUR EMAIL IN GMAIL". If you were dumb enough to do this, and want to undo it, just go to your account settings and revoke that developers' access.

    • by AmiMoJo ( 196126 )

      Indeed, this has been common for years.

      For example, Hotmail/Windows Live Mail/whatever it's called this week allows you to import and sync with Gmail if you grant it access to read your emails. You can create access tokens so that email clients like Thunderbird can access your mailbox even with 2 factor auth turned on.

      It's a feature that people want. It would be much WORSE if you couldn't do this, because then your email would be stuck in Gmail with no way to interoperate or extract it.

  • This only applies for the non-business service. Just like the post yesterday about the Google cloud account that was shut down for "suspicious activity" when they didn't pay for business level service either, and had no SLA in place. If you want real privacy, make sure your Google apps account is under a BAA and claim you will handle HIPAA data. They would be crazy to allow a third part to view your mail then.

  • by Alascom ( 95042 ) on Monday July 02, 2018 @06:48PM (#56882956)

    Google is NOT giving anyone access to users email inboxes. Period. Full stop. End of story. Shame on Slashdot editors for ever allowing this submission.

    USERS are giving 3rd party sites access to their own email by clicking "accept" on OAUTH2 requests that explicitly tell the user in big bold letters that by clicking OK they will be giving a 3rd party access to "VIEW MANAGE AND DELETE YOUR EMAIL, COMPOSE AND SEND NEW EMAIL". This isn't misleading, subtle, or accidental access - it is gross incompetence on the part of the user.

    Read more here: https://en.wikipedia.org/wiki/... [wikipedia.org]

    But fake news generates fake headlines and fake outrage which leads to higher click-thru rates and more ad impressions for the website.

  • Comment removed based on user account deletion
  • All that's in my GMail account is a furry porn collection.

    It's the online equivalent of sending live tics with the mail in a state that has its security routinely open envelopes...

There's no sense in being precise when you don't even know what you're talking about. -- John von Neumann

Working...