Google Allows Outside App Developers To Read People's Gmails, Says Report

According to The Wall Street Journal, hundreds of app developers have access to millions of inboxes belonging to Gmail users (Warning: source paywalled; alternative source). The developers reportedly receive access to messages from Gmail users who signed up for things like price-comparison services or automated travel-itinerary planners. Some of these companies train software to scan the email, while others enable their workers to pore over private messages. INSIDER reports: It's not news that Google and many top email providers enable outside developers to access users' inboxes. In most cases, the people who signed up for the price-comparison deals or other programs agreed to provide access to their inboxes as part of the opt-in process. In Google's case, outside developers must pass a vetting process, and as part of that, Google ensures they have an acceptable privacy agreement, The Journal reported, citing a Google representative.

What is unclear is how closely these outside developers adhere to their agreements and whether Google does anything to ensure they do, as well as whether Gmail users are fully aware that individual employees may be reading their emails, as opposed to an automated system, the report says. It's interesting to note that, judging from The Journal's story, very little indicates that Google is doing anything different from Microsoft or other top email providers. According to the newspaper, nothing in Microsoft or Yahoo's policy agreements explicitly allows people to read others' emails.

OMG

[cesarbp]

Oh my god, my private porn now is public?

Read the article you linked to!

[Anonymous Coward]

Read the article you linked to. You consent to it when you agree to the terms of service:

The search was legal because it fell within Microsoft's terms of service which state that the company can access information in accounts that are stored on its "Communication Services", which includes email, chat areas, forums, and other communication facilities.

The terms of service add: "Microsoft reserves the right to review materials posted to the Communication Services and to remove any materials in its sole discretion."

If you don't like the terms of service then don't use the service!

Re:

[fisted]

A < B implies A != B, you're being redundant

Re:

[allo]

legal != consent

All free email does this.

[DogDude]

All free email providers read your email. That's why it's free, dummy.

Re:

[DogDude]

That's because you have to pay for Protonmail. I can't imagine any company that's providing email for a fee is going to scour email. They could be sued.

Re:

[DogDude]

You have a tiny starter account that most people would outgrow in a few weeks. Anything usable costs money. That's why they don't go through your email.

Re:

[allo]

The headers of a mail are like 2kb. The plain text part of the mail is lik 1-2 kb. The HTML part is like 10 kb. The icons attached for the html part are 200 kb. The images in the html part to look pretty are 2 MB.

When will people learn

[Rosco P. Coltrane]

Cloud = letting untrustworthy and/or incompetent companies manage your own data.

Roll-your-own IT = hard (as in, really hard - I'm not talking managing 5 servers in a small company), but as good and/or competent as you/your organization is willing to be.

The former looks like a good, cost-effective option until the company that manages your data screws your over or the internet goes down. The latter then starts to look like a better deal - but by then, it's too late.

Now then, ask yourself: is Google competent? Probably. Trustworthy? Hell no...

Re:When will people learn

[Aighearach]

The former looks like a good, cost-effective option until the company that manages your data screws your over or the internet goes down. The latter then starts to look like a better deal - but by then, it's too late.

Or gets bought/merges and the people who own "your" data now don't screw you over at all; they just never made you any promises!

Re: When will people learn

[Denis Goddard]

My employer decided to go Full Cloud, which motivated me to make this meme

Re: When will people learn

[Denis Goddard]

... and Slashdot doesnâ(TM)t allow posting images, apparently, so hereâ(TM)s the link [slashdot.org] (SFW)

Re:

[Known Nutter]

You fail.

Re:

[ArsenneLupin]

The URL actually is there, just wrapped in a lot of crud: https://i.imgflip.com/2datqs.jpg [imgflip.com].

(This guy reminds me of those people that don't even manage to type a simple apostrophe, and then blame slashdot for it...)

Re:

[ArsenneLupin]

(This guy reminds me of those people that don't even manage to type a simple apostrophe, and then blame slashdot for it...)

Actually, now I notice it, he is one of these guys, with his weird misplaced trademark signs in his sentence... Quite understandable that his employer preferred to outsource IT to the cloud :-)

Re:

[Mashiki]

Quite understandable that his employer preferred to outsource IT to the cloud :-)

Sure explains why us old guys can make so much money fixing their mistakes though. And to think, they still believe outsourcing is the better option...for everything. We're in a sad shit world right now, where people believe everything can be cheap and good.

Re:

[Plugh]

My employer went Full Cloud, so I made this meme [imgflip.com]

(apologies for dupe post, slashcode issues)

Re:

[Kjella]

Now then, ask yourself: is Google competent? Probably. Trustworthy? Hell no...

As a company? They don't want to be sued for breach of contract, they got deep pockets and could end up on the hook for a lot of money. Also losing/misplacing data and/or conducting industrial espionage would be a PR nightmare, just make sure the redundancy and confidentiality clauses are in the SLA and I'm pretty sure you'll get it. That is, as long as what you're paying for is a hosting service and not a free service you pay through letting them rifle through your data like GMail. As for Google's employee

Re:

[Opportunist]

Someone being competent doesn't mean he's trustworthy. Hint: A successful con artist is usually very competent.

Re:

[AmiMoJo]

Stop and think about this for a moment.

What use would an email server that communicate with clients be? If you set up an email server with no SMTP, no POP3, no IMAP, what use would it be?

So why is anyone surprised that Gmail allows clients to access it? Is it better or worse for the average person that Gmail has a more secure API that supports 2 factor auth and has a nice easy GUI where you can see what apps have what access and revoke access in a couple of clicks? Can your DIY solution do all that?

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Opportunist]

cloud is a homonym to the German "klaut", which means "(he) steals".

I doubt it's a coincidence.

I tell clients that it is probable

[oldgraybeard]

Everything in Gmail, 365, Hotmail, the Cloud that is not encrypted IS being accessed by who knows who. And if that is not OK changes need to be made.

Just my 2 cents ;)

Re: I tell clients that it is probable

[Anonymous Coward]

So u peddle in FUD to prop up your buggy whip business. Good on ya!

Re:

[Mashiki]

That's not FUD though. We already know that google has in the past gone through users cloud storage and revoked/deleted content. We already know that MS stored/and/or/is storing decryption keys in a non-secure location for cloud services, and for local HDD encryption(bitlocker).

Re:

[atrex]

Everything in Gmail, 365, Hotmail, the Cloud that is not encrypted IS being accessed by who knows who. And if that is not OK changes need to be made.

IIRC including the government. They left a nice big loophole in place in a 1986 law that considers any data of yours left on a server more than 180 days to be "abandoned" and thus removed from all expectations of privacy. The house passed The Email Privacy Act in Feb 2017, but it never got brought up in the Senate https://www.charlotteobserver.... [charlotteobserver.com]

Re:

[Rosco P. Coltrane]

I don't think so.

- General-public, apparently-free Google services are used by individuals who don't know better, mostly don't give a damn about privacy and data protection, and just don't want to pay a cent to have access to stuff. Not to mention, Google having become a virtual monopoly, good luck finding alternatives to many services that have become essential. No, Vimeo or Dailymotion aren't as good as Youtube. And Google managed to make their products so amazingly good and attractive that using somethin

No actual problem here

[Anonymous Coward]

Don't trust someone to read your email? Then don't give them access to your email.

This is an opt-in process that is clearly disclosed when you sign up for whatever random app requests access to your email. Nothing sneaky or underhanded at all, at least not on the part of Google. Maybe it's foolish to grant access to these apps, but that's the user's decision. Frankly the fact that Google performs any sort of vetting at all is more than they need to do.

The only thing that Google could stand to improve is

Re:

[Rosco P. Coltrane]

The problem is, if you send an email to someone whose email system is managed by Google, you didn't sign up for anything, nor did you give Google and their business buddies your consent to exploit your email, but they do it anyway.

Re:

[kqs]

So? Do you think that when you send someone email, you can control what they do with it? That's impressively arrogant. If they have chosen to let someone else access their email, whether it is a personal assistant, or Google, or Bozo the Clown, you have no say unless you have some legal contract with them.

As to the subject of TFA: It's always tough to parse through the WSJ's misinformation to find the truth, but in this case I _think_ they are saying "if some plugin asks for access to your email and you

"price-comparison deals or other programs"

[Anonymous Coward]

the hell does that even mean??

Re:

[farble1670]

It means some developer honey potted users into giving them access to their email by offering users access to some lame deal of the day website.

I don't see the problem. If people want to exchange share their emails for internet goodies, that's up to them. The point is that this was fully voluntary and obvious to the user.

trust

[cascadingstylesheet]

Unfortunately, you pretty much have to trust somebody.

Hosting your own email on your own server is not easy. It's not going to be the common way for all but a few odd geeks.

The rest? Gotta trust somebody ... your ISP, or Gmail, or MS, or some guys in Switzerland who assure you that they are the safe option, or ...

Re:

[kqs]

There are a few odd geeks who can run their own mailserver. There are far fewer geeks who can run a mailserver correctly and securely. I say that as someone who ran mailservers for over two decades, and who now uses gmail for their mail because it is far more secure than anything I can build.

Re:

[cascadingstylesheet]

There are a few odd geeks who can run their own mailserver. There are far fewer geeks who can run a mailserver correctly and securely. I say that as someone who ran mailservers for over two decades, and who now uses gmail for their mail because it is far more secure than anything I can build.

Precisely.

Re:

[Rosco P. Coltrane]

Again, you don't seem to realize that scanning Google customers' inboxes doesn't only impact Google customers, but anybody who emails them as well. Half of the content of anybody's inbox is composed of messages they received from somebody else, who may or may not agree to have their emails scanned by Google themselves.

Re:

[AHuxley]

A computer system internal to a brand for their own ads was what most people would have expected.
Not hundreds of app developers.. AC

Re:

[AHuxley]

Its all anonymized about humans so its ok?

FUD

[farble1670]

These people explicitly signed up for the service and granted it access. Look at the screen caps in the linked article:
https://amp.thisisinsider.com/... [thisisinsider.com]

It says right there "VIEW ... YOUR EMAIL IN GMAIL". If you were dumb enough to do this, and want to undo it, just go to your account settings and revoke that developers' access.

Re:

[AmiMoJo]

Indeed, this has been common for years.

For example, Hotmail/Windows Live Mail/whatever it's called this week allows you to import and sync with Gmail if you grant it access to read your emails. You can create access tokens so that email clients like Thunderbird can access your mailbox even with 2 factor auth turned on.

It's a feature that people want. It would be much WORSE if you couldn't do this, because then your email would be stuck in Gmail with no way to interoperate or extract it.

Want business class? Buy a business account

[ebrandsberg]

This only applies for the non-business service. Just like the post yesterday about the Google cloud account that was shut down for "suspicious activity" when they didn't pay for business level service either, and had no SLA in place. If you want real privacy, make sure your Google apps account is under a BAA and claim you will handle HIPAA data. They would be crazy to allow a third part to view your mail then.

OAUTH2 is not "Google" giving access

[Alascom]

Google is NOT giving anyone access to users email inboxes. Period. Full stop. End of story. Shame on Slashdot editors for ever allowing this submission.

USERS are giving 3rd party sites access to their own email by clicking "accept" on OAUTH2 requests that explicitly tell the user in big bold letters that by clicking OK they will be giving a 3rd party access to "VIEW MANAGE AND DELETE YOUR EMAIL, COMPOSE AND SEND NEW EMAIL". This isn't misleading, subtle, or accidental access - it is gross incompetence on the part of the user.

Read more here: https://en.wikipedia.org/wiki/... [wikipedia.org]

But fake news generates fake headlines and fake outrage which leads to higher click-thru rates and more ad impressions for the website.

Re:

[piojo]

Google creates tool that can only be used to blow a user's foot off, and we put 100% of the blame on the user? Sure, the user is far from blameless, but you think it isn't "gross incompetence" on Google's part to think they can create a vetting process and rely upon a privacy agreement by a 3rd party to somehow mediate this?

An API to access a private service is hardly a "tool that can only be used to blow a user's foot off". Certainly there are companies that vet every access to their APIs, but is that really appropriate for a user who is letting an app access their inbox? Does an IMAP admin vet and approve every e-mail client a user can use?

If Google vetted and approved or rejected each API usage, I suspect we would be complaining that GMail is locking up our data.

Re:

[account_deleted]

Comment removed based on user account deletion

Go ahead

[Opportunist]

All that's in my GMail account is a furry porn collection.

It's the online equivalent of sending live tics with the mail in a state that has its security routinely open envelopes...

Re:

[mujadaddy]

Are you in Pittsburgh today? [anthrocon.org]

Also, don't you find the 15GB limiting?

Re:

[cboslin]

Thanks for including that link, your post should NOT have been down rated to zero! If you had not listed it I was going to.

One important caveat, I do not believe that link ( https://myaccount.google.com/permissions [google.com]) automatically includes all 3rd parties. For others, here is an article about this, that is NOT behind a paywall, from the BBC dated July 3, 2018: https://www.bbc.com/news/technology-44699263 [bbc.com].

The link at the end of the above https://myaccount.google.com/p... [slashdot.org]">article, has a link to Google's [google.com]