Skip to content
Naked Security Naked Security

Someone else is reading your Gmails

Remember when privacy advocates used to worry about Google scanning your email? Well now, they have another problem on their hands: real people reading them.

Remember when privacy advocates used to worry about Google scanning your email? Well now they have another problem on their hands: real people reading them.
We’re not talking about Google employees. We’re talking about developers in third-party companies, and in some cases the developers in other organizations that those companies partner with.
Google has a history of tussling with people over email privacy. It scanned emails for years, using what it gleaned from the text to target users with personalized advertisements. As early as 2004, privacy activists were urging it to stop, and the company has battled lawsuits from disgruntled users since then.
A year ago, it partially caved, announcing that it would stop using content from its consumer Gmail service to personalize ads, bringing it in line with an existing policy for its business accounts.
That doesn’t mean that the company stopped automatically reading your mail, though. In fact, Google spokespeople confirmed in May that the company still uses email content to help drive a range of other services.
Earlier this week, the story took another turn after the Wall Street Journal reported that third-party developers can read the emails of millions of Gmail users.
Many companies develop apps that need access to your mail for processing purposes. An AI-driven assistant might ask to read your mails to automatically book appointments for you, say. Other apps that might want access to your email include itinerary planners that scan travel emails for appropriate details. Google made this easier to do in 2014 when it created APIs to help third party developers access Gmail accounts.
There was always a caveat. Users had to agree to share that information first, granting explicit permission for an app to access your Gmail account or your broader Google account. However, what users may not have known is that this doesn’t only give the third party company’s software access to your email. It gives developers inside those companies the ability to manually access them too.
One such company, Edison Software, allowed employees to review emails from hundreds of users to help it build out new features in its software, the WSJ said. Developers at another company, email marketing optimization Return Path, read over 8,000 email messages as they tried to better train its software to distinguish between personal and commercial emails, the report added.


Google’s privacy policy says it may share information with third parties. However, the policy doesn’t explicitly say that humans may manually read those mails, and the opt-in message that it displays when you connect an external app to the service doesn’t say so either.
There’s another twist to the WSJ story. It explains that Return Path not only accesses emails when users sign up for its own apps, but also when they sign up for apps operated by other companies. These companies partner with Return Path via its Context.IO subsidiary, which collects email data to help it improve its services.
One such partner app is Earny, which scans users’ email for receipts and claims refunds to help them save money. This company works with Context.IO to provide it with access to their mails.
Earny complies with strict guidelines from Context.IO, which mandates that partner apps explain the relationship in their own privacy policies. The text, provided by Context.IO and reproduced on the Earny site, says in part:

If you use the Services, and connect your email account, Context.IO will have access to your Personal Information. Context.IO may use your Personal Information to operate, monitor and improve the Context.IO services and as otherwise stated in their own Privacy Policy.

It then gives the user the chance to opt out of Context.IO services by linking to a page on the Context.IO site.
Context.IO also demands that those partners display ‘just in time’ (JIT) notifications – popping up the notices just as users sign up – to try and ensure that they understand what’s happening. Return Path points all this out in its response to the WSJ.
It’s worth pointing out that Return Path only mandates the JIT notifications for EU users, leaving those outside that region to pore over privacy policies on partner web sites. At least one US-based Earny user interviewed by the WSJ had never heard of Return Path because she hadn’t read the Earny privacy policy.
She is far from the only person not to plough through a privacy policy or two when signing up for an online service. We could argue that users are responsible for all of this, but in practice they have faced years of complicated legalese that they tend to avoid. These transitive relationships seem to make things still more difficult.
Google gives you some privacy information when you grant a third party app developer access to your mail, but leaves you to deduce for yourself that humans may read your email too.
To properly protect yourself, it seems that you must then check that third party developer’s own privacy policy if you want to be sure about what it’s doing. You may then need to check still more privacy policies from other partners if you find that it is sharing your mail with them.
This raises several questions. Is it reasonable to expect users to go through this process? Is there a better way to handle it? Should Google be more clear about exactly what people can do with the information that it shares? Where does the user’s responsibility end and the app developer’s begin? What about the app developer’s partners?
Perhaps the first question Gmail users should ask, though, is who has access to their emails and other Google data today.
To find out, you can visit the accounts permissions page. It may explicitly list some apps as having email access, but be on the lookout for apps listed as having access to your Google account. These have permissions to read your email along with lots of other data that Google holds about you. If you decide that you’re not happy with this, you can revoke access.

16 Comments

The most incriminating aspect of this is, no matter what the Gmail user agreed to, that Gmail user has no authority to share the personal or confidential information sent to them by non-Gmail senders. Which also invalidates the EU specific JIT messages as EU based non-Gmail email sender will never see these nor have any knowledge of the data sharing that is occurring in the USA based recipient’s Gmail account.

Remember there is no such thing as a free lunch. Hence use PGP.

Well, PGP is “free as in money”, but by your argument it must therefore also be *not* “free as in lunch”… so what’s the cost :-)

It costs time to learn and mind-space to understand and use. Fortunately, it’s not impossibly difficult to understand quickly, and you get better returns with better understanding, so it’s possible to start slow, with significant protection results, and graduate on to more advanced features.

Is this a case of “they all do it, and Google is taking the heat for everyone”, or are there levels of complicity in vendors? Should we all use our Comcast accounts (here in the USA), or switch to outlook?

No I don’t think Google are being picked on for a practise that is common amongst other vendors. As per the article they have even had heat before for processing based on the message contents.

I try to stay away from Google period. Would you trust anyone with your location, photos, email, cloud storage and Internet search history? Google could deliver a complete dossier on 90% of Americans delivering all this information and they would be none the wiser.

There are better alternatives like Tutanota and Protonmail. If you use gmail despite all warnings, and they violate your privacy, you probably deserve it,

Are people actually surprised? What do they think permissions like “ability to read contents of email” actually means?? Facebook and Google know more about you than any government…until they subpoena them, anyway. People get up in arms about government facial recognition systems and cataloging residents, but are surprised when businesses that make their money on serving adds based on demographics do it? Or when they allow an app or plugin “ability to read email”? Come on…

I’ve been cringing the eventual move away from google. Their new motto of: All your data are belong to us, has pushed some of us over the edge. But outside of hosting my own Email server and not exchanging Email with anyone that uses a free Email service, I don’t think it will matter :/

>and not exchanging Email with anyone that uses a free Email service
I think that’s the key. You can be as secure as you like with your own email service, but if you’re exchanging email with those using free services, you stand a greater chance of being compromised. And of course let’s not forget mail metadata, which tells people an awful lot about you without them even having to read your mail contents. But many of our contacts are probably on free email services, so it’s a conundrum.
Insisting on sending sensitive emails only in encrypted form provides some protection, though, as does using a provider that doesn’t read your emails. Protonmail looks good. Services like Bitmask and programs like Mailpile also look interesting.

Things like this are why none of my Google accounts actually have any real, verifiable personal information. I use fake names, birth dates, addresses, etc. The only bit of PII that is true is the mobile number my Google Voice numbers forward to, and knowing the security restrictions the NANPM puts on the NPAC vendor, my only security issue would be with my direct mobile service provider.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?