Naked Security

App developers are STILL allowed to read your Gmails


Google is still allowing third-party developers to access its users’ Gmail data, it said in a letter to Senators last week.
Senators John Thune, Roger Wicker and Jerry Moran had quizzed Google in mid-July after the Wall Street Journal published a story about Google giving external app developers access to their users’ Gmail accounts.
The story prompted the trio to contact Google CEO Larry Page, asking him to clarify Google’s approach to third party email access.
They were especially worried given Facebook’s recent experiences with third party developers, they said:

In the wake of the Cambridge Analytica Scandal, in which a third party app developer for Facebook obtained large amounts of user data and shared it with a political consulting firm, the potential misuse of personal data held by large internet platforms and shared with third party developers is a matter of particular concern to the Committee.

The letter asked Page whether Google requires third-party developers to conform to any privacy policies and what those policies were, and whether the company knew of any developer sharing the data with anyone else. It quizzed him on how the manual review and suspension processes worked, and whether Google allowed its own employees to see the content of Gmail users’ personal mails.

In a response to the Senators, Susan Molinari, vice president of public policy and government affairs for Google’s Americas operation, explained that the company did let developers share data with others:

Developers may share data with third parties so long as they are transparent with the users about how they are using the data.

It relied on their adherence to its privacy policy to ensure that they were sharing the data appropriately, it added.
Google elaborated on this, explaining that third party developers wanting access to sensitive data like Gmail data must agree to the company’s privacy policy and complete a verification process. This includes a manual review of their privacy policy to ensure that they are requesting appropriate data for their purposes, explained the letter. After verification, it uses machine learning to monitor the apps for any changes in behaviour, and if it detects any then it will put them through the manual review process again.
Google gave some examples of reasons for suspending apps, including not being transparent with users, gaming its anti-spam protections, and asking for permissions that they didn’t need.

Privacy policies

This leaves privacy advocates with the same problem as they had when the WSJ story dropped in early July.
Firstly, it still means that third-party developers can read Gmail users’ email if they want to. It’s important to point out that they only get the email if users explicitly give them permission to access it when using their app, but that raises the second problem: it leaves the user responsible for ploughing through Google’s 4000-word privacy policy.
This policy doesn’t explicitly state that actual human people rather than computerised scripts may end up reading your email, by the way.
Google also makes it the user’s responsibility to read their third party developers’ policies, too, because they may have extra clauses about passing data on to yet more companies.
In short, Google’s answers to the Senators tell us what we already knew, and force us to revisit a perennial question: how transparent and accessible should privacy policies be?
Also tucked away in the letter was another gem. Google doesn’t let its own employees access user email, it said, unless the user explicitly asks it to, or for security purposes such as investigating a bug or abuse. The latter seems to give the company quite a bit of latitude in how it treats its users’ mail, depending on how tightly it wanted to interpret ‘investigating a bug’.
This news comes on the heels of another privacy incident involving private messages. Twitter said late last week that a bug may have sent users’ private direct messages to third-party developers who were not authorized to see them – and that the bug persisted for nearly 18 months.
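The article’s point is that the access is only ever granted by the user, per app, as a set of OAuth scopes. The following script is an added example, not code from Naked Security or from Google: it takes the space-separated scope strings that Google’s OAuth token endpoints return and sorts the apps a user has authorised by how much of their mailbox each one can actually read. The scope URIs are Google’s published Gmail API scopes; the app names and the grants list are constructed sample data.

```python
# Added example (not from the Naked Security article): audit which authorised
# apps can read Gmail message content, versus metadata only, versus send only.
#
# The scope URIs below are Google's published Gmail API scopes. The app names
# and the SAMPLE_GRANTS list are constructed sample data, not real apps.

from dataclasses import dataclass

# Scopes that let an app read full message bodies (the case the article is about).
CONTENT_READ_SCOPES = {
    "https://mail.google.com/",                          # full mailbox access
    "https://www.googleapis.com/auth/gmail.readonly",    # read all messages
    "https://www.googleapis.com/auth/gmail.modify",      # read plus change labels
}

# Scopes that expose headers and labels but not message bodies.
METADATA_SCOPES = {
    "https://www.googleapis.com/auth/gmail.metadata",
    "https://www.googleapis.com/auth/gmail.labels",
}

# Scopes that let an app send mail without reading the inbox.
SEND_ONLY_SCOPES = {
    "https://www.googleapis.com/auth/gmail.send",
}

LEVELS = ("reads message content", "reads metadata only", "send only", "no Gmail access")


@dataclass(frozen=True)
class Grant:
    app: str        # display name of the authorised app (constructed)
    scope_str: str  # space-separated scopes, as returned by Google's tokeninfo


def parse_scopes(scope_str):
    """Split a space-separated OAuth scope string into a set of scope URIs."""
    return {s for s in scope_str.split() if s}


def classify(scopes):
    """Return the highest level of Gmail access a set of scopes implies."""
    scopes = set(scopes)
    if scopes & CONTENT_READ_SCOPES:
        return LEVELS[0]
    if scopes & METADATA_SCOPES:
        return LEVELS[1]
    if scopes & SEND_ONLY_SCOPES:
        return LEVELS[2]
    return LEVELS[3]


def audit(grants):
    """List (app, level) pairs, most privileged first, alphabetical within a level."""
    rows = [(g.app, classify(parse_scopes(g.scope_str))) for g in grants]
    return sorted(rows, key=lambda r: (LEVELS.index(r[1]), r[0]))


def content_readers(grants):
    """Names of the apps that can read message bodies: the ones worth revoking first."""
    return [app for app, level in audit(grants) if level == LEVELS[0]]


# Constructed sample of what a user's list of authorised apps might contain.
SAMPLE_GRANTS = [
    Grant("Example Mail Merge Add-on",
          "https://www.googleapis.com/auth/gmail.send "
          "https://www.googleapis.com/auth/userinfo.email"),
    Grant("Example Inbox Cleaner", "https://www.googleapis.com/auth/gmail.modify"),
    Grant("Example Calendar Sync", "https://www.googleapis.com/auth/calendar.readonly"),
    Grant("Example Email Tracker",
          "https://www.googleapis.com/auth/gmail.metadata "
          "https://www.googleapis.com/auth/gmail.labels"),
    Grant("Example Full Client", "https://mail.google.com/"),
]

if __name__ == "__main__":
    for app, level in audit(SAMPLE_GRANTS):
        print(f"{level:24} {app}")
    print("review first:", ", ".join(content_readers(SAMPLE_GRANTS)))
```

The useful distinction for a reader is that `gmail.send` alone cannot read anything, `gmail.metadata` sees who wrote to you and when but not what they said, and any of the three content scopes hands the app the same text a human at the developer could read; those are the grants to revisit in the account’s security settings.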


Did it? I didn’t read it that way. I read it that the only apps that can read your Gmail data are the ones you give access to. Not that I hold a brief for Google.
When a Google user goes into their security settings they see with whom they have agreed to allow access and what that access is (access to Google Analytics is an example).
As you say in the article “It’s important to point out that they only get the email if users explicitly give them permission to access it when using their app”
Unless I am missing something, how is that a situation that “…leaves the user responsible for ploughing through Google’s 4000-word privacy policy.”?
Why would one need to read the privacy policy in that situation?


If you’re allowing third party devs to access sensitive information like your email, then the privacy policy outlines what they should and shouldn’t be doing with your sensitive information. You could simply not read the policy, which is what many people do, but then you don’t really know what they can and can’t do with your email. Also, be sure to read the previous story about this from July 4, which draws on the WSJ reporting to explain how third party devs can share your email with other companies once they have it, as long as it’s in their own privacy policies.


I did not understand the method used. “third-party developers to access its users’ Gmail data”. Do you mean a Google API permits developers to access users’ emails?


Yes, when developers get access to your Gmail, it’ll be via a software API rather than manually accessing it. See our story from July 4 for more details (linked in this story).


App developers are STILL allowed to read your Gmails
This is a hoax.
I created a Gmail draft entitled “snoopers” and typed:
Are you jerks reading my emails?
I got three replies saying “no we’re not,” so it’s all good.


Looks like a good time to have a “What Email service do you trust the most” poll. I do have a gmail account, am ready to jump ship, but not sure what, if, there is a trustworthy Free option. I think that Free, likely rules out privacy though…


These articles are stupid and sensational and make it seem like Google is giving access to developers to read people’s emails. Developers only have access if you, the user, grant them access. Enough with these idiotic articles.


Danny, your article is extremely misleading to users of Gmail.
App developers cannot scan your emails unless you allow that app to do it. You as a user need to grant access when you use a 3rd party app with your Gmail.
Please tell me what other way a 3rd party app that you want to use could use your email without reading it?


I can find nothing about sharing email messages and other data within their privacy policy or settings; it only mentions sharing within the group. Sharing email messages is absolutely disgusting and should not happen unless for support reasons. I think you can guess where my Google account is going.


Idk, technically anyone (as in your neighbor, the president, the pope, your in-laws, your boss, whoever) can read your emails if you allow them to and show it to them. I think the main point is that you allow them to. The question is, why would you? And if you choose someone to show them to, you’d make sure to at least ask them what they will do with them, in case of an app in policy form.

