Last week we got another reminder that the times – they are a-changin’. The next big tech company after Facebook to face privacy questions is Google. At this point, this should come as no surprise, but think how our perceptions of Google have changed over time. Remember feeling happy that information got more accessible online. And then remember when Google’s “Don’t Be Evil” motto gradually came alive. Now we are reading about serious Gmail privacy issues. Here’s the latest.

Your Gmail privacy is under fire

The Wall Street Journal has published a report raising some issues concerning third-party Gmail apps and Gmail privacy. Some backstory:

In 2017, Gmail discontinued the practice of scanning the content of your emails in order to display targeted advertising. Everyone was happy, champagne flooded the streets, the mice and the crickets were singing drunken merry songs and giving each other heartfelt compliments. Possibly all for naught, as it turns out. With Google (and Facebook) becoming platforms and letting third-party developers make apps for them, email privacy is arguably more at risk than ever before. The report claims that while Google may not scan the content of your emails anymore, lots of auxiliary app devs do. In some cases, it is common practice for human employees to read them as well. As usual, we consent to all of this ourselves by agreeing to even the most Big Brother-esque privacy policy with the click of a “Next” button.

What does Google say?

If true, this is very damning. Furthermore, it just doesn’t seem good enough to do what Facebook did – deny any wrongdoing and pretend the platform has no responsibility in the matter. To be fair, Google has treated the allegations more seriously. Suzanne Frey, Director of Google Apps Security, Trust, Compliance, and Privacy, has signed a response downplaying Gmail privacy issues and reassuring users that all non-Google apps must pass a rigorous review process, including both automated and manual steps to ascertain whether the apps meet two primary requirements. They must:

• Accurately represent themselves: Apps should not misrepresent their identity and must be clear about how they are using your data. Apps cannot pose as one thing and do another and must have clear and prominent privacy disclosures.
• Only request relevant data: Apps should ask only for the data they need for their specific function—nothing more—and be clear about how they are using it.

The positive sign is that Google clearly feels somewhat responsible for how third-party companies use the platform. Unfortunately, in practice that does little to protect Gmail privacy, because we got here with these measures already in place. If the carefully researched WSJ report is to be believed, Google has left gaping holes for third parties to exploit in their quest for private data.

The difficulties of email protection

Some of the cases described in the Wall Street Journal article seem uncomfortable at best and illegal at worst. For example, the WSJ mentions a company called Edison Software, the developers of a mobile email organizer app. The development process of these particular pieces of software involved reading the emails of hundreds of users for “guidance”. Apparently, this is nothing unique – employees often read private messages to fix bugs, improve algorithms, etc. In this case, users’ last line of security is a simple non-disclosure agreement.

Potential culprits include any app that scans your email for information – price comparison apps, travel planning apps, email organizer apps, email marketing apps and so on and so forth. Many different areas of the business world are interested in email data because it includes a lot of things they wouldn’t normally be able to access in bulk. Private conversations, bills, shopping information, all of that is gold for big data.

The report draws on interviews with dozens of employees working for developer companies. The picture they paint is grim. Users sign away access to their most private information after being fooled by obliquely written privacy policies or after flat-out refusing to read them. According to some interviewees, Google does very little to make sure data-hungry app developers don’t abuse their users. For example, at least one respondent denies ever going through any Google manual review process for developers or apps (something claimed in the company’s official response).

A particularly worrying detail is revealed through the example of Return Path Inc. and Earny Inc. The former is an “email deliverability expert”, or, in other words, an email marketing company. The latter is the developer of one of 163 apps used by Return Path for email-data-mining purposes. Users of Earny report not knowing anything about Return Path. Mentions of the company exist in the privacy policy but require close reading to notice.

How you can protect your privacy

If this email protection news is giving you flashbacks to all those dystopian films and books, don’t worry – you’re not crazy. It’s about time everyone started paying attention to the privacy of our digital lives. The truth is, we still cannot visualize digital surveillance. It isn’t like some trench-coated shady character listening in on your calls – an image native to the public psyche of the 20th century. Yet because of the internet, our privacy is a lot more at risk now than it ever was.

There are always methods to protect ourselves and our families. In this case, the path is both easy and completely impossible. The first thing that you should do to circumvent these Gmail privacy issues is to go to Google’s Security Checkup page. Here you can see the list of third-party apps with access to your data (including what exactly they have permission to reach). With the click of a button, you can disable whatever bothers you and protect your privacy. The second step is the impossible one – start paying attention to those privacy policies! We know your day is short, but keep in mind that crafty legalese is the strongest weapon of privacy-thieves.

Lastly, we should keep the noise up. As long as people are interested and speak out, there might be consequences for overstepping the boundaries of your email privacy. More importantly, perhaps we’ll even be able to have a reasonable conversation about what those boundaries should be!


Here’s an article where we discuss some secure alternatives to Gmail – we’d like to see more VPNs use them!