'

Who's reading your Gmail? Not us, says Google, and we vet 3rd-party apps that do

Google says it doesn't get paid for giving third-party apps access to Gmail and checks them thoroughly.

Google has responded to Monday's Wall Street Journal report detailing how Google gives hundreds of developers privileged access to Gmail inboxes once users have signed up to a third-party app.

The special access gives approved developers, such as marketing and data-mining firms, the ability to read and analyze Gmail messages.

While much of the analysis is by machine, according to the report, one developer said it was "common practice" for companies to let employees read Gmail user email. And instead of gaining explicit consent from the user, permission is only obtained via general user agreements.

Former employees of data-mining companies told the paper that it was common for them to use free apps and services to convince people to give access to their inboxes and that the apps don't clearly explain what data they collect, nor what they do with it.

While third-party access has been known about for years, the practice has come under the spotlight due to Facebook's Cambridge Analytica scandal, which put millions of users' data in the hands of the controversial political consultancy.

SEE: How we learned to talk to computers, and how they learned to answer back (cover story PDF)

In a blogpost, Google says it allows third-party apps to integrate with Gmail to give users more choice about how to access and use email.

However, the company stresses it is not compensated by developers for granting access to its application programming interface and no longer scans Gmail to serve targeted ads itself. Google ended that practice last year, bringing consumer Gmail in line with G Suite.

"Gmail's primary business model is to sell our paid email service to organizations as a part of G Suite. We do show ads in consumer Gmail, but those ads are not based on the content of your emails," wrote Suzanne Frey, director of security, trust, and privacy for Google Cloud.

Frey also attempts to dispel fears that people at Google are actually reading Gmail messages.

"The practice of automatic processing has caused some to speculate mistakenly that Google 'reads' your emails. To be absolutely clear: no one at Google reads your Gmail, except in very specific cases where you ask us to and give consent, or where we need to for security purposes, such as investigating a bug or abuse," she explained.

She also offers some details about how Google vets developers, and what controls are in place for business G Suite and consumer Gmail accounts.

"A vibrant ecosystem of non-Google apps gives you choice and helps you get the most out of your email," explained Frey.

"However, before a published, non-Google app can access your Gmail messages, it goes through a multi-step review process that includes automated and manual review of the developer, assessment of the app's privacy policy and homepage to ensure it is a legitimate app, and in-app testing to ensure the app works as it says it does."

That review process includes checking that the apps are represented to users accurately, are clear about how they use data, and only request relevant data.

Additionally, users can use Google's Security Checkup to review permissions already granted to third-party apps, and revoke them. G Suite admins can create a whitelist of approved apps that can access user data.

gsuitegmailsecuritycheckupthirdparty-max-1000x1000.png

Google strongly encourages users to check permissions before granting access to third-party apps.

Image: Google

Previous and related coverage

Gmail app developers' employees might be reading your email (CNET)

The app makers defend the practice, but also say they've since stopped it.

Google will stop scanning Gmail content for ad targeting

The move brings the consumer version of Gmail in line with the G Suite version, which never scanned email content for ad purposes.

Google will stop scanning Gmail content for ad targeting

The move brings the consumer version of Gmail in line with the G Suite version, which never scanned email content for ad purposes.

Gmail redesign: Google overhauls G Suite with more AI, less clutter

Google's G Suite makeover is aimed at saving businesses email hours, opens and time spent on notifications.

How has Google dodged data privacy issue? It's the ROI

Google outlined its vision of an AI driven future this week at Google I/O and the data privacy discussion is just starting. Don't forget the return on investment for you sharing data.

Facebook's mea culpa tour, Cambridge Analytica and GDPR: The data game is changing before our eyes

Facebook is being skewered for its data management, but every company needs to think about its customer data strategy well beyond GDPR. The wild west of data is being tamed.

Why Gmail's confidential mode is good for privacy, but may be bad for businesses (TechRepublic)

Google's new mail features might prove to be a big issue for litigation and corporate investigations due to the compliance and e-discovery complications it creates, says Relativity's David Horrigan.