Fresh off the rollout of a new version of Gmail, Google is now trying to quell a potential storm over reports that it gives developers access to read and analyze the contents of Gmail users’ messages.
The Wall Street Journal (WSJ) reported two apps -- Edison Mail and Return Path -- gained access to Gmail content, but with user permission.
Edison Mail claims its app "extract[s] meaningful, actionable data directly from mailboxes to simplify your users and understand how their preferences are changing in real‑time — from the way they travel to the brands they enjoy most."
Return Path claims its platform connects marketers with nearly 70 percent of the email inboxes worldwide, describing itself as "help[ing] marketers take their email programs to the next level by driving more response and increasing revenue."
In response to the report, Google went on the defensive and outlined exactly what it allows developers to view in a person’s Gmail account.
"We make it possible for applications from other developers to integrate with Gmail—like email clients, trip planners and customer relationship management (CRM) systems—so that you have options around how you access and use your email," wrote Suzanne Frey, Google Cloud’s Director, Security, Trust, & Privacy.
"We continuously work to vet developers and their apps that integrate with Gmail before we open them for general access, and we give both enterprise admins and individual consumers transparency and control over how their data is used," Frey added.
Automatic processing and strict standards
Google vows that while it shows ads in the consumer version of Gmail, those ads are not based on the content of a users’ emails. However, to head off spam and phishing emails from reaching inboxes and to make features like Smart Reply more productive, Google says it conducts "automatic processing" of emails -- a practice that is supposedly common across the industry.
Making sure it doesn’t walk into the same quicksand Facebook did over user privacy, Google wants it known that the company is not compensated by developers for API (application programming interface) access and any developer that wants to create a Gmail-related app has to toe the line and meet two key requirements:
Accurately represent themselves: Apps should not misrepresent their identity and must be clear about how they are using your data. Apps cannot pose as one thing and do another, and must have clear and prominent privacy disclosures.
Only request relevant data: Apps should ask only for the data they need for their specific function—nothing more—and be clear about how they are using it.
User privacy remains on high alert
Even though the WSJ report failed to peg Google with any privacy trespassing, it reminds everyone -- developer, provider, and user alike -- that the world is watching when it comes to data privacy, thanks to Facebook’s privacy negligence. And while it may seem a little undiplomatic, Google puts the onus directly on the end-user in saying "You control your data."
"Before a non-Google app is able to access your data, we show a permissions screen that clearly shows the types of data the app can access and how it can use that data," wrote Frey in her blog post. "We strongly encourage you to review the permissions screen before granting access to any non-Google application."
Take a Google privacy checkup
If you’re one of the 1.2 billion consumers with a Gmail account, there are steps you can take to tighten up your privacy settings. Those include:
Adjusting your ad settings.
Taking a "security checkup." That will show any non-Google app that’s been granted access to your data. It will also highlight any potentially risky apps you have given permission to but may want to turn off going forward.
Gmail users can also view and control permissions within myaccount.google.com under "Apps with account access."