Following a WSJ article that claimed third-party app developers have surprisingly detailed access to Gmail data, Google has written a blogpost that attempts to rebut any controversy.
"We continuously work to vet developers and their apps that integrate with Gmail before we open them for general access, and we give both enterprise admins and individual consumers transparency and control over how their data is used", opens the post by Suzanne Frey, director of security, trust and privacy at Google Cloud.
The WSJ story claimed that although Google employees cannot read emails, the same policy does not extend to third-party developers. These developers can allegedly read your full emails in Gmail, as well as access details such as the recipient's address and time stamps. However, the WSJ did not uncover any wrongdoing by third-party apps or services using Gmail.
Joseph Carson, chief security scientist at Thycotic, told SC Media UK: "This is wrong and an unethical practice, allowing app developers to have access to read, send, delete and manage your emails, and is a major privacy risk. The problem for many end users is that they do not know the extent of what information is made available; when signing up for a service, it is usually disguised under many other settings and requests, so most people just click and accept the terms.
Email in the past was like sending a closed envelope, and today it is like sending a postcard with your sensitive information available for others to see. People need to be aware of this practice, how it impacts their privacy, exactly what data is available, and also that consent is fully collected; if not, then hopefully the EU GDPR will enforce the protection and privacy of EU citizens."
Javvad Malik, security advocate at AlienVault, told SC Media UK that although there is no evidence that a third party has actively attempted to read users' Gmail messages: "It does serve as a reminder that users of online services should be aware of which third parties they are granting access to and for which purposes. Gmail, Twitter and Facebook in particular are widely used by third-party websites to authenticate or share information, and these often ask for varying degrees of permissions. Users should regularly review which apps and third parties have access to their accounts and for which purposes, and revoke the ones not needed without delay."
The aftermath of the Facebook Cambridge Analytica data scandal has increased awareness of data privacy across the board, both for enterprise and consumer-facing companies. Google’s position means the company is particularly keen to be seen as strong on data protection - a position it shored up in June 2017 when it announced that Gmail inboxes would no longer be scanned for ad targeting reasons.
"The practice of automatic processing has caused some to speculate mistakenly that Google ‘reads’ your emails," Frey emphasised. "To be absolutely clear: no one at Google reads your Gmail, except in very specific cases where you ask us to and give consent, or where we need to for security purposes, such as investigating a bug or abuse."
David Emm, principal security researcher at Kaspersky Lab, commented that trust - and clear terms and conditions - will continue to be key: "Organisations have a duty regarding our privacy – especially those able to access our sensitive information – by making such terms and conditions as transparent and easy to understand as possible. When we are communicating with loved ones or colleagues, sharing personal and sensitive information, we should feel safe in the knowledge that what we are sending is private."
Corporate users of G Suite must rely on admins to whitelist the non-Google apps that can access their users' data, while individual Gmail users should visit Security Checkup to review the permissions granted to non-Google apps and revoke any that are not required.
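The review that Malik recommends and that the article's last paragraph describes comes down to one question per app: how much of the mailbox do its granted OAuth scopes actually expose? The script below is an added example, not code from the article, from Google or from any of the quoted vendors. It takes an inventory of third-party grants shaped like the `items` list of a Google Workspace Admin SDK `tokens.list` response (an assumption about field names: `displayText`, `clientId`, `scopes`), ranks each app by the most privileged Gmail scope it holds, and returns the apps that can read message bodies so they are reviewed first. The sample inventory is constructed; the scope strings are Google's published Gmail scopes, but the tier numbers are this example's own triage choice.

```python
"""Triage third-party OAuth grants on Gmail accounts by mailbox access.

Added example (not from the SC Media article or from Google). Ranks apps in
an OAuth token inventory by the most privileged Gmail scope they hold, so an
admin or user can decide which grants to review or revoke first.

Assumed input shape: a list of dicts like the `items` of a Workspace Admin
SDK tokens.list response (`displayText`, `clientId`, `scopes`).
"""
from dataclasses import dataclass, field

# Gmail OAuth scopes mapped to (tier name, privilege level). Higher level
# means more of the mailbox is exposed. Scopes not listed here are treated
# as non-mail and reported separately so nothing is silently ignored.
MAIL_SCOPE_TIERS = {
    "https://mail.google.com/": ("full", 5),                          # read, send, delete, manage
    "https://www.googleapis.com/auth/gmail.modify": ("modify", 4),    # read plus label/draft changes
    "https://www.googleapis.com/auth/gmail.readonly": ("read", 3),    # read bodies and attachments
    "https://www.googleapis.com/auth/gmail.compose": ("send", 2),     # create drafts and send
    "https://www.googleapis.com/auth/gmail.send": ("send", 2),        # send only
    "https://www.googleapis.com/auth/gmail.metadata": ("metadata", 1),  # headers only, no bodies
    "https://www.googleapis.com/auth/gmail.labels": ("labels", 1),
}

# Sign-in scopes carry no mailbox access; they are neither ranked nor flagged.
SIGNIN_PREFIXES = ("openid", "https://www.googleapis.com/auth/userinfo")

# Level at or above which an app can read message content (this example's choice).
REVIEW_THRESHOLD = 3


@dataclass
class Grant:
    app: str
    client_id: str
    tier_name: str
    tier: int
    other_scopes: list = field(default_factory=list)  # non-Gmail, non-sign-in scopes


def classify(item: dict) -> Grant:
    """Reduce one app's scope list to its single most privileged Gmail tier."""
    best_name, best_level = "none", 0
    other = []
    for scope in item.get("scopes", []):
        if scope in MAIL_SCOPE_TIERS:
            name, level = MAIL_SCOPE_TIERS[scope]
            if level > best_level:
                best_name, best_level = name, level
        elif not scope.startswith(SIGNIN_PREFIXES):
            other.append(scope)
    return Grant(item.get("displayText", "<unnamed>"), item.get("clientId", ""),
                 best_name, best_level, other)


def triage(inventory: list) -> list:
    """All grants, most privileged first; ties broken by app name."""
    return sorted((classify(i) for i in inventory), key=lambda g: (-g.tier, g.app))


def needs_review(inventory: list) -> list:
    """Only the grants that can read message bodies."""
    return [g for g in triage(inventory) if g.tier >= REVIEW_THRESHOLD]


def report(inventory: list) -> str:
    """Plain-text summary suitable for pasting into a review ticket."""
    lines = []
    for g in triage(inventory):
        flag = "REVIEW" if g.tier >= REVIEW_THRESHOLD else "ok"
        extra = f" (also: {', '.join(g.other_scopes)})" if g.other_scopes else ""
        lines.append(f"[{flag:6}] {g.app}: {g.tier_name}{extra}")
    return "\n".join(lines)


# Constructed sample inventory; app names and client ids are invented.
SAMPLE_INVENTORY = [
    {"displayText": "Mail Merge Plus", "clientId": "111.apps.example",
     "scopes": ["https://mail.google.com/"]},
    {"displayText": "Calendar Sync", "clientId": "222.apps.example",
     "scopes": ["https://www.googleapis.com/auth/gmail.readonly",
                "https://www.googleapis.com/auth/calendar.readonly"]},
    {"displayText": "Signature Helper", "clientId": "333.apps.example",
     "scopes": ["https://www.googleapis.com/auth/gmail.send",
                "https://www.googleapis.com/auth/gmail.metadata"]},
    {"displayText": "Login for example shop", "clientId": "444.apps.example",
     "scopes": ["openid", "https://www.googleapis.com/auth/userinfo.email"]},
]

if __name__ == "__main__":
    print(report(SAMPLE_INVENTORY))
```

The ranking deliberately keys on the single most privileged scope rather than counting scopes: an app holding only `https://mail.google.com/` is a bigger exposure than one holding five narrow scopes. Non-Gmail scopes are surfaced in the report rather than scored, because the question the article raises is specifically who can read mail.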