Does Google really let developers read your email?

The company says it only allows specific, trusted developers to scan through your emails. How does that impact you?
4 July 2018

Google’s Sundar Pichai is serious about security. Source: Shutterstock

Amid all the chatter about Facebook and its widening data scandal, news about Google allowing developers access to users’ email was made public.

Wall Street Journal, who broke the story earlier this week claimed that Google allows software developers to scan hundreds of millions of emails of users who sign up for email-based services.

And although it isn’t something absolutely new, in the aftermath of the Cambridge Analytica scandal, the gravity of the matter shocked users.

In June last year, the Guardian reported that tech giant would stop scanning the contents of personal emails – but that was only in the context of tailored ads.

There wasn’t any announcement about access or the restriction of access to developers.

In fact, the feature that users seem to love most these days, “Smart Reply” was developed by scanning users’ emails.

However, given the nature of the issue and the concern of citizens, Google Cloud’s Director of Security, Trust, & Privacy Suzanne Frey decided to highlight and explain why scanning emails won’t put users at risk.

“We make it possible for applications from other developers to integrate with Gmail—like email clients, trip planners and customer relationship management (CRM) systems—so that you have options around how you access and use your email,” said Frey.

Google also highlighted that it places a strong emphasis on vetting its approved developers and the apps that integrate with Gmail before they’re open for general access.

In fact, it seems as though Google gives both enterprise admins and individual consumers transparency and control over how their data is used.

“You can visit the Security Checkup to review what permissions you have granted to non-Google apps, and revoke them if you would like. For G Suite users, admins can control which non-Google apps can access their users’ data through whitelisting,” Frey pointed out.

Further, the company laid out the fact that apps developed by third parties are heavily scrutinized before they can be on-boarded and offered up for integration with (and read) users’ emails.

“Before a published, non-Google app can access your Gmail messages, it goes through a multi-step review process that includes automated and manual review of the developer, assessment of the app’s privacy policy and homepage to ensure it is a legitimate app, and in-app testing to ensure the app works as it says it does,” revealed Frey.

Here are the key criteria that non-Google apps must meet in order to be on-boarded by Google:

  • They need to accurately represent themselves: Apps should not misrepresent their identity and must be clear about how they are using your data. Apps cannot pose as one thing and do another and must have clear and prominent privacy disclosures.
  • They can only request relevant data: Apps should ask only for the data they need for their specific function—nothing more—and be clear about how they are using it.

And while that might not be entirely reassuring, Google says it scans email to be able to better tailor its spam and phishing filters and create the intelligent Smart Reply feature.

“In order to deliver these features, we conduct automatic processing of emails. This is standard practice across the industry,” said Frey.

“We do not process email content to serve ads, and we are not compensated by developers for API access. Gmail’s primary business model is to sell our paid email service to organizations as a part of G Suite,” she added.

The practice of automatic processing has caused some to speculate that Google “reads” emails.

However, Frey emphasized, “no one at Google reads your Gmail, except in very specific cases where you ask us to and give consent, or where we need to for security purposes, such as investigating a bug or abuse,”.

Although the company derives a significant portion of revenues from personalizing advertisements, it’s CEO has on several occasions suggested that Google understand the importance of data privacy.

This year, at the World Economic Forum, for example, he said, “data always belongs to the user and as companies, we are only stewards of it.”

While Google still needs to answer questions about data privacy, it seems as though the discussion around scanning emails (or not, if you make the necessary changes in your settings) is not really a big issue after all.