This week, The Wall Street Journal fueled new security concerns in what is quickly becoming the year of data privacy issues, when it reported that Google allows third party developers to "scan the inboxes of millions of Gmail users who signed up for email-based services offering shopping price comparisons, automated travel-itinerary planners or other tools."
In response, Suzanne Frey, A director of security, trust, and privacy at Google, published a blog post, offering clarification about what kinds of access third party developers have to your account and answering the most alarming, and obvious, question stemming from the WSJ report: Is someone reading your private emails?
First off, Frey confirms that certain developers are allowed to “integrate with Gmail so that you have options around how you access and use your email.” For example, you might download Boomerang for Gmail to schedule emails ahead. However, every Gmail user needs to provide permission before an app gets access. According to Frey’s post, only apps that pass Google’s review process can request access to Gmail accounts: This “multi-step review” requires that apps “only request relevant data” and “accurately represent themselves.”
Google does use what’s called “automatic processing” to prevent spam from hitting your inbox and let users take advantage of Smart Reply, a tool that suggests responses to messages. Frey says automatic processing of emails is not equivalent to reading emails: “To be absolutely clear: No one at Google reads your Gmail, except in very specific cases where you ask us to and give consent, or where we need to for security purposes, such as investigating a bug or abuse.”
Still, The Wall Street Journal report claims there are few safeguards in place preventing employees at third party apps from reading email. For that reason, and as a basic security principle, it’s important to review which third-party apps can access your account. To do so, go to your Security Checkup. There, you’ll see five categories: Your devices, recent security events, sign-in and recovery, and third-party access.
Click on third-party access and you’ll see all the apps that have access to Gmail, as well as other Google services such as Google Drive and Google Contacts. Click the information icon to see when you gave the app access. If you want to revoke access, simply press the “remove access” button.
Hopefully, nothing that you see will surprise you. Remember, just because you've given apps access that doesn't mean companies are misusing it: Boomerang CEO Alex Moore published a Medium post last week assuring customers that the app does not sell data or have people reading user emails.
Still, a refresher on what permissions you have granted can't hurt, especially given the other third-party privacy debacles of 2018.
This piece has been updated to included reference to a Medium post written by Boomerang CEO Alex Moore.