Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Allows Outside App Developers To Read People's Gmails, Says Report (thisisinsider.com)

Posted by BeauHD on from the on-the-outside-looking-in dept.

According to The Wall Street Journal, hundreds of app developers have access to millions of inboxes belonging to Gmail users (Warning: source paywalled; alternative source). The developers reportedly receive access to messages from Gmail users who signed up for things like price-comparison services or automated travel-itinerary planners. Some of these companies train software to scan the email, while others enable their workers to pore over private messages. INSIDER reports: It's not news that Google and many top email providers enable outside developers to access users' inboxes. In most cases, the people who signed up for the price-comparison deals or other programs agreed to provide access to their inboxes as part of the opt-in process. In Google's case, outside developers must pass a vetting process, and as part of that, Google ensures they have an acceptable privacy agreement, The Journal reported, citing a Google representative.

What is unclear is how closely these outside developers adhere to their agreements and whether Google does anything to ensure they do, as well as whether Gmail users are fully aware that individual employees may be reading their emails, as opposed to an automated system, the report says. It's interesting to note that, judging from The Journal's story, very little indicates that Google is doing anything different from Microsoft or other top email providers. According to the newspaper, nothing in Microsoft or Yahoo's policy agreements explicitly allows people to read others' emails.

96 comments

  1. OMG by cesarbp · · Score: 2

    Oh my god, my private porn now is public?

    1. Re:OMG by Anonymous Coward · · Score: 0

      Always has been. Your boyfriend slut-shamed you.

    2. Re:OMG by Anonymous Coward · · Score: 0

      Just wait until Cohen flips.

    3. Re: OMG by Anonymous Coward · · Score: 0

      Sarah?

  2. Still better than Microsoft by Anonymous Coward · · Score: 0, Informative

    ...who allows employees to read your email without consent.

    https://www.bbc.com/news/business-26677607

    1. Re: Still better than Microsoft by Anonymous Coward · · Score: 0

      Microsoft did this in one case to identify a criminal who was victimizing the company using its own services. Google does it for money. And that makes Google better than Microsoft? Interesting.

    2. Re:Still better than Microsoft by Anonymous Coward · · Score: 0

      Nice a 4 year old article, Google's sheeple are really stretching now....

  3. Well, yeah by Anonymous Coward · · Score: 0

    Of course they do. What else would you expect? It's Google.

  4. When will people learn by Rosco+P.+Coltrane · · Score: 5, Insightful

    Cloud = letting untrustworthy and/or incompetent companies manage your own data.

    Roll-your-own IT = hard (as in, really hard - I'm not talking managing 5 servers in a small company), but as good and/or competent as you/your organization is willing to be.

    The former looks like a good, cost-effective option until the company that manages your data screws your over or the internet goes down. The latter then starts to look like a better deal - but by then, it's too late.

    Now then, ask yourself: is Google competent? Probably. Trustworthy? Hell no...

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    1. Re:When will people learn by Aighearach · · Score: 4, Insightful

      The former looks like a good, cost-effective option until the company that manages your data screws your over or the internet goes down. The latter then starts to look like a better deal - but by then, it's too late.

      Or gets bought/merges and the people who own "your" data now don't screw you over at all; they just never made you any promises!

    2. Re:When will people learn by Anonymous Coward · · Score: 0

      No cloud in Federal Prison. Sorry Trumpies.

    3. Re:When will people learn by Anonymous Coward · · Score: 0

      Cloud = letting untrustworthy and/or incompetent companies manage your own data.

      Roll-your-own IT = hard (as in, really hard - I'm not talking managing 5 servers in a small company), but as good and/or competent as you/your organization is willing to be.

      The former looks like a good, cost-effective option until the company that manages your data screws your over or the internet goes down. The latter then starts to look like a better deal - but by then, it's too late.

      Now then, ask yourself: is Google competent? Probably. Trustworthy? Hell no...

      No such thing as a cloud. Like calling wolves the handy dog pack.

      You should be offended that people INTENTIONALLY perpetuated a false paradigm in calling servers that are never in the sky or anywhere near it but are in fact servers on the ground "someplace else".

      It caught on didn't it? Monkey see monkey do. Call it a cloud to buy it but don't treat it like anything cloud-like. They are servers and server farms and datacenters often in countries way outside of your even-potential control. Hello Ireland.

      But the Jews do this all of the time. Literally misnaming is intentional deception. Consider media and Hollywood propaganda machines in the USA especially but not only.

      Then there is the law that you can't hate Jews or you are anti-Semite. Jews are not a race. Jews are not a nationality. They are a cult/false religion.

      Put two giraffes and two lions and two sloths and two of every dog and cat and monkey and put them on a boat. Ship ahoy Noah. Feed the dogs and make it back alive. Jews and their lies. They will have you believe literally anything and there is always a reason they lie. It's to fuck you. Learn it now.

    4. Re: When will people learn by denis.goddard · · Score: 1

      My employer decided to go Full Cloud, which motivated me to make this meme

    5. Re: When will people learn by denis.goddard · · Score: 1

      ... and Slashdot doesnâ(TM)t allow posting images, apparently, so hereâ(TM)s the link (SFW)

    6. Re:When will people learn by Plugh · · Score: 1

      My employer went Full Cloud, so I made this meme

      (apologies for dupe post, slashcode issues)

      --
      Part of the Second American Revolution!
    7. Re: When will people learn by Known+Nutter · · Score: 1

      You fail.

      --
      Beware of the Leopard.
    8. Re: When will people learn by Anonymous Coward · · Score: 0

      ... and Slashdot doesnâ(TM)t allow posting images, apparently, so hereâ(TM)s the link (SFW)

      Couldn't you like, paste the URL.

      Instead of whatever you did?

    9. Re:When will people learn by Kjella · · Score: 1

      Now then, ask yourself: is Google competent? Probably. Trustworthy? Hell no...

      As a company? They don't want to be sued for breach of contract, they got deep pockets and could end up on the hook for a lot of money. Also losing/misplacing data and/or conducting industrial espionage would be a PR nightmare, just make sure the redundancy and confidentiality clauses are in the SLA and I'm pretty sure you'll get it. That is, as long as what you're paying for is a hosting service and not a free service you pay through letting them rifle through your data like GMail. As for Google's employees, well you'll probably be hiring out of the same pool of untrustworthy and incompetent people. You can of course assume you'll do so much better, but often it's in a bigger and more professional environment you spot the frauds because you have other qualified people to check their work.

      --
      Live today, because you never know what tomorrow brings
    10. Re: When will people learn by ArsenneLupin · · Score: 1
      The URL actually is there, just wrapped in a lot of crud: https://i.imgflip.com/2datqs.jpg.

      (This guy reminds me of those people that don't even manage to type a simple apostrophe, and then blame slashdot for it...)

    11. Re: When will people learn by ArsenneLupin · · Score: 1

      (This guy reminds me of those people that don't even manage to type a simple apostrophe, and then blame slashdot for it...)

      Actually, now I notice it, he is one of these guys, with his weird misplaced trademark signs in his sentence... Quite understandable that his employer preferred to outsource IT to the cloud :-)

    12. Re:When will people learn by AmiMoJo · · Score: 1

      Stop and think about this for a moment.

      What use would an email server that communicate with clients be? If you set up an email server with no SMTP, no POP3, no IMAP, what use would it be?

      So why is anyone surprised that Gmail allows clients to access it? Is it better or worse for the average person that Gmail has a more secure API that supports 2 factor auth and has a nice easy GUI where you can see what apps have what access and revoke access in a couple of clicks? Can your DIY solution do all that?

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    13. Re: When will people learn by Mashiki · · Score: 1

      Quite understandable that his employer preferred to outsource IT to the cloud :-)

      Sure explains why us old guys can make so much money fixing their mistakes though. And to think, they still believe outsourcing is the better option...for everything. We're in a sad shit world right now, where people believe everything can be cheap and good.

      --
      Om, nomnomnom...
    14. Re:When will people learn by Opportunist · · Score: 1

      cloud is a homonym to the German "klaut", which means "(he) steals".

      I doubt it's a coincidence.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    15. Re:When will people learn by Opportunist · · Score: 1

      Someone being competent doesn't mean he's trustworthy. Hint: A successful con artist is usually very competent.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    16. Re:When will people learn by OneAhead · · Score: 1

      Huh? I must have missed a chapter somewhere...

    17. Re:When will people learn by OneAhead · · Score: 1

      Never minder the penny finally dropped. Time to go do something else, I guess.

  5. I tell clients that it is probable by oldgraybeard · · Score: 1

    Everything in Gmail, 365, Hotmail, the Cloud that is not encrypted IS being accessed by who knows who. And if that is not OK changes need to be made.

    Just my 2 cents ;)

    1. Re: I tell clients that it is probable by Anonymous Coward · · Score: 1

      So u peddle in FUD to prop up your buggy whip business. Good on ya!

    2. Re: I tell clients that it is probable by Mashiki · · Score: 1

      That's not FUD though. We already know that google has in the past gone through users cloud storage and revoked/deleted content. We already know that MS stored/and/or/is storing decryption keys in a non-secure location for cloud services, and for local HDD encryption(bitlocker).

      --
      Om, nomnomnom...
    3. Re:I tell clients that it is probable by atrex · · Score: 1

      Everything in Gmail, 365, Hotmail, the Cloud that is not encrypted IS being accessed by who knows who. And if that is not OK changes need to be made.

      IIRC including the government. They left a nice big loophole in place in a 1986 law that considers any data of yours left on a server more than 180 days to be "abandoned" and thus removed from all expectations of privacy. The house passed The Email Privacy Act in Feb 2017, but it never got brought up in the Senate https://www.charlotteobserver....

    4. Re: I tell clients that it is probable by Anonymous Coward · · Score: 0

      I see. Itâ(TM)s only FUD when THEY do it

  6. The beginning of the end for Google by Anonymous Coward · · Score: 0

    More and more complaints on Googles lack of transparency, brutal blocking of Adwords / Cloud Compute accounts with no human appeal process,
    disclosing user data, altering search results and general disrespect for their customers and the public.
    It's the beginning of the end for them.

    1. Re:The beginning of the end for Google by Rosco+P.+Coltrane · · Score: 1

      I don't think so.

      - General-public, apparently-free Google services are used by individuals who don't know better, mostly don't give a damn about privacy and data protection, and just don't want to pay a cent to have access to stuff. Not to mention, Google having become a virtual monopoly, good luck finding alternatives to many services that have become essential. No, Vimeo or Dailymotion aren't as good as Youtube. And Google managed to make their products so amazingly good and attractive that using something else for the sake of principles is really, really painful.

      - Enterprise-level Google products are targeted at companies that mostly care about how much they can save by getting rid of their IT people and infrastructure, and don't seem to understand the intrinsic value of the company's data and the risk associated with sharing it or losing it.

      Google is a drug that's really hard to wean yourself of, whether you're Joe Consumer or a company. And as much as I hate to say it, that's to Google's credit. So no, it's not the beginning of the end at all for them: their future looks very bright indeed - and that of those who don't want to live in a corporate surveillance society, bleaker by the day.

      --
      "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  7. No actual problem here by Anonymous Coward · · Score: 2

    Don't trust someone to read your email? Then don't give them access to your email.

    This is an opt-in process that is clearly disclosed when you sign up for whatever random app requests access to your email. Nothing sneaky or underhanded at all, at least not on the part of Google. Maybe it's foolish to grant access to these apps, but that's the user's decision. Frankly the fact that Google performs any sort of vetting at all is more than they need to do.

    The only thing that Google could stand to improve is the control and granularity of the permissions. Just as Android has been moving to a blurry, vague model for permissions where average users have no idea what they're actually permitting, it's no surprise that users of Google's web services are experiencing similar problems. If nothing else, reading mail, sending mail, and managing mail you've received should all be separate permissions.

    1. Re:No actual problem here by Rosco+P.+Coltrane · · Score: 1

      The problem is, if you send an email to someone whose email system is managed by Google, you didn't sign up for anything, nor did you give Google and their business buddies your consent to exploit your email, but they do it anyway.

      --
      "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    2. Re:No actual problem here by kqs · · Score: 2

      So? Do you think that when you send someone email, you can control what they do with it? That's impressively arrogant. If they have chosen to let someone else access their email, whether it is a personal assistant, or Google, or Bozo the Clown, you have no say unless you have some legal contract with them.

      As to the subject of TFA: It's always tough to parse through the WSJ's misinformation to find the truth, but in this case I _think_ they are saying "if some plugin asks for access to your email and you approve, then that plugin has access to your email. Also, you should have fear, uncertainty, and doubt about Google."

  8. "price-comparison deals or other programs" by Anonymous Coward · · Score: 1

    the hell does that even mean??

    1. Re:"price-comparison deals or other programs" by farble1670 · · Score: 1

      It means some developer honey potted users into giving them access to their email by offering users access to some lame deal of the day website.

      I don't see the problem. If people want to exchange share their emails for internet goodies, that's up to them. The point is that this was fully voluntary and obvious to the user.

    2. Re:"price-comparison deals or other programs" by Anonymous Coward · · Score: 0

      They scan your receipts and check if the prices on the items you bought drop within the next 30 days. A lot of credit card companies and other businesses have price matching guarantees. Price-comparison companies automatically try to figure out when you can use these benefits.

  9. trust by cascadingstylesheet · · Score: 4, Insightful

    Unfortunately, you pretty much have to trust somebody.

    Hosting your own email on your own server is not easy. It's not going to be the common way for all but a few odd geeks.

    The rest? Gotta trust somebody ... your ISP, or Gmail, or MS, or some guys in Switzerland who assure you that they are the safe option, or ...

    1. Re:trust by kqs · · Score: 1

      There are a few odd geeks who can run their own mailserver. There are far fewer geeks who can run a mailserver correctly and securely. I say that as someone who ran mailservers for over two decades, and who now uses gmail for their mail because it is far more secure than anything I can build.

    2. Re:trust by Anonymous Coward · · Score: 0

      The question is: secure from what?

      GMail might be far more secure than what you run at home against anyone other than Google.

      But if you want to secure your mail against Google, anything you run at home will be far more secure than GMail.

      Oh and there is no reason you can't have both and use each according to need.

      -- odd geek who runs own mailserver

    3. Re:trust by cascadingstylesheet · · Score: 1

      There are a few odd geeks who can run their own mailserver. There are far fewer geeks who can run a mailserver correctly and securely. I say that as someone who ran mailservers for over two decades, and who now uses gmail for their mail because it is far more secure than anything I can build.

      Precisely.

    4. Re:trust by Anonymous Coward · · Score: 0

      Unfortunately, you pretty much have to trust somebody.

      I've mostly come to accept Google as my mail provider. I'm OK with that.

      Would I ever let an app have access to my email? Oh hell no.

      I find 99% of apps are pointless garbage, and their only purpose is to scrape your data, show you ads, and sell your data. Those companies can kiss my lily white ass.

      I have several tests for a new app ... can it run in airplane mode when it should? ... does it prompt me for access to stuff I don't want it to? ... does it have any more functionality than a website? ... does it ask me for my Facebook information?

      For a lot of apps, the first can cause an immediate deletion ... the second causes me to skip the install entirely ... and the third will cause me to uninstall if the answer is 'no', because if it's just a clone of their website, the only reason it's an app is for ads, analytics, and scraping through your email and contacts. I don't use Facebook, but if you're an app that wants Facebook information, you are dead to me because I assume your app serves no actual purpose.

      Sorry, you're a note-taking app, you need neither access to the internet, nor access to my contacts, so you're being uninstalled.

      The problem is everyone has become so besotted with apps they don't stop to think about what the implications.

      LinkedIn has been annoying for this lately ... they keep sending me emails saying I should give them my email address and password so they can look for contacts to add. No, sorry, fuck you, if I want to import contacts, I'll do it my own fucking self without giving you shitheads access to my email.

      Nobody is forcing you to install these apps. But apparently most people are unable to realise that certain apps asking for your contacts and your email and all sorts of other shit should be a red flag to say "what the fuck is this app doing that it wants this shit?"

      We need to be moving towards locking down what companies can collect about you and what they can do with it. Because the internet has become a shithole which is mostly about asshole ad companies trying to profit of everything ... and the 10-30 external domains I see in the average web page that I block tells me that the average person is unwittingly handing over gobs of personal information to parasites who add nothing to value to anybody.

      Fuck analytics companies. I'll block them like crazy. I don't give a shit about their business model.

    5. Re:trust by Anonymous Coward · · Score: 0

      Of course the difference between Google and ProtonMail is that the Proton guys make their mail server code fully open for inspection. Now, is there anything saying they're not siphoning off emails in that brief period of time they're actually readable in memory? Nope. On the other hand, and others have pointed out, even encrypted email is not private. Once you send something, or someone sends you something, there is no guarantee of privacy at all.

  10. BBC by Anonymous Coward · · Score: 0

    Trump voters enjoy big black cock.

  11. Read the article you linked to! by Anonymous Coward · · Score: 3, Funny

    Read the article you linked to. You consent to it when you agree to the terms of service:

    The search was legal because it fell within Microsoft's terms of service which state that the company can access information in accounts that are stored on its "Communication Services", which includes email, chat areas, forums, and other communication facilities.

    The terms of service add: "Microsoft reserves the right to review materials posted to the Communication Services and to remove any materials in its sole discretion."

    If you don't like the terms of service then don't use the service!

    1. Re:Read the article you linked to! by Anonymous Coward · · Score: 0

      Terms of Service != The Law
      &&
      Terms of Service The Law

      Just as I can't make a "Terms of Service" contract that makes someone my slave for a billion years *hintety hint hint* and have it carry ANY legal weight whatsoever, ALL contracts are subject to the Law.

      Saying "you're my property because you signed the paper" doesn't make it so.

    2. Re:Read the article you linked to! by Anonymous Coward · · Score: 0

      Serves me right for not proofreading...

      Terms of Service != The Law
      &&
      Terms of Service < The Law

    3. Re:Read the article you linked to! by Anonymous Coward · · Score: 0

      If you use the service or application without reading the terms of service you are making a deliberate and binding decision. Terms of service agreements have been litigated in the court system with the terms of service winning the argument. And your slavery analogy is ass backwards. If the terms of service specified you would become a slave then you would have to consciously make a decision on whether or not you want to be a slave.
      It's become increasingly clear that growing number of people in today's society absolutely refuse to take responsibility for their choices and actions in life and as a result today's society has become dysfunctional People are defining themselves by the things they hate instead of the things they like. Lying, directly or by omission, combined with non-stop and hateful rhetoric has become the norm.

    4. Re:Read the article you linked to! by fisted · · Score: 1

      A < B implies A != B, you're being redundant

      --
      CLI paste? paste.pr0.tips!
    5. Re:Read the article you linked to! by allo · · Score: 1

      legal != consent

  12. As long as they are government employees by Anonymous Coward · · Score: 0

    ... but say they are not, yeah?

    Do No Evil. - lolol

  13. google login by Anonymous Coward · · Score: 0

    This! is why I don't use google or facebook to login to 3rd party sites

  14. This is a surprise because.... ??? by Anonymous Coward · · Score: 0

    > Hundreds of app developers electronically "scan" inboxes of the people who signed up for some of these programs, and in some cases, employees do the reading, the paper reported.

    So, let me get this straight... someone is making a big deal out of the fact that if you give a company permission to read your emails, they might read your emails? And once they have your emails, they might make use of them for something other than what they said, or actual real people might look at them?

    This is a surprise to... who, exactly?

    "Journalism" of the highest order, obviously.

    1. Re:This is a surprise because.... ??? by Rosco+P.+Coltrane · · Score: 1

      Again, you don't seem to realize that scanning Google customers' inboxes doesn't only impact Google customers, but anybody who emails them as well. Half of the content of anybody's inbox is composed of messages they received from somebody else, who may or may not agree to have their emails scanned by Google themselves.

      --
      "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    2. Re:This is a surprise because.... ??? by AHuxley · · Score: 1

      A computer system internal to a brand for their own ads was what most people would have expected.
      Not hundreds of app developers.. AC

      --
      Domestic spying is now "Benign Information Gathering"
    3. Re: This is a surprise because.... ??? by Anonymous Coward · · Score: 0

      If you send someone an email there is nothing stopping that individual from publishing it to the world. Don't pretend that sent emails are still your property.

  15. Perverts by Anonymous Coward · · Score: 0

    In Google's case, outside developers must pass a vetting process, and as part of that, Google ensures they have an acceptable privacy agreement

    I'm sure you could get a lot of perverts to provide a privacy agreement and pass a vetting process. If they're really big perverts, they can start working for the NSA.

  16. Privacy Agreements by Anonymous Coward · · Score: 0

    So while the 3rd party developers will read through your emails at their pleasure for naked pictures and your private tax information, they promise not to tell your husband/wife who you are sending those naked pictures to.

    1. Re:Privacy Agreements by AHuxley · · Score: 1

      Its all anonymized about humans so its ok?

      --
      Domestic spying is now "Benign Information Gathering"
  17. FUD by farble1670 · · Score: 4, Insightful

    These people explicitly signed up for the service and granted it access. Look at the screen caps in the linked article:
    https://amp.thisisinsider.com/...

    It says right there "VIEW ... YOUR EMAIL IN GMAIL". If you were dumb enough to do this, and want to undo it, just go to your account settings and revoke that developers' access.

    1. Re:FUD by Anonymous Coward · · Score: 0

      One, yes the article/summary specifically mentions you have to sign up and opt-in. Two, the actual text is "View, manage, and permanently delete your mail in Gmail" which is not in all caps but is the first thing in the box. Three, Android has basically trained people to see such boxes and just click "okay"/"got it", not unlike EULA windows have trained people to click "I agree" radio and "Next ->" without actually meaningfully reading the content.

      But, I do like how you say "if you were dumb enough to do this" without qualifying "without realizing it" just "want to undo it". So, you agree it's a dumb thing to do to allow third party access to your gmail? Dumb enough that Google really shouldn't allow it? Because that would seem to be the point, so I don't see how it's FUD. We seem to be on the same page about how bad this is.

    2. Re:FUD by Anonymous Coward · · Score: 0

      So, you agree it's a dumb thing to do to allow third party access to your gmail? Dumb enough that Google really shouldn't allow it? Because that would seem to be the point, so I don't see how it's FUD.

      Not FUD, but certainly a spin to try and put Google in a bad light.
      Many people, quite a surprising amount right here on Slashdot, seem to fall for it trivially easy.

      Imagine the reaction from slashdot, if Google didn't and never had a way to do this.
      A few app developers that asked for this API and were denied would be the ones writing articles to complain, but writing as if they are only gmail users and saying "Google will not allow us to do with our emails as we please, they are restricting the use of my own emails!"

      Opposite spin but towards the same ends. And you know many of the same people would then complain about that being wrong and how it's not Googles choice what you do with your own email, and how wrong they are to stop you from giving such access so long as there is a way for us not to do it...
      (Right before saying you should run your own mail server, then you can grant access to anyone you want)

    3. Re:FUD by Anonymous Coward · · Score: 0

      A few app developers that asked for this API and were denied would be the ones writing articles to complain, but writing as if they are only gmail users and saying "Google will not allow us to do with our emails as we please, they are restricting the use of my own emails!"

      Ie developers in bad faith would misrepresent themselves as a means to manipulate Google to gain access to information.

      Opposite spin but towards the same ends. And you know many of the same people would then complain about that being wrong and how it's not Googles choice what you do with your own email, and how wrong they are to stop you from giving such access so long as there is a way for us not to do it...

      The issue is that Google isn't merely granting access and being a neutral party. They've placed themselves in a position of guardianship of your data to "vet" developer access. Why? Because if they didn't then anyone could get access (with permission) and the competitive advantage Google has to Gmail access would be lost. At that point, it would be almost like you were running your own mail server, and I'm sure Microsoft and Facebook would love to mandate access if you have a gmail account.

      So, I definitely agree with your general point that regardless people will find a reason to bitch and moan about whatever Google[/Microsoft/Facebook] does/doesn't do. But if you're going to make an actual counterargument to the claims made, it's best to present it like you have and not how the GP did as if it weren't a potential issue with consequences.

      If it turns out that some developers were acting in bad faith with their access, does Google suffer for failing to do a good job vetting? It's enough to make it clear today that such access requests do exist (since I personally have never had such a request made beyond maybe by Android/Google). If that alone is FUD, then it really only is because everyone seems to agree that scummy developers exist who will act in bad faith. The real question then is if Google's vetting process is sufficient--which I inherently doubt--and what the actual consequences turn out to be. So, we should all be made aware and be on alert that such requests will be made, so we know to refuse them.

    4. Re:FUD by Anonymous Coward · · Score: 0

      People get spammed with so many dialogs and information they naturally ignore most of it. We've been trained to do so.

      Take that stupid EU GDPR for example: it forces sites to spam you with even more cookie warnings, consent dialogs and privacy statements that rival "War and Peace" in length. Do YOU read through all those?

    5. Re:FUD by Anonymous Coward · · Score: 0

      The fact that so many people think Google or any other top tier email provider is just giving people access to your emails is...I guess it doesn't surprise me anymore that people believe whatever they want to believe now. Common sense, critical thinking, basic reading comprehension, and the truth don't matter anymore.

    6. Re:FUD by AmiMoJo · · Score: 1

      Indeed, this has been common for years.

      For example, Hotmail/Windows Live Mail/whatever it's called this week allows you to import and sync with Gmail if you grant it access to read your emails. You can create access tokens so that email clients like Thunderbird can access your mailbox even with 2 factor auth turned on.

      It's a feature that people want. It would be much WORSE if you couldn't do this, because then your email would be stuck in Gmail with no way to interoperate or extract it.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  18. In the words of Hollywood action movie actors. by Anonymous Coward · · Score: 0

    thenyoumustkillthem.

  19. Want business class? Buy a business account by ebrandsberg · · Score: 1

    This only applies for the non-business service. Just like the post yesterday about the Google cloud account that was shut down for "suspicious activity" when they didn't pay for business level service either, and had no SLA in place. If you want real privacy, make sure your Google apps account is under a BAA and claim you will handle HIPAA data. They would be crazy to allow a third part to view your mail then.

  20. OAUTH2 is not "Google" giving access by Alascom · · Score: 5, Informative

    Google is NOT giving anyone access to users email inboxes. Period. Full stop. End of story. Shame on Slashdot editors for ever allowing this submission.

    USERS are giving 3rd party sites access to their own email by clicking "accept" on OAUTH2 requests that explicitly tell the user in big bold letters that by clicking OK they will be giving a 3rd party access to "VIEW MANAGE AND DELETE YOUR EMAIL, COMPOSE AND SEND NEW EMAIL". This isn't misleading, subtle, or accidental access - it is gross incompetence on the part of the user.

    Read more here: https://en.wikipedia.org/wiki/...

    But fake news generates fake headlines and fake outrage which leads to higher click-thru rates and more ad impressions for the website.

    1. Re:OAUTH2 is not "Google" giving access by Anonymous Coward · · Score: 0

      Google is NOT giving anyone access to users email inboxes. Period. Full stop. End of story. Shame on Slashdot editors for ever allowing this submission.

      Except they are.

      USERS are giving 3rd party sites access to their own email by clicking "accept" on OAUTH2 requests

      There is nothing about OAUTH2 that mandates that a server provide any specific access to any specific resource as a byproduct of non-credential sharing authorization sharing. It is entirely within Google's purview to block such access or limit it in some fashion, especially in the scope of its use by 3rd party companies. If it were not the case, the whole notion of a "vetting" process would be nonsensical.

      that explicitly tell the user in big bold letters that by clicking OK they will be giving a 3rd party access to "VIEW MANAGE AND DELETE YOUR EMAIL, COMPOSE AND SEND NEW EMAIL".

      The text is neither bold nor in caps. And you click "Got it" not "OK". And the actual text is different but the substance of the meaning is the same. Otherwise, you're correct.

      This isn't misleading, subtle, or accidental access - it is gross incompetence on the part of the user.

      Google creates tool that can only be used to blow a user's foot off, and we put 100% of the blame on the user? Sure, the user is far from blameless, but you think it isn't "gross incompetence" on Google's part to think they can create a vetting process and rely upon a privacy agreement by a 3rd party to somehow mediate this? You want to argue that Google is just a tool maker and people want to blow their foot off, so they're eager to help them, that's something. But then you'll have to simultaneously explain the various ways in which Google is also playing nanny on search results. Clearly Google is being at minimal very inconsistent.

    2. Re:OAUTH2 is not "Google" giving access by Anonymous Coward · · Score: 0

      You are only half right, google are allowing this via an OAUTH2 token, nothing says they have to enable this avenue of 3rd party access. Yes the users are agreeing to it or being tricked into it, but google is also permitting it.

    3. Re:OAUTH2 is not "Google" giving access by piojo · · Score: 1

      Google creates tool that can only be used to blow a user's foot off, and we put 100% of the blame on the user? Sure, the user is far from blameless, but you think it isn't "gross incompetence" on Google's part to think they can create a vetting process and rely upon a privacy agreement by a 3rd party to somehow mediate this?

      An API to access a private service is hardly a "tool that can only be used to blow a user's foot off". Certainly there are companies that vet every access to their APIs, but is that really appropriate for a user who is letting an app access their inbox? Does an IMAP admin vet and approve every e-mail client a user can use?

      If Google vetted and approved or rejected each API usage, I suspect we would be complaining that GMail is locking up our data.

      --
      A cat can't teach a dog to bark.
    4. Re:OAUTH2 is not "Google" giving access by Anonymous Coward · · Score: 0

      An API to access a private service is hardly a "tool that can only be used to blow a user's foot off".

      Great way to underplay what this is. It's a means for a 3rd part to read, delete, or create/send emails from your account. The GP makes clear they believe that a user allowing this is "gross incompetence". I agree.

      Certainly there are companies that vet every access to their APIs, but is that really appropriate for a user who is letting an app access their inbox? Does an IMAP admin vet and approve every e-mail client a user can use?

      Apples and oranges. There's nothing about using a different e-mail client that involves a 3rd party precisely because a user has to use their credentials. The closest equivalent would be an admin vetting multiple IPs in multiple locations are all simultaneously using an account. Nominally that's suspicious behavior.

      If Google vetted and approved or rejected each API usage, I suspect we would be complaining that GMail is locking up our data.

      No doubt. One can still make the claim because Google makes clear they are vetting who can use said API, which means it still takes Google's approval to do these things. But even on the extremes of no 3rd party access or any 3rd party access with authorization, I'm sure people could find reason to complain about some aspect of what's going on. If that's all that is taken away from this--people bitch about things--then I think the point is being missed. The only really relevant thing to me is that there is a way to give 3rd parties substantial access to my Gmail account. Knowing this, I'll even be more wary of agreeing to anything that pops up from Google.

  21. How do I opt out? by Anonymous Coward · · Score: 0

    Ever since I installed that inbox app, my emails are.clumoed together in groups and my travel itineraries are grouped and analysed. I need to now assume I am affected.

    How do I opt out? There isn't any easy information, nor did I ever give permission to 3rd parties to read my emails. That's unacceptable. If using Gmail means I have to give permission to this, this will stop me using them after signing up in the early days of the invite only process.

  22. FOSTA requires email scanning by Anonymous Coward · · Score: 0

    Any site that provides web-based email must scan it to prove an attempt to comply with FOSTA's requirement to make sure their site isn't enabling coordination of sex trafficking. Otherwise, they could lose big in a civil suit.

    Given that that is required, just assume your email is no longer private unless you're encrypting it.

  23. All free email does this. by DogDude · · Score: 1

    All free email providers read your email. That's why it's free, dummy.

    --
    I don't respond to AC's.
    1. Re:All free email does this. by Anonymous Coward · · Score: 0

      Protonmail doesn't read my email. They actually can't, because my inbox is encrypted.

    2. Re:All free email does this. by DogDude · · Score: 1

      That's because you have to pay for Protonmail. I can't imagine any company that's providing email for a fee is going to scour email. They could be sued.

      --
      I don't respond to AC's.
    3. Re:All free email does this. by Anonymous Coward · · Score: 0

      No I don't. My Protonmail account is free.

    4. Re:All free email does this. by DogDude · · Score: 0

      You have a tiny starter account that most people would outgrow in a few weeks. Anything usable costs money. That's why they don't go through your email.

      --
      I don't respond to AC's.
    5. Re:All free email does this. by Anonymous Coward · · Score: 0

      No, most people using it for personal use would not outgrow it in a few weeks. If one were using it for business, then they would probably get a paid account.

    6. Re:All free email does this. by Anonymous Coward · · Score: 0

      500MB storage
      150 emails per day

      Even if we say a single email is a whopping 10KB (10,000 characters, or 20 times the size of your average college essay), that's 50,000 messages. Most people don't receive anywhere near 150 emails per day nor do they receive anywhere near 50,000 emails in a few weeks as you claim that they do.

    7. Re:All free email does this. by Anonymous Coward · · Score: 0

      I've had my gmail account for over 15 years (judging by my oldest message) and I only use ~64MB. So, I'll probably be dead before I hit the 500MB limit. :)

    8. Re:All free email does this. by allo · · Score: 1

      The headers of a mail are like 2kb. The plain text part of the mail is lik 1-2 kb. The HTML part is like 10 kb. The icons attached for the html part are 200 kb. The images in the html part to look pretty are 2 MB.

  24. That's just about enough, I think... by Hallux-F-Sinister · · Score: 1

    Google has made my ever-expanding list of "free" services I'm going to have to stop using.

    --
    Our reign has gone on long enough. Indeed. Summon the meteors.
  25. Why is anyone surprised? by Anonymous Coward · · Score: 0

    If you still trust Google, you are either 14 or a Google employee. Everyone else knows better. They aren't going to stop until they are forced to.

  26. Aren't paying for a service, you are the product by Anonymous Coward · · Score: 0

    This is true, but you'll never find my email on a large centralized email solution.

    Live by the cloud, die by the cloud. Security and privacy are different things. Google knows lots about both. Sadly, they know how to break privacy and doing so is their primary business model.

    I've been running email servers about 25 yrs now. The real server is at home with a 2-way gateway sitting on a $5/month VPS. Protected by Smith & Wesson with FDE too. The VPS is patched daily, current, maintained. The real email server in my home office only accepts and sends email to that VPS box. It is patched weekly and doesn't really sit on the internet.

    I won't run my own public DNS. Got burned in 2002 over that, but email isn't nearly THAT hard.
    If someone wants access to the email server, they'll need to break into our home. Breaking in wouldn't be hard, but some trace would be left behind and I'd know it had happened. FDE is a nice thing to have and a hassle, but at least we know when data is being stolen.

    Unlike with cloudy providers of anything, where you only know what you've been told. There's no way to verify anything.

  27. Surprise, surprise. by Anonymous Coward · · Score: 0

    Don't fret over privacy (hey, our whole business model is based on fucking over your personal data, after all!).

    Guess you get what you pay for.

    My take? Avoid Google. Avoid Facebook. And Amazon, Microsoft, Apple. And a bunch of others.

  28. Go ahead by Opportunist · · Score: 1

    All that's in my GMail account is a furry porn collection.

    It's the online equivalent of sending live tics with the mail in a state that has its security routinely open envelopes...

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Go ahead by mujadaddy · · Score: 1

      Are you in Pittsburgh today?

      Also, don't you find the 15GB limiting?

      --
      Populus vult decipi, ergo decipiatur...
      "Force shits upon Reason's back." - Poor Richard's Almanac
  29. Check your account access by Anonymous Coward · · Score: 0

    Here's a link to check what 3rd party apps have account access and what type

    https://myaccount.google.com/permissions

    1. Re:Check your account access by cboslin · · Score: 1
      Thanks for including that link, your post should NOT have been down rated to zero! If you had not listed it I was going to.

      One important caveat, I do not believe that link (https://myaccount.google.com/permissions) automatically includes all 3rd parties. For others, here is an article about this, that is NOT behind a paywall, from the BBC dated July 3, 2018: https://www.bbc.com/news/technology-44699263.

      The link at the end of the above https://myaccount.google.com/p...">article, has a link to Google's Security Checkup Page, funny when I went there, it said I have one app, that I did give access too, that I might want to consider removing...fyi, that site cannot read my emails, what is funny, is when I go to the link provided above looking for applications that I gave Permission to to read my email, that app is NOT listed...my guess is it is a "3rd Party application with limited (cannot read emails) access to my account.

      In fact, per that page, I have NOT given any applications access to my Google gMail account. Of course I know it (Google's Primary checkup page) is NOT checking for 3rd party sites.

      Like everything online, the devil is in the details and most people (me included sometimes) do not make time to dig into the details...deep in the bowls of the FREE website. Hey its FREE, we are giving them something, else its not cost effective for them to provide that service for FREE.

      And if you do read the Terms of Service (ToS) of every website, there is a very good chance you would miss the sentenance where you gave them access to everything about you as they are rarely straight forward.

      For Reference:
      https://www.bbc.com/news/business-26677607Here is a 2012 article about this same issue with Microsoft

      I am sure I could find this for every other email service, especially if it is free, online, to be honest I do not want to bother looking.

      An important point to consider,

      my guess is all the websites work like this, to be sure check your email application's FAQs or better yet other blogs not controlled by the company that put out that email package

      , is that if you have given a 3rd party access, even when you later turn it off, it will NOT automatically turn off ALL 3rd Party access, only future 3rd party access.

      From Microsoft Outlook: If Integrated Apps is turned off, apps that have already been installed and have permission to access information won't be uninstalled, and the permissions won’t be removed. Even though Integrated Apps is turned off,....

      Look for a place where each app is listed and can individually be turned off if you want to later block third party applications!