Slashdot Mirror


Google Allows Outside App Developers To Read People's Gmails, Says Report (thisisinsider.com)

According to The Wall Street Journal, hundreds of app developers have access to millions of inboxes belonging to Gmail users (Warning: source paywalled; alternative source). The developers reportedly receive access to messages from Gmail users who signed up for things like price-comparison services or automated travel-itinerary planners. Some of these companies train software to scan the email, while others enable their workers to pore over private messages. INSIDER reports: It's not news that Google and many top email providers enable outside developers to access users' inboxes. In most cases, the people who signed up for the price-comparison deals or other programs agreed to provide access to their inboxes as part of the opt-in process. In Google's case, outside developers must pass a vetting process, and as part of that, Google ensures they have an acceptable privacy agreement, The Journal reported, citing a Google representative.

What is unclear is how closely these outside developers adhere to their agreements and whether Google does anything to ensure they do, as well as whether Gmail users are fully aware that individual employees may be reading their emails, as opposed to an automated system, the report says. It's interesting to note that, judging from The Journal's story, very little indicates that Google is doing anything different from Microsoft or other top email providers. According to the newspaper, nothing in Microsoft or Yahoo's policy agreements explicitly allows people to read others' emails.

  1. OMG by cesarbp · · Score: 2

    Oh my god, my private porn now is public?

  2. When will people learn by Rosco+P.+Coltrane · · Score: 5, Insightful

    Cloud = letting untrustworthy and/or incompetent companies manage your own data.

    Roll-your-own IT = hard (as in, really hard - I'm not talking managing 5 servers in a small company), but as good and/or competent as you/your organization is willing to be.

    The former looks like a good, cost-effective option until the company that manages your data screws you over or the internet goes down. The latter then starts to look like a better deal - but by then, it's too late.

    Now then, ask yourself: is Google competent? Probably. Trustworthy? Hell no...

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    1. Re:When will people learn by Aighearach · · Score: 4, Insightful

      The former looks like a good, cost-effective option until the company that manages your data screws you over or the internet goes down. The latter then starts to look like a better deal - but by then, it's too late.

      Or gets bought/merges and the people who own "your" data now don't screw you over at all; they just never made you any promises!

    2. Re: When will people learn by denis.goddard · · Score: 1

      My employer decided to go Full Cloud, which motivated me to make this meme

    3. Re: When will people learn by denis.goddard · · Score: 1

      ... and Slashdot doesnâ(TM)t allow posting images, apparently, so hereâ(TM)s the link (SFW)

    4. Re:When will people learn by Plugh · · Score: 1

      My employer went Full Cloud, so I made this meme

      (apologies for dupe post, slashcode issues)

    5. Re: When will people learn by Known+Nutter · · Score: 1

      You fail.

      --
      Beware of the Leopard.
    6. Re:When will people learn by Kjella · · Score: 1

      Now then, ask yourself: is Google competent? Probably. Trustworthy? Hell no...

      As a company? They don't want to be sued for breach of contract, they got deep pockets and could end up on the hook for a lot of money. Also losing/misplacing data and/or conducting industrial espionage would be a PR nightmare, just make sure the redundancy and confidentiality clauses are in the SLA and I'm pretty sure you'll get it. That is, as long as what you're paying for is a hosting service and not a free service you pay through letting them rifle through your data like GMail. As for Google's employees, well you'll probably be hiring out of the same pool of untrustworthy and incompetent people. You can of course assume you'll do so much better, but often it's in a bigger and more professional environment you spot the frauds because you have other qualified people to check their work.

      --
      Live today, because you never know what tomorrow brings
    7. Re: When will people learn by ArsenneLupin · · Score: 1

      The URL actually is there, just wrapped in a lot of crud: https://i.imgflip.com/2datqs.jpg.

      (This guy reminds me of those people that don't even manage to type a simple apostrophe, and then blame slashdot for it...)

    8. Re: When will people learn by ArsenneLupin · · Score: 1

      (This guy reminds me of those people that don't even manage to type a simple apostrophe, and then blame slashdot for it...)

      Actually, now I notice it, he is one of these guys, with his weird misplaced trademark signs in his sentence... Quite understandable that his employer preferred to outsource IT to the cloud :-)

    9. Re:When will people learn by AmiMoJo · · Score: 1

      Stop and think about this for a moment.

      What use would an email server that communicate with clients be? If you set up an email server with no SMTP, no POP3, no IMAP, what use would it be?

      So why is anyone surprised that Gmail allows clients to access it? Is it better or worse for the average person that Gmail has a more secure API that supports 2 factor auth and has a nice easy GUI where you can see what apps have what access and revoke access in a couple of clicks? Can your DIY solution do all that?

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    10. Re: When will people learn by Mashiki · · Score: 1

      Quite understandable that his employer preferred to outsource IT to the cloud :-)

      Sure explains why us old guys can make so much money fixing their mistakes though. And to think, they still believe outsourcing is the better option...for everything. We're in a sad shit world right now, where people believe everything can be cheap and good.

      --
      Om, nomnomnom...
    11. Re:When will people learn by Opportunist · · Score: 1

      cloud is a homonym to the German "klaut", which means "(he) steals".

      I doubt it's a coincidence.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    12. Re:When will people learn by Opportunist · · Score: 1

      Someone being competent doesn't mean he's trustworthy. Hint: A successful con artist is usually very competent.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    13. Re:When will people learn by OneAhead · · Score: 1

      Huh? I must have missed a chapter somewhere...

    14. Re:When will people learn by OneAhead · · Score: 1

      Never mind, the penny finally dropped. Time to go do something else, I guess.

  3. I tell clients that it is probable by oldgraybeard · · Score: 1

    Everything in Gmail, 365, Hotmail, the Cloud that is not encrypted IS being accessed by who knows who. And if that is not OK changes need to be made.

    Just my 2 cents ;)

    1. Re: I tell clients that it is probable by Anonymous Coward · · Score: 1

      So u peddle in FUD to prop up your buggy whip business. Good on ya!

    2. Re: I tell clients that it is probable by Mashiki · · Score: 1

      That's not FUD though. We already know that Google has in the past gone through users' cloud storage and revoked/deleted content. We already know that MS stored/and/or/is storing decryption keys in a non-secure location for cloud services, and for local HDD encryption (BitLocker).

      --
      Om, nomnomnom...
    3. Re:I tell clients that it is probable by atrex · · Score: 1

      Everything in Gmail, 365, Hotmail, the Cloud that is not encrypted IS being accessed by who knows who. And if that is not OK changes need to be made.

      IIRC including the government. They left a nice big loophole in place in a 1986 law that considers any data of yours left on a server more than 180 days to be "abandoned" and thus removed from all expectations of privacy. The house passed The Email Privacy Act in Feb 2017, but it never got brought up in the Senate https://www.charlotteobserver....

  4. No actual problem here by Anonymous Coward · · Score: 2

    Don't trust someone to read your email? Then don't give them access to your email.

    This is an opt-in process that is clearly disclosed when you sign up for whatever random app requests access to your email. Nothing sneaky or underhanded at all, at least not on the part of Google. Maybe it's foolish to grant access to these apps, but that's the user's decision. Frankly the fact that Google performs any sort of vetting at all is more than they need to do.

    The only thing that Google could stand to improve is the control and granularity of the permissions. Just as Android has been moving to a blurry, vague model for permissions where average users have no idea what they're actually permitting, it's no surprise that users of Google's web services are experiencing similar problems. If nothing else, reading mail, sending mail, and managing mail you've received should all be separate permissions.

    1. Re:No actual problem here by Rosco+P.+Coltrane · · Score: 1

      The problem is, if you send an email to someone whose email system is managed by Google, you didn't sign up for anything, nor did you give Google and their business buddies your consent to exploit your email, but they do it anyway.

      --
      "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    2. Re:No actual problem here by kqs · · Score: 2

      So? Do you think that when you send someone email, you can control what they do with it? That's impressively arrogant. If they have chosen to let someone else access their email, whether it is a personal assistant, or Google, or Bozo the Clown, you have no say unless you have some legal contract with them.

      As to the subject of TFA: It's always tough to parse through the WSJ's misinformation to find the truth, but in this case I _think_ they are saying "if some plugin asks for access to your email and you approve, then that plugin has access to your email. Also, you should have fear, uncertainty, and doubt about Google."

  5. "price-comparison deals or other programs" by Anonymous Coward · · Score: 1

    the hell does that even mean??

    1. Re:"price-comparison deals or other programs" by farble1670 · · Score: 1

      It means some developer honey potted users into giving them access to their email by offering users access to some lame deal of the day website.

      I don't see the problem. If people want to exchange share their emails for internet goodies, that's up to them. The point is that this was fully voluntary and obvious to the user.

  6. trust by cascadingstylesheet · · Score: 4, Insightful

    Unfortunately, you pretty much have to trust somebody.

    Hosting your own email on your own server is not easy. It's not going to be the common way for all but a few odd geeks.

    The rest? Gotta trust somebody ... your ISP, or Gmail, or MS, or some guys in Switzerland who assure you that they are the safe option, or ...

    1. Re:trust by kqs · · Score: 1

      There are a few odd geeks who can run their own mailserver. There are far fewer geeks who can run a mailserver correctly and securely. I say that as someone who ran mailservers for over two decades, and who now uses gmail for their mail because it is far more secure than anything I can build.

    2. Re:trust by cascadingstylesheet · · Score: 1

      There are a few odd geeks who can run their own mailserver. There are far fewer geeks who can run a mailserver correctly and securely. I say that as someone who ran mailservers for over two decades, and who now uses gmail for their mail because it is far more secure than anything I can build.

      Precisely.

  7. Read the article you linked to! by Anonymous Coward · · Score: 3, Funny

    Read the article you linked to. You consent to it when you agree to the terms of service:

    The search was legal because it fell within Microsoft's terms of service which state that the company can access information in accounts that are stored on its "Communication Services", which includes email, chat areas, forums, and other communication facilities.

    The terms of service add: "Microsoft reserves the right to review materials posted to the Communication Services and to remove any materials in its sole discretion."

    If you don't like the terms of service then don't use the service!

    1. Re:Read the article you linked to! by fisted · · Score: 1

      A < B implies A != B, you're being redundant

    2. Re:Read the article you linked to! by allo · · Score: 1

      legal != consent

  8. Re:The beginning of the end for Google by Rosco+P.+Coltrane · · Score: 1

    I don't think so.

    - General-public, apparently-free Google services are used by individuals who don't know better, mostly don't give a damn about privacy and data protection, and just don't want to pay a cent to have access to stuff. Not to mention, Google having become a virtual monopoly, good luck finding alternatives to many services that have become essential. No, Vimeo or Dailymotion aren't as good as Youtube. And Google managed to make their products so amazingly good and attractive that using something else for the sake of principles is really, really painful.

    - Enterprise-level Google products are targeted at companies that mostly care about how much they can save by getting rid of their IT people and infrastructure, and don't seem to understand the intrinsic value of the company's data and the risk associated with sharing it or losing it.

    Google is a drug that's really hard to wean yourself of, whether you're Joe Consumer or a company. And as much as I hate to say it, that's to Google's credit. So no, it's not the beginning of the end at all for them: their future looks very bright indeed - and that of those who don't want to live in a corporate surveillance society, bleaker by the day.

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  9. Re:This is a surprise because.... ??? by Rosco+P.+Coltrane · · Score: 1

    Again, you don't seem to realize that scanning Google customers' inboxes doesn't only impact Google customers, but anybody who emails them as well. Half of the content of anybody's inbox is composed of messages they received from somebody else, who may or may not agree to have their emails scanned by Google themselves.

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  10. Re:This is a surprise because.... ??? by AHuxley · · Score: 1

    A computer system internal to a brand for their own ads was what most people would have expected.
    Not hundreds of app developers.. AC

    --
    Domestic spying is now "Benign Information Gathering"
  11. Re:Privacy Agreements by AHuxley · · Score: 1

    It's all anonymized about humans so it's ok?

    --
    Domestic spying is now "Benign Information Gathering"
  12. FUD by farble1670 · · Score: 4, Insightful

    These people explicitly signed up for the service and granted it access. Look at the screen caps in the linked article:
    https://amp.thisisinsider.com/...

    It says right there "VIEW ... YOUR EMAIL IN GMAIL". If you were dumb enough to do this, and want to undo it, just go to your account settings and revoke that developers' access.

    1. Re:FUD by AmiMoJo · · Score: 1

      Indeed, this has been common for years.

      For example, Hotmail/Windows Live Mail/whatever it's called this week allows you to import and sync with Gmail if you grant it access to read your emails. You can create access tokens so that email clients like Thunderbird can access your mailbox even with 2 factor auth turned on.

      It's a feature that people want. It would be much WORSE if you couldn't do this, because then your email would be stuck in Gmail with no way to interoperate or extract it.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  13. Want business class? Buy a business account by ebrandsberg · · Score: 1

    This only applies for the non-business service. Just like the post yesterday about the Google cloud account that was shut down for "suspicious activity" when they didn't pay for business level service either, and had no SLA in place. If you want real privacy, make sure your Google apps account is under a BAA and claim you will handle HIPAA data. They would be crazy to allow a third party to view your mail then.

  14. OAUTH2 is not "Google" giving access by Alascom · · Score: 5, Informative

    Google is NOT giving anyone access to users email inboxes. Period. Full stop. End of story. Shame on Slashdot editors for ever allowing this submission.

    USERS are giving 3rd party sites access to their own email by clicking "accept" on OAUTH2 requests that explicitly tell the user in big bold letters that by clicking OK they will be giving a 3rd party access to "VIEW MANAGE AND DELETE YOUR EMAIL, COMPOSE AND SEND NEW EMAIL". This isn't misleading, subtle, or accidental access - it is gross incompetence on the part of the user.

    Read more here: https://en.wikipedia.org/wiki/...

    But fake news generates fake headlines and fake outrage which leads to higher click-thru rates and more ad impressions for the website.

    1. Re:OAUTH2 is not "Google" giving access by piojo · · Score: 1

      Google creates tool that can only be used to blow a user's foot off, and we put 100% of the blame on the user? Sure, the user is far from blameless, but you think it isn't "gross incompetence" on Google's part to think they can create a vetting process and rely upon a privacy agreement by a 3rd party to somehow mediate this?

      An API to access a private service is hardly a "tool that can only be used to blow a user's foot off". Certainly there are companies that vet every access to their APIs, but is that really appropriate for a user who is letting an app access their inbox? Does an IMAP admin vet and approve every e-mail client a user can use?

      If Google vetted and approved or rejected each API usage, I suspect we would be complaining that GMail is locking up our data.

      --
      A cat can't teach a dog to bark.
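Added example, not part of the original thread and not Google's code: a short Python check that reads the `scope` parameter of an OAuth 2.0 consent URL and reports what mailbox access the app is asking for, which is the decision the consent screen discussed above puts in front of the user. The scope strings are the documented Gmail API scopes; the function name, client ID and redirect URIs are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

G = "https://www.googleapis.com/auth/"

# Documented Gmail API scopes mapped to the capabilities they grant.
SCOPE_CAPS = {
    "https://mail.google.com/": {"read_body", "read_headers", "send",
                                 "modify", "delete_forever"},
    G + "gmail.modify":   {"read_body", "read_headers", "send", "modify"},
    G + "gmail.readonly": {"read_body", "read_headers"},
    G + "gmail.compose":  {"send"},           # drafts plus sending
    G + "gmail.send":     {"send"},           # send only, no reading
    G + "gmail.metadata": {"read_headers"},   # headers/labels, no bodies
    G + "gmail.labels":   {"modify_labels"},
}

# Constructed sample consent URLs (client IDs and redirect hosts are made up).
SAMPLE_READONLY = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=EXAMPLE-CLIENT-ID.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fdeals.example%2Fcallback"
    "&response_type=code&access_type=offline"
    "&scope=openid%20email%20"
    "https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fgmail.readonly"
)
SAMPLE_SEND_ONLY = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=EXAMPLE-CLIENT-ID.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fnewsletter.example%2Fcb"
    "&response_type=code"
    "&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fgmail.send"
)


def audit_consent_url(url):
    """Summarise the mailbox access requested by an OAuth 2.0 consent URL."""
    query = parse_qs(urlsplit(url).query)
    # RFC 6749: scope is one space-delimited string; parse_qs has already
    # percent-decoded it, so splitting on whitespace yields the scope list.
    scopes = " ".join(query.get("scope", [])).split()
    caps, other = set(), []
    for scope in scopes:
        if scope in SCOPE_CAPS:
            caps |= SCOPE_CAPS[scope]
        else:
            other.append(scope)   # non-Gmail scopes (profile, calendar, ...)
    return {
        "gmail_scopes": [s for s in scopes if s in SCOPE_CAPS],
        "other_scopes": other,
        "capabilities": sorted(caps),
        "reads_message_bodies": "read_body" in caps,
        "can_send_as_user": "send" in caps,
        # access_type=offline asks for a refresh token, so access continues
        # after the user closes the app, until the grant is revoked.
        "offline_access": query.get("access_type", [""])[0] == "offline",
    }


if __name__ == "__main__":
    for name, url in (("readonly", SAMPLE_READONLY),
                      ("send-only", SAMPLE_SEND_ONLY)):
        print(name, audit_consent_url(url))
```
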
  15. All free email does this. by DogDude · · Score: 1

    All free email providers read your email. That's why it's free, dummy.

    --
    I don't respond to AC's.
    1. Re:All free email does this. by DogDude · · Score: 1

      That's because you have to pay for Protonmail. I can't imagine any company that's providing email for a fee is going to scour email. They could be sued.

      --
      I don't respond to AC's.
    2. Re:All free email does this. by allo · · Score: 1

      The headers of a mail are like 2kb. The plain text part of the mail is like 1-2 kb. The HTML part is like 10 kb. The icons attached for the html part are 200 kb. The images in the html part to look pretty are 2 MB.

  16. That's just about enough, I think... by Hallux-F-Sinister · · Score: 1

    Google has made my ever-expanding list of "free" services I'm going to have to stop using.

    --
    Our reign has gone on long enough. Indeed. Summon the meteors.
  17. Go ahead by Opportunist · · Score: 1

    All that's in my GMail account is a furry porn collection.

    It's the online equivalent of sending live ticks with the mail in a state that has its security routinely open envelopes...

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Go ahead by mujadaddy · · Score: 1

      Are you in Pittsburgh today?

      Also, don't you find the 15GB limiting?

      --
      Populus vult decipi, ergo decipiatur...
      "Force shits upon Reason's back." - Poor Richard's Almanac
  18. Re:Check your account access by cboslin · · Score: 1

    Thanks for including that link, your post should NOT have been down rated to zero! If you had not listed it I was going to.

    One important caveat, I do not believe that link (https://myaccount.google.com/permissions) automatically includes all 3rd parties. For others, here is an article about this, that is NOT behind a paywall, from the BBC dated July 3, 2018: https://www.bbc.com/news/technology-44699263.

    The link at the end of the above article, has a link to Google's Security Checkup Page, funny when I went there, it said I have one app, that I did give access to, that I might want to consider removing...fyi, that site cannot read my emails, what is funny, is when I go to the link provided above looking for applications that I gave permission to read my email, that app is NOT listed...my guess is it is a "3rd Party application with limited (cannot read emails) access" to my account.

    In fact, per that page, I have NOT given any applications access to my Google gMail account. Of course I know it (Google's Primary checkup page) is NOT checking for 3rd party sites.

    Like everything online, the devil is in the details and most people (me included sometimes) do not make time to dig into the details...deep in the bowels of the FREE website. Hey it's FREE, we are giving them something, else it's not cost effective for them to provide that service for FREE.

    And if you do read the Terms of Service (ToS) of every website, there is a very good chance you would miss the sentence where you gave them access to everything about you as they are rarely straightforward.

    For Reference:
    https://www.bbc.com/news/business-26677607
    Here is a 2012 article about this same issue with Microsoft

    I am sure I could find this for every other email service, especially if it is free, online, to be honest I do not want to bother looking.

    An important point to consider (my guess is all the websites work like this, to be sure check your email application's FAQs or better yet other blogs not controlled by the company that put out that email package), is that if you have given a 3rd party access, even when you later turn it off, it will NOT automatically turn off ALL 3rd Party access, only future 3rd party access.

    From Microsoft Outlook: If Integrated Apps is turned off, apps that have already been installed and have permission to access information won't be uninstalled, and the permissions won’t be removed. Even though Integrated Apps is turned off,....

    Look for a place where each app is listed and can individually be turned off if you want to later block third party applications!