Google Defends Gmail Data Sharing, Gives Few Details on Violations

Google defended how it polices third-party add-ons for Gmail in a letter to U.S. senators made public on Thursday, saying that upfront review catches the "majority" of bad actors. A report adds: Google said it uses automated scans and reports from security researchers to monitor third parties with access to Gmail data, but gave no details on how many add-ons have been caught violating its policies. Google's privacy practices have been under growing scrutiny. The Senate Commerce Committee has a hearing scheduled for Sept. 26 to question Google, Apple, AT&T, Twitter about their consumer data privacy practices. Gmail, the Google email service used by 1.4 billion people, enables add-on developers access to users' emails and the ability to share that data with other parties as "long as they are transparent" with users about how they are using data and get consent, Google said in the letter. For instance, a program that logs receipts could be allowed to scan Gmail as it searches for receipts.

Idea

[Ol+Olsoc]

I'll fully support Google sharing my purchasing history if they give me all of the credit card numbers of all their employees from the top down.

Re:Idea

[DarkRookie]

Don;t forget the code on the back on them.
Need those as well.

Re:Idea

Note - these add-ons are things that the user chose to give access to their account data.

share my data with everyone

I am rich and have an enormous dick

Re:share my data with everyone

[TomGreenhaw]

Is it shaped like a mushroom?

Re: share my data with everyone

You are a dick!

Re: share my data with everyone

"Then she pulled out my mushroom tip, and when it came out, it went drip drip drip, I didn't know she had the GI Joe, kungfu grip"

I really hate Google

Really hate this company

Having a "gmail.com" email will hurt job searches

There have been articles on slashdot about email addresses holding them back or even adversely affecting a job search.People with an "aol.com" or hotmail.com" email being looked down upon.

It's time to put "gmail.com" in that same category.

https://tech.slashdot.org/story/18/08/28/2230245/is-your-email-address-holding-you-back
https://tech.slashdot.org/story/10/01/11/1016237/does-a-lame-e-mail-address-really-matter

haHA

[DarkRookie]

Its stuff like this that made me finally delete the account.

My only concern with that is mature YouTube video. Last I was aware they required an account.

Re:haHA

[jtgd]

So do like everyone else. Create a dummy account for just this. There won't be any of your personal information for them to get.

It is my right to share with add-ins I choose

[RhettLivingston]

A vital part of freedom is having the freedom to choose to trust whom or what you want to trust or to choose not to even care about privacy over service. If the government wants to get into the business of policing the add-ins, fine, though I personally feel that policing to catch crimes before they happen is an overreach of the Constitutional duties given to government. But policing has to be to detect a real crime. Do not limit what I can do for the purpose of protecting me from myself. That is a massive overreach.

Google, as the private business offering the API, does have a right to police how their product is used given that misuse could damage their business. They especially have the right to at least verify that the add-ins are correctly disclosing and are not violating their rules. But, I am the only one with the right to decide what level of privacy I'm willing to sacrifice to get services.

Re:It is my right to share with add-ins I choose

[Wrath0fb0b]

No one is disagreeing with that or saying there shouldn't be an API that allows you to knowingly chose to share all your email data with whoever you want. But just like the grocery store can't sell a bag chips without disclosing how many grams of fat are in it, so too should the person offering the API disclose clearly what data are shared, whether they are shared-onwards to third parties, whether they are persisted and how to remove yourself.

Maybe another way to put it is that you can't decide on what level of privacy you are sacrificing if the service doesn't clearly explain what you are singing up for, or worse, claims one thing but then does another. Uninformed consent is not valid consent.

If Google is enforcing those disclosure, opt-out and accuracy requirements, great. No problem. But they don't necessarily have an interest to do so too thoroughly, not least because it requires lots of human intervention, which isn't their strong suit.

Re:It is my right to share with add-ins I choose

[RhettLivingston]

In a free environment, a certain amount of risk must be allowed to exist. Otherwise, a back door to limiting freedoms opens up. If the requirements for enforcement become too costly, then the result will be the same as banning add-ins in the first place. If those costs are pushed to the add-in developers in some way, it furthermore results in unevenly banning add-ins because only larger-scale businesses could afford to attempt to enter the market. Regulations almost always favor large businesses by increasing cost-of-entry.

All that said, there are some ways that I can see things being made more secure. Google could force all add-ins to publish their code for review by any consumer. Or they could force the add-ins to run in sandboxes that can see and process the data but not send any data or derivative of the data outside of the client sandbox or a sandbox running on a Google-controlled and monitored server. But even if they did something like that, I'd want the ability as a consumer to give the business the right to collect my data if I so choose. There are applications I can imagine that might use my email data in combination with data collected elsewhere to provide or improve services not directly related to my email.

Re:It is my right to share with add-ins I choose

They disclose they're giving access to your email, they can't really monitor what a third party does once it has the mail. Google is being scape goated here, the real issue is that click-thru EULAs with ambigious obtuse terminology shield companies doing activities which are orthogonal and non-obvious to the normal user of the service. e.g. many EULAs include the phrase "share with partners" which really means sell data.

There is a specific example in this Gmail case - Unroll.me whose pitch was unsubscribing users from emails (incidentally they didn't actually unsubscribe from the lists, they merely deleted emails) whose real business model was scraping user's email and selling it, for example to Uber.

Re:It is my right to share with add-ins I choose

Google is at this point is an amalgam between a private enterprise, state authorities in various states of the world (e.g. NSA in the US and perhaps others), and can well be seen as public utilities.

Anyway, 1. You're not free. 2. Google is not in the business of maintaining or upholding your freedom.

How does this differ from Thunderbird add-ons?

I don't quite follow all the outrage, since it's not much different from this:

https://addons.thunderbird.net/en-US/thunderbird/

Anyone can create a malicious Thunderbird add-on, which can read your e-mails too. To install the user needs to take active steps and approve the installation. These add-ons probably get much less scrutiny than the apps that you can write for Gmail.

U'm its Google we should know better

There must be people who still do not realize how Google mostly makes money. Its ads, or more specifically target ads based on information you provide as a Google services user. Not unlike Facebook, or any other provider of A free service where you trade personal information for that service. Your value to them is your data, why is people still don't get it? If you don't like, ween yourselves off Google, I did.

Announcement much? Thanks Google...

This may be the proverbial straw that breaks the camels back.

Might finally be time to ditch GMail. Yes, I've been lazy...

Step 1. Accepting the problem...

Secure?

I am sick of Google. Thinking of buying a ProtonMail subscription. Written by CERN people, fully encrypted. Only issues are cost and my ten million emails on Gmail :-(

If you don't like it...

If you don't want gmail scanning your emails, there is a really, really, simple solution.

Remenber Facebook...

[Sooner+Boomer]

...and Cambridge Analytica? And here, Google freely *admits* to selling data! Which political party is going to squeal about this one?

An ad company

[AHuxley]

always has to go full ads.

Well, shit

[Snotnose]

I have 2 gmail accounts, one 20 years old I use for junk (supermarket gives me 10% off for an email? This is what you get), another 10 year old I use. I get 20-30 msgs a day in the first, 2-3/week on the latter.

If Google is letting everyone with $$$$ access to my email account I'm tempted to switch to Protonmail. Problem is, Protonmail is a bit of a PITA compared to gmail, but if Alphabet is selling everything to whomever then fuck them, I can spend the extra couple minutes a day. Been using duckduckgo for a search engine for a couple years now with no complaints.

Re: Well, shit

Impressive! A Gmail accounr just 16 days after Google was founded, and 6 years before Gmail started invitation only beta! Your e-peen must be YUUUUUGE!