Google this week found itself on the defensive after the Wall Street Journal published a lengthy report the practice by the company and some other email provides of allowing third-party software developers to access the contents of email messages of people using their apps.
In a blog July 3, Google Cloud’s director of security, trust and privacy Suzzane Frey said the company allowed non-Google apps to access the Gmail content of users. But Frey maintained the access was only provided to carefully vetted third parties and with the full consent and knowledge of users.
In order for a third-party app to access Gmail content, the app developer has to go through a multi-stage review process. The vetting includes manual and automated reviews of the developer’s privacy practices and of the controls in the app itself.
Google also ensures that before a third-party app can access a user’s Gmail content, the user is fully informed of the types of data the app can access. Users have to grant explicit permission before an app can access their Gmail, Frey said.
“We continuously work to vet developers and their apps that integrate with Gmail before we open them for general access,” Frey wrote. “We give both enterprise admins and individual consumers transparency and control over how their data is used.”
According to the Journal, Google lets hundreds of third-party software developers “to scan the inboxes of millions of Gmail users who signed up for email-based services offering shopping price comparisons, automated travel-itinerary planners or other tools.”
Often the scans are automated and designed to collect information that can later be sold to marketers for targeted advertising purposes. But in several cases, employees working for outside companies have read un-redacted emails of thousands of Gmail users.
Third-party developers have similar access with other email service providers including Microsoft and Verizon’s Oath unit, which acquired Yahoo, the Journal said. But the concerns with Google are high because of the company’s dominant presence in the email space with two-thirds of all active email users—some 1.5 billion—having a Gmail account.
Contrary to Frey’s claims about Google carefully monitoring third-party access to Gmail content, the company does little to police developers, the Journal said citing interviews with more than two-dozen current and former employees of email application developers.
While Google has several tough policies pertaining to how, when and why third parties can access Gmail content and how they can use it, the company seldom enforces those policies, the Journal reported.
This is not the first time that Google has found itself on the defensive over the issue of email scanning. Until last year, the company scanned and used consumer Gmail content for ad personalization purposes. It stopped the practice last June amid growing privacy concerns over the practice.
Now, the only reason why Google might read a user’s email is when the user asks or gives consent to the company for doing so or if there is a security need for it, Frey said.