How User Permissions Enable Developers to Read Your Company’s Email

UPDATED - NEWS ANALYSIS: An article in the Wall Street Journal revealed that Google provides access to email as a way for developers to create apps that use Gmail.

To some, an article in the Wall Street Journal about “Tech’s Dirty Secret” was a revelation. How is it that Google could allow developers from hundreds of companies to spend their days “sifting” through your email messages? The answer, it seems, is a lot more complicated than the article suggested.

Here’s what’s actually happening. Google, like some other big email providers, is trying to promote Gmail as an application platform, not just a mail service. But for it to be a platform (whatever that means) it has to have apps. For Gmail to have apps, those apps need to provide a useful service, and to turn something as mundane as email into something more, they need to know what’s in those messages.

A few years ago, Google faced intense criticism for allowing its advertising engine to scan users’ email to develop targeted ads. The company was eventually forced to stop that practice. So now, as a way to indirectly monetize its users’ email, it allows third-party developers to have access to subscriber emails as part of the development process. The idea is that for these apps to work properly, someone needs to see what’s actually in the email they’re filtering.

Some of the apps that developers are creating are simply to give users an option for handling email besides using Google’s web interface. A good example of such an email app is Microsoft’s Outlook, which can see what’s in your Gmail inbox and display it in the mail client. 

Others include apps that handle your calendar by spotting email messages with meeting times, or that manage your contacts list by finding contacts in your emails. These apps work in the personal version of Gmail as well as in G Suite, which is Google’s business productivity application suite.

Even if you don’t use Gmail, you’re almost certainly familiar with emails that offer meeting times or with emails from colleagues that tell you their travel schedule or include contact information for you to save. 

As Google has pointed out in a number of ways, the only way that these apps can scan your email messages is for you to give permission and for you to have provided the information necessary to enable the access. This usually happens when you run an app that needs access to Gmail and it requests permission. It’s likely that you’ve seen these requests and simply clicked on “OK” without thinking about it much because you needed the app to do whatever it was that you wanted. 

This access takes place using Open Authentication, otherwise known as OAuth. It’s a means of secure communications between applications. Using OAuth, users don’t need to divulge their login credentials to third parties. Google (and others that allow the use of OAuth) require a verification process to allow access.

In the case of G Suite accounts, the mail administrator has the ability to control whether users can allow random apps to access their company email accounts. To accomplish this, Google provides a means of allowing administrators to limit which mail APIs are available to users, and thus, which external apps can access Gmail or Google Drive. These limits can apply to most things in the Google Cloud, including Gmail and Drive, but also Calendar and Google Cloud Platform services. 

For individual users, there’s also a Security Checkup that’s recently been enhanced. With Security Checkup, you can see what apps have access to your Google services, and Google may flag those that are questionable. Note that Google may consider anything that’s not theirs to be questionable. For example, when I ran the Security Checkup, it flagged Microsoft Outlook and offered to remove access. 
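Both the administrator controls and the Security Checkup come down to knowing which apps hold which OAuth scopes. The following is an added example, not part of the original article: it audits a list of token grants and flags apps whose Gmail scopes let them read message bodies. The grant records and client IDs are constructed, and the field names (`userKey`, `clientId`, `displayText`, `scopes`) are an assumption about how a token export is shaped.

```python
# Added example: sample data below is constructed, not real grants.
READS_CONTENT = {  # Gmail scopes that expose message bodies
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
}
LIMITED = {  # Gmail scopes without general read access to message bodies
    "https://www.googleapis.com/auth/gmail.metadata",
    "https://www.googleapis.com/auth/gmail.send",
    "https://www.googleapis.com/auth/gmail.labels",
}
G = "https://www.googleapis.com/auth/"
GRANTS = [  # constructed records; field names are an assumption
    {"userKey": "alice@example.com", "clientId": "client-111.example",
     "displayText": "Example Mail Client", "scopes": ["https://mail.google.com/"]},
    {"userKey": "bob@example.com", "clientId": "client-111.example",
     "displayText": "Example Mail Client", "scopes": ["https://mail.google.com/"]},
    {"userKey": "alice@example.com", "clientId": "client-222.example",
     "displayText": "Example Scheduler", "scopes": [G + "gmail.readonly", G + "calendar"]},
    {"userKey": "carol@example.com", "clientId": "client-333.example",
     "displayText": "Example Newsletter Sender", "scopes": [G + "gmail.send"]},
    {"userKey": "bob@example.com", "clientId": "client-444.example",
     "displayText": "Example Drive Sync", "scopes": [G + "drive"]},
]

def classify(scopes):
    """Return the strongest Gmail access a scope list implies."""
    s = set(scopes)
    if s & READS_CONTENT:
        return "reads-content"
    return "limited" if s & LIMITED else "no-gmail"

def audit(grants, allowlist=frozenset()):
    """Group Gmail grants per app; flag content readers not on the allowlist."""
    apps = {}
    for g in grants:
        level = classify(g["scopes"])
        if level == "no-gmail":
            continue
        app = apps.setdefault(g["clientId"],
                              {"name": g["displayText"], "level": level, "users": set()})
        if level == "reads-content":  # keep the most permissive level seen
            app["level"] = level
        app["users"].add(g["userKey"])
    rows = [(cid, a["name"], a["level"], sorted(a["users"]),
             a["level"] == "reads-content" and cid not in allowlist)
            for cid, a in apps.items()]
    # Apps needing review first, then by number of mailboxes exposed.
    return sorted(rows, key=lambda r: (not r[4], -len(r[3]), r[0]))
```

Each returned row is `(client id, app name, access level, users, needs_review)`; passing the approved mail client's ID in `allowlist` keeps it in the report but clears its review flag.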

So does this mean that the Wall Street Journal is wrong? Not exactly. But it’s likely to raise alarms for things that aren’t security problems. Just because an app may have access to your email, that doesn’t mean that the employees of software development companies are sitting around reading your emails and joking about your inane conversations.

While it is certainly possible for an employee of the company developing an email client to see some of your email, Google requires that those developers adhere to specific policies regarding your privacy and the security of your company’s information. Developers that don’t follow Google’s requirements can have their access to Google’s API services revoked, which effectively puts them out of business. 

Google is at least as stringent about protecting user privacy and your organization’s confidential information as other platform vendors. In the case of your business access through G Suite, most of the control lies in the hands of your system administrator, and one has to presume that you’ve chosen well when you hired that person.

None of this ensures that some rogue employee or organization won’t misuse sensitive data from someone’s Gmail account just as it doesn’t mean that a disgruntled administrator won’t disclose your cloud passwords on Facebook. But it appears that Google is being responsible about how it handles private and sensitive information, and right now that’s about all you can ask for. 

But unlike Facebook, Google isn’t letting people run phony games that expose their data and that of their friends to political operatives for data mining.

Wayne Rash

Wayne Rash is a freelance writer and editor with a 35 year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...