Close
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
eWEEK.com
Search
eWEEK.com
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    How User Permissions Enable Developers to Read Your Company’s Email

    By
    WAYNE RASH
    -
    July 3, 2018
    Share
    Facebook
    Twitter
    Linkedin
      Gmail redesign

      To some, an article in the Wall Street Journal about “Tech’s Dirty Secret” was a revelation. How is it that Google could allow developers from hundreds of companies to spend their days “sifting” though your email messages? The answer, it seems, is a lot more complicated that the article suggested. 

      Here’s what’s actually happening. Google, like some other big email providers, is trying to promote Gmail as an application platform, not just a mail service. But for it to be a platform (whatever that means) it has to have apps. For Gmail to have apps, they need to provide a useful service, and for those apps to turn something as mundane as email into something more, they need to know what’s in those messages. 

      A few years ago, Google faced intense criticism for allowing its advertising engine to scan users email to develop targeted ads. The company was eventually forced to stop that practice. So now, as a way to indirectly monetize its users’ email, it allows third-party developers to have access to subscriber emails as part of the development process. The idea is that for these apps to work properly, someone needs to see what’s actually in the email they’re filtering.

      Some of the apps that developers are creating are simply to give users an option for handling email besides using Google’s web interface. A good example of such an email app is Microsoft’s Outlook, which can see what’s in your Gmail inbox and display it in the mail client. 

      Others include apps that handle your calendar by spotting email messages with meeting times or they handle your contacts by finding them in emails and using those to manage your contacts list. These apps work in the personal version of Gmail as well as in G Suite, which is Google’s business productivity application suite. 

      Even if you don’t use Gmail, you’re almost certainly familiar with emails that offer meeting times or with emails from colleagues that tell you their travel schedule or include contact information for you to save. 

      As Google has pointed out in a number of ways, the only way that these apps can scan your email messages is for you to give permission and for you to have provided the information necessary to enable the access. This usually happens when you run an app that needs access to Gmail and it requests permission. It’s likely that you’ve seen these requests and simply clicked on “OK” without thinking about it much because you needed the app to do whatever it was that you wanted. 

      This access takes place using Open Authentication, otherwise known as Oauth. It’s a means of secure communications between applications. Using Oauth, users don’t need to divulge their login credentials to third parties. Google (and others that allow the use of Oauth) require a verification process to allow access. 

      In the case of G Suite accounts, the mail administrator has the ability to control whether users can allow random apps to access their company email accounts. To accomplish this, Google provides a means of allowing administrators to limit which mail APIs are available to users, and thus, which external apps can access Gmail or Google Drive. These limits can apply to most things in the Google Cloud, including Gmail and Drive, but also Calendar and Google Cloud Platform services. 

      For individual users, there’s also a Security Checkup that’s recently been enhanced. With Security Checkup, you can see what apps have access to your Google services, and Google may flag those that are questionable. Note that Google may consider anything that’s not theirs to be questionable. For example, when I ran the Security Checkup, it flagged Microsoft Outlook and offered to remove access. 

      So does this mean that the Wall Street Journal is wrong? Not exactly. But it’s likely to raise alarms for things that aren’t security problems. Just because an app may have access to your email that doesn’t mean that the employees of software development companies are sitting around reading your emails and joking about your inane conversations. 

      While it is certainly possible for an employee of the company developing an email client to see some of your email, Google requires that those developers adhere to specific policies regarding your privacy and the security of your company’s information. Developers that don’t follow Google’s requirements can have their access to Google’s API services revoked, which effectively puts them out of business. 

      Google is at least as stringent about protecting user privacy and in protecting your organization’s confidential information as other platform vendors. In the case of your business access through G Suite, most of the control lies in the hands of your system administrator and one has to presume that you’ve chosen well when you hired that person. 

      None of this ensures that some rogue employee or organization won’t misuse sensitive data from someone’s Gmail account just as it doesn’t mean that a disgruntled administrator won’t disclose your cloud passwords on Facebook. But it appears that Google is being responsible about how it handles private and sensitive information, and right now that’s about all you can ask for. 

      But unlike Facebook, Google isn’t letting people run phony games that expose their data and that of their friends to political operatives for data mining.

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      CHRIS PREIMESBERGER - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      CHRIS PREIMESBERGER - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      EWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      ZEUS KERRAVALA - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      WAYNE RASH - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more
      eWeek


      Contact Us | About | Sitemap

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Property of TechnologyAdvice.
      Terms of Service | Privacy Notice | Advertise | California - Do Not Sell My Info

      © 2020 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×