Google has responded to a troubling investigation into the data privacy practices of its Gmail email client with a series of tips for users to keep their accounts secure.

The Mountain View-based firm says people should use the Security Checkup tool to review and control permissions before giving access to non-Google apps.

The blog post was shared in response to an investigation by the Wall Street Journal which revealed people’s private emails could be read by third-party app developers. 

The creators of a number of popular online tools designed to work with Gmail trawled through private messages sent and received from users’ email addresses, the investigation found.

The revelation comes a few months after it was revealed that political data firm Cambridge Analytica had siphoned private data from third-party apps on Facebook.


According to the Wall Street Journal, the hugely successful Google email client allows third-party developers to scan the inbox of anyone who installs their app.

According to experts, this ‘dirty secret’ is now common practice among some firms. 

These apps can provide additional functionality to the Gmail inbox, like the ability to compare prices from different online retailers, or quickly unsubscribe from any marketing emails sent to your address. 

Google Cloud director of security, trust and privacy Suzanne Frey has shared a blog post in the wake of the news to give worried users advice about how they can keep their guard up.

Frey said while it is common for third-party developers to read the contents of users’ Gmail messages, users have full control over exactly what people can access. 

The Google manager points users to the Security Checkup tool, which allows Gmail users to see how many devices are signed into their account, and whether there have been any security issues flagged up in the past 28 days.

It also shows a user’s sign-in and recovery method as well as how many third-party apps have access to data at any one time.

Apps with access to email contents which are no longer being actively used should be removed from the account, Google cautions. 

Users should also review any requested permissions before granting access to non-Google applications, Frey cautioned.

HOW CAN YOU SAFEGUARD YOUR GMAIL INBOX?


Director of Security, Trust and Privacy at Google Cloud, Suzanne Frey shared a blog post in which she admitted it was common for third-party developers to read the contents of users’ Gmail messages if they had been granted the permissions to do so – one of the primary allegations of the investigation.

Frey also revealed three simple tips for users who wanted to restrict the access third-party developers had in their private inbox. 

Here is how to control how much non-Google apps can see —

1. Use the Security Checkup tool


To access this, users need to navigate to their account and click on the squares in the top right hand corner. 

Then click on ‘Account’ in the dropdown menu.

Click on ‘Security Checkup’. This enables users to see how many devices are signed into the account and whether there have been any security issues detected in the past 28 days.

It also shows a user’s sign-in and recovery method as well as how many third-party apps have access to data. 

If there are apps no longer being used, Google suggested they should be removed to avoid potential privacy concerns.

2. Review permissions

Gmail users should review their permissions before granting access to non-Google applications.

If an app wants to access a user’s Google account it will list what aspects of the service it wants to access – for example to read, send, delete and manage emails.

Users can then decide whether to allow the application access to their Gmail account.

3. View and control permissions

To access this option, users need to navigate to their account and click on the squares in the top right hand corner.

Click ‘Account’ in the dropdown menu, then ‘Apps with account access’.

This allows users to keep track of which apps or services have permission to access a user’s accounts. Users can remove any they no longer trust.

It also lets users look at saved passwords and which ones Google Smart Lock has permission to remember. 

If there are any that look untrustworthy or outdated they can be removed.


Permissions can be viewed and controlled so users can keep track of which apps or services are accessing their account and delete any no longer in use. 

The Google review process is designed to make sure companies cannot mislead users, she said.

Writing on a company blog, Frey said: ‘A vibrant ecosystem of non-Google apps gives you choice and helps you get the most out of your email. 

‘However, before a published, non-Google app can access your Gmail messages, it goes through a multi-step review process.

‘That includes automated and manual review of the developer, assessment of the app’s privacy policy and homepage to ensure it is a legitimate app, and in-app testing to ensure the app works as it says it does.’   

Last year, Google confirmed that it had stopped scanning Gmail users’ messages to better generate targeted advertisements.

‘Gmail’s primary business model is to sell our paid email service to organisations as a part of G Suite,’ Frey said.


‘The practice of automatic processing has caused some to speculate mistakenly that Google “reads” your emails,’ the Google Cloud security expert added.

‘To be absolutely clear: no one at Google reads your Gmail, except in very specific cases where you ask us to and give consent, or where we need to for security purposes, such as investigating a bug or abuse.’

But while Google did not read the contents of users’ emails, it was commonplace among third-party developers, according to the Wall Street Journal. 

One app, which is designed to help users manage their Gmail inbox, let employees read ‘thousands’ of emails, an investigation by the newspaper found.

The report was based on the testimonies of more than two dozen employees of companies who create services around Gmail – the most popular email service in the world, with 1.2 active monthly users.

One company involved in this practice is New York-based firm Return Path, which helps marketers drive revenue through email.

HOW DO APPS PROVIDE ACCESS TO PRIVATE EMAILS ON GMAIL?

Hundreds of third-party developers have created online services that bring additional functionality to Gmail, the hugely successful Google email client.

Almost anyone can build an app that connects to Gmail using the Application Programming Interface (API) supplied by Google.


When Gmail users sign up for one of these third-party services, or open an app that accesses their Gmail, Google requires them to grant permission.

If users grant permission, the app can access their inbox and can read the contents of sent and received messages.

Google does not disclose how many apps currently have access to Gmail. 

Trawling through the contents of users’ emails is useful for companies who want data on users’ shopping habits, travel itineraries and personal communications.

The practice is not illegal and is covered by user agreements, the developers claim.

However, an investigation by the Wall Street Journal discovered that developer employees say their customers are often not aware of what data is being collected and what companies are doing with it.

‘Some people might consider that to be a dirty secret,’ said Thede Loder, the former technology officer at eDataSource. 

It has scanned the inbox of two million people, the report revealed.

Last year, Return Path employees trawled through 8,000 personal emails as part of an effort to train the company’s software, according to anonymous sources.

Employees at Mountain View-based Edison Software also reviewed the emails of hundreds of thousands of users while building a new feature for their mobile app, which is designed to help people organise their emails.

Neither company asked users for permission to read users’ messages but say the practice is covered by user agreements.

‘Some people might consider that to be a dirty secret,’ Thede Loder, the former technology officer at eDataSource, which provides competitive intelligence for email marketing, told the Wall Street Journal.

However, he said this type of behaviour was now ‘common practice’. 

The question of data privacy has been an increasingly important issue since Facebook’s Cambridge Analytica controversy. 

The social network allowed third-party apps to request permission to access users’ data, as well as data of all their Facebook friends.

WHAT IS THE CAMBRIDGE ANALYTICA SCANDAL?

Communications firm Cambridge Analytica has offices in London, New York, Washington, as well as Brazil and Malaysia.

The company boasts it can ‘find your voters and move them to action’ through data-driven campaigns and a team that includes data scientists and behavioural psychologists.

‘Within the United States alone, we have played a pivotal role in winning presidential races as well as congressional and state elections,’ with data on more than 230 million American voters, Cambridge Analytica claims on its website.

The company profited from a feature that meant apps could ask for permission to access your own data as well as the data of all your Facebook friends.


This meant the company was able to mine the information of 87 million Facebook users even though just 270,000 people gave them permission to do so.

This was designed to help them create software that can predict and influence voters’ choices at the ballot box.

The data firm suspended its chief executive, Alexander Nix, after recordings emerged of him making a series of controversial claims, including boasts that Cambridge Analytica had a pivotal role in the election of Donald Trump.

This information is said to have been used to help the Brexit campaign in the UK.

This enabled developers to mine the private information of 87 million Facebook users, when only 270,000 people had used the service and granted permission. 

Almost anyone can build an app that connects to Gmail accounts using an application programming interface (API).

If Gmail users open these apps a button asks for permission to access their inbox. 


Both Return Path and Edison have defended their actions.

‘The article mentions a specific incident at Return Path where approximately 8,000 emails were manually reviewed for classification’, wrote Matt Blumberg, founder of Return Path, in a blog post.

‘As anyone who knows anything about software knows, humans program software – artificial intelligence comes directly from human intelligence.

‘Any time our engineers or data scientists personally review emails in our panel (which again, is completely consistent with our policies), we take great care to limit who has access to the data’, he said.

Mr Blumberg said all data is destroyed after work on a new feature is completed.

Similarly, Mikael Berner, CEO of Edison, defended his company’s actions, but added that the practice has since been stopped.

He said the company had ‘expunged all such data in order to stay consistent with our company’s commitment to achieving the highest standards possible for ensuring privacy,’ according to Cnet.

‘Our email app was mentioned in the context of our engineers having in the past the ability to read a small random sample of de-identified messages for R&D purposes.

‘This method was used to guide us in developing our Smart Reply functionality which was developed some time ago,’ he said.  

 




