Of Course App Developers Can Read Your Email

The Wall Street Journal published what seemed like a bombshell report about developers being able to read your emails if you give them access to your Gmail account. There's no doubt that some of the actions described, such as having employees read users' emails to train machine learning algorithms, are cause for alarm. But thinking developers weren't going through users' emails was simply naive.

Using a service like Gmail puts you at the mercy of companies like Google. Because the messages aren't end-to-end encrypted, the company has the ability to read them whenever it wants. Google said it doesn't usually--employees are said to read emails only when they need to squash bugs or fix security flaws--but the reality is that Gmail users have little say over who at Google can read their email.

Users also have few controls over what third-party developers can do once they're granted access to an account. Many of these developers simply want to offer a new email app, help you sift through your emails, or do something else you can't achieve through Gmail's core experience. Developing those features isn't easy, though, and the WSJ reported that some developers read users' emails to help speed up the process.

None of this should be news to anyone. The issue of who can read your communications has been repeatedly brought up since Edward Snowden revealed NSA surveillance programs in 2013; that's why end-to-end encrypted tools like Signal have become increasingly popular. The dangers of giving app developers access to your information were also headline news when an OAuth phishing scam compromised 1 million Google users.

Let's spell it out again: non-encrypted messages aren't secure and developers will gather as much information about you as you let them. Using a service like Gmail or a third-party app requires a leap of faith, and no one should be surprised when that faith is misplaced. Not that the problem is exclusive to email. Remember when Uber came under fire because employees were tracking journalists, exes, and other people?

The phrase "fox guarding the henhouse" could have been coined specifically for this situation. Companies that rely on user data to make their money, improve their features, or simply offer their services are going to find ways to access more of that data. Any restrictions will either be self-imposed or required by regulators--neither of which prevents rogue employees from abusing their positions to spy on their users.

Yet the fact of the matter is that none of this will shock people enough to effect change. Users will still be surprised when a report similar to the Journal's is published in the future, or when they're told after a data breach not to use the same password on every website, or when they're reminded not to download suspicious files because some new malware is spreading faster than the flu. Time will tell which headline we'll see in a week.

None of that is to say that the Wall Street Journal and other publications should just give up on consumers. The specter of being publicly chastised for misusing data is, in some cases, the only thing stopping companies from behaving even worse. Just don't expect the majority of Gmail users to change their habits or even remember this story in a few days. Most hens only worry about "now," and can't be bothered with "then."

12 comments
  • hellwig
    We all know the only way Google can stay afloat is to read your emails and offer you personalized ads. I know that my ad clicks have gone up infinity-fold since Google rolled out their personalized service. I'm up to zero ad clicks a second now, and growing every day!

    Honestly I've never seen a website advertise something I want (sorry Tom's), even with personalization. And simply displaying the ads doesn't pay the piper, at least not for the companies buying the ads.
  • WINTERLORD
    yeah, 9700k is an 8-core 16-thread and 9900k is 12 cores, actually 24 threads
  • derekullo
    Just send all email responses in a PDF file.

    Use 7zip to encrypt that PDF.

    Then re-encrypt that encrypted 7zip file again.

    Finally email that doubly encrypted file to the recipient.

    Exchange passwords either in person or with your personal SFTP server.

    Aluminum hats required.


    Kudos if you change passwords for each email / PDF.