Of Course App Developers Can Read Your Email

The Wall Street Journal published what seemed like a bombshell report about developers being able to read your emails if you give them access to your Gmail account. There's no doubt that some of the actions described, such as having employees read users' emails to train machine learning algorithms, are cause for alarm. But thinking developers weren't going through users' emails was simply naive.

Using a service like Gmail puts you at the mercy of companies like Google. Because the messages aren't end-to-end encrypted, the company has the ability to read them whenever it wants. Google said it doesn't usually--employees are said to read emails only when they need to to squash bugs or fix security flaws--but the reality is that Gmail users have little say over who at Google can read their email.

Users also have few controls over what third-party developers can do once they're granted access to an account. Many of these developers simply want to offer a new email app, help you sift through your emails, or do something else you can't achieve through Gmail's core experience. Developing those features isn't easy, though, and the WSJ reported that some developers read users' emails to help speed up the process.

None of this should be news to anyone. The issue of who can read your communications has been repeatedly brought up since Edward Snowden revealed NSA surveillance programs in 2013; that's why end-to-end encrypted tools like Signal have become increasingly popular. The dangers of giving app developers access to your information were also headline news when an OAuth phishing scam compromised 1 million Google users.

Let's spell it out again: non-encrypted messages aren't secure and developers will gather as much information about you as you let them. Using a service like Gmail or a third-party app requires a leap of faith, and no one should be surprised when that faith is misplaced. Not that the problem is exclusive to email. Remember when Uber came under fire because employees were tracking journalists, exes, and other people?

The phrase "fox guarding the henhouse" could have been coined specifically for this situation. Companies that rely on user data to make their money, improve their features, or merely offer their services are going to find ways to access more of that data. Any restrictions will either be self-imposed or required by regulators--neither of which prevents rogue employees from abusing their positions to spy on their users.

Yet the fact of the matter is that none of this will shock people enough to effect change. Users will still be surprised when a report similar to the Journal's is published in the future, or when they're told after a data breach not to use the same password on every website, or when they're reminded not to download suspicious files because some new malware is spreading faster than the flu. Time will tell which headline we'll see in a week.

None of that is to say that the Wall Street Journal and other publications should just give up on consumers. The specter of being publicly chastised for misusing data is, in some cases, the only thing stopping companies from behaving even worse. Just don't expect the majority of Gmail users to change their habits or even remember this story in a few days. Most hens only worry about "now," and can't be bothered with "then."

Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

  • hellwig
    We all know the only way Google can stay afloat is to read your emails and offer you personalized ads. I know that my ad clicks have gone up infinity-fold since Google rolled-out their personalized service. I'm up to zero ad clicks a second now, and growing every day!

    Honestly I've never seen a website advertise something I want (sorry Tom's), even with personalization. And simply displaying the ads doesn't pay the piper, at least not for the companies buying the ads.
    yea, 9700k is a 8core 16thread and 9900k is 12cores actually 24 threads
  • derekullo
    Just send all email responses in a PDF file.

    Use 7zip to encrypt that PDF.

    Then re-encrypt that encrypted 7zip file again.

    Finally email that doubly encrypted file to the recipient.

    Exchange passwords either in person or with your personal SFTP server.

    Aluminum hats required.

    Kudos if you change passwords for each email / PDF.
  • Malik 722
    of course since when there was the sense of privacy before. lol
  • alextheblue
    I thought Google started working on end-to-end encryption after it was leaked that the NSA was jacking the unencrypted intra-Google data. Did they stop working towards that "goal" once the public got bored? Not that that would stop Google from reading your emails, nor would it hinder the apps that have access to your gmail from doing the same. Speaking of which... app permissions are kind of a joke when most users are just like yeah sure OK, just do the thing already!

    "The specter of being publicly chastised for misusing data is, in some cases, the only thing stopping companies from behaving even worse."

    Eh hasn't really seemed to put much of a speedbump on Facebook or Alphabet. Maybe if you punished execs.
  • BryanFRitt
    WARNING: When you sign into Google using your phone (like to get an app from their app store), Google claims all the contacts on your phone, and all your appointments belong to them and not to you. Please at least back them up locally before you sign in, and again before you sign out, as Google will DELETE them from your phone.

    If you don't want Google even seeing your contacts/appointments and still want to sign in, make a local backup copy (off your phone?) of your contacts/appointments and then delete the non-backups before signing in. "What has been seen can't be unseen"

    Google probably has your phone number (from friends/co-workers) even if you didn't directly give it to Google.

    P.S. Anybody want to sue Google for deleted contacts/appointments?
  • DGurney
    This is why you get a proper E-mail account instead of GMail or other Web-based junk.
  • nimbao6
    Why should I care about privacy? I have nothing to keep private. I don't send passwords or pins via email. Pictures of my vacation are fine, I have a security system at my house and insurance anyway. I don't have debts or enemies I'm trying to hide from. If Google wants to tailor ads to my emails .. well let me close them after they pop up and I'll be OK. I have no need for encrypted emails, and I don't feel particularly good about those outside of espionage careers that do need them.