Google faces criticism for giving 3rd-party apps access to user emails

Search giant Google pushed back at critics of its security policies this week, saying the power to deny third party applications access to their email has been in the hands of individual users all along.

Company says it isn't 'reading' user emails, but others' apps often request blanket permissions

Google says it thoroughly vets any outside apps requesting permissions for user data, but the ultimate choice on the matter still rests in users' hands. (Shamil Zhumatov/Reuters)

Search giant Google pushed back at critics of its security policies this week, saying the power to deny third-party applications access to their email has been in the hands of individual users all along.

The Wall Street Journal first reported on Monday that Google allows hundreds of outside software developers to read and store personal information from millions of the company's customers, as long as they have consented.

Smartphone users have become accustomed to blindly clicking OK to any new app's request for permissions, which in many cases involve asking for access to the user's Gmail account, but often demand control over things like cameras, microphones and even access to contact lists.

While Google — with its 1.4 billion Gmail users — has been a frequent target of privacy activists in the past, the Journal report prompted Director, Security, Trust and Privacy Suzanne Frey to attempt to set the record straight in a blog post on the company's corporate website.

"We continuously work to vet developers and their apps that integrate with Gmail before we open them for general access," Frey said, "and we give both enterprise [administrators] and individual consumers transparency and control over how their data is used."

In addition to outlining the company's vetting process for third-party apps, Frey moved to dispel the notion that Google is somehow "reading" its users emails.

"To be absolutely clear," Frey said, "no one at Google reads your Gmail, except in very specific cases where you ask us to and give consent, or where we need to for security purposes, such as investigating a bug or abuse."

That's a change from the company's original policies. From its launch in 2004, Google algorithms would routinely scan incoming emails, and use the information in them to tailor ad contents to the user, which is how the company makes money.

But the company stopped doing that years ago. "We do show ads in consumer Gmail," Frey said, "but those ads are not based on the content of your emails."

Google says it thoroughly vets any new app it makes available on its app store, including making sure the apps aren't misrepresenting their intentions, and that they are only requesting permission to access data or services related to their core function. 

But that doesn't mean abuses don't happen. Neil Bearse, the director of marketing at the Smith School of Business at Queen's University in Kingston, Ont., says Google's damage control efforts "are obviously a response to the increased scrutiny that we've seen since Facebook's Cambridge Analytica scandal."

In that story, the company in question came under fire when it was revealed that up to 87 million Facebook users worldwide may have had their private information lifted from Facebook via third-party apps, and used to create targeted advertisements ahead of the 2016 U.S. presidential election and Brexit vote.

The resulting scandal led to a major sell-off of Facebook's shares, an appearance in front of Washington lawmakers by founder Mark Zuckerberg, and the demise of Cambridge Analytica itself as a company.

Bearse says whether it's Google, Facebook or anyone else, technology consumers are not nearly as scrupulous as they should be when it comes to protecting their own data.

"I know it can be onerous," he says, "but it comes down to actually understanding what you are allowing that company to do."

Bearse says the issue has come under increased scrutiny since privacy legislation in Europe started forcing companies to be much more diligent about their storage of users' personal data.

He singles out the example of one company,, which billed itself as a way of helping users unsubscribe themselves from various email services. "What they didn't tell you is that they were selling your data out the back of the truck as part of a marketing research firm," Bearse notes.

The company is now facing lawsuits related to its previous data policies.

With any such app, Bearse says, "you are trusting them to always do good things with your data."

"But sometimes it's not worth the risk."

While Bearse says he himself uses Gmail, he stresses that there's a difference between using individual services and blindly handing over blanket permissions.

"There's a difference between using Gmail," Bearse says, "and clicking 'I allow' to every third-party application that seems cool to access and read my email every day."

With files from the CBC's Meegan Read