If you have been reading the headlines over the past few days, you may have been led to believe that Google’s email service was hacked. Earlier this week, The Business Insider released a horrible article that lightly plagiarized a paywalled Wall Street Journal article stating that Google gives developers free rein to your inbox. They further introduced wording to allow some readers to formulate conspiracy theories to fill in the many gaps in their content – and it worked. They also gloss over the most important fact – users, not Google, are the ones giving services access to their email. Here is why it is all bullshit.
Let’s start with the opening statement from the Business Insider post:
Employees working for hundreds of software developers are reading the private messages of Gmail users, The Wall Street Journal reported on Monday.
A year ago, Google promised to stop scanning the inboxes of Gmail users, but the company has not done much to protect Gmail inboxes obtained by outside software developers, according to the newspaper. Gmail users who signed up for “email-based services” like “shopping price comparisons,” and “automated travel-itinerary planners” are most at risk of having their private messages read, The Journal reported.
The revelation comes at a bad time for Google and Gmail, the world’s largest email service, with 1.4 billion users. Top tech companies are under pressure in the United States and Europe to do more to protect user privacy and be more transparent about any parties with access to people’s data. The increased scrutiny follows the Cambridge Analytica scandal, in which a data firm was accused of misusing the personal information of more than 80 million Facebook users in an attempt to sway elections.
This thesis statement was carefully designed to create a sense of violation among Gmail users by blending three different and largely unrelated talking points. Furthermore, while most of the article did originate with the Wall Street Journal, I am bashing Business Insider for making it worse. Let me break each one down.
- “A year ago, Google promised to stop scanning the inboxes of Gmail users, but the company has not done much to protect Gmail inboxes obtained by outside software developers, according to the newspaper” – This statement is completely disingenuous and only serves to steer readers down a path that makes them assume the worst. What exactly does this have to do with the fact that third party developers can read emails after being granted access by the user?
- “Employees working for hundreds of software developers are reading the private messages of Gmail users” – Technically this is possible if a user grants a third party service access to their email. Both the Wall Street Journal and Business Insider fail to point out how they came to this conclusion or how they know how many developers are reading emails. There are several practical reasons why this makes no sense. I will revisit this point later in this article.
- “The revelation comes at a bad time for Google and Gmail, the world’s largest email service, with 1.4 billion users” – What revelation, and how is this the fault of Google/Gmail? Users willingly granted access to their email to third party services. Do you blame Amazon for releasing your shopping history to your spouse if you willingly give them your password? Furthermore, Business Insider felt the need to throw “The Cambridge Analytica scandal” into this statement, I assume to stir up more emotions of betrayal.
Here are the facts
API Access To Google Accounts
Many tech companies, Google included, have a way for third party applications and services to interact with your Google Account. This is known as an API, or Application Programming Interface. When a user chooses to use a third party service that integrates with something like Facebook or Gmail, the user must authorize the connection and, in the process, will see exactly what the third party service has access to. This is often done via an OAuth request – Here is an example of what such a screen would look like –
As a user, you must read and understand each permission that you are granting the application before blindly hitting the “Accept” box. You really should be asking “does XXXX really need access to my email?” every time before clicking Accept. If a permission does not make sense, simply hit “Cancel” and use a different service. I have seen examples of Android Flashlight applications that request access to my Contacts and Email – These permissions made no sense, so the application was removed.
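To make the "does this app really need my email?" check concrete, the following added example (not code from the original post) parses a Google OAuth consent URL and reports in plain language which Gmail scopes the app is requesting and whether it asks for ongoing offline access. The sample URL and client ID are constructed, and the scope descriptions paraphrase Google's published Gmail API scope list.

```python
from urllib.parse import urlparse, parse_qs

GMAIL = "https://www.googleapis.com/auth/gmail."
# Gmail scope -> (can read message bodies?, what the user is granting)
KNOWN = {
    "https://mail.google.com/": (True, "full mailbox access, including permanent delete"),
    GMAIL + "modify": (True, "read and write all mail, except permanent delete"),
    GMAIL + "readonly": (True, "read all messages and settings"),
    GMAIL + "metadata": (False, "headers and labels only, no message bodies"),
    GMAIL + "send": (False, "send mail only, no read access"),
}

def review_consent_url(url):
    """Summarise what a Google OAuth consent URL asks the user to grant."""
    parts = urlparse(url)
    if parts.scheme != "https" or parts.hostname != "accounts.google.com":
        raise ValueError("not a Google OAuth consent URL")
    query = parse_qs(parts.query)
    findings = []
    # The scope parameter is a space-delimited list; parse_qs has already URL-decoded it.
    for scope in query.get("scope", [""])[0].split():
        if scope in KNOWN:
            reads, meaning = KNOWN[scope]
            findings.append((scope, "mail-read" if reads else "mail-limited", meaning))
        elif scope.startswith(GMAIL):
            # Do not guess at scopes missing from the table above.
            findings.append((scope, "mail-unknown", "unrecognised Gmail scope, check by hand"))
        else:
            findings.append((scope, "other", "not a Gmail scope"))
    return {
        "client_id": query.get("client_id", ["?"])[0],
        "reads_mail": any(kind == "mail-read" for _, kind, _ in findings),
        # access_type=offline asks for a refresh token: access continues while you are away.
        "offline": query.get("access_type", ["online"])[0] == "offline",
        "findings": findings,
    }

# Constructed consent URL for a hypothetical price-comparison app.
SAMPLE_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=price-compare.example.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fprice-compare.example%2Foauth%2Fcallback"
    "&response_type=code&access_type=offline"
    "&scope=openid%20email%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fgmail.readonly"
)

if __name__ == "__main__":
    report = review_consent_url(SAMPLE_URL)
    print(report["client_id"], "reads mail:", report["reads_mail"], "offline:", report["offline"])
    for scope, kind, meaning in report["findings"]:
        print(f"  [{kind}] {scope}: {meaning}")
```

A `reads_mail` result of true combined with `offline` true means the service can keep reading the mailbox until the grant is revoked, which is the case worth weighing against what the app claims to do.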
In the examples given by the Business Insider –
- The outside app companies receive access to messages from Gmail users who signed up for things like price-comparison services or automated travel-itinerary planners, according to The Journal.
Furthermore to answer the other question that Business Insider mentioned (again to try to grow the conspiracy)
- What isn’t clear from The Journal’s story is whether Google is doing anything differently than Microsoft or other rival email services.
No, Google is NOT doing anything different with their API. Everything you can do with the Google email API can be done with Microsoft, Yahoo, AOL and just about everything else. Furthermore, it is possible to do something similar with Facebook, Twitter, Instagram and more. Any basic developer would be able to answer this.
Companies DO NOT Employ Workers To Read Emails
From The Business Insider Post
- Some of these companies train software to scan the email, while others enable their workers to pore over private messages, the report says.
This whole idea is silly when you think about it, as who in their right mind would pay a group of employees to read their customers’ emails? What is there to gain from this financially? It sounds like a fast way to go bankrupt. These services use automated tools to parse out relevant content from emails for the specific task that the company does (for example, creating automated travel itineraries). These automated tools do not know or care about anything else except receipts from hotel companies and airline confirmations.
There are cases where a company will take sample emails, normally with all personal emails obfuscated in order to train the automated tools.
It is however worth noting that it is not impossible for a rogue employee to also gain access to an email account with a certain level of skill. This is why you need to have some level of trust with companies that you grant access to your email to ensure that they have taken measures to prevent this sort of behavior.
The final nail in the coffin for this is how would a company keep this a secret for long? A company caught doing this would be abandoned by their user base overnight so they would need to keep this a secret. Secrets always leak out and I have yet to see many cases of this sort of abuse happening.
Furthermore there is absolutely no evidence that any of these third party websites harvest and sell your data to third party advertisers. Furthermore some think that Google actually sells your information to third party companies – they don’t and never have.
This is really the straw that broke the camel’s back in my case, as the Business Insider and Wall Street Journal led users to think that this was a privacy breach, and for some reason they threw “The Cambridge Analytica scandal” into this story, which makes no sense at all. I actually had 3 people contact me on Monday to ask if I knew that Google was just hacked, while other people are upset as they do not feel that Google is doing enough to protect their users’ personal data.
Google actually takes several steps to ensure the users are always in control of their data. Let’s look at a few:
- When a third party requests your permission to allow access to your account, the application must define each permission up front. These permissions cannot be modified by the application once set unless they revoke access and require users to re-grant access.
- Google provides an “Account Privacy Checkup” tool to see what services have access to your content. You can easily view and revoke access to services you no longer use or no longer trust with a few clicks. I encourage all users to check this every few months. Google has also been known to run ads and promotions to encourage users to check this, even giving free Google Drive storage. You can view and revoke any application by visiting https://myaccount.google.com/permissions?hl=en if you don’t want to go through the entire Privacy Checkup.
- E-Mail Confirmation – In many cases, you will get an automated email response from GMail when you grant an application access to your email.
Sadly the fallout from this bad reporting will likely have some long-reaching consequences. I am sure that a few European Commissioners have smelt blood in the waters and are already drafting their questions.
Furthermore as I stated in my opening statement, you would not be wrong for thinking that Google was hacked especially with a massive number of websites regurgitating the same story, some like CNet even tagging their post under “Hacking” – https://www.cnet.com/news/googles-gmail-controversy-is-everything-wrong-with-silicon-valley/. You can also get pure laughing gold when news outlets also release things like –
Question for the CBS Contributor/Wired Editor – Nicholas Thompson – How much more up-front should Google be? I mean, they only give the user a warning describing EXACTLY what access they are providing and even send a follow-up to confirm within a few seconds. Furthermore, Google does already have restrictions on what developers can do with the data.