This week, it was Google that faced a firestorm of difficult questions around its data protection and privacy handling after the Wall Street Journal broke the story that hundreds of third-party app developers scan the inboxes of millions of Gmail users.
A closer look reveals that the story is not as scandalous as it seems.
Facebook has been in the hot seat for quite some time following the Cambridge Analytica scandal. Google has largely evaded scrutiny of its privacy practices (and so have others like Amazon and Microsoft). This is somewhat surprising given that Google’s knowledge about our everyday lives is much more extensive.
Google operates the world’s most popular search engine (Google), video service (YouTube), smartphone operating system (Android), and email service (Gmail). Consequently, Google knows what websites people have looked at, their travel schedules, and potentially any content in Google Drive or Gmail. Gmail has around 1.6 billion users worldwide.
So, who has access to your Gmail account?
However, Google confirmed that external developers of third-party applications can still obtain rights to scavenge through users’ Gmail accounts if, and only if, the third-party app developer has first obtained consent from the user.
For third-party developers to have access to a user’s Gmail account, the user must first give consent. This consent is usually granted by the user in exchange for free services such as automatic travel planners or price comparison portals. Once the app developers have gained consent from the Gmail users, they may decide to scan the emails automatically or to sift through them manually. This is usually done to improve their software application or to place targeted ads.
This practice is not exactly a “dirty little secret”. The process is explained in the privacy policies of the respective third-party apps, and Gmail users agree to it. The real problem is that users are not reading the privacy policies, partly because the terms are long and sometimes hard to understand, and consumers do not really have the ability to negotiate the terms anyway.
This has changed to a degree since the GDPR took effect in May 2018. The regulation requires consent to be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement. Personal information should be deleted or destroyed once consent expires or is withdrawn.
Google offers a Security Checkup section that allows users to control who can access their data. Users can also revoke third-party access. It might be a good time to check which apps and services can access your Gmail account.