Third-Party Poopers: Privacy at Gmail

Mark Zuckerberg testifies before the U.S. Congress in 2018 following the Cambridge Analytica scandal. (Photograph: Xinhua / Barcroft Images)

Dear Sundar,

Our recent challenge with Unroll.Me has revealed another dimension to public concerns over Gmail data privacy: the rules governing access by third-party app developers. Whether it is fair or not, the reality is that Google will be the one who users and regulators ultimately hold accountable for the actions of the external developers we entrust with access to our platform. Therefore, my team’s recommendation is to require all third-party apps to abide by the same standard that we follow ourselves at Google: the contents of our users’ e-mails cannot be the basis of your business model.

First, let’s discuss why e-mail is fundamentally different to our users than other products. Unlike Search, e-mail has an “analog analog” — the mailed letter. The expectation of privacy in written communication between two or more parties is enshrined in the psyche of users, and is also enshrined in law: in the United States, the penalty for illegally opening someone else’s mail is five years in federal prison. While the statute governing the privacy of stored communications has a carveout for providers of an electronic service like ours, this does not change the consumer’s basic expectation.

Some might attribute this particular sensitivity to e-mail vs. other forms of online data to just the “creepiness factor.” While the risk to any one individual might be small, from the perspective of the user, there is a lot at stake. The threat that someone has the ability to access the contents of their inbox and outbox — whether perceived or real — has the potential to affect six of the seven University of Washington measures of human impact in its security threat kit, including:

• Emotional wellbeing: likely to cause fear, anger, confusion, and frustration in the event of exposure
• Financial wellbeing: risk of revealing confidential financial information such as banking details and credit card accounts, and also opens users to the increased cost of credit monitoring or even blackmail
• Personal data: ranging from the damaging to the embarrassing, e-mail contains photos, correspondence, and other sensitive personal information
• Physical wellbeing: e-mail likely includes physical location, both permanent and travel tendencies, and could include health information
• Relationships: exposure of communications could easily damage interpersonal and inter-organizational relationships
• Societal wellbeing: risk of self-censoring and reduced effectiveness of communication due to the dangers of lowered privacy expectations

There are two arguments we have cited in the past in defense of our current policy, which features robust screening of the purpose and transparency of the third-party’s use of Gmail data. First, opening up Gmail to third-party developers promised to increase the utility for users by adding features that we ourselves had not considered, or perhaps only a subset of users would find useful, thus driving an increase in adoption. Second, we point out that issues related to unauthorized (or simply creepy) use of data are really subject to the agreement between the third-party and the user. Is it right for us to intervene?

At this point in time, Gmail has 1.4 billion users and owns 65% of the e-mail market, and a credibility crisis could be damning in a way that a few missed features cannot. Our colleagues at Facebook have recently learned this lesson. According to The Manifest, 44% of users viewed Facebook more negatively after the revelation that political consulting firm Cambridge Analytica had accessed the personal data of 50 million users without their consent, despite the fact that it was an external app that sold the data and not Facebook. There are approximately 300 third-party apps in the Apple and Android app stores with access to Gmail, and it only takes one to have a lapse. We are implicitly signaling to our users that when we grant access to one of these developers, their app checks out.

Just as we need to be realistic about who will face the blame in the event of an issue, we need to be realistic about the limitations of our users — namely, their attention spans. A recent University of Chicago study found that “only one or two of every 1,000 retail software shoppers access the license agreement and that most of those who do access it read no more than a small portion.” No matter how intuitive the app’s policy might be, the user simply will not read it — and will still be mad at us when something happens involving their e-mails. Part of this is laziness, but part of this is also a genuine limitation in their capacity to imagine what is possible. No developer will say in their data policy “We might sell your Lyft receipts to Uber,” nor would they volunteer that there is an offhand chance that someone technically could read your e-mail.

To address these privacy concerns, here is a proposed implementation plan:

1. Indicate immediately to third-party app developers with access to Gmail that we are reviewing our policies governing their use of Gmail data.
2. Bring together a cross-functional team to finalize our new policy. For starters, we will propose banning app developers from access to Gmail if the core business model involves selling information gleaned from the content of e-mails, or includes the ability for the third-party to read the contents of an individual’s live e-mails.
3. Assign the Google Product Policy team to review the data practices of each third-party developer with access to Gmail for compliance with the new policy, notifying those who do not meet the standards.
4. Give the app developers time — let’s say, 3 months — to come into compliance with our new rule by modifying their business practices, such as exploring paid subscription models instead of selling data, or allowing users to manually upload their e-mails to an external site for processing.
5. Communicate the change to our users.

There will be pushback, but this is the right move for our customers and for Google. In the event of another scandal, don’t expect the third-party apps to have our back anyways. As Unroll.Me recently posted “Just know, Gmail has more data on you than we ever would.”