Third-party app developers can read the emails of millions of Gmail users, a report from The Wall Street Journal highlighted today. Gmail’s access settings allows data companies and app developers to see people’s emails and view private details, including recipient addresses, time stamps, and entire messages. And while those apps do need to receive user consent, the consent form isn’t exactly clear that it would allow humans – and not just computers – to read your emails.
Wait, you mean to tell me that when I granted one of those newfangled we-will-organise-your-email-for-you email clients access to my email I granted them access to my email? I am shocked, shocked I say!
Privacy and security stories tend to get easily inflated, and while it indeed sucks that actual people at said companies can read your email, you did explicitly grant them access to your email account. It’s all spelled out right there in the Google account permission dialog. These companies aren’t here to make your email lives easier – they’re here to mine your data and sell it to third parties.
You wouldn’t let a random small company install cameras in your house. Why do you treat your email any differently?
Google has access to anything people type into its services or cloud. That’s just common sense. How do people expect these giant tech companies who give away their services at no charge to make the billions that they generate every year? It should be obvious to anyone using social media or Google services that the data they freely give them is theirs to do with as they wish.
It’s not about google, but 3rd part devs and people giving them access despite warnings… it would be just as bad if you’d agreed to give them password to your privately hosted email account.
Thomas Holwerda,
Your example of cameras is flawed, many IP cameras do get installed in and around people’s homes for security, get saved “in the cloud” where 3rd parties can access them (whether people realized they could be spied on or not).
I’m often disappointed that corporations don’t do more to protect privacy, but when we embrace “cloud technology” being designed by corporations for corporate interests, this is the result.
It doesn’t technically have to be this way (ie end to end crypto that makes interception by 3rd parties impossible), but the industry usually squanders the opportunities to promote secure standards & protocols.
http://www.osnews.com/story/30278/Chat_is_Google_s_next_big_fix_for…
I don’t use Gmail myself, but …
Not only that, but the only thing I use email for these days is to receive electronic bills and such, so I’m not terribly concerned if somebody happens to eavesdrop on my email. It IS plain text after all, so if you’re doing something private over email, you really SHOULD be using encryption anyway.
And many people even pay money for spyware that sends everything going on in their house to strangers in big corporations. It is a booming business at the moment, and is called “smart assistants” and “smart homes”, though they are only for dumb people.
We’ve trained an entire generation of computer users to not bother reading agreements, or https warnings, or UAC prompts– just click through to get to the good stuff.
And if that wasn’t enough:
https://gizmodo.com/facebook-google-and-microsoft-use-design-to-tric…
a recent study points out that the social parasite corporations go out of their way to make it difficult to figure out exactly what you’re agreeing to.
(Disclaimer: I work for Google, but I would have said the exact same thing for Hotmail, Yahoo or even your local sendmail server. And of course this is my personal opinion).
The article includes a clear dialog warning the user they are allowing a third party application to access all their email. It is more or less the same as giving your IMAP password, or keys to your account.
As a developer myself, I like being able to access my data with scripts, local programs (Thunderbird), or in limited circumstances trusted third parties (with restricted access).
However given “people will give out password for chocolate” (https://www.theregister.co.uk/2007/04/17/chocolate_password_survey/ ), there is another side of the coin.
I remember seeing web sites giving detailed instructions to bypass UAC controls in Internet Explorer (click the yellow bar, choose Allow, etc.)
I had friends who had disabled the antivirus software so that they could open that .exe attachment.
But we should not go thru this slippery slope. The only “final solution” would be locking everything down, with no outside access. That would be terrible.
Personally, I would still prefer having these kind of APIs and open protocols. I want to be able to script my data, or access it remotely with open protocols.
But the sensationalist articles cause power users losing more and more control. Our PCs are becoming like appliances, and less like the older open platforms. Our phones are already mostly locked down.
Let’s keep as much of our data open as possible (with sufficient platform security of course).
Yes, it clearly states that the application will be granted certain permissions. Nowhere does it state, however, that this app would then upload all your data, from your phone, to a third party for their own amusement. This is the point and it’s obvious to anyone that this is a huge issue.
Cynical people will understand the implications but even here I regularly get bashed for being cynical – it isn’t common sense anymore but something beyond that. In the modern “good vibes only” society being realistic is frowned upon.
The sensationalist journos want clicks and therefore focus on the aspect that a human will be able to read through our emails, because that’s what will grab our attention. They themselves fail to understand the actual problem that is lack of distinction between granting online and offline access to apps.
But again on this website I see more “enlightened” people fail to grasp this basic issue, so I can only concede how deep the rot has gotten.
Edited 2018-07-03 07:33 UTC
Its not obvious that is a difference to me. If I give you permission to see my data. I assume its going to be moved to their servers and processed. Its kind of crazy to assume that wouldn’t be the case.
“people will give out password for chocolate”
Mmmm… Chocolate…
That quote is rather silly; if an application/website can access your email, then, of course, the creators/maintainers will also be able to.
No, that’s complete bullshit. If you’re granting permissions to an app, it’s just a piece of code living on your phone. If the app wants to share that data over to a cloud, it should be prompted separately. To be even more clear, it should somewhere state that sharing the data this way will then give no holds barred access to a third party.
Yes, it is very naive to assume that the “app” is only the code on your phone, but it should not be the regular people’s concern to try to decode what these dialog messages are likely to mean or in the worst case possible will allow.
They only see a message on their screen, they do not understand that it is an automated listing of certain properties defined in a simple text file, not an actual technical mechanism that would safeguard one’s personal information.
Edited 2018-07-03 07:36 UTC
What’s not to understand in “This will allow sample application to read, send, delete and manage your email”?
It’s not hard to decipher from this that this grants full access to the app to send your mail wherever it likes since that’s what is literally stated in that sentence.
Edited 2018-07-03 09:20 UTC
No, it is hard. You yourself only assume that because you have been taught to. But you are sort of brainwashed to expect it automatically, voluntarily waiving your right to privacy right there and then. People should have the right to expect better, not duty to expect worse.
Again the distinction between just letting an app access your data locally vs. sending it outside of the phone should be there. But it isn’t. That is the problem.
If the permissions clearly stated that granting them means the data will be shared outside of the physical device, then it is irrelevant whether or not humans or only machines will process that data.
Edited 2018-07-03 11:07 UTC
Do you at least understand that you’re “Obvious” distinction between local processing and uploading, isn’t obvious to many people?
Just below that paragraph I stated that people in general have been conditioned to NOT understand this fairly obvious point. So: yes.
Many obvious things aren’t so obvious to people, whose ability to think is limited to what the marketing departments tell them. But, my point was also that it should not need to be. There should be legal protections, if not simply goodwill, for these kinds of things.
Edited 2018-07-04 13:26 UTC
No, you didn’t understand my reference. I was referring to your earlier post that called it an “obvious problem” that most people wouldn’t understand the warning. I don’t think its either obvious or a problem.
The more you add to a warning to make it as explicit as possible, the less people will read it.
So if the original permission was
No I don’t. I merely read literally what is stated there. If I want to know what the app is going to do with the access, I go and read the terms and conditions of that application’s producer, google’s warning page even provides a helpful link to that application’s privacy policies. If they abuse my trust, I go to them to complain.
Edited 2018-07-03 22:57 UTC
If I bring my car in for a repair I have to sign a piece of paper that allows the repair company to “open the door, start the engine, perform a drive”. Common sense says that they will only drive a little bit to test out some repairs, try to recreate a rambling noise, etc. If they decide to take my care for a long weekend trip to Paris-and-back I am going to have a big discussion with that car repair shop because they are …wait for it… a car repair shop and not a travel service. It is called “reasonable expectation” and is codified in many ways in law:
https://www.lawteacher.net/free-law-essays/contract-law/reasonable-e…
https://en.wikipedia.org/wiki/Legitimate_expectation
https://legal-dictionary.thefreedictionary.com/Reasonable+expectatio…
An email app that presents itself as an app that allows you to send an receive email but that has a clause in the EULA that says “all your mails are belong to us” is breaking the expected behavior and would cause a legal issue
If the repair shop was offering their service for free, you’d be suspicious, right?
If you’re allowing a free app access to your email, I think you can reasonably expect them to monetize the hell out of your data.
Yes, I would be suspicious if the repair shop was offering their service for free because there isn’t a single repair shop in the world that I know of that offers their service for free.
However there are millions of apps, programs and even complete Operating Systems bundled with thousands of entirely free/FREE programs so people aren’t suspicious when a “simple email organising app” is free
What’s silly is people shouting at “free” cares because this is “socialism”, yet expect everything being given “free” of charge like if corporations were NGOs.
Indeed, you are going to have a discussion with the car-repair shop, not with the car company. Never having owned a car, I don’t know this, but how many manufactures give the warning “if you give your car keys to someone else, they could use it for going on a holiday” or something similar.
The problem is that google’s warning is not the third party email program’s EULA or even a privacy statement. It states, precisely, what you are allowing technically.
If you want to know what the software is actually going to do with the access you are giving it, you have to go to the producer of that software.
Edited 2018-07-03 22:52 UTC
This basically means that we are talking about licensed repair-shops here.
Now I don’t like the wording from this quote “for what the company does”. That should be “for what the app-user expects the app to do”. The way it is worded now a “data mining company” like Cambride Analytica could make a “Which muppet am I” app with a description “Looks at your defined Gmail labels to see if you are a Kermit or ms Piggy” while downloading all your mails from history with full permission from Google!
People have become far too trusting in what they install because the appstores are “trusted”.
Edited 2018-07-04 10:23 UTC
It’s amazing! After 30+ of computer industry somebody just realised what developers actually can access the data they develop UI for? Wow!
Edited 2018-07-03 08:06 UTC
UI has nothing to do with it.
Any piece of code that you allow to run on your machine should be considered “trusted” because theoretically even an innocent “dir” command could be changed to upload a copy of all your user-accessible files secretly. Guarding yourself against this behavior (ACL’s, UAC, Firewalls, app-permissions) just comes down to trusting more code.
(for the Richard Stallman fans: Nobody can analyze every line of code and compiling everything from source still means trusting that source)
The problem here is trust and expectation. We expect programs to do what we want them to do, not more
and realises that with almost every week that passes my decision not to setup email on my phone or use any social media sites on my phone or laptop seems more and more sensible.
I quickly realised how much data these things could slurp from my time working at a rival to Google.
As for Gmail… I just won’t go there.
Let’s not overreact. If you don’t work with nuclear secret stuff, then having your own mailserver and K-9 mail on your smartphone will be probably OK.
https://k9mail.github.io/
I agree with Thom on this one. People should not be surprised, and use their brains before agreeing.
It is not about overreacting or working on Hush-hush stuff. For me it is the desire to keep my private life… private and to not broadcast what I’m doing, where I’m going etc etc to the world.
Firstly, no one apart from Advertisers and thieves would be interested and secondly, I have better things to do with my life than ‘boast’ about my dull and boring life to the world.
If you search for me on Google, you won’t find me and I intend to keep it that way as long as possible.
Now I must go and milk the Goats.
[QUOTE] You wouldn’t let a random small company install cameras in your house. Why do you treat your email any differently? [/QUOTE]
But people install microphones in their house every day, or haven’t you heard of Alexa?
Edited 2018-07-03 13:35 UTC
And they will get burned by those just the same and be just as unjustifiably shocked.
Yep, and ‘Hey Google’ and none of that IoT shit or smart speakers is coming into my Home unless it is on its way to recycling.
My so called Smart TV is only connected to the internet once a year to get any software updates. When that is done, the plug is pulled.
Yours,
Grumpy Old Man/boring old fart.
Good one Thom. I really like the comment regarding random companies installing cameras in your home. Well done!
Made my day!
well nothing surprizing..with all those news of FB leaking private information we can all guess that what we enter when registering somewhere isn’t that private as we might have thought..when researching for http://yourhomeworkhelp.org/ on similar found this article https://www.washingtonpost.com/business/on-small-business/googles-pr…
that’s an interestingly intriguing story