
Software developers scan emails of users who sign up for email-based services - hodgesrm
https://www.wsj.com/articles/techs-dirty-secret-the-app-developers-sifting-through-your-gmail-1530544442
======
danpalmer
I know of at least one startup who do this and use a "machine learning
algorithm" to find details of particular things in your inbox.

That "algorithm" is a guy in their office. He reads your email. He searches it
for common keywords, uses some regexes, but ultimately reads your email, then
copies bits out into the system.

I'm all for bootstrapping with things that don't scale, but this example was a
bad-faith use of Gmail access. I'm glad I don't use Gmail so couldn't
accidentally give a random guy access to my inbox.

~~~
enieslobby
It's very hard to accidentally give a random guy access to your Gmail inbox.
Doing so would require you to opt in to a dialog clearly and explicitly
stating that you are giving said permission to a developer.

~~~
rob_b
You’re dismissing the observation that users habitually click accept or
continue when prompted with a dialog. Sure, you can blame this on the users
being lazy but it becomes ingrained into users when everything they access has
a dialog, especially when that contains terms of service that would be twenty
pages long in paper form (slight exaggeration). I cannot even count the number
of times I’ve had conversations with people when observing this behavior. So
many users inherently trust that what they’re agreeing to is not only safe,
but widely accepted. After all, why else would the service be so popular and
have so many users—“Someone out there had to make sure this was legit before
me.”

~~~
tedeh
Im suggesting a UI feature same as the one Github has when deleting repos:
clearly input the full name of the repo, or in this case, maybe input ”I
UNDERSTAND” in order to proceed. This could be a browser plugin maybe...

Access to my personal email would be pretty much security game over for me as
far as I can tell. Other people might feel otherwise.

------
Ivoirians
Breaking news: Third parties scan full transaction histories and balances from
bank accounts of users who sign up for financial planning services (e.g.
Mint).

The WSJ really knows how to write misleading, incendiary headlines about tech
companies. Like, just read that comment section. Gotta stoke that techlash.
Plenty of people have plenty of real reasons to hate Google, but hit pieces
designed to drive the non-technical (and apparently some HN readers) to think
"Oh no, my Gmails are being sold and read by people"\--I guess it's too
effective of a strategy to pass up. Just an utter shame.

There is a real problem here, that lots and lots of users that glaze over the
"This app can manage (view, send, delete) all of your emails" permission
setting without thinking about it. I mean, even I double checked my
permissions to make sure I hadn't accidentally given my email access away to a
random plugin. What do you do about normal users (like my parents) who will
gladly click Next and Confirm on every single popup in front of them, without
even attempting to read it?

------
kanox
Wait, apps can really read emails? As in the text of emails? Even archived
emails?

Because for a lot of people that contains a ton of "password reset" emails
with new passwords in plain text.

~~~
masukomi
when you sign up for a service that does shit with your email, and give it
access to your email account, of course the service can read your email.

This seems pretty obvious to me. There are many useful services that do this
(SaneBox for example) but DUH how do you expect them to do anything
intelligent with your email if they can't read it?

This is all predicated upon the user granting access to their email account
though, so this is roughly equivalent to saying "People you sent a letter to
can read your letter" ... duh that's why you did it.

~~~
reaperducer
_when you sign up for a service that does shit with your email, and give it
access to your email account, of course the service can read your email._

The article isn't about some automated service looking at your e-mail. It's
about actual humans reading it. Big difference.

~~~
PantaloonFlames
Yes, that’s the point. Granting access to an App, a person doesn’t assume the
all will copy out your email so that it can be read or analyzed by humans.

------
hodgesrm
It appears you can block app access by going to the "Apps with account access"
page under 'Sign-in & Security' on your Google account page. I just checked on
one of my accounts and there are a few apps like WordPress with basic profile
access.

This page is hard to find and it's even harder to parse the meaning of the
current settings, let alone track changes to them over time.

~~~
blakesterz
That page has a bunch of interesting stuff!

I assume this link works for all accounts?
[https://myaccount.google.com/security?pli=1](https://myaccount.google.com/security?pli=1)

~~~
pietroglyph
Wouldn't it be
[https://myaccount.google.com/security?pli=1#connectedapps](https://myaccount.google.com/security?pli=1#connectedapps)

~~~
blakesterz
Yep, didn't notice you can anchor that. Same page, better link.

------
cherioo
I don't understand the negativity in this thread. The whole point of email
based service is to read users' email. Should we be categorically rejecting a
class of application?

How much value is privacy vs. value of those services?

~~~
__jal
> Should we be categorically rejecting a class of application?

What you mean, "we"?

 _I_ categorically reject any third party getting their nose in my email,
including Google.

> How much value is privacy vs. value of those services?

Correcting the question to "is the loss of privacy worth the value provided",
again, _my_ answer is absolutely not.

On this point, though, it is less about 'privacy' than it is trust. How much
do you trust some random startup techbros with more entitlement than sense
with everything in your inbox? Not that that's every startup, but it is enough
of them.

But in general, I frankly don't understand why anyone invites random third
parties to read their mail. That's crazy to me. Maybe select family, or (if I
were way richer) agents with a contractual relationship.

~~~
protonimitate
>>But in general, I frankly don't understand why anyone invites random third
parties to read their mail. That's crazy to me. Maybe select family, or (if I
were way richer) agents with a contractual relationship.

It's ignorance, plain and simple. Most people (even those with tech
experience) don't understand, or care, about the reach of that the companies
they rely on have.

Convenience comes at a price, always.

Even if Google were to simplify their ToS and app permission notices as much
as possible, a good portion of users would blindly click 'o.k.' and move on.

------
virtuabhi
I use Google/Gmail account to login into multiple apps. All the apps have some
of these three permissions - (1) View your basic profile info (2) View your
email address (3) View your phone numbers.

Are these permissions strictly enforced? I know that Google employees can read
my emails (under some specific cases), but can third party app developers also
read my emails?

~~~
Alex3917
> Are these permissions strictly enforced?

Yes, each of those items corresponds to an OAuth scope. If you try to make an
API call for data that isn't covered by the OAuth scopes you have access to,
you'll just get an error.

Developers can add broader OAuth scopes to their apps at any point, but if
they do then all their users will need to re-authenticate and will see that
the app now requires additional permissions.

C.f.: [https://developers.google.com/gmail/add-
ons/concepts/scopes](https://developers.google.com/gmail/add-
ons/concepts/scopes)

------
auslander
Apple iOS does not have permission for apps to access emails at all, if I'm
not mistaken.

------
h000per
Its not just Google, Microsoft Office 365 also supports the use of Oauth
tokens to read email.

------
Hnrobert42
How is it a secret?

~~~
jsoc815
Most users of these products are _non_ -technical, among other things. They
have no idea that they should even consider that something like that is
happening.

> _i 've been trying to explain this to my wife for a while and struggle with
> it lol._

A losing battle, it seems. I find people can't make the pattern connections
about good and bad hygiene. So explaining one example doesn't prevent similar
behavior in another, even for really "obvious" stuff. Kinda drives me a little
crazy.

~~~
tomashertus
Users don't read. There are Consent screen which clearly explain what kind of
access the application will have to your Google Account.

Edit: Formatting & Spelling

~~~
hodgesrm
That said, there's a difference between understanding what privilege you are
granting and understanding the implications of that grant.

For instance, Google help pages [0] just talk about "Full account access" and
"View your basic profile information." What about apps that can view your
calendar? That's in between. What information do those apps actually see? What
can somebody do with the information that I might not like? These are hard
questions to answer with the information Google gives you.

[0]
[https://support.google.com/accounts/answer/3466521?hl=en](https://support.google.com/accounts/answer/3466521?hl=en)

~~~
inetknght
> understanding the implications of that grant

Grant an application permission because it asked to in order to fulfill a
request to handle one particular thing about one particular email. Instead,
grant access to your entire email account, not get notified of which emails
the application accessed, and get upset because the application exceeded what
you desired to grant.

------
auslander
Original article title is "Tech’s ‘Dirty Secret’: The App Developers Sifting
Through Your Gmail"

Could moderators fix it, please?

------
luhn
Does anybody have a non-paywall link?

Edit: Found this re-reporting of the story:
[http://www.businessinsider.com/google-allows-app-
developers-...](http://www.businessinsider.com/google-allows-app-developers-
to-read-peoples-gmails-report-2018-7)

~~~
lwhsiao
Two options for passing the paywall:

1\. Facebook trick: [https://www.fullwsj.com/articles/techs-dirty-secret-the-
app-...](https://www.fullwsj.com/articles/techs-dirty-secret-the-app-
developers-sifting-through-your-gmail-1530544442)

2\. Decluttered via Outline:
[http://outline.com/gZTuBC](http://outline.com/gZTuBC)

~~~
balls187
3\. Click the "web" link underneath the title link.

------
nisten
This is getting quite irresponsible and sad. The reason nothing too
terrible(apart from election tampering) has yet happened is simply because the
current market demand for developers prevents us from engaging in malicious
behaviour.

However, once there's a market downturn, this data will be used for criminal
purposes in no time. The malware industry in east european countries with good
engineering talent exploded in the 90s after their economies collapsed. But
who cares right?

I feel like this level of naivety towards powering interoperability with brute
openness today is just plain stupid and will lead towards a backlash or risk
all out witch-hunt against developers and intellectuals in general. That risk
is becoming unacceptable in my opinion and it is worth it to start regulating
a bit our profession.

~~~
justinclift
> The reason nothing too terrible(apart from election tampering) has yet
> happened is simply because the current market demand for developers prevents
> us from engaging in malicious behaviour.

That doesn't seem to be how humans work. Groups that want to do malicious
stuff are able to hire people too (eg electon tampering as you mention).

They'd probably have to direct their hiring efforts differently though.
Probably towards known areas of er... scum and villany? ;)

Seriously though, they managed to hire people for the electon tampering, so at
least it shows it _can_ be done.

~~~
nisten
Yes it can be done, but the probability of malicious players finding someone
competent enough is quite low. It's unlikely you would help a shady
organization when you have a high salary and a nice life.

However this also means that security relies on the state of the market rather
than on good code.

