
Google confirms it's letting third parties scan your Gmail - octosphere
https://www.theinquirer.net/inquirer/news/3063198/google-is-letting-third-parties-scan-your-gmail-long-after-it-stopped
======
QuercusMax
This article, like previous articles[1][2], is highly misleading. What it
basically amounts to is that if you grant a site permission to access to your
email, they can access your email. I'm sure this is a stunning fact to
everyone here.

1\. [https://www.theinquirer.net/inquirer/news/3035211/gmail-
app-...](https://www.theinquirer.net/inquirer/news/3035211/gmail-app-
developers-are-reading-your-emails)

2\.
[https://news.ycombinator.com/item?id=17446459](https://news.ycombinator.com/item?id=17446459)

(Disclaimer: I work for Alphabet, but having nothing to do with Gmail, except
that I'm very sad Inbox is being discontinued.)

~~~
everdev
It's frustrating when people cry wolf over topics like this with so many
legitimate digital privacy and security concerns to actually report on.

------
cletus
So there are two vectors here:

1\. Chrome extensions can pretty much do whatever they want. These should be
used sparingly.

2\. OAuth tokens, which is what this post is alluding to. So if you're using
an Email client on your laptop or phone there are two models for
authentication:

a) Enter your username and password. You really don't have much control over
what happens from this point and most people are agreed that this is generally
a bad idea; or

b) Create a token that will grant access (and certain permissions) to someone
who uses it. In the OAuth model you have two token types: access (short(ish)
lived) and refresh (that can generate new access tokens). When a site asks you
for OAuth permissions that mention anything about "offline" usage, you're
really granting it a refresh token.

An access or refresh token can be revoked.

However once an app has an OAuth token there's not a whole lot stopping a
malicious developer in using that token themselves for whatever purpose they
like... including scanning your emails and selling that data.

So it's not so much that "Google lets third parties scan your email" as much
as it's "Google lets you use third-party apps to access GMail" and the rest
follows as "well, that's how computers work". It's not much different to
sending someone a photo and then losing any control over its further
distribution.

~~~
mercer
Chrome should really come up with some better approach to its extensions. I
consider myself a relatively cautious user (definitely well above average),
and more than once I've enabled an extension that, in a later moment of
clarity, I turned off because of what the permissions allowed it to do.

Part of the solution might be informational: make it more clear how dangerous
it is to give an extension 'control' of a domain or, as it often the case, all
the pages you ever visit.

Or perhaps there are ways to make this more granular: considering that web
apps are more and more powerful, limit not just on what domains an extension
can operate, but limit what it can do. While I imagine this one is more
challenging, if installing an extension says "this extension can READ and
MODIFY stuff on <domain>, but will never send this data anywhere" could be a
huge win (assuming this is possible to detect automatically).

Finally, depending on how much power an extension has, Google could be more
diligent about gatekeeping (assuming they aren't already).

To give an example: I use cVim. It's permissions are: \- Read and change all
your data on the websites that you visit \- Read and change your browsing
history on all your signed-in - devices \- Read and change your bookmarks \-
Read and modify data that you copy and paste \- Manage your downloads

I understand and accept that it needs to do these things, but it strikes me as
rather important whether the plugin is allowed to GET/POST stuff too. Correct
me if I'm wrong, but looking at my other plugins, this does not appear to be a
specific permission.

I'd basically be happy to allow a plugin access to everything the browser has
on me, provided that it can't send this data anywhere.

(and, assuming I'm wrong and this is actually a permission, clearly most of my
phoning-home plugins seem to get around it using a somewhat opaque other
permission to do this. probably "Read and change all your data on the websites
that you visit", which sort of is correct, but shouldn't be)

------
mslate
“Google confirms it’s letting you choose to grant third parties access to your
email so they can provide you services that they would try to provide you in
unsupported/insecure ways if Google didn’t” just doesn’t have that ring I
suppose.

------
azinman2
What a trash and misleading article. It’s letting 3rd parties using their SDK
after a given user requested being able to access your gmail. What’s the
problem?

News flash: Apple mail also can read my gmail, because I configured it to do
so!

------
chooseaname
Misleading.

If you use a 3rd party email app that adds any kind of features to your email,
like, say, notifying you that a flight is coming up, then they're scanning
your email. It doesn't have to be a gmail account. It could be ANY account you
grant the 3rd party access to.

If they do this for free... well, you're the product.

------
jchw
Yes? I mean... Many of the third party Gmail addons rely on being able to read
your inbox, for obvious reasons.

------
xenomachina
This headline is pretty misleading. It makes it sound like they're giving
access without the user's consent, but based on some other articles I could
find (eg:
[https://uk.mobile.reuters.com/article/amp/idUKKCN1M02P9](https://uk.mobile.reuters.com/article/amp/idUKKCN1M02P9))
it looks like what's really going on is that users can give access to third
party Gmail add-ons. Those add-ons in turn are capable of giving access to
someone else, though it is against Google's rules to do so without the user's
consent.

This seems a bit like claiming "Google confirms it lets other users read your
email" because the ability to forward (or even copy and paste) exists.

------
dmortin
The article is talking about 3rd party apps. If one installs such an app then
is it a suprise if it reads your mails? It has to if it provides some mail
related feature.

------
tomcam
Not a big fan of Google, but this has been documented very clearly in their
user agreement since day one, if I’m not mistaken.

------
rando444
Allowing a company to access your e-mail via a token is not very different
than just giving them your e-mail password.

I think the article does a poor job of differentiating the fact that this has
little to do with gmail, and everything to do with third-parties that are
trying to access your e-mail.

Having an API is hardly something to be reprimanded over.

------
cwyers
It's not just Google, it's any e-mail provider that supports IMAP/POP.

------
blahpro
Just like any other email provider supporting POP3/IMAP.

------
godshatter
Time to finish my switch-over to fastmail, I guess. I prefer their interface,
anyway.

And, yes, I realize this is pretty much a nothing burger. They lost my trust,
though, and any attempts to make me believe that they have stopped and that
this won't be a problem in the future are falling on deaf ears here.

~~~
QuercusMax
If you grant somebody access to your fastmail, they can do the exact same
thing. I'm not sure why this would have any bearing on your decision at all.

~~~
godshatter
Agreed. It's just reminding me that I need to complete my move away from gmail
for other reasons, mostly trust related.

