
Google has been letting app developers read users’ Gmail - benryon
https://www.forbes.com/sites/janetwburns/2018/07/02/google-has-been-letting-app-developers-read-users-gmail-unsurprisingly/#453a83404ddd
======
mwnivek
Discussion from earlier today:

[https://news.ycombinator.com/item?id=17443056](https://news.ycombinator.com/item?id=17443056)

~~~
auslander
Quite insightful comments there too.

------
PantaloonFlames
If you install an add-in, or an app, and it wants to read any of your stuff
managed by Google (emails, drive contents, calendar, etc) the app must request
user consent. This user experience is well known and understood. The user must
sign in and then also grant consent specifically to the app in question. If
the user grants consent for the app to “read email” then the app will be able
to read your inbox.

The article is saying that _humans_ employed with the 3rd party app
development company are also able to see your email.

Users might reasonably conclude that when they grant consent, the app – the
3rd party computer software – would be able to read their email, but no human
would be able to read their email. Well it turns out, once the app has
consent, the app, if its designers make it so, could read your email and then
save your email elsewhere. And then humans could read the contents of that
email elsewhere.

~~~
pacala
There is a difference between "the app can read email", i.e. this piece of
software that runs on my computer / my phone / in a Google datacenter can read
emails, and "the app can read email", i.e. the app siphons your email off into
a third party server, with no privacy or data protection safeguards.

This user experience is well known and understood in the desktop world. Leave
it to internet adtech companies to disrespect users' expectations for privacy
and personal data protection.

Google could be more honest and label the permission "this app will make your
email public for all intents and purposes".

~~~
bdhess
> Google could be more honest and label the permission "this app will make
> your email public for all intents and purposes".

How is offering the worst case hypothetical of what the 3rd party might do
with your data _more honest_ than refraining from hypothesizing?

~~~
pacala
Because that's what's happening. Having an app with both "read email" and
"network access" is basically saying "this app will siphon your email to an
unvetted and likely unsecure third party location". You wouldn't want your
bank account info treated the same, would you?

Would it be that hard to raise the user's awareness right then and there?
Bonus points for offering a sandboxing mode, where the app can only access
certain network locations, like Google IMAP servers, and only Google IMAP
servers. Extra bonus points for auditing traffic from sandboxed apps to catch
them if they try something fishy.

~~~
simonh
That’s not the same as making your emails public, ie posting them in a world
readable archive.

------
Lazare
I mean, I have installed a third party Gmail client. So the app can read my
email. And that means the developers of the app have access to my email. Which
is why I think very carefully before installing third party Gmail clients!
That's...how this works. Right?

I'm a little confused honestly; how is the headline not just a fancy way of
saying "Google supports third party email clients"? Or even "Google supports
IMAP"? Wouldn't the real scandal be if they _didn't_?

There's always a tension between freedom and security here, but I'm honestly
not at all okay with the balance this article seems to be advocating.

~~~
pacala
How about sandboxing apps with access to sensitive private information from
network access? I don't want my email to leave my desktop / mobile phone /
Google's server, is it really that hard to have that as an option?

~~~
lern_too_spel
> I don't want my email to leave my desktop / mobile phone / Google's server,
> is it really that hard to have that as an option?

That option exists. It's called not adding a third party app to your Gmail and
clicking its consent button.

~~~
pacala
Absolutely. Even better, just don't use Gmail until they start taking data
protection seriously.

~~~
lern_too_spel
Every other email provider also provides API access to email, typically via
IMAP or POP. Your suggestion then is (instead of simply not authorizing third
parties to have access to your email) to not use email at all?

~~~
pacala
There is quite a bit of friction when setting up IMAP/POP access to an email
provider. If I go to the trouble of setting up IMAP/POP, it's likely I know
what I am doing. To the best of my understanding, the article is about 1-click
permission granting / data leak.

------
majormajor
I think there is a meaningful distinction between "I'm using a client running
locally on my machine, distributed from known locations, and it wouldn't be
too hard for someone to spot if it was exfiltrating my data to third party
servers" and "I'm using a service running on someone else's servers,
effectively shipping my emails through them as a middleman, with no insight to
what's going on behind the scenes."

I'm technically aware enough that I haven't used any of these services, since
it seems to have _bad idea_ written all over it. But I'm not surprised that
the average user _wouldn't_ be that technically aware - I just never was able
to convince people I knew that it was something worth being concerned about.

So rather than scorn for the users who never thought about this before, I
think it's great that people are starting to be more aware of the compromises
we've made in the name of convenience. There are other ways to build these
sorts of systems, and many of them would be less prone to abuse.

------
rayiner
It’s funny how everyone is saying “of course this is how it works” while on
every fourth amendment article all you read is how protected cloud content is
and how it's totally reasonable to have an expectation of privacy in that data.

It’s rapidly becoming clear that once you give your data to third parties in
unencrypted form, all bets are off. Any assumption that the data is private or
protected or otherwise not subject to abuse is an unreasonable one. And that
fact is intrinsic to the cloud (and the biggest weakness of cloud computing as
a concept—at least, with putting logic in the cloud as opposed to treating it
as dumb storage). Cloud computing is fundamentally incompatible with privacy.

~~~
crazygringo
Your cloud content is as protected as you choose it to be. That's a feature,
not a bug.

If you choose not to share it with third parties (e.g. via additional app
permissions)... then it's private and secure.

If you choose to share it with third parties... then it's only as private and
secure as you deem those third parties to be.

I suppose cloud servers can be hacked by malicious actors, but so can your
local machine, and chances are that Google is able to better defend its
network than you are.

------
kryogen1c
This reads like a FUD hit piece. Anyone have any actual data/evidence on
what's going on?

~~~
kyrra
WSJ, which is owned by News Corp, started this article. News Corp occasionally
does anti-Google and anti-Facebook pieces. See:

[https://www.theguardian.com/media/2018/may/04/google-facebook-not-playing-by-the-rules-news-corp-tells-accc](https://www.theguardian.com/media/2018/may/04/google-facebook-not-playing-by-the-rules-news-corp-tells-accc)

And: [https://www.recode.net/2017/6/26/15878518/yelp-oracle-news-corp-letter-supporting-eu-action-against-google-antitrust](https://www.recode.net/2017/6/26/15878518/yelp-oracle-news-corp-letter-supporting-eu-action-against-google-antitrust)

(Disclaimer: I'm a Google employee, but also an avid WSJ reader)

~~~
drb91
Who doesn’t occasionally do anti-Google pieces? I’d be more skeptical if they
didn’t!

That said, this does smell like a hit job.

~~~
kyrra
Listened to a short podcast (9 minutes) with the author of The Wall Street
Journal piece, and my impression was this was done as an investigative piece
to see if they could find any bad actors using the Gmail system. They weren't
able to find any specific actors, but they spelled out how the system was used
and potentially how it could be abused.

Podcast: [https://pca.st/9jFw](https://pca.st/9jFw)

------
0xCMP
I'm not sure what the point here is? Aren't they basically just reporting
that Gmail offers a nicer API to read email than IMAP and app developers have
been misusing it (maybe)?

~~~
FreakyT
Yeah, this article is apparently blaming Google for the crime of...having
APIs. Everything described here would also be possible with IMAP.

The _actual_ news story that this is based on (which, for some reason, is
completely ignored by this article), is that there are several third-party
mail clients engaging in questionable behavior[1]. This is not limited to
Gmail, but any of the services that the apps are compatible with, including
such classic standbys as IMAP and POP3.

[1] [https://www.macrumors.com/2018/07/02/third-party-email-apps-reading-user-emails/](https://www.macrumors.com/2018/07/02/third-party-email-apps-reading-user-emails/)

~~~
kbenson
The sad thing is that the technically literate might come across as "this is
overhyped", because in a way it is (in that it focuses on one company), when
the real sentiment is "_this_ is what gets you alarmed now? This problem is
_rampant_ all over the place and we've been harping on it for _years_".

------
crazygringo
Serious question... why does this story have 100+ upvotes (so far) when
virtually all the comments seem to indicate this is FUD and how APIs are
designed to work?

~~~
ucaetano
Because Google bashing is important for some people, regardless of the claims
being true or not.

~~~
ledriveby
I'm amazed nobody's talked about Reader. The Google bashing thread graph
always terminates in a Reader cycle.

------
plink
It's a surprise that giving one's username and password to these plugins
abdicates one's privacy?

What's more surprising is the ability to earn a living by pinning one-sentence
opinions to synopses of other writers' articles.

------
randomsearch
Why are people saying "this is obvious"? I'm a Gmail user and I don't find it
obvious. I just checked and I've never granted third-party access, but I would
have made the mistaken assumption that Google would _never_ allow an app to
request permission to read my email.

They were very clear when they introduced ads based on your email that only a
machine would read it. But by opening up access to third parties, they can no
longer guarantee that. So this betrays their users and the expectations they
have encouraged.

It would have been so easy for me to click through a permissions request, as I
would have assumed any permissions were pretty weak - use OAuth to log in,
maybe get my gender or age etc.

If you've had cause to use some app that relies on email analysis then maybe
you knew about this, but I'm guessing the vast majority of Gmail users are
like me, and have no idea an app could request the permission to read their
email, and thus provide access to employees at third parties.

The fact that this is being downplayed is disappointing, because it's not
dissimilar to Facebook's behaviour in allowing third parties to read messages.

I thought Google were different; I was wrong.

Guess that switch to iCloud mail I was thinking about is now a priority.

~~~
fortenforge
The part that you're missing is that you can't just "click through" a
permissions request since it explicitly would include the line "This app can
read all your emails".

[https://1.bp.blogspot.com/-DiGeWx5UEVQ/WzswMQ9VV1I/AAAAAAAAxW0/sTCakcHOq58KHUqL8FD1GejHYSLQb35bQCLcBGAs/s728-e100/gmail-apps.png](https://1.bp.blogspot.com/-DiGeWx5UEVQ/WzswMQ9VV1I/AAAAAAAAxW0/sTCakcHOq58KHUqL8FD1GejHYSLQb35bQCLcBGAs/s728-e100/gmail-apps.png)

~~~
randomsearch
Thanks for the image.

This shows how ridiculously irresponsible Google's decision is - to allow such
a huge permission to be given via a single click in the same way as much less
important permissions - and even worse, mixed in with other requests.

Alternatives they could have considered:

1. Don't do this at all - keep emails private and in your control. This is
the sane solution. Make the user set up any apps with IMAP access as per a
mail client. The friction here would make it much harder for the user to be
deceived.

2. Allow it via the app permissions, but have a completely new approval
screen for it to highlight just how important this is. The screen should
have a suitable graphic for a warning (stripes etc.) and say "WARNING - you
are about to...", followed by a multi-click path to get around it. Then require a
re-entry of password and TFA. Similar to Safari's certificate warnings when
visiting websites [1].

3. Build an infrastructure whereby an app can access information without it
leaving Google. A sort of sandbox/walled garden where the only ways in and out
are strict APIs. So a company would be able to extract summary data, but not
individual mails. Don't know if this is possible; depends on the use case.
Would only be partially effective.

[1] [https://www.digicert.com/blog/safari-11-introduces-improved-ui-certificate-warnings/](https://www.digicert.com/blog/safari-11-introduces-improved-ui-certificate-warnings/)

------
ucaetano
Wow, when users explicitly authorize an app to access their email accounts,
the app can access their email accounts.

What's next? Scientists discover that the sky is blue?

------
throwaway2016a
While I think this is ridiculous, my general take is you gave consent with the
login page; it's not the API provider's fault they misused it. You should have
been more careful about who you trust.

But with that said, I often considered it to be a good idea to allow users to
see what data is accessed by apps.

I'm working on an app that as a service to the customer allows them to see
exactly which records each authorized app accesses. And also flags access that
includes fields that are considered personal via GDPR.

It's a way to be able to account for which users you gave access to a specific
customer's data to. I kind of like the feature and all it involves is a
logging operation that gets imported into the database with an app ID, date
and document ID and true/false if any of the fields were sensitive. Though I
suppose if our use case had a lot of read heavy clients it could be a problem
to manage all the data.
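The access-audit log sketched in the comment above, written out as an added example (not the commenter's code): one row per app/document read with a flag for personal-data fields, a per-app view a customer could be shown, and a sliding-window check for the read-heavy clients the comment worries about. The app ids, field names, sensitivity list and timestamps are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed: fields this tenant treats as personal data.
SENSITIVE_FIELDS = {"email", "full_name", "phone", "date_of_birth"}


class AccessLog:
    """One row per (app, document) read; everything shown to the customer is derived."""

    def __init__(self):
        self.rows = []

    def record(self, app_id, doc_id, fields_read, when):
        """Store the access and return whether it touched personal data."""
        fields = set(fields_read)
        sensitive = bool(fields & SENSITIVE_FIELDS)
        self.rows.append({"app_id": app_id, "at": when, "doc_id": doc_id,
                          "fields": sorted(fields), "sensitive": sensitive})
        return sensitive

    def report(self):
        """Per-app summary: documents touched, reads, reads of personal data."""
        out = {}
        for r in self.rows:
            a = out.setdefault(r["app_id"], {"docs": set(), "reads": 0,
                                             "sensitive_reads": 0,
                                             "sensitive_fields": set()})
            a["docs"].add(r["doc_id"])
            a["reads"] += 1
            if r["sensitive"]:
                a["sensitive_reads"] += 1
                a["sensitive_fields"] |= set(r["fields"]) & SENSITIVE_FIELDS
        return out

    def bulk_readers(self, window, max_docs):
        """Apps that read personal data from more than max_docs distinct
        documents inside any sliding window of length `window`."""
        flagged = set()
        per_app = defaultdict(list)
        for r in self.rows:
            if r["sensitive"]:
                per_app[r["app_id"]].append((r["at"], r["doc_id"]))
        for app_id, events in per_app.items():
            events.sort()
            start, in_window = 0, defaultdict(int)  # doc_id -> hits in window
            for at, doc in events:
                in_window[doc] += 1
                while at - events[start][0] > window:  # drop expired events
                    old = events[start][1]
                    in_window[old] -= 1
                    if in_window[old] == 0:
                        del in_window[old]
                    start += 1
                if len(in_window) > max_docs:
                    flagged.add(app_id)
                    break
        return flagged


# Constructed sample: one app matching a receipt a day, another pulling
# fifty customer records with personal fields inside a minute.
T0 = datetime(2018, 7, 2, 12, 0, tzinfo=timezone.utc)
SAMPLE_LOG = AccessLog()
for day in range(3):
    SAMPLE_LOG.record("receipts-app", f"order-{day}", ["order_id", "total"],
                      T0 + timedelta(days=day))
for n in range(50):
    SAMPLE_LOG.record("sync-app", f"customer-{n}", ["email", "full_name", "notes"],
                      T0 + timedelta(seconds=n))
```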

~~~
pacala
What if there were a permission to "read and withdraw from your bank account"?
If 1% of the users are cleaned out after absent-mindedly agreeing to 10+
permissions on a random app, would that not be the API provider's fault?

~~~
throwaway2016a
NO!!

No more so than if I gave the app my password directly.

If you give someone the keys to your apartment and they rob you it is the
thief's fault and your fault for trusting them. Not the landlord for making a
copy of your key when you requested it.

As a user I want API access to my data. As do a lot of people. I am going to
be pissed if people like you cause everyone to stop offering APIs because they
think people are too irresponsible to be trusted with access to their own
data.

APIs provide us data freedom. They are a good thing.

The villain here is pretty clear to me: it is the company that is abusing your
trust by withdrawing your money, not the company providing the API.

It is educating people that is broken, not the APIs. I don't know when we got
to be so trusting that we "absentmindedly" give 10 companies access to our
data by clicking straight through a permission dialog that clearly says what I
am doing. But absentmindedness is not a good reason to put padding on
everything and force everyone to wear kneepads.

~~~
pacala
This is not about API vs. not API. It's about hiding critical APIs among
benign APIs and training users to click "Accept" on a regular basis. This is a
dark pattern if there ever was one, perhaps the darkest of all. It's about the
company formerly led by Eric "If you have something that you don't want anyone
to know, maybe you shouldn't be doing it in the first place" Schmidt.

It's about an ecosystem that requires you to hand out a copy of the key to
your apartment to strangers in exchange for minor services on a regular basis,
and makes it really easy to do so.

I haven't used Android in a while, but here's a quick search that fits my
Android experience of yesteryear. Almost every app I installed asked for this
overreaching kind of permission. Transcript with a little easter egg.

    
    
          Glympse 
          needs access to
        * Identity
        * Calendar
        * Contacts
        * Location
        * SMS
        * Phone
        * Photos/Media/Files
        * First Born
        * Wi-fi connection 
          information
                      ACCEPT
    

[http://openattitude.com/wp-content/uploads/2015/06/m-permissions-02-glympse.png](http://openattitude.com/wp-content/uploads/2015/06/m-permissions-02-glympse.png)

[https://www.howardforums.com/showthread.php/1865181-A-Massive-Disappointment-App-Permissions-on-Android-M](https://www.howardforums.com/showthread.php/1865181-A-Massive-Disappointment-App-Permissions-on-Android-M)
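Two comments above (randomsearch's option 2 and pacala's point about critical scopes hidden among benign ones) describe the same defensive change to a consent flow: tier the requested scopes, put the mail-reading ones on their own warning page with step-up authentication, and flag the bundling. This is an added example of that logic, not Google's code: the scope strings are the public Gmail and OpenID Connect scope identifiers, while the tiers, the screen text and the sample requests are constructed.

```python
from dataclasses import dataclass, field

# Public scope identifiers mapped to a constructed sensitivity tier.
SCOPE_TIERS = {
    "openid": "basic",
    "https://www.googleapis.com/auth/userinfo.email": "basic",
    "https://www.googleapis.com/auth/userinfo.profile": "basic",
    "https://www.googleapis.com/auth/gmail.send": "elevated",
    "https://www.googleapis.com/auth/gmail.labels": "elevated",
    "https://www.googleapis.com/auth/gmail.metadata": "elevated",
    "https://www.googleapis.com/auth/gmail.readonly": "critical",
    "https://www.googleapis.com/auth/gmail.modify": "critical",
    "https://mail.google.com/": "critical",
}


@dataclass
class ConsentPlan:
    basic: list = field(default_factory=list)
    elevated: list = field(default_factory=list)
    critical: list = field(default_factory=list)
    unknown: list = field(default_factory=list)
    separate_warning_screen: bool = False
    require_reauth: bool = False


def plan_consent(requested_scopes):
    """Bucket scopes by tier; unrecognised scopes fail closed into the warning path."""
    plan = ConsentPlan()
    for scope in dict.fromkeys(requested_scopes):  # de-duplicate, keep order
        getattr(plan, SCOPE_TIERS.get(scope, "unknown")).append(scope)
    if plan.critical or plan.unknown:
        plan.separate_warning_screen = True
        plan.require_reauth = True
    return plan


def is_bundled(plan):
    """Critical mail scopes mixed with basic sign-in scopes: the pattern the thread objects to."""
    return bool(plan.critical) and bool(plan.basic)


def render(plan):
    """Consent screen as text lines: critical/unknown scopes first on their own
    warning page with per-scope opt-in and re-authentication, then the rest."""
    lines = []
    if plan.separate_warning_screen:
        lines.append("WARNING: this app asks for access to your mail or for "
                     "permissions that are not recognised")
        for s in plan.critical + plan.unknown:
            lines.append(f"  [ ] allow {s}")
        lines.append("  re-enter your password and second factor to continue")
        lines.append("---- next page ----")
    for s in plan.elevated + plan.basic:
        lines.append(f"  [x] {s}")
    return lines
```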

------
dbasedweeb
It’s been axiomatic for a while that if you care about privacy and security, a
generally paranoid outlook is helpful where telecommunications are concerned.
Just assume that unless it’s e2e encrypted and you trust the recipient to be
as paranoid, that someone else is reading your communications. Assume that if
it has a microphone and an internet connection someone else could use it to
listen in. Assume 5-Eyes partners archive absolutely everything and may
someday have a smart enough system to really use the data. Assume FB and
Google and your ISP are spying on you and building profiles of you.

I’m not sure what else to say, but aside from people who have a stake in
Google, or take skepticism to illogical extremes, this news can’t be
surprising.

------
navjack27
_Sarcasm_

Man I really learned something about what to do about this horrible issue of
APIs.

I really hate articles like this that don't have a point or provide a
solution. "Be scared of this please okay thanks bye" hit piece garbage.

------
drb91
This seems fairly similar to the Cambridge Analytica revelation—it seems
they’re reporting on access specifically granted to these apps by the user,
but the data is not technically restricted from access the way you might
expect when humans are involved. That is, the person isn’t authorized on
access beyond having the app credentials. Does anyone else understand this?
Does that sound correct?

If I am correct, we’re going to be facing a long list of shocking APIs. I also
wonder why the article doesn’t mention SOX, which might provide some liability
for public companies looking at PII.

~~~
kowdermeister
The Google OAuth page does say that the third party will be able to read and
delete your mail. It will boil down to the user's assumptions about whether said
third party consists of humans :) Then they will obviously be able to read it.
That's why I never provide access to my Gmail.

------
bb88
Ebates does this apparently.

> Connect with Google

> When you connect your Google accounts, Ebates automatically matches email
> receipts and displays them in your Cash Back Activity.

And then the permissions required are:

* View/Send/Delete Email

------
richardw
SMTP has been letting servers talk to each other in cleartext forever. How
many email providers send to each other over a secure connection? Certainly
not all.

~~~
AstralStorm
Almost all nowadays as Gmail rejects insecure input. On other servers
unsecured mail input gets big spam scores.

Perhaps some internal ones take plaintext from local machines, but inter
server is almost always TLS.

------
CryoLogic
Are we talking Gmail-integrated apps or say a browser plugin? It doesn't
really specify. I know browser plugins have stolen Gmail emails in the past.

~~~
Alex3917
The article is about apps using the Gmail API and Gmail Add-ons, both of which
use Gmail OAuth. Browser plugins have the same privacy issues, but it's hard
to attribute any blame to Gmail there.

------
bitmapbrother
Wait, are you saying if I install a third party app, like you know a third
party email client, and give it explicit access to my Gmail account I'm giving
it the ability to read my emails? The horror.

This isn't journalism. It's an ignorant hit piece by a paper owned by Murdoch.
Forbes and The Verge should also be ashamed of just regurgitating the WSJ BS
and not doing their due diligence.

------
auslander
Apple iOS does not have permission for apps to access emails at all, if I'm
not mistaken.

------
solomatov
I don't understand a legitimate use case where an app needs to have access
to a user's inbox. I understand when you need to send email or access contacts,
but not the inbox.

------
kyrra
WSJ reported this first, as linked to by Forbes.

[https://www.wsj.com/articles/techs-dirty-secret-the-app-developers-sifting-through-your-gmail-1530544442](https://www.wsj.com/articles/techs-dirty-secret-the-app-developers-sifting-through-your-gmail-1530544442)

Non paywall link: [http://archive.is/CZFiG](http://archive.is/CZFiG)

------
haglin
Don't be evil.

The greatest trick the Devil ever pulled was convincing the world he didn't
exist.

------
stephenr
Tell me again why anyone ever thought an email “client” that’s running on
someone else’s server was a good idea?

------
kerng
Well, ready to be amazed every day. It's pretty clear that one can't trust
cloud providers with these sorts of things, especially when their business
model depends on it...

------
rhacker
I'm just as pissed off about reading contacts as someone reading emails. For
some reason, about 10 years ago, apps started to get permission to read local
contacts, and then just upload them to third parties and use that information.
When did we let all this happen?

~~~
AstralStorm
Security is almost never a priority, no matter how easy it would be to fix such
leaks...

------
sraw3
I'm also not sure what the point is. Does this article mean those third-party
apps can access our email without consent?