Knew It All Along: Your Gmail Is Being Spied Upon

by Paul Arnote (parnote)

Background

I can remember back in 2004, when Gmail first launched publicly. Some thought it was an April Fool's joke, since the public release date was April 1, 2004. Back then, it was in beta and only available by invitation (it was, in fact, considered "beta" until 2009). I remember asking everyone I knew if they had a Gmail account, and if they did, to please send me an invitation. Users could each send out either 50 or 100 invitations (I forget the actual number) to friends and family (initially, it was three invitations, and then increased to six, before the loftier 50 or 100 invitations). It took me a few months to finally get my invitation, since some people I knew weren't freely handing out their "allotment" of invitations. In fact, some users were "selling" Gmail invitations on Ebay for as much as $150 (U.S.). The selling of Gmail invitations is what prompted Google to increase the number of invitations to the much higher number of 50 or 100, blowing out that "market."

Gmail's chief architect was Paul Buchheit, the 23rd employee of Google. He started working on Gmail in 2001 in an almost Skunkworks fashion. Gmail was kept hidden from all but a few select Google engineers. By 2004, virtually all Google employees were using Gmail for internal email communication. In addition to Gmail, Buchheit also developed the original prototype for Google AdSense, as well as suggesting Google's former company motto of "Don't be evil" back in 2000 at a meeting to discuss company values. Buchheit left Google in 2006.

Gmail was a bit different back then. Almost no one back then worried about whether "Big Brother" Google (or anyone else) was reading their emails. One early feature (that started showing up as early as 2006) was a configurable "news feed" bar at the top of the Gmail inbox mail list window that users could customize with RSS news feeds that appealed to their interests. Sadly, that feature is one of many that have been lost through the years and many Google redesigns of Gmail.

You'll notice that the early Gmail did not include a contacts manager. The earliest reference I can find for Gmail having a contacts manager is 2006.

Don't be fooled. Google makes money from Gmail by targeting ads to its users. That's one of the reasons Buchheit helped lay the foundation for Google AdSense, so he could help monetize Gmail for its public release. Today, those ads occupy the space formerly occupied by the RSS news feed ticker (unless you use an ad blocker, like UBlock Origin or AdBlock Plus).

As of April, 2018, Gmail is offered in 72 languages around the world, and boasts 1.4 BILLION users worldwide (yours truly, included).

Where The Doubts Start

Once Gmail started targeting ads to users in earnest, the questions started. It turns out that Google was electronically scanning users emails using an algorithm to discover the interests of individual Gmail users. Google has claimed all along that a) no human eyes at Google ever see your email, and b) things like medical conditions, sexual orientation, race, creed, religion or any other potentially discriminatory data were never used. But, by scanning the email of Gmail users, the ads appearing in Google AdSense would be targeted to that specific user's interests, as indicated by the content of their emails.

Understandably, this literally freaked out a lot of users. Trust in Google plummeted (even more), since despite Google's admission that no human eyes have ever or would ever routinely read any user's emails, doubts remained in a good number of users minds. Tons of questions and red flags remained, such as: Google can keep unlimited amounts of information on a user forever, that information could be used to build profiles of individual users, emails sent by users of other email services get scanned without the sender ever having agreed to Google's privacy policy or terms of service, Google's ability to change its privacy policy unilaterally, and they can make minor changes without ever notifying the end user.

Granted, there are a whole slew of people who really couldn't give two nickels about their privacy. But then, there are a whole lot of people who are legitimately concerned about their privacy, and work hard to protect it. I have to admit that I've seen a lot more people concerned about their privacy in the Linux community than I ever saw in the Windows world. But then too, I've not spent any significant time in the Windows world for much of the past decade that I've been running Linux.

Google ceased the scanning of the emails of Gmail users in 2017. Instead, they collect their user data from individual user's use of Google's other services.

The Current Dilemma

While Google itself has stopped scanning the emails of Google users, there are a lot of third party apps that still do. This revelation was revealed in a July 2, 2018 Wall Street Journal article (subscription required). Of course, the news spread quickly, and far and wide. Hardly a news outlet spared any time at all getting word out to users. In some cases, it was reported that users intimate and private emails were being read by another human.

Several news outlets immediately posted information on how to limit the damage by monitoring which apps have access to your Google accounts, and how to rescind any access to apps that you may have previously given permission to. Even Google, in their response to the news on their blog without directly addressing the WSJ article, directed users on how to limit the damage.

Basically, travel over to your Google accounts page, and select "Apps with account access" from the menu on the left side of the screen. From there, you can change access permissions for any app listed.

While any platform that can access Gmail is at risk, the risk seems to be much higher for Android users. Pay particular attention to the specific access permissions for any and all apps you install. I use an Android phone and tablet, and I'm always scrutinizing the permissions and access that apps are asking for, both when they are installed and when they are updated. If an app asks for permissions I'm not willing to provide, that app doesn't get updated or installed. Instead, it gets deleted from my phone or tablet. There's no reason for a game (trust me ... I don't have many, and none that anyone would consider popular, like Candy Crush) to have access to my photo storage, my email, my contacts, or any other personal and private data that might be on my phone or tablet.

Google claims to vet the third party app developers rigorously and thoroughly to insure that only the data necessary to achieve the third party app's goals is accessed. As an Android user, I have to say that doesn't seem to be the case, judging by some of the dubious permissions that are requested when I install an app through the Google Play store. Given the volume of apps in the Google Play store, there doesn't seem to be any good, surefire way to police all those apps to make sure they are playing by the rules.

So why would these third party apps need access to your email? To quote the Business Insider article on this issue:

Google has long allowed software developers the ability to access users' accounts as long as users gave them permission. That ability was designed to allow developers to create apps that consumers could use to add events to their Google Calendars or to send messages from their Gmail accounts.

But marketing companies have created apps that take advantage of that access to get insights into consumers' behavior, according to the report. The apps offer things such as price-comparison services or travel-itinerary planning, but the language in their service agreements allows them to view users' email as well. In fact, it's become a "common practice" for marketing companies to scan consumers' email, The Journal reported.

It isn't clear how carefully Google is monitoring such uses. Many consumers may not be aware that they've given apps such access to their accounts.

Summary

I don't know about you, but I prefer to keep nosy apps out of my calendar and email accounts. I'd rather make my own entries and send my own emails, thank you very much. In fact, I'd rather keep as many eyes out of all of my accounts as is humanly possible. It is MY data, and no one else has any rights to it.

Remember, your private and personal information IS the currency d'jour. It is up to you to keep it secure, and to limit who has access to it. Even then, it should only be limited access, limited by only what is necessary to complete the task at hand.