Google has confirmed that private emails sent and received by Gmail users can sometimes be read by third-party app developers, not just machines. People who have connected third-party apps to their accounts may have unwittingly given human staff permission to read their messages.
Google’s argument, as reported in this BBC News story, is that it’s entirely within their guidelines. That’s true. It is fully within Google’s terms for third-party app developers to allow employees to read the emails captured by their apps as long as it’s compliant and the user has granted permission.
But that doesn’t mean that it’s OK. This isn’t a technicality that Google can’t get around. The company could quite reasonably alter its agreement with developers so that apps can request two types of permissions: “Automated systems to manage your emails” and “Humans to manage your emails.”
I doubt — and Google has the money to run user tests to confirm this — that many of Google’s users think that they’re granting third-party inbox access to humans when they approve the Gmail “manage emails” permission. When we (because, let’s face it, I’m also a Google user) grant access to third-party apps from Google’s stores, we think we’re granting permissions to machines and software, not the employees of the company behind them. A separate prompt, “Allow employees of developer UsefulGmailScript to read, manage and delete your email,” would give Google users a heads-up that avoids this problem altogether — and Google can enforce this as a term in their third-party developers agreement, and cut off any apps that they discover to violate their terms.
You’re Google. It’s not like this is a tiny company with little leverage that needs this ecosystem of apps to survive. Last I checked, Google wasn’t at risk of bankruptcy and collapse. It’s fairly reasonable to expect Google to do the right thing and stand up for its users in cases where it matters.