Google Hit By Allegations Of Third-Party App Access ‘Leaks’


Like Facebook earlier this year, Google is facing scrutiny as users report their data being misused by third parties. And while the advertising giant says it doesn’t scan emails in order to personalise ads, third parties can still get access to your data as long as you give permission. The problems start after that.

There are a number of apps and services that can be granted access to “read” your email. For example, one of my favourite apps, TripIt, can do this. But it requires my permission before its APIs can delve into my inbox to locate travel plans such as flight bookings and hotel reservations. Google’s problem, according to a report by the ABC, is that those third parties may be playing fast and loose with your data once they get access to it.

Just to be clear, while I don’t give TripIt access to my email, I don’t believe they’re implicated in this.

The ability to have some intelligent software scan and help manage email is not new. There are dozens of services around that will do things like look at an email address and tell you about the sender. For example, Sales Navigator for Gmail (formerly known as Rapportive) is a Chrome extension that grabs social media information for anyone who sends you an email so you can almost instantly get a view of a new contact or what’s going on with people you know.

It’s up to you to decide whether the benefit of the app outweighs the level of access you’re granting it.

The ABC’s sensationalist headline, “Google confirms external apps can scan your emails: here’s how to check”, is a statement of the bleeding obvious to anyone who has ever installed a Gmail plug-in or app. Whenever an app wants access to your Gmail account, it asks for permission and tells you what it wants access to. It’s a headline designed to confect outrage and completely misses the point about what the problem actually is.

Google said, in a new blog post, that they “review non-Google applications to make sure they continue to meet our policies, and suspend them when we are aware they do not”. And before apps are allowed into the Google ecosystem they undergo “a multi-step review process that includes automated and manual review of the developer, assessment of the app’s privacy policy and homepage to ensure it is a legitimate app, and in-app testing to ensure the app works as it says it does”.

Google isn’t off the hook. It’s up to them to ensure the developer continues to use the data you have given them permission to access in the same way you agreed. This is the real problem.

For example, if I used a Google add-in to send me information about meeting attendees in my calendar so I’m prepared for meetings, I wouldn’t want the provider of that app to suddenly use those names and email addresses from calendar invitations to build a list of senior executives from IT companies that they can on-sell to marketing companies.

If you’re concerned about third-party apps that have access to your Gmail account, go to the Security Checkup, look at which apps you’ve granted access to your Google account, and decide whether each permission is still required.

Image: Anthony Caruana/Lifehacker

I did that. I had two apps with access to my Google account. One was an old app I no longer use so I removed its access.


  • Google has sent me persistent security review reminders for more than 6 months now… At some point, their responsibility becomes my own to actually act on this and stop blaming their service, right?

  • The article, as usual from a lot of the media, is blown waaaay out of proportion.

    Google only allows apps to access your emails after they have passed tough personal checks that Google does themselves on the company.

    Once the company has passed that, the end user is still required to agree to allow the app to access your emails.

    The ABC article is just hearsay and accusations without any concrete documented fact to back up their assertions. I'd expect this kind of quality of article in Murdoch publications.

    The article essentially boils down to “These companies could misuse your data, but we don't have any proof they have. So we are going to infer that they have instead”
