back to article Not API: Third parties scrape your Gmail for marketing insights

Although Google stopped mining Gmail accounts for data useful to advertisers last year, it left an API open allowing others to do just that, the Wall Street Journal reports. Employees at third-party developers were permitted to operate on real Gmail emails to improve their systems, a practice described by one former employee …

  1. Sammy Smalls

    Well colour me surprised.

    Use something for 'free'? Expect to pay somehow.

    However, what I didn't see in the article was anything about paid for accounts. Now that would be a shitstorm.

    1. Anonymous Coward
      Anonymous Coward

      Re: Well colour me surprised.

      You know you have to sign up ("connect") to these 3rd party services right?

      Don't associate your account (which of course needs a sign in) and you have nothing to worry about.

      This "news" days more about brain-dead cretins that just click any old prompt thrown at them, rather than Google or 3rd parties using its API.

  2. RyokuMas Silver badge
    Stop

    Legal loophole

    "Although Google stopped mining Gmail accounts for data useful to advertisers last year, it left an API open allowing others to do just that...

    ... and thus created a nice little loophole for themselves - any complaints about privacy can neatly be foisted off onto the third party developers...

    1. Daggerchild Silver badge

      Re: Legal loophole

      where it.. belongs..?

      Seriously, if you have to explicitly grant that third party the API access to your email, what else should Google do in order to not be pitchforked for allowing the app to access your mail, when you want the app to access your mail?

      Is the problem that the API exists, and can be misused by apps that lie, so Google should remove the API? But shouldn't similar APIs be removed too? Messaging? Contacts?

      What are people demanding here?

  3. James 51 Silver badge
    Flame

    Can I be the only person who has negative reactions to on line ads? Every time a video auto plays I become very angry. Popups are disabled, if an ad is obstrusive enough for me to notice it then I get angry again at the poor design choices that are introducting friction into my task. Every time I go onto facebook I make a point of liking stuff I don't like, I go into ads and point out better bargins elsewhere or criticise the product. I know I am probably in the minority but the more people push back by attacking the ads and poluting the process by which the data is gathered the sooner (hopefully) companies will realise that a lot of online exposure is doing them more harm than good.

    1. Dabbb Bronze badge

      > Can I be the only person who has negative reactions to on line ads?

      Yes.

      Everyone else uses adblock.

      1. James 51 Silver badge

        @Dabbb Sites like crackberry won't even load if you use an adblocker. There are a few sites where adblocking if you want to access the content isn't an option.

        1. JohnFen Silver badge

          My solution to that problem is to not use those sites.

        2. iron Silver badge

          @James51

          And those sites are banned from my browser, computer, phone, etc. If your site won't work without 150+ trackers from advertising companies then I don't want it anywhere near my computing equipment.

          1. Kev99 Bronze badge

            Re: @James51

            Even tho' I have all my browser set to Do Not Track, far too many sites have figured out how to ignore the setting. Kind iof like the extremely effective (cough, cough) Do Not Call Registry.

        3. Jamesit

          Extensions like No Script will block the adblocker blocker.

      2. Anonymous Coward
        Anonymous Coward

        re. Everyone else uses adblock

        what's "adblock"?

        ...

        (google)

        I see, well, what an intersting idea!

        (goes back to wanking his mobile over new fb likes)

      3. Mr Dogshit
    2. Doctor Syntax Silver badge

      "Every time I go onto facebook"

      I think you'll find that's where your problem is.

      1. James 51 Silver badge

        With far flung friends and family it's the only realistic way to find out what is going on in people's lives short of spending several hours on a phone every week.

        1. JohnFen Silver badge

          "it's the only realistic way to find out what is going on in people's lives"

          Aside from using email, setting up a low-cost website, texting, and all the other common forms of communication.

        2. Warm Braw Silver badge

          it's the only realistic way to find out what is going on in people's lives

          It's certainly one way for some people to promote the unrealistic things they say are going on in their lives without being challenged and for others to pretend they're interested in people they can't actually be bothered to speak to directly.

          In the goold old days it was perfectly acceptable to send far-flung friends and family a card every Christmas.

          1. onefang Silver badge

            "In the goold old days it was perfectly acceptable to send far-flung friends and family a card every Christmas."

            Today that works well enough for my family, birthday emails, unless there's something specific we need to chat about.

        3. Anonymous Coward
          Anonymous Coward

          Not heard of email? Not heard of hangouts.

          You basically want to stalk those people without having to interact with them....

      2. Sphynx
        Facepalm

        Is GMAIL raping you?

        I will second that. Seems to me that Facebook, Google and certainly other social media services turned to human trafficking to make money. Why should this be legal??

        1. Anonymous Coward
          Anonymous Coward

          Re: Is GMAIL raping you?

          You seem to have failed at understanding the point of this story, Google aren't giving your emails to anyone, you are granting permission for others to access it.

          Stop being a cretin and granting everything you dont understand.

          Review what YOU granted in the past here:

          https://myaccount.google.com/privacycheckup

          1. Sphynx
            Facepalm

            Re: Is GMAIL raping you?

            No, I understand. The point - which YOU can't seem to understand - Google, Facebook and other social media services are, IN FACT the collectors, and distributors of your data to third parties such as Cambridge Analytica for one, the shady data firm who, loved to rape data that unsuspecting people left on Facebook. Google does the same with peoples' data with their own analytics and others'. Here is the point: The surrendering of authority by Google, Facebook, and other social media to third parties is not ethical even though their terms and conditions tricks you to agree to their shady 'moral principal'.

          2. Chris Fox

            When did those who don't use Gmail grant permission?

            If I don't use Gmail, and don't have an account with Google, at what point did I "opt-in" to (or more likely, fail to "opt-out" of) allowing Google and others to access the content of email that I have sent to individuals who happen to use Gmail? How do I find out what permissions others have granted to Google et al. to access and use *my* data? And how do I even know for certain whether a given recipient is actually a Gmail user, given that some corporate email addresses may be Gmail in disguise, and some individuals may use Gmail to aggregate email from non-Gmail accounts?

            This looks like a clear breach of the GDPR. The only real question is, who is committing an offence: Google, for allowing access to my data; third-parties for using the data for purposes for which they haven't obtained specific consent; or Gmail users, for granting Google and others access to my data without my consent? I suspect Google has the greatest liability here, for running a data processing system that fails to have GDPR-compliant mechanisms in place for safe-guarding third-party data.

            Google seem to be presupposing, incorrectly, that all data associated with a particular account is the account holder's data. This is the same error in reasoning that Facebook make in their justification for shadow profiles, i.e. unlawfully holding and processing personal data relating to individuals who are not users, and refusing to protect against abuse of such data, by claiming, obtusely, that the data and the right to consent both "belong" to the account-holder who provided the data to Facebook, rather than the person whose data it is under the law.

  4. Doctor Syntax Silver badge

    "There is no evidence that any of the devs have misused data."

    Is there any evidence they haven't?

    1. JohnFen Silver badge

      Perhaps the devs haven't misused the data -- although as you point out, there's no way to know -- but Google sure misuses it by allowing third parties to access it in the first place.

      1. Daggerchild Silver badge

        "Google sure misuses it by allowing third parties to access it in the first place."

        Do you understand you just demanded Google get exclusive monopoly access to people's personal data on Android?

    2. pleb

      Misuse would imply the reading of your email was not covered by a 'permission'. So on a technical level this is not misuse. But by any common understanding, well, did the users properly understand the permissions? Did anybody really suppose they had understood, or rather is this enterprise predicated on their expected ignorance?

      To me they read like you are giving permission for the application itself to read your emails, artificial intelligence, not flesh and blood.

  5. AJC

    Gmail and e-mail block lists

    As far as I can tell Gmail expends zero effort in keeping their outgoing relays out of e-mail block lists and never(?) attempts to remove them.

  6. Teiwaz Silver badge

    Geee-male.

    Well, if they are mining my e-mail for the ideal ads to push at me, they are mining for cornish cotted cream and scones.

    The 'targeted' ads at the top of my e-mail have been and continue to be wide of the mark (if they wre astro-navigating to Mars, it's be 'Lost in Space').

    I don't know why anyone would buy their services - I certainly wouldn't, have seen the result from the 'target' end.

    I've been getting a lot of dating ads recently, although I've not been looking (ever, on gmail) - and I refuse to believe the lack of romantic e-mail is what they are picking up on (I might be a catholic bishop).

    1. Alistair Silver badge
      Coat

      Re: Geee-male.

      (I might be a catholic bishop).

      And just why do you think the church is in such a mess these days?

  7. onefang Silver badge

    "Unfortunately some companies take personalization to an extreme, but an online experience devoid of personalization would feel oddly generic to the average consumer,"

    Where can I sign up to feel oddly generic web sites? Considering that dark text on light backgrounds are the current fashion, I much prefer light text on a dark background, and most sites don't offer a dark theme, I do all my web site personalization in my browser. I also personalize my online advert experience, by removing most of them.

    It's not a good look to refer to everybody as consumers though.

    "Google has argued that nothing is proprietary, and like AMP, it's all based on open-source and open published standards."

    Like how their chat system started off being a somewhat well behaved Jabber / XMPP thing, but has drifted away?

  8. JohnFen Silver badge

    A very poorly kept secret

    I honestly thought that this was common knowledge. It's why I don't use GMail (outside of my workplace, where I'm forced to), and I don't send email to GMail accounts when at all avoidable.

    Fortunately, I only personally know a single person who still uses GMail for their private email.

  9. Daggerchild Silver badge

    Selectivity, again...

    "If the emails were indeed being read without the author's explicit and clear consent, this would likely be unlawful under GDPR"

    Well, let's just leave this worry hanging here.

    "Again, if no consent were obtained, it would contravene Google's own developer agreement, which requires explicit opt-in consent when a user's "non-public content is obtained through the APIs"."

    And let's double down on it instead of investigating the answer.

    "In a statement published on its website, Return Path founder Matt Blumberg said his firm had co-operated with the reporter but expressed dismay that the report was "extremely and somewhat carelessly selective"."

    Can someone confirm if this user-facing API permission request is in fact the selectively omitted thing?

    Apparently it's in the source article. Evil applications can get at your data, if you explicitly allow them to.. ?

    1. pleb

      Re: Selectivity, again...

      Well, if I give "Sample APPLICATION" permission to read my emails, I expect the reading to be done by Sample Application. So that would be an algorithm, artificial intelligence, a machine - not a person. There is a difference.

      1. onefang Silver badge

        Re: Selectivity, again...

        Yes there's a difference. I never gave the GMail app that came with my phone permission to do anything, in fact I disabled it and installed K-9 Mail instead. K-9 Mail has all the permissions it asked for, I trust it, that's why I picked it. If K-9 Mail starts sending emails to third parties, a permission it never asked for, a lot of people will be very surprised, likely we'll read about it on El Reg, it's quite popular. So the only entities reading my emails are me, K-9 Mail, my email server/s, any email servers between me and the recipient, and the recipient (and what ever software they use), perhaps the ISP / government / Gmail / wife / husband / 12 year old offspring at their end if they are not quite as paranoid as me, and perhaps any nasty people or TLAs snooping on our wires...

        Sigh, might as well just tell world+dog these days if its email.

      2. Doctor Syntax Silver badge

        Re: Selectivity, again...

        "So that would be an algorithm, artificial intelligence, a machine - not a person."

        And what does Sample Application then do with the data? Sell it on? Use it as a basis for spear-phishing? Although the article says there's no evidence this has happened what we should be more interested in is the absence of evidence that it hasn't. Yes, I know finding evidence to prove a negative can be difficult or impossible but if companies want to be trusted simply saying they don't know something bad hasn't happened isn't really going to cut it.

        1. Daggerchild Silver badge
          WTF?

          Re: Selectivity, again...

          So, Google stand accused of NOT having monopoly access to the user's personal data, and irresponsibly allowing the user to *choose* who they trust?

          Exactly what kind of dictatorship powers are people demanding Google give themselves here?

  10. g00se2

    <i>Fortunately, I only personally know a single person who still uses GMail for their private email.</i>

    What's "private email" (unless you're running your own mail server)?

    1. ratfox Silver badge

      What's "private email" (unless you're running your own mail server)?

      Not sure if serious, but: Private email as opposed to work email.

      Many people have an email account provided by their employer, and only use it for work. They have a separate "private" account, which they use for their communicating with friends and family.

      Some people even have a "work" mobile phone, and a "private" mobile phone.

  11. Mark 85 Silver badge

    "Unfortunately some companies take personalization to an extreme, but an online experience devoid of personalization would feel oddly generic to the average consumer," he wrote.

    So where is the problem? When I can't use adblock, etc. (work computer) I ignore ads. I guess I'm not normal according to them. Don't need, don't want "personalization". The computer is a tool, not my friend.

  12. Alistair Silver badge

    gah

    Equally relevant to this article, and I'm lazy bastard today after a wonderful long weekend.

    I'll leave this here, my comment on another advertising industry "but we're doing our *job*!!!" whine.

  13. Anonymous Coward
    Anonymous Coward

    'Google was lax about enforcing the rule.'

    Bring on the GDPR NOYB lawyers to concentrate minds @ Google cult.

  14. Anonymous Coward
    Anonymous Coward

    Families using Gmail or the Google-Stasi (Android)...

    Feels like parents are condemning their kids them to some god awful future Stasi-like state-surveillance / interference... For what? Some convenience / cheap tech today. Its a pretty dangerous tradeoff. At least go down to the crossroads and get killer guitar chops if you want to trade with the devil etc...

  15. Kev99 Bronze badge

    I'll gladly take the "oddly generic" web over unwanted, irrelevant ads any time. Why do you think I run ad block. Just wish they'd develop a way to spoof sites that have a hissy fit if you're running an ad blocker. And all my browsers are set to wipe ALL history when closed, and I regularly use the Google Three-finger Salute - CTRL-SHIFT-DEL.

  16. Anonymous Coward
    Anonymous Coward

    I wonder what "insights" were gathered.....

    from James Comey's Gmails?

    https://www.theregister.co.uk/2018/06/15/fbi_boss_comey_private_email/

  17. ninjakidd

    Hosted my own email server because of this crap

    This is exactly why I decided to use the following guide to build and host my own email server -

    https://arstechnica.com/information-technology/2014/02/how-to-run-your-own-e-mail-server-with-your-own-domain-part-1/

    Slightly outdated, but still valid once you tweak a few elements like choosing different CA or DNS provider. Or you can do it the lazy method and use iRedMail - https://www.iredmail.org/ which is scripted.

    If a Linux begineer like myself can do it, anyone who is fairly computer savvy can.

    1. cd

      Re: Hosted my own email server because of this crap

      Or a cheap shared hosting account often comes with email capability. Domain needed either way. And there are Protonmail and Fastmail.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019