Email not secret? Well, doh!

News just in that other people are reading your Gmail.

First rule of email. Treat it like a postcard in the snail mail, with one difference: At every post-office and sorting centre along the way someone takes a photocopy of your postcard message.

Danny Bradbury from Naked Security explains what is going on: Quote.

Remember when privacy advocates used to worry about Google scanning your email? Well now they have another problem on their hands: real people reading them.

We’re not talking about Google employees. We’re talking about developers in third-party companies, and in some cases the developers in other organizations that those companies partner with.

Google has a history of tussling with people over email privacy. It scanned emails for years, using what it gleaned from the text to target users with personalized advertisements. As early as 2004, privacy activists were urging it to stop, and the company has battled lawsuits from disgruntled users since then.

A year ago, it partially caved, announcing that it would stop using content from its consumer Gmail service to personalize ads, bringing it in line with an existing policy for its business accounts.

That doesn’t mean that the company stopped automatically reading your mail, though. In fact, Google spokespeople confirmed in May that the company still uses email content to help drive a range of other services.

Earlier this week, the story took another turn after the Wall Street Journal reported that third-party developers can read the emails of millions of Gmail users.

Many companies develop apps that need access to your mail for processing purposes. An AI-driven assistant might ask to read your mails to automatically book appointments for you, say. Other apps that might want access to your email include itinerary planners that scan travel emails for appropriate details. Google made this easier to do in 2014 when it created APIs to help third party developers access Gmail accounts.

There was always a caveat. Users had to agree to share that information first, granting explicit permission for an app to access your Gmail account or your broader Google account. However, what users may not have known is that this doesn’t only give the third party company’s software access to your email. It gives developers inside those companies the ability to manually access them too.

One such company, Edison Software, allowed employees to review emails from hundreds of users to help it build out new features in its software, the WSJ said. Developers at another company, email marketing optimization Return Path, read over 8,000 email messages as they tried to better train its software to distinguish between personal and commercial emails, the report added.

Google’s privacy policy says it may share information with third parties. However, the policy doesn’t explicitly say that humans may manually read those mails, and the opt-in message that it displays when you connect an external app to the service doesn’t say so either.

There’s another twist to the WSJ story. It explains that Return Path not only accesses emails when users sign up for its own apps, but also when they sign up for apps operated by other companies. These companies partner with Return Path via its Context.IO subsidiary, which collects email data to help it improve its services.

One such partner app is Earny, which scans users’ email for receipts and claims refunds to help them save money. […]

Google gives you some privacy information when you grant a third party app developer access to your mail, but leaves you to deduce for yourself that humans may read your email too.

To properly protect yourself, it seems that you must then check that third party developer’s own privacy policy if you want to be sure about what it’s doing. You may then need to check still more privacy policies from other partners if you find that it is sharing your mail with them.

This raises several questions. Is it reasonable to expect users to go through this process? Is there a better way to handle it? Should Google be more clear about exactly what people can do with the information that it shares? Where does the user’s responsibility end and the app developer’s begin? What about the app developer’s partners?

Perhaps the first question Gmail users should ask, though, is who has access to their emails and other Google data today.

To find out, you can visit the accounts permissions page. It may explicitly list some apps as having email access, but be on the lookout for apps listed as having access to your Google account. These have permissions to read your email along with lots of other data that Google holds about you. If you decide that you’re not happy with this, you can revoke access. End of quote.

Remember, when the service is free you are the product being marketed.

All this interconnected convenience comes with a cost. It may not be dollars and cents but there is no such thing as a free lunch.

When you have “trusted” someone with your location, photos, email, cloud storage and Internet search history, is it a surprise to learn that Google could deliver a complete dossier on you, delivering all this information, and you would be none the wiser?

Also, why accept the easy way and sign in to other services with your Facebook or Google or whatever account? Sign in with a new account to everything as this slows down the behind the scenes linking. If you sign in to other services with your Facebook or Google account and do not read the zillion page terms & conditions then you have no idea what data is being shared with whom.