The search giant Google confirmed recently that third-party apps that integrate into Gmail have the ability to scan users' email. While the company stopped its controversial practice of scanning the email of its 1.4 billion users in order to serve ads, it admitted in a letter to United States senators that developers of third-party extensions that manage tasks like trip planning and auto-replies have access to the content of user emails. Google provides access to these third-party apps to scan your email.
The only requirement for the developers to be able to do so is that the third party developer communicate what they are doing and "are transparent with the users about how they are using the data," according to the letter, drafted by Susan Molinari, Google's VP of Public Policy.
This transparency comes in the form of privacy policies that the the end user has to accept in order to use the extensions.
Google noted in its letter that it is able to stop "a majority" of apps before they are able to access user email data that falls outside of their declared privacy policies, but has declined to provide any real figures on what this means, either in terms of the number of apps it has stopped, how many apps this would entail, or how much user data they have been able to access. Given the company's omerta-like levels of secrecy, neither the Senate nor Gmail's user base should be holding their breath for further disclosures.
Even more troubling is the assumption that users are knowingly granting the app developers access to their emails via privacy policies. Privacy policies have in general been found to be problematic since their inception, because--duh--barely anyone reads them: A study conducted a decade ago found that it would require 244 hours per year to fully read each of them, a number which has swelled in the post-GDPR internet.
The revelation about Gmail's potential lack of privacy coincides with Google's warning to U.S. senators who use its flagship email product that foreign hackers are actively targeting their accounts, primarily via phishing attempts. If the Senators are using third-party apps and have clicked "agree," it's possible that their information has already been compromised.