‘Should I trust Google?’ *types into search bar*

Sechi Kailasa
8 min read · Oct 21, 2020


All views expressed in this blog are purely for the purposes of an assignment at the Harvard Kennedy School and should only be interpreted in this context.

Google Trends did not have sufficient data for the term “Should I trust Google?” or for other privacy-related phrases, which was interesting given that this topic even has its own wiki page. The above represents the output for the term “Is Google moral?”, accessed 20 October 2020.

It’s July 2018 and the Wall Street Journal has just broken this story: third-party developers have unlimited access to Gmail user data. In the first part of this blog post I explore how Google should respond to the WSJ’s claims, before stepping out of the role to see what Google actually did, whether it was sufficient, and to address the elephants in the virtual room.

What’s the issue and how did we get here?

Last year we announced that we would no longer scan the Gmail accounts of personal users for the purposes of targeted advertising. A few days ago the WSJ published an article claiming that third-party developers are essentially given unlimited access to user data when their apps integrate with the Gmail API. This follows the New York Times’s article about the app Unroll.me, which was found to be selling user data obtained in this way to Uber.

Users are now extremely concerned that their data privacy is still at considerable risk.

Users have always been one of our top priorities: they are one of the two main relationships in both the company’s overall business model and Gmail’s business model (see Appendix A1 below). In fact, we allowed third-party integration for the sole purpose of enhancing the Gmail platform so that our users have the best experience possible. We need to address the privacy concerns of one of our priority stakeholders and investigate whether the current processes governing third-party app integration are sufficient.

How should we respond?

We need to conduct an urgent internal review of the process. We believe the following recommendations indicate the likely outcomes of this review; we have provided them to support your thinking on next steps.

  • We need to restrict the access of third-party developers. They should not be given access to user data they do not need in order to perform or improve their functionality.
  • Users need a clear understanding of what third-party apps have access to, and they should be able to easily revoke or manage that access.
  • We need to address the issue exposed by the Unroll.me case: we cannot allow third parties to sell user data, even if it is “anonymised”. There is now a significant body of evidence that this type of anonymisation, i.e. “de-identification”, does not really anonymise data¹. Too much data is publicly available: records from two different “de-identified” data sets can be linked on the attributes they share, and the persons behind them re-identified.
  • We do not allow our own employees to read users’ emails (and if they must, they have to obtain the user’s consent); we have to ensure third-party apps follow the same protocol. From our previous issue of scanning emails for targeted advertising, we know that users believe personal email should hold a ‘special status’ when it comes to privacy and should be inviolable.
  • We must ensure that we have sufficient capability to enforce these new requirements; we have been reported as not having the capability to do so.
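The re-identification point in the third recommendation is worth seeing concretely. The following is an added example (not from the original post, and not Google’s or Unroll.me’s code): a linkage attack of the kind the cited paper discusses, run over two small datasets constructed here for illustration. The first mimics a “de-identified” email-behaviour dataset a third-party app might sell (names and addresses dropped, but zip code, birth year and gender kept); the second mimics a public record such as a voter roll that still carries names. All records and names are made up.

```python
"""Linkage (re-identification) attack across two 'de-identified' datasets.

Added example, not from the original post. Both datasets below are
constructed for illustration. They share no direct identifier; the join
is done purely on quasi-identifiers (zip, birth year, gender).
"""
from collections import defaultdict

# Constructed: what a seller might call "anonymised" email-behaviour data.
# Names and email addresses were removed, but three demographic columns remain.
EMAIL_DATA = [
    {"zip": "02138", "birth_year": 1985, "gender": "F", "purchases": ["uber_receipts"]},
    {"zip": "02138", "birth_year": 1985, "gender": "M", "purchases": ["lyft_receipts"]},
    {"zip": "02139", "birth_year": 1990, "gender": "F", "purchases": ["airline_confirmations"]},
    {"zip": "02139", "birth_year": 1990, "gender": "F", "purchases": ["hotel_bookings"]},
]

# Constructed: a public record that carries names (e.g. a voter roll).
PUBLIC_RECORDS = [
    {"name": "Alice Example", "zip": "02138", "birth_year": 1985, "gender": "F"},
    {"name": "Bob Example", "zip": "02138", "birth_year": 1985, "gender": "M"},
    {"name": "Carol Example", "zip": "02139", "birth_year": 1990, "gender": "F"},
    {"name": "Dana Example", "zip": "02139", "birth_year": 1990, "gender": "F"},
]

QUASI_IDENTIFIERS = ("zip", "birth_year", "gender")


def qid_key(record):
    """The tuple of quasi-identifier values both datasets have in common."""
    return tuple(record[q] for q in QUASI_IDENTIFIERS)


def link(deidentified, public):
    """Join both datasets on the quasi-identifiers.

    Returns {index of de-identified record: [candidate names]}. One candidate
    means the record is re-identified; several mean it is narrowed to a small
    group; none means the public record has no one matching that profile.
    """
    index = defaultdict(list)
    for rec in public:
        index[qid_key(rec)].append(rec["name"])
    return {i: index.get(qid_key(rec), []) for i, rec in enumerate(deidentified)}


def reidentified(deidentified, public):
    """Return {name: de-identified record} for every record with exactly one match."""
    out = {}
    for i, names in link(deidentified, public).items():
        if len(names) == 1:
            out[names[0]] = deidentified[i]
    return out


def k_anonymity(records):
    """Smallest group size sharing the same quasi-identifier values.

    k == 1 means at least one record is unique on (zip, birth_year, gender)
    and can be singled out by exactly this kind of linkage; the dataset's
    "anonymisation" offers that person no protection at all.
    """
    counts = defaultdict(int)
    for rec in records:
        counts[qid_key(rec)] += 1
    return min(counts.values())


if __name__ == "__main__":
    print("k-anonymity of the 'de-identified' set:", k_anonymity(EMAIL_DATA))
    for name, rec in reidentified(EMAIL_DATA, PUBLIC_RECORDS).items():
        print(f"{name} -> {rec['purchases']}")
```

Two of the four “anonymised” records are tied to a name outright, because their (zip, birth year, gender) combination is unique in both sets; the other two are only narrowed to a pair. Dropping names is therefore not anonymisation, which is why the recommendation above treats “de-identified” data as still being user data.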

Why should we do it?

i) The Strategic Case

We have been castigated throughout the past two decades for the way we handle privacy issues; in 2013 Microsoft claimed that privacy is our kryptonite. Technology companies are increasingly subject to public scrutiny, note Facebook’s Cambridge Analytica issue. Governments and states are pushing back: in May this year the EU’s GDPR came into force, and last month California enacted the California Consumer Privacy Act (which takes effect in January 2020). We cannot strategically afford to stay silent on this issue, particularly with Gmail, where we already know our users give privacy a special status. We know that by taking action on this matter we would be seen as adopting a ‘regulatory’ kind of role, but we must take our users’ privacy seriously and demonstrate that we are not like other technology companies, staying true to our motto. By handling this issue and setting minimum standards, we could strengthen our relationship with our key user base and be seen as an example for other tech companies.

ii) The Commercial Case

We do not foresee an impact on either the company’s overall business model or Gmail’s business model (see Appendix A1) from setting standards on third-party app integration into Gmail. We are responsible for a significant share of the email market, so we do not envisage that third-party apps will be discouraged from integrating with Gmail (although we should consider a stakeholder consultation to ensure that any new policies do not have this effect). We are confident that we can continue with Gmail’s current business model, safeguard users’ privacy, and continue to ensure third parties contribute to the enhancement of the platform. Essentially, we believe that policy action in this space will materially improve our reputation at little to no cost.

Recommendation: Conduct an urgent internal review to inform next steps.

What did we do?

Stepping out of the role of a product policy adviser, I investigated what Google actually did… it turns out they have done quite a few things similar to the argument above, and actually closed a lot of loopholes I was hoping to find. The following was taken from the Google APIs Terms of Service, the Google API Services User Data Policy, Google’s third-party access policies (which were surprisingly easy to read for a non-techie), and the blog post released by Google in response to the WSJ article.

  1. All apps need to go through a verification process before they are able to integrate. The Gmail API scopes are classed as “restricted scopes”, so the process is longer than for other APIs. Apps may only request the data they need in order to perform or improve their main function; Gmail apps in particular need to directly improve email functionality. Some apps may even be required to undergo an annual security assessment to show they can store and manage data safely.
  2. Apps must make their actions very clear to the user (see Appendix A3), and they must have comprehensive privacy policies.
  3. Google closed the Unroll.me loophole: you cannot harvest user data, aggregate it, or sell it to others, even if you anonymise (de-identify) it (although it is unclear how this is enforced).
  4. Users can perform a security check-up and control app access through the “manage account” pages (although I am not sure what happens if a dodgy app is accessing your data; why would it have passed the verification process?). Google also offers users tips on how to manage third-party access.
  5. Google’s policies state that third-party developers must not allow humans to read users’ emails; this must be done by a computer, and if and when humans do read them, the developer must obtain consent from the user.
  6. If apps go ahead and integrate without completing the verification process, the app will appear with an “unverified” banner to the user and will be automatically limited to 100 users.

In many ways Google seems to have adopted many of the principles that filtered into academia after the Belmont Report on what to consider when experimenting on human subjects. The above requirements are in line with the following notions²:

  • ‘Data minimisation’ (don’t ask for data you don’t need),
  • ‘Your experiment needs to be approved by an internal review board’ (the verification process), and
  • ‘There is some sense of justice / the notion of doing no harm’ considered in the experiment (not selling data on or aggregating it; humans should not scan emails).

So is everything sorted?

Addressing the elephants

If you read the actions above and Google’s privacy policy, it seems like everything is okay: they have all these extra layers to protect the user from devious third-party developers, they have retained their dominance in the email market, and whenever Google scans your data they only do it to make things better for you. But (and there are a lot of buts)…

i) What about Google? What do they do with our data? Do they adopt the same principles from the Belmont Report that they push out to third parties? Do we have any control or real understanding of what Google does with our data? As ‘accessible’ as their own privacy policy is to read, it does not really show any evidence of the above notions being adopted internally.

ii) Isn’t it just weird that a company which has no democratic accountability is acting as a semi-regulator? Yes, tech companies are increasingly being forced by public opinion and governments to do this, but it still feels odd that Google had the ‘choice’ to do this. It also means that there is no real industry-wide standard; this is determined by when any tech giant feels like doing something. It is still ad hoc and unclear what privacy rights a user should have, or has enshrined, independently of belonging to a particular country.

iii) Do users actually understand what is happening to their data or privacy? Google themselves suggested that users do not really understand privacy, which leads to infeasible asks and concerns. More generally, I think this is important because I am not sure how many users (myself included) truly know how to think critically about their data privacy. See the screen in A3 below: it seems simple enough, but do we know from it whether we should let the app have our info or not? We would generally just click yes, because we assume the app requires it for functionality purposes, and I doubt most users even read the privacy policy.

A few parting thoughts-

It seems like users’ privacy was protected from third-party apps, but in the bigger-picture sense nothing really was solved. Broadly speaking, I am not sure how many users actually know what is happening with their data or how much control they have over it, and I am not sure what Google does with my data; I do not think that in any meaningful sense we have more control over our data than before this whole fiasco… although I did take the opportunity to disable everything from my Google account, and that seemed like a small step forward.

____________________________________________________________

References

¹ Narayanan, A. and Shmatikov, V. (2010) “Myths and Fallacies of ‘Personally Identifiable Information’”, Privacy and Security column, Communications of the ACM 53(6).

² Professor J. Waldo’s lecture on Data Science, 12 October 2020 (accessible via Canvas).

Appendix

A1. Gmail’s Business Model

A2. Stakeholder Map (from the point of view of the Gmail policy team)

A3. 3rd Party Apps requesting Access
