Who can read your Gmail? Google details its safeguards for Senate

Google readily admits to sharing data on its 1.4 billion e-mail users with outside app developers, but told senators inquiring about its security practices that it only does so when affected Gmail accountholders agree.

“We continuously work to vet developers and their apps that integrate with Gmail before we allow them the ability to request access to user data,” Susan Molinari, the firm’s vice president for government affairs in the Americas and a former GOP congresswoman from New York, wrote to Senate Commerce Committee Chairman John Thune. “Our main goal is to prevent abuse before it happens.”

Thune, a South Dakota Republican, joined Roger Wicker, chairman of the subcommittee on communication and the Internet, and Jerry Moran, chairman of the subcommittee on consumer protection and data security, in a July 10 letter inquiring into a Wall Street Journal report that hundreds of developers had been given access to Gmail accounts for purposes such as identifying ad markets.

Not only are users potentially unaware of what’s happening, the senators said, the article reported that one data firm had given 8,000 unredacted e-mails to its data analysts to hone its algorithms.

“While we recognize that third-party e-mail apps need access to Gmail data to provide various services, and that users consent to much of this access, the full scope of the use of e-mail content and the ease with which developer employees may be able to read personal e-mails are likely not well understood by most consumers,” the senators said.

Thune has scheduled a committee hearing next week on data privacy as Congress takes an increasing interest in how large businesses protect users’ information.

In late 2017, credit bureau Equifax revealed that hackers had stolen personal identification data, such as birth dates and Social Security numbers, for nearly half the country.

In brutal congressional hearings afterward, lawmakers suggested the company had failed to adequately guard a “digital Fort Knox.” Personal identification data is much more difficult to alter than stolen credit card numbers, for instance, and it’s used by lenders considering loans to cover everything from homes to automobile purchases.

This spring, social media giant Facebook confirmed that Cambridge Analytica, a political consultant for President Trump’s 2016 campaign, had improperly accessed data on 87 million of its users.

“The potential misuse of personal data held by large Internet platforms and shared with third-party developers is a matter of particular concern,” Thune wrote. “Though no allegations of misuse of personal email data akin to the Cambridge Analytica case have surfaced, the reported lack of oversight from Google to ensure that Gmail data is properly safeguarded is cause for concern.”

A Google representative is joining executives from Apple, Amazon, Twitter, and AT&T, who are scheduled to testify at the Commerce Committee’s Sept. 26 hearing.

The Mountain View, Calif.-based company said it built its policies for outside access to data around prevention, rather than punishment after the fact.

Outside developers must be honest and transparent with Google and its users about the types of data they want and what they plan to do with it, Molinari said. If the information is sensitive, they must publish a privacy policy that fully explains what’s happening.

Next, Google staffers manually review the policies to ensure they’re accurate, and the company continuously monitors compliance through artificial intelligence. When violations are found, Google users see an “Unverified App” warning screen and the company restricts that app’s ability to use its services, she added.

Google also tightly controls which of its staffers can see personal e-mails and when, Molinari said.

“No humans at Google read users’ Gmail, except in very specific cases where they ask us to and give consent, or where we need to for security purposes, such as investigating a bug or abuse,” she wrote.

Not only is the number of people who can take on such tasks strictly limited, their access is both documented and audited routinely, Molinari said.
