[BUG] inaccurate info about gmail #46

Open
sourcefrog opened this issue Dec 22, 2020 · 2 comments
@sourcefrog

Describe the bug

https://github.com/Lissy93/personal-security-checklist#emails

The big companies providing "free" email service, don't have a good reputation for respecting users privacy: Gmail was caught giving third parties full access to user emails and also tracking all of your purchases.

In my view the two stories you link here are misleading clickbait:

  1. Third party apps get full access to the user emails if the user explicitly tells gmail to grant access. You can see the access is granted and you can revoke it. It's like being "caught" having an IMAP interface. "Before a published, non-Google app can access your Gmail messages, it goes through a multi-step review process that includes automated and manual review of the developer, assessment of the app’s privacy policy and homepage to ensure it is a legitimate app, and in-app testing to ensure the app works as it says it does."

  2. The 'purchase tracking' is just a summary view of emails about purchases, analogous to a saved search.

https://github.com/Lissy93/personal-security-checklist/blob/master/5_Privacy_Respecting_Software.md#encrypted-email

Email is not secure: your messages can be easily intercepted and read. Corporations scan the content of your mail, to build up a profile of you, either to show you targeted ads or to sell onto third-parties.

Google does not use mail content to target ads, and does not sell mail content to third parties.

Source: https://www.blog.google/technology/safety-security/ensuring-your-security-and-privacy-within-gmail/

Additional context

I work in Google Security Engineering, but not on Gmail.

@sourcefrog sourcefrog added the bug Something isn't working label Dec 22, 2020
@matkoniecz (Contributor)

Third party apps get full access to the user emails if the user explicitly tells gmail to grant access. You can see the access is granted and you can revoke it.

Nope. At the very least NSA and other USA security entities have full and de facto unlimited access, with no option to revoke this by user.

Google does not use mail content to target ads, and does not sell mail content to third parties.

They claim this. Note that there are several ways to have this text be technically true while still using mail content to target ads or leak their content.

And that assumes that they are not lying outright (though unlike Facebook, Google seems to be more about misdirection and not stating some concerning things rather than outright lies like FB did with 2FA phone numbers).

@sourcefrog (Author)

Third party apps get full access to the user emails if the user explicitly tells gmail to grant access. You can see the access is granted and you can revoke it.

Nope. At the very least NSA and other USA security entities have full and de facto unlimited access, with no option to revoke this by user.

You're quoting me out of context here: this was in response to a link to a story about access to Gmail content by third-party commercial apps. This was with user consent to add the third-party app, and it's misleading to suggest otherwise.

(There are interesting usable-security questions about whether typical users could really understand the consequences of sharing data with these apps, and whether Google should have earlier proactively imposed governance restrictions on these apps, but that's a different and more subtle issue.)

That aside, although laws give the US (and other governments) access to user data, I think "full and de facto unlimited" is overstating it. From this FAQ:

Does Google give governments direct access to user information?
No, we require that requests for user information be sent to Google directly and not through any sort of "back door" direct access by the government. Our legal team reviews each and every request, and we have taken the lead in being as transparent as possible about government requests for user information.

On this topic there is an interesting site at https://transparencyreport.google.com/user-data/us-national-security showing how many accounts had different types of data disclosed and many of the request letters. Google has a strong track record of resisting overbroad government requests.

Every business is subject to security laws in the countries where they operate, and to international treaties. Governments increasingly assert a right to control where and how data on their citizens or residents is processed. For example Proton Mail, recommended in this doc, has also disclosed data in response to legal requests: https://www.thedailybeast.com/secure-email-provider-protonmail-handed-over-user-data-to-europol.

Google does not use mail content to target ads, and does not sell mail content to third parties.

They claim this. Note that there are several ways to have this text be technically true while still using mail content to target ads or leak their content.

And that assumes that they are not lying outright (though unlike Facebook, Google seems to be more about misdirection and not stating some concerning things rather than outright lies like FB did with 2FA phone numbers).

So how I see the situation is:

  • Google is subject to a lot of regulatory and public scrutiny, and so would be at considerable jeopardy if caught in an intentional lie. Even mistakes such as wifi packet collection or Buzz suggestions had very expensive consequences and taught powerful lessons.
  • In my personal experience, the engineering culture is strongly oriented towards security, privacy & safety commitments and compliance being watertight.
  • Google has made a public commitment that email content isn't sold or used to target ads.
  • There are no specific allegations or reporting to the contrary.
  • So, my assessment is this probably isn't happening. At any rate, it is no more likely than that any other provider would be lying in their privacy statement, and given the incentives I'd assess Google is less likely to lie than smaller companies. (See for example https://www.theregister.com/2020/07/17/ufo_vpn_database/.) The same theory about "they might be secretly evil" applies equally well to Protonmail, etc.

Obviously it's hard to prove a negative, but I think it's unlikely. If you have a strong prior that US companies are more likely to lie, or larger companies are more likely to lie, perhaps you draw different conclusions.

If this FAQ is trying to offer evidence-based advice then I think it would be worth unpacking this and encouraging users to think about their own assumptions and threat model.

If a user expects to be subject to a subpoena from country X, they might want to choose a provider either with a strong record of resisting over-broad requests (like Google), or that does not honor subpoenas from X. In general my understanding is that first-world countries do have mutual assistance treaties and so if X is a first-world country you have an unpalatable choice, and "Switzerland" is not a perfect answer. This assessment should be done in combination with thinking about regulatory regimes that might protect the user, about technical credibility, incentives, and other factors.
