Gmail user data still available to app developers

Google says that third parties can access the users’ Gmail data, but they also conduct evaluations and monitoring

Google has responded to questions made by Republican members in the US Senate on how the enterprise monitors and controls the access of app developers to users’ Gmail content, as reported by specialists in ethical hacking.

Last June, the Republican Senate Commerce Committee sent a letter to Google after the alert emerged from a report on third-party software developers accessing users’ Gmail content, a supposedly common practice in Google.

The publication of this report generated concerns about whether Google properly monitors the misuse of Gmail user data to ensure that its users are not exposed, as this lack of access supervision allowed the political consultant Cambridge Analytica acquire millions of data from Facebook users through a third-party developed app.

“Although there have been no allegations of misuse of personal data similar to the case of Cambridge Analytica, Google’s alleged lack of supervision to ensure that Gmail data is properly protected is a matter of concern” mentions a statement published by members of the Senate responsible for questioning the company.

According to experts in ethical hacking, Senate members primarily questioned Google if it was aware of any instance of an application developer who shared Gmail’s user data with a third party for any purpose.

Susan Molinari, from Google, said that the company’s development policies allow this kind of information exchange. “Developers can share data with third parties as long as they are transparent to users about how they are using the data”, said Google’s employee.

Molinari also mentioned that developers must obtain the user’s consent to access their data and must have a privacy policy if they intend to access confidential data detailing how the app interacts with their information. Developers should also inform users if the application makes any changes to their data policy.

When questioned about compliance with the company’s privacy policies, Molinari responded that after approving the Google’s manual evaluation for applications, machine learning is used to monitor the activity of approved developments.

According to specialists in ethical hacking from the International Institute of Cyber Security, if Google detects significant changes in the behavior of the app after it’s been approved, the application is manually reevaluated; if an application is discovered to be unfulfilling Google terms, it will be identified as an “unverified application”.

It is expected that in the coming days there will be an appearance of officials of Google, Apple and AT&T before members of the Senate’s Committee of Commerce.