Recently, the Wall Street Journal ran an article reporting that third-party app developers could gain access to your Gmail without you necessarily understanding that you had authorised them to do so.
The article was picked up by other news sources and has generated quite a wide range of comments, so here is a brief summary of the key facts of the matter.
Gmail is one of the most popular email services out there, which means that there is a wide range of third-party apps for it. It is these apps, rather than Gmail itself, which have been revealed as allowing humans to access your data.
This is where the waters become a little muddy. According to Google, app developers must obtain express permission from users to access their data. The app developers agree, and those that have commented have emphasised that their activities are covered by their terms and conditions, to which users consent when they sign up for their service.
There is, however, a rather large question mark over the extent to which Google polices the activities of third-party developers and the extent to which the app developers provide clear-English explanations of their activities.
This creates what could be a rather interesting situation from the point of view of GDPR, which mandates that data subjects must be provided with full and clear explanations of what personal data will be collected and how it will be used.
In principle, GDPR applies to all organisations that process the data of people resident in the EU, which means that the EU could, in theory, choose to sanction a company regardless of where it was located. Google itself most certainly has a presence in the EU and has previously had dealings with European authorities. It is therefore far from out of the question that the EU will choose to tackle Google on this issue and put pressure on them to police app developers to EU standards.
If you have a Gmail account and you are concerned about who has been reading your emails, verify which third-party apps you have already authorised to access your account and review each of them in turn. Do you absolutely need this functionality? Do you completely trust the company managing it? Does it have a good reputation for online security? Could you do without the app?
Once you have removed everything you don’t need, consider other more generic email security measures like having a very strong password, not leaving yourself logged in on shared computers or phones, and keeping your machines protected with great anti-virus software and regular scans. In addition, always take care when clicking links or opening attachments in emails you weren’t expecting, or from people you don’t know; don’t do either of those things if you can possibly avoid them!