By Suzanne Frey, Director, Security, Trust, & Privacy, Google Cloud
We make it possible for applications from other developers to integrate with Gmail — email clients, trip planners, and customer relationship management (CRM) systems. This is so that you have options around how you access and use your email.
We continuously work to vet developers and their apps that integrate with Gmail before we open them for general access. We also give both enterprise admins and individual consumers transparency and control over how their data is used.
On your Google account, you can visit ‘Security Checkup’ to review what permissions you have granted to non-Google apps, and revoke them if you would like to. For G Suite users, admins can control which non-Google apps can access their users’ data through whitelisting.
Keeping your data secure is our top priority, so we want to provide you with details about our vetting process and user controls for both enterprise and consumer accounts:
Giving Consumers a Choice and Protecting Them from Malicious or Deceptive Apps
A vibrant ecosystem of non-Google apps gives you choice and helps you get the most out of your email. However, before a published, non-Google app can access your Gmail messages, it goes through a multi-step review process.
In order to pass our review process, non-Google apps must meet two key requirements:
- Accurately represent themselves: Apps should not misrepresent their identity and must be clear about how they are using your data. Apps cannot pose as one thing and do another, and must have clear and prominent privacy disclosures.
- Only request relevant data: Apps should ask only for the data they need for their specific function — nothing more — and be clear about how they are using it.
We review non-Google applications to make sure they continue to meet our policies, and we suspend them when we are aware they do not.
You Control Your Data
Transparency and control have always been core data privacy principles, and we’re constantly working to ensure these principles are reflected in our products.
Before a non-Google app is able to access your data, we show a permissions screen that clearly shows the types of data the app can access and how it can use that data.
We strongly encourage you to review the permissions screen before granting access to any non-Google application.
In addition, we’ve long had data controls that you can use at any time to manage your information. For example, the Security Checkup page in your Google account shows all the non-Google apps that have access to your data and flags potentially risky apps. In fact, you can revoke any previously-granted permissions that you are no longer comfortable with. You can also view and control permissions within myaccount.google.com under “Apps with account access.”
Providing Tools for G Suite Admins
G Suite admins can control the scope of data that users are able to grant to non-Google apps access by whitelisting connected OAuth apps. This ensures that G Suite users can give access only to non-Google OAuth apps that have been vetted and are trusted by their organisation.
Providing Industry-leading Security and Intelligence in Gmail
Gmail has world-class safety features, such as protections that allow us to prevent more than 99.9% of spam and phishing emails from reaching your inbox. In order to deliver these features, we conduct automatic processing of emails. This is standard practice across the industry, and also allows us to give you intelligent features like Smart Reply that help you be more productive.
We do not process email content to serve ads, and we are not compensated by developers for API access. Gmail’s primary business model is to sell our paid email service to organisations as a part of G Suite. We do show ads in consumer Gmail, but those ads are not based on the content of your emails. You can adjust your ads settings at any time.
The practice of automatic processing has caused some to speculate mistakenly that Google “reads” your emails. To be absolutely clear: no one at Google reads your Gmail, except in very specific cases where you ask us to and give consent, or where we need to for security purposes, such as investigating a bug or abuse.
The work of privacy and security is never done, and we’re always looking for ways to better protect our users. For example, we’ve recently introduced more transparency into your Google Account, greater control over your ads settings, and added new OAuth protections to guard against malicious apps.
Article first appeared on the Google Blog.
Lava is an authorised Cloud Partner of Google and is a reseller of G Suite (previously known as Google Apps, Google Maps for Work, and Google Cloud Platform) in Malaysia. With more than a decade of experience in the industry, we’re proud to say we’re one of the leading cloud consultants and service providers in the Asia Pacific region.