What do you think? Leave a respectful comment.

If you have Gmail, here’s who’s scanning your inbox

A year ago, Google’s Gmail said it stopped its practice of scanning users’ inboxes to personalize ads. But it still allows outside app developers to scan inboxes, according to a Wall Street Journal report. John Yang talks with tech reporter Douglas MacMillan, who broke that story.

Read the Full Transcript

  • Judy Woodruff:

    Now, John Yang on what we agree to when we click those "I accept" buttons signing up for e-mail apps.

  • John Yang:

    Judy, if you use e-mail, chances are it's Google's Gmail. It has about 1.4 billion users. That's two-thirds of all active e-mail users around the world.

    A year ago, Gmail said it stopped its practice of scanning users' inbox to personalize ads. But The Wall Street Journal reports that it still allows outside app developers scan inboxes.

    Wall Street Journal tech reporter Douglas MacMillan broke that story and is now with us from San Francisco.

    Doug, thanks for joining us.

    Quickly give us an idea what kind of apps we're talking about and. Why do they want access to the e-mail — to our e-mails?

  • Douglas MacMillan:

    Yes, thanks, John.

    So, Gmail — Google says that Gmail apps make your e-mail more useful.

    A few years ago, the company started opening up e-mail and the data inside it to third-party software developers who are making apps like productivity tools that let you schedule an e-mail to send later.

    There are travel planning apps. There are shopping apps. There's kind of an array of ways to let you kind of superpower your e-mail. But, as we found out in our reporting, the more kind of you're letting these developers access the data in your e-mail, the more you're risking some of that personal data that is all over the inside of your e-mail to fall into the wrong hands.

  • John Yang:

    And are these computers scanning the e-mails, or are these real people reading e-mails?

  • Douglas MacMillan:

    Yes, so, that's one of the most surprising things we found in our reporting for this story, was that in most cases these are computers scanning these messages automatically.

    We talked to one company called Return Path that is hooked up to more than two million users and actively scanning their messages. Mostly, that is computers scanning them. But in some cases we found in order to train those computers, they need to have human beings step in and actually manually review those messages.

    And in the case of this Return Path company, they were having employees manually step in and say, this method is a commercial message, and this message is a personal message. That process needs to be done by a person in order to make sure the computer can do it automatically later on.

  • John Yang:

    And what protections are there to — against the people who are doing this using some of the information?

  • Douglas MacMillan:

    Yes, so the protections here are the privacy policies and the terms of service for the companies who are doing this.

    I mean, first and foremost, that is Google and the privacy policy that they keep with their developers. Now, we talk to a lot of developers who say, even though that Google prohibits developers from doing things like storing data permanently, sharing your data with third parties, that Google doesn't really do much to audit a lot of the developers.

    They can run some checks, and they can they can look to see if there are any extreme bad actors in their system. But they aren't actually going and visiting each of these companies who are obtaining this data.

    In many cases, these are small startups who don't have rigorous privacy practices in place, like you would see at a big tech company like Google.

    So, there's questions around on, are these privacies being followed and questions around, who are these companies who are getting this data at the end of the day?

  • John Yang:

    And what is Google's response? What did they say when you went to them?

  • Douglas MacMillan:

    Google's general response is that it's up to users and that, when you click a button and say, I give my permission for this developer to access my inbox, then you are signing your inbox over to them.

    But I think that that answer is probably not going to carry wait. There's more and more attention on issues of privacy and more awareness of how tech giants have a real responsibility to users to help them make informed choices about their data.

    In this case, I feel like many of the users I talked to in many of the instances which we reported in this story today are examples of how users in some cases are not making informed choices, and that companies like Google could be doing more to help them.

  • John Yang:

    How does this compare to the case of Facebook and Cambridge Analytica, what happened in that case?

  • Douglas MacMillan:


    So, it's similar in the sense that both companies over the past decade have really tried to do what's called in Silicon Valley creating a platform. Microsoft Windows is a great example of the — back in the '90s of building a software platform for other developers to build software on.

    And when you get all these apps going, you get a lot of the users coming to you, and you build ultimately a more valuable product. Apple iPhone also is successful in doing this with the Apps Store.

    Facebook recently had some stumbles in opening up its software to outside developers, like we saw — like you mentioned with the Cambridge Analytical example.

    I think you're seeing Google now maybe is going to have second thoughts about its strategy of trying to turn Gmail into a platform, because people are starting to question whether or not e-mail data is something that should be leaving the bounds and the containers of the Gmail service.

  • John Yang:

    Douglas MacMillan of The Wall Street Journal, thanks for explaining this to us.

  • Douglas MacMillan:

    Thanks, John.

Listen to this Segment