Professional Documents
Culture Documents
Thank you for the opportunity to provide you information regarding Gmail, our
cloud-based email platform.
Google works hard to provide choice, transparency, control, and security for users’
data. Gmail is used by more than 1.4 billion users around the world, and we have had a
long commitment to providing our users with a secure platform. That is why we were
among the first companies to warn users when we believed that their accounts were
targeted by a government-backed attacker. And it is why we launched our Advanced
Protection Program, which integrates physical security keys to protect those at
greatest risk of attack, like journalists, business leaders, and politicians.
Like other email providers, we give users options and choices regarding how they
access and use their email, allowing them to avail of email clients, trip planners and
customer relationship management (CRM) systems. And we remain committed to
ensuring users’ accounts are secure and we help our users to make informed choices
about the data they share.
We continuously work to vet developers and their apps that integrate with Gmail
before we allow them the ability to request access to user data, and we provide
additional warnings to users when they are evaluating whether to give unverified apps
access to their data.
We also insist on transparency: before a developer can access a Gmail users’ data,
they must obtain consent from the user. And they must have a privacy policy that
details how the data will be used.
We then give users reminders about the data they are sharing with developers and
control to remove their access. We were one of the first companies to offer a
centralized data portal when we launched MyAccount in 2015
(https://myaccount.google.com/). MyAccount provides easy-to-use tools to help
manage privacy and security. That includes our Security Checkup (available at
https://myaccount.google.com/security-checkup), which is designed to help users
make informed decisions about security and privacy, including by identifying the apps
that have access to their data and letting them revoke access to those apps.
Our advanced security tools protect our users when they interact with apps. Google
Play Protect, for example, comes pre-installed on all Google-licensed Android devices
and continuously monitors users’ phones, along with apps in Play and across the
Android ecosystem, for potentially malicious apps. It scans more than 50 billion apps
every day and warns users to remove apps we identify as malicious:
1) Does Google require developers of apps requesting access to Gmail data to
conform to any privacy or data protection policies? If so, please describe these
policies.
Developers who access Gmail data are subject to Google’s User Data Policy
(https://developers.google.com/terms/api-services-user-data-policy) as well as our
API Terms of Service (https://developers.google.com/terms/). Our policies and terms
require developers to accurately represent the identity of the application, provide
clear and accurate information regarding the types of data being requested, and be
honest and transparent with users about the purpose of user data requests. For
developers who seek access to sensitive data, they must also publish a privacy policy
that fully documents how the application interacts with user data. If developers
change the way their application uses a Google user’s data, they must notify the users
and prompt them to consent to an updated privacy policy. Developers are also
required to protect against unauthorized or unlawful access, use, destruction, loss,
alteration, or disclosure.
2) In a recent blog post, a Google representative stated that Google manually
reviews developers and apps requesting access to Gmail data to ensure that the
developers and apps accurately represent themselves and only request relevant
data. Please describe this process in detail.
We support our policies with verification, monitoring, and enforcement. Web apps
that request access to sensitive data, like Gmail data, must complete a verification
process, described at
https://developers.google.com/apps-script/guides/client-verification. That process
involves a manual review of the app’s privacy policy to ensure that it adequately
describes the types of data it wants to access and a manual review of the suitability of
permissions the app is requesting. This process is designed to prevent apps from
misrepresenting themselves to users or accessing data that they do not need in order
to perform their function. If an app is not verified by Google, we display a prominent
warning to users that they are using an “unverified app” and strongly discourage them
from proceeding. Usage of an “unverified app” is limited to 100 users (which, among
other reasons, permits developers to test their apps before completion of the
verification process). Unverified apps would also be flagged to users by our Security
Checkup tool described above.
In addition to our proactive review, we use our advanced security tools and
enforcement mechanisms to continuously protect our users when they interact with
apps. Google Play Protect, for example, monitors users’ phones, along with apps in
Play and across the Android ecosystem, for potentially malicious apps. We also act
promptly on user reports about privacy and security issues. We reward researchers
and developers who flag privacy and security issues, and we engage in research and
community outreach on privacy and security issues to make the internet safer.
3) That blog post also stated that Google reviews apps' compliance with
Google's policies and suspends them if they fall out of compliance. Please
describe this process in detail. In addition, provide a list of all instances in which
Google has suspended an app in this way, with an explanation of the
circumstances for each.
As discussed above, to protect our users, web apps that request access to Gmail user
data must go through a verification process. Once they have been given access, we
use machine learning to monitor those apps. If we detect significant changes in the
behavior of the app after it has been approved, we will once again manually review the
app. If that review determines that the app is violating our terms, the “Unverified App”
screen is displayed to users and we restrict the app's ability to use our service.
In the majority of cases, we are able to detect and suspend apps that misrepresent
themselves or are not transparent with how they use user data, for example, before
they are given access. Malicious apps are suspended and access is removed. We also
work with non-transparent apps to ensure that they clarify their practices for our
users. If those apps accept our recommendations, the developer’s app may ultimately
be approved.
● Lack of transparency to users, including that the developer did not sufficiently
identify the purpose of the app to the user;
● Attempts to manipulate our anti-spam detection systems in violation of our
policies;
● Failure of the developer to accurately represent their identity and intent; and,
● Requests for permissions that were not relevant to the purpose of the app.
4) Does Google allow its own employees to access the content of Gmail users'
personal emails? If so, what safeguards does Google have in place to ensure that
personal email content is not misused or shared more broadly?
Google has long-standing policies tightly restricting our own employees’ access to
the content of our users’ Gmail accounts. No humans at Google read users’ Gmail,
except in very specific cases where they ask us to and give consent, or where we
need to for security purposes, such as investigating a bug or abuse. We enforce our
policies through a number of safeguards, including: (i) restricting access to user data
to a very limited number of individuals; (ii) requiring documentation of when access is
granted; and (iii) routine auditing of access.
5) Is Google aware of any instance of an app developer sharing Gmail user data
with a third party for any purpose? If so, describe any such instance and the
parties involved, as well as any action Google has taken to recover such data.
Our main goal is to prevent abuse before it happens. That’s why we designed
verification processes to stop abusive apps from ever gaining access to user data.
When we detect anomalous behavior, we investigate. And when we suspend apps, we
warn users to remove the apps’ access to their data.
Developers may share data with third parties so long as they are transparent with the
users about how they are using the data. Our verification process described above
reviews the privacy policy and works to ensure that developers’ requests for access
to user data make sense in light of those disclosures. As illustrated in the consent
screens above, we make the privacy policy easily accessible to users to review before
deciding whether to grant access.
Sincerely,
Susan Molinari, Vice President, Public Policy and Government Affairs, Americas
Google Inc.