Hey Google! How much privacy do I have?

Tasfia K. Zaman
8 min read · Dec 15, 2020

This article is written as an assignment for HKS Class DPI 662B: Digital Government.

ISSUE

At the beginning of 2017, Gmail started receiving pushback for its ad business, wherein G-Suite corporate clients and privacy advocates raised concerns about Google scanning individual user emails that contained personal information for the purpose of serving targeted ads. While third-party vendors are also allowed to scan emails, in 2017, one developer named “Unroll.me” surreptitiously collected Gmail users’ email content pertaining to their purchase of Lyft rides and sold that information to Uber without the awareness of most Gmail users. This raised several privacy concerns for all stakeholders and a reputational risk to Google. Further considerations include legal ramifications and product policy changes needed as a response to this breach in privacy.

INTERESTS

ANALYSIS

Prior to 2018, the monetization structure of Gmail allowed Google to scan the emails of free Gmail users for keywords, but not those of G-Suite clients. These keywords were then used to create a connection between user interests and targeted ads, which in turn attracted advertisers. A third-party vendor named Unroll.me had the right to scan Gmail user data as well. Despite the fact that the users of Unroll.me had consented to having their data anonymized and sold, as stipulated in the terms and conditions they accepted, users were surprised when they learned that their Lyft ride information was still being collected from their emails, including the cost of the ride, GPS locations for the pick-up and drop-off points, and the time it took to complete the ride. Although Unroll.me asserted that it anonymized the user data to stay within the bounds of its privacy policy, it is known that such data can be re-identified. Combining the Lyft ride data with other email content that Unroll.me (or any other third-party developer) can scan, such as information on social media accounts, social security numbers, bank accounts, home mortgages, and gym memberships, makes it possible to re-identify the specific individual using the services. This privacy breach is problematic because it becomes a security issue: user data can be used by bad actors to target and surveil individuals. These bad actors may include state actors (foreign and domestic) as well as private, non-state actors.
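The re-identification risk described above can be measured before "anonymized" records ever leave a vendor. The following is an added example, not code from the article, from Unroll.me or from Google: it takes a constructed sample of ride records with the fields the article names (fare, pick-up and drop-off coordinates, ride duration), treats coordinates and duration as quasi-identifiers, and computes k-anonymity (the size of the smallest group of records that share the same quasi-identifier values). The sample values, the grid sizes and the bucket widths are assumptions chosen for the illustration; the point it shows is that dropping the user id does nothing when every record is still unique, that coarsening the fields raises k, and that an outlier ride still stands alone until it is suppressed.

```python
from collections import defaultdict

# Constructed sample of "anonymized" ride records: no user id, no email address.
# Values are invented for this example; they mirror the fields the article says
# were collected (fare, pick-up/drop-off GPS points, ride duration in minutes).
RIDES = [
    {"fare": 12.40, "pickup": (42.3601, -71.0589), "dropoff": (42.3736, -71.1097), "minutes": 18},
    {"fare": 13.10, "pickup": (42.3607, -71.0592), "dropoff": (42.3740, -71.1090), "minutes": 22},
    {"fare": 11.80, "pickup": (42.3598, -71.0580), "dropoff": (42.3731, -71.1101), "minutes": 15},
    {"fare": 15.25, "pickup": (42.3770, -71.1167), "dropoff": (42.3601, -71.0589), "minutes": 25},
    {"fare": 15.90, "pickup": (42.3777, -71.1160), "dropoff": (42.3610, -71.0597), "minutes": 27},
    {"fare": 7.30,  "pickup": (42.3312, -71.0416), "dropoff": (42.3527, -71.0552), "minutes": 9},
    {"fare": 7.95,  "pickup": (42.3320, -71.0420), "dropoff": (42.3530, -71.0556), "minutes": 11},
    {"fare": 24.60, "pickup": (42.3627, -71.0620), "dropoff": (42.3747, -71.1120), "minutes": 40},
]


def quasi_identifier(record, coord_decimals, minute_bucket):
    """Return the quasi-identifier tuple after generalizing the record.

    coord_decimals=4 keeps roughly an 11 m grid, 2 keeps roughly a 1 km grid
    (assumed grid sizes); minute_bucket groups durations into buckets of that
    many minutes. The fare is deliberately left out of the identifier.
    """
    plat, plon = record["pickup"]
    dlat, dlon = record["dropoff"]
    return (
        round(plat, coord_decimals), round(plon, coord_decimals),
        round(dlat, coord_decimals), round(dlon, coord_decimals),
        record["minutes"] // minute_bucket * minute_bucket,
    )


def equivalence_classes(records, coord_decimals, minute_bucket):
    """Group records that are indistinguishable on the generalized fields."""
    classes = defaultdict(list)
    for record in records:
        classes[quasi_identifier(record, coord_decimals, minute_bucket)].append(record)
    return classes


def k_anonymity(records, coord_decimals=4, minute_bucket=1):
    """Smallest equivalence class; k=1 means some record is unique."""
    classes = equivalence_classes(records, coord_decimals, minute_bucket)
    return min(len(group) for group in classes.values()) if classes else 0


def unique_fraction(records, coord_decimals=4, minute_bucket=1):
    """Share of records that are alone in their class: direct linkage risk."""
    classes = equivalence_classes(records, coord_decimals, minute_bucket)
    singletons = sum(1 for group in classes.values() if len(group) == 1)
    return singletons / len(records)


def suppress_below_k(records, k, coord_decimals, minute_bucket):
    """Drop every record whose class is smaller than k before release."""
    classes = equivalence_classes(records, coord_decimals, minute_bucket)
    return [record for group in classes.values() if len(group) >= k for record in group]


if __name__ == "__main__":
    # Raw precision: every ride is unique, so "anonymized" only means the id column is gone.
    print("raw: k =", k_anonymity(RIDES), "unique =", unique_fraction(RIDES))
    # Coarsened to a ~1 km grid and 15-minute buckets: most rides now blend in,
    # but the single 40-minute ride is still unique.
    print("coarse: k =", k_anonymity(RIDES, 2, 15), "unique =", unique_fraction(RIDES, 2, 15))
    released = suppress_below_k(RIDES, 2, 2, 15)
    print("after suppression:", len(released), "rides, k =", k_anonymity(released, 2, 15))
```

A vendor auditing its own exports, or a platform vetting a vendor, would run a check like this on the actual release and refuse to ship anything with k=1 on the quasi-identifiers. The example also shows the trade-off the article's "Value Addition" criterion gets at: coarser fields and suppressed outliers mean less useful data, which is the price of a release that cannot be trivially linked back to a person.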

Source: AndroidGuys

Although Google management made the decision in late 2017 to stop scanning the emails of both corporate and free-version Gmail users for targeted ads, Gmail still scans email to prevent phishing attacks. More importantly, the Smart Compose and Smart Reply features in Gmail are a more intrusive utility, wherein Gmail can see exactly what the user is typing in real time and offer tailored suggestions on what to write next. User privacy concerns remain regarding how privacy is enforced by Smart Compose, i.e. who or what is reading the emails, where this data is stored, and whether all third-party app developers have access to this scanned data through Smart Compose and Smart Reply.

Google LLC’s practices are not the only ones of concern: Apple is one of the largest third parties to tag onto Gmail. If a Gmail user uses the Apple mail client, then Apple has access to all of that user’s Gmail emails, which Apple can scan on its own. The data shared with Apple can then be shared with a host of other third parties catering to Apple, subject to their terms and conditions.

The Wall Street Journal and the New York Times have already published articles about Google’s mismanagement of third-party app developers having access to Gmail data, which have subsequently caused reputational damage. Many users may choose to file lawsuits with the Federal Trade Commission Bureau of Consumer Protection against Unroll.me for deceptively selling user data, and this may in turn implicate Gmail’s product policy in some wrongdoing because of the lax vetting criteria it applies to third-party app developers.

Now is the time to intervene and turn this risk into an opportunity to show that Google can effectively regulate the way all third-party developers interact with Google products, especially Gmail, and roll out uniform product policies applicable to all third-party developers; this would mean creating a framework for transparency and accountability around the terms and conditions that users sign. Users will in turn not lose trust in Google.

OBJECTIVES/CRITERIA

It is imperative for Gmail to constantly vet and update its list of third-party vendors after auditing them and giving our stakeholders a transparent representation of the technical implementation of the vendors that serve ads. While it is understood that these third-party vendors need access to user data to show tailored ads and generate revenue for their own businesses, the source of user data should not be personal emails and should rather be a user’s Search history or YouTube viewing history.

Given the need to further vet these vendors, three specific criteria for third-party vendors that will appease Gmail users in addition to all other stakeholders are:

§ Privacy and Security: This is the inherent value for privacy and security relevant to all Gmail users and other stakeholders at the end of the day

§ Cost: This is the price to be paid by Google for vetting the third-party vendors and rolling out a uniform privacy policy for all third-party vendors to Gmail

§ Value Addition: This aspect would measure minimum viable product margin, meaning the usability/reliability/functionality/design of third-party apps catered to Gmail

POLICY OPTIONS

Given the privacy issues raised by our stakeholders in the aftermath of the Unroll.me privacy breach, Google will need to invest in heavier vetting of its third-party vendors to Gmail across the board, regardless of their tenure with our company. As far as specific policy options are concerned, Gmail should consider the level of access to afford the third-party vendors.

How to define access? By the number of vendors that are permitted to serve Gmail and the extent of the user data they can see.

1) Same Access to third-party vendors (as before)

Low Privacy and Security: this does little to assure users of privacy and security; publicly not the right move.

Low Cost: little to no cost (with the exception of heavier vetting costs) to give the same level of access to the same number of vendors as before.

High Value Addition: having the same access as before gives the third-party apps the space to innovate and serve users better; this may encourage more vendors to enter the third-party app market.

2) Restrict Access to third-party vendors

Medium Privacy and Security: reducing the number of vendors and limiting the vendors to only see Search and YouTube history would placate users of vendors reading their personal emails.

Medium Cost: relatively higher costs to Google for vetting vendors.

Medium Value Addition: Gmail users may lose some functionality from not being able to use as many apps as before but it may also force users to use apps that are more reliable and properly vetted.

3) No Access to third-party vendors

High Privacy and Security: in the short run, users will not have their data read by any party other than Google, which is a huge plus for privacy and security.

High Cost: revoking access to third-party apps means Google will have to pick up the cost of catering to users’ add-on needs, troubleshoot system glitches and vulnerabilities, etc.

Low Value Addition: stifles innovation for the Gmail product as it is not constantly improving and serving an expanding appetite for user needs.

RECOMMENDATION

I recommend the “Restrict Access to third-party vendors” option because the hypothesis is that a policy move towards stronger privacy protocols and vetting will satisfy all stakeholders involved. The “Restrict Access” is recommended because:

§ This is the most viable option as it allows Gmail to innovate with third-party vendor support and Google is not tasked with innovating in-house. This will ensure that Gmail retains its 65% share of the email market.

§ However, some privacy and security concerns will remain about the extent of third-party vendors’ access to user data. Here, it will be important for Gmail and Google to delineate the technical implementation of the third-party product, how it collects and stores data and how the data is used.

IMPLEMENTATION

Cheaply testing the functionality of Gmail as a product will be at the forefront of our policy implementation considerations. That being said, an agile approach with the tenets of an iterative approach (to determine the extent of restrictions that should be applied) can be implemented on small, randomly selected subsets of Gmail user populations in different countries over a 6-month period to see the effectiveness of the “Restrict Access” policy option. This will ensure a globally applicable policy for Gmail third-party vendors. The subsets of populations should include users who already use some third-party apps, to see the level of uptake and usability for such apps and how these apps utilize their access to user data. This information on access metrics will need to be readily available for users to view in their Google Account page, where they can also tweak their privacy controls to their liking.

The only caveat to regulating third-party apps would be for Apple and Microsoft as they offer mail client services to our Gmail users, which means they have the ability to scan emails and monetize the way their privacy policies see fit. For Apple and Microsoft, the policy could be to limit their usage of scanned user data through various cease and desist legal clauses.

Measuring the effectiveness of the “Restrict Access” option would include asking for direct user feedback and ratings on the third-party app page and/or from a pop-up message while using Gmail. Based on the responses, we can see how the policy option is working to assuage concerns over privacy and security. For example, the benchmark could be that 50 percent or more of users are satisfied with the new privacy changes. We will also contact our media partners to take the pulse of the privacy and security features and see if we are satisfying our customers, which they can later report in the news. If the public and user responses are mixed or negative, we will need to re-evaluate the restriction levels through our iterative process or revamp our policy options completely.

Lastly, our overarching policy should be to keep our free version of Gmail free because privacy should not be a luxury good. It is in our best interest to let users uncheck the box on data sharing and targeted ads if they want. Customer satisfaction should be our highest priority.

Tasfia K. Zaman

Tasfia K. Zaman is a MALD candidate at the Fletcher School of Law and Diplomacy. Currently blogging about digital government.