
Are you concerned your emails might be read by a third party?


How do you feel about your email being scanned, and possibly even read by the employees of third-party companies, asks Kate Bevan…

A report in the Wall Street Journal on Tuesday alleged that Google had allowed some companies to do just that with Gmail accounts.

It was reported Google has been allowing developers from companies providing add-ons to Gmail access to those people’s emails – both by automated scanning and, more alarmingly, in some cases by employees.

It’s not that long since Google pledged to stop scraping your inbox for information to personalise the adverts you see when you use Gmail, so the news that it was letting third parties scan your email conversations went down like a lead balloon.

The Cambridge Analytica scandal drew back the curtain on how data brokers can mine personal data for insights, focusing anger on how Facebook had let that company plunder the data of your friends without their consent.

Facebook actually stopped allowing third parties to access friends-of-friends’ data back in 2015, but the sense that the social platform is an all-seeing panopticon made many people very uneasy.

Now the focus has switched to Google and what access it allows third parties to your information.

Who’s reading your emails?

Google explained in a blog post that it “make[s] it possible for applications from other developers to integrate with Gmail – like email clients, trip planners and customer relationship management (CRM) systems – so that you have options around how you access and use your email,” and added: “Before a published non-Google app can access your Gmail messages, it goes through a multi-step review process … to ensure it is a legitimate app”.

It’s worth pointing out that whoever your email provider is, your emails will be scanned to some degree.

Spam filters work partly by scanning for keywords in emails known to be associated with spam. Anti-malware software scans for dodgy links and malicious payloads – and that can be done both on your email provider’s server and, if you use software such as Outlook or Thunderbird, also on your computer.

Corporate email is also scanned by IT departments for malware, spam and compliance reasons.

And if you use a free email provider such as, yes, Gmail, but also Yahoo! or Outlook.com, your emails could also be scanned so that the adverts you see are more relevant to you.

Email isn’t very private, and it’s wise to assume that what you say in an email could in theory be read by someone else, and that especially applies to your work email.

Third-party oversight?

While the companies themselves are very different, the issues with Google are the same as those that dogged Facebook with Cambridge Analytica: first, how much access to our information do the big tech companies we rely on allow to companies we’ve never heard of; and second, how much oversight do the big tech companies exercise over those third parties?

The Wall Street Journal alleged that there had been very little oversight of what those firms were up to once they’d passed Google’s certification tests.

Google is at pains to point out that as a user, it’s always up to you whether or not you let a third party access your data. However, it’s not always very clear what the implications are of the permissions you’re asked to grant when you install an app, and often an app simply won’t work unless you do grant some permissions.

Review your account

It’s well worth using Google’s dashboard to review your account: you can run through a privacy and security check-up and review your settings and permissions from that dashboard.

Our recent report, Control, Alt or Delete? found that consumers don’t have a clear or detailed understanding of how our data is used, and that many were shocked when they learned the truth about the extent of the ecosystem built on the data we provide to big technology companies.

So how do you feel about this latest revelation? Do you think that Google has taken enough care to protect your privacy when you use its email, or has the revelation that the human staff of third parties could access your inbox undermined your trust?

Could the big tech companies like Google and Facebook do more to let us know exactly what they’re up to, or should we make more of an effort to inform ourselves? And most importantly, are you still comfortable using the free apps and services that rely on the data you provide?


I use E. mails daily as an alternative to writing letters. No one has asked me whether I would be willing to share them with anyone other than the recipient. I suspect that because there are terms and conditions attached to the E. mail service it is either a case that they can tap into messages because I have agreed to use their portal, or the permission to tap is hidden in the small print and I haven’t seen it. Either way nothing seems to be private these days and this particular conversation is one of many here that says “Your information is being used by X,Y or Z are you concerned?” The internet is full of traps and nosey institutions. It really is a question of using it carefully and making sure that the advantage of that use outweighs the possible effect of the thieves who steal information for a living. I am hopeful that what I do on the Net is of so little value that people won’t bother about me, and, if they do, I haven’t lost the crown jewels in the process. One either curls up in a cocoon and forgets about anything electronic, or one uses it because it’s there and sod the consequences. There’s a happy medium somewhere in all that.

Once money is transferred it must remain in the receiving account for 24 hrs before being transferred again. This would allow money to be retrieved if a scam is found out early.

I presume you get what you pay for – in the case of most email providers, it’s free so you are not paying for any security. I’m quite happy with my email provider, have never, to my knowledge, had any problems and if anyone is interested in what I put in my emails then they have far too much time on their hands, are very sad, or are wasting valuable equipment. I have nothing to hide.

I understand there are paid-for email services that purport to offer much higher levels of security? Perhaps those who contact customers requesting legitimate payments should be obliged to use such services to help defeat the scammers? Or is that being naive?

However, it’s a wicked world and many people try to do nasty things to others. I’d rather have surveillance that helps stop this than quibble about privacy. If I want to send truly private information I can send it by registered snail mail (and trust it is not intercepted on the way).

I’ve always avoided web-based email, and security is just one of the reasons. The only real problem I’ve had with email is when people have deliberately or inadvertently passed on email that was intended for them. On more than one occasion I have been shown a reference that I have written for a potential employer, who has passed it on to the candidate. If you assume that anything sent by email could be read by anyone you will not go far wrong and it’s probably best to be circumspect in what you write.

That’s too true, and with ‘blind copies’ you can never be sure that the sender has not also sent it to someone else, or that other recipients have not forwarded it to other parties who themselves might have copied it to even more people.

Obviously, people can [and do] copy and circulate letters sent in the post [especially since so many of us have printers that will photocopy] but the simplicity of doing it with e-mails makes it much easier and there is no cost or effort involved, so it pays to be very cautious with sensitive correspondence.

Yes, bcc can cause plenty of fun but hopefully most people understand what it does and the risks involved.

I mainly use bcc to send messages to a group because it avoids the recipients seeing other email addresses.

Once you’ve sent an email, you’ve no control over where it goes after that, so it is always good to be careful about what you put in any email.

GDPR advises all organisations to bcc mass emails.
The danger with emails, like phone messaging, is when you send it to the wrong people. This is an occasion where it would be nice to put it into a holding folder for review before you actually despatch it into the ether.
There are a number of reports in PEYE of emails gone wrong.

One way of making sure that everyone reads an email is to retract it. 🙂

I always insert the addressees in the ‘To’ box last. That way they can’t go anywhere until I am satisfied all is OK.

My first step is to attach any attachments which makes sure that I don’t have to send another email with the missing attachment.

Thanks Kate. I do remember informing people that I thought that their accounts had been hacked after receiving strange emails from their accounts. Yahoo is the one that sticks in mind but I thought that other free services had been hacked.

This comment was removed at the request of the user


Duncan, as someone not engaged in terrorism, espionage or political subterfuge against the UK, I’m not convinced that I need protection against GCHQ.


Sorry, what dogma’s that…


Is this what you are referring to Duncan?



Duncan, thanks for that link.

Gmail passed all three checks, so it is configured to use , does use a valid certificate, and is on the STARTTLS Preload List.

Excellent organisation, EFF. The Amnesty International of the internet.

There are some great tips above to prevent the usual faux pas – forgetting attachments, premature email dispatch by accidental pressing of Ctrl Return etc. I would add to this list that, for important emails requiring care, two golden things I used to do when at work.

1) I typed deliberately the words “safety net” in the “to” field before composing anything. Of course, hitting “send” didn’t work as the name was not resolved. It did remind me though that this was a sensitive email and that I needed to read through it again.

2) – a golden rule I tried to impress on my crew, particularly those who had a knee jerk as strong as my own.. Write the email the night before, and reread it in the morning before pressing “send”. It’s amazing how many you chose simply to delete instead of sending – although the odd one may get emphasised further and then sent!

I turn now to the Google thing on privacy. We all know email transport is insecure and that that is why it is such a hot topic since GDPR came of age. I see that the regulars, Duncan in particular, identifies issues with the usual suspects. From my perspective neither of the two big free transport mechanisms (gmail and outlook) are watertight – in particular clicking on nefarious links can open up all sorts of problems.

I recognise the simple POP3/SMTP arrangements ISPs offer are not military lockdown either. However, what they do offer is simplicity, and maintenance of one’s own data on one’s own private storage – after deletion from the server, received emails are not accessible to others unless already sent to them. Similarly, sent emails after transmission has successfully been acknowledged are deleted from the server too (or should be).


Fly-by malware’s been around for a long time, Duncan, which is why many email clients turn off remote images by default. As always, however, Malware shows no sign of letting up.


Yes, Duncan, you did, and there’s no ‘quick fix’ for this malware, like much, because – as I said – it’s not letting up and constantly evolving. But there’s a huge amount of accurate information regarding malware already out there.

However, educating the public about how to deal with any malware is a difficult task and has to be approached systematically. And it needs to reach a far, far wider audience than W?Cs


“Why does Which Convos contain so many cries for help on computer subjects?” I can’t say I’ve seen that many compared to comments on other topics requiring help – consumer rights for example. Which? do offer a service to people who have computer problems.
Our friendly team can help you with one-to-one support, so you can make the most of your computer, phone, TV and other devices – free of frustration.

I see this thread has already featured Duncan’s usual responses towards supplementary questions and attempts at constructive criticism, i.e. antagonistic replies

Duncan – thanks for posting this news.

I think it shows why folk should always get the best internet security software that they can afford, so that they are protected against this type of threat.


Which? Tech Support. I forgot to mention this charges Which? members £60 a year, and others £72. I wonder how many would see this as worthwhile?


“narrow-minded dogma /negative thinking/criticism for criticisms sake”

Is that how you view comments that don’t align with your perceptions, Duncan?


I’d suggest it’s time for a truce on these sorts of comments. I hope I am not on my own. I appreciate all sorts of comments; some I will agree with, some I won’t. Some I ignore. I will sometimes interject a comment that may be a little provocative to shed a different view on a topic. And I am not a paragon in this respect.

What I think we should all avoid is directing criticism at each other. I see it as unhelpful and will put off potential new “regulars”. It is not an easy line to follow when you see someone with a very different view, someone who seems to oppose your view on principle (they probably don’t always mean it), and someone who challenges dearly-held opinions. Offensive, off-topic and such comments are dealt with by the moderators and we can report these.

It’s Sunday – a day of goodwill to all men…

Duncan, when it comes to so called “engineering topics” it seems to be quite common for other posters to comment on your posts.

Some of those comments come from other engineers.

Some of those comments come from folk who would not claim to be engineers, but are still entitled to comment, from whatever viewpoint they may have.

Given the formal basis of W?C as a forum for debate, any thought provoking post is likely to attract comments.

Most of the things we discuss on here are not simple facts that must be either simply true or untrue.

Given the support for free speech on here, this forum should be operated so as to allow reasonable and courteous debate.

I’m disappointed by the number of offensive comments that result in a discussion rather than simply clicking on ‘Report’. If a few of us do that then the comment disappears until it has been moderated.

I thought you’d gone for a walk 🙂 Ah – mobile? I think the degree of offensiveness – and some people are more easily offended than others – would determine the best action. Sometimes it seems pertinent to counter, in a non-offensive way, an unpleasant comment to explain the reasoning. It can be done without it becoming personal.

It is a bit like a thumbs down – rather than just showing your disagreement it is far more helpful to say why.

On YouTube, there is a thumbs up/down system, but you have to be logged in to use it and actions are reported to the OP (original poster).

It seems to be used a lot to save having to simply post “I agree” or “yeah that” when no further comment is needed.

It has been suggested in the past just to have a thumbs up, so if you disagree you need to explain. If we are to continue with thumbs in both directions I’d prefer to return to the system where the scores were recorded separately, and not where one can negate another. That does not reflect any strength of feeling and serves little purpose (in my opinion).

I’ve used rent-a-thumb (@carneades) once recently to show how it seems to be abused.

Gee; I’ve got a job title at last 🙂

Malcolm – What I was referring to was reporting posts that are clearly offensive. I reported one a few days ago and someone else said they had, but there was a discussion. We have been asked more than once to report rather than discuss posts of this kind.

I see nothing amiss with politely and constructively commenting on a post that might also have an offensive element. It takes time for reports to accumulate and be processed so flagging up concerns in the Convo seems sensible.

Where you are so concerned that a post should be immediately could be addressed by reporting it three times yourself. Does that still work? I can’t find one to try it out on, as they are fortunately very very few and far between, except when Which? goes viral.

I am simply passing on advice that we have been given by Patrick Steen etc. Yes multiple reporting works and the more times this is discussed the greater chance it will be misused.

We must also crack Ian’s thumb secret.

Shall I pop round to his house and get out the thumb-screws?

I’ll ask my grandparents where he lives.

Just follow the yellow brick road…

fiendish cackle…

My current day job sometimes involves the production of safety briefings. Sometimes the target audience for those will be everybody in the company, so I always need to present the issues in a clear and simple way. [Just imagine how many people I could upset if I didn’t do that…]

Thankfully, I don’t have to do this alone – colleagues always “peer check” what I write before anything is published.

I think Which? (and journalists in general) face similar issues, in that anything that they publish should be clear, fair and objective.

Here on W?C, I expect that most posters won’t be getting friends, family and colleagues to peer-check their posts before hitting that big orange button. Hence, I think we must rely on other posters to raise the sort of technical and editorial queries that will help us get right to the heart of each subject.
