
Are you concerned your emails might be read by a third party?


How do you feel about your email being scanned, and possibly even read by the employees of third-party companies, asks Kate Bevan…

A report in the Wall Street Journal on Tuesday alleged that Google had allowed some companies to do just that with Gmail accounts.

It was reported Google has been allowing developers from companies providing add-ons to Gmail access to those people’s emails – both by automated scanning and, more alarmingly, in some cases by employees.

It’s not that long since Google pledged to stop scraping your inbox for information to personalise the adverts you see when you use Gmail, so the news that it was letting third parties scan your email conversations went down like a lead balloon.

The Cambridge Analytica scandal drew back the curtain on how data brokers can mine personal data for insights, focusing anger on how Facebook had let that company plunder the data of your friends without their consent.

Facebook actually stopped allowing third parties to access friends-of-friends’ data back in 2015, but the sense that the social platform is an all-seeing panopticon made many people very uneasy.

Now the focus has switched to Google and what access it allows third parties to your information.

Who’s reading your emails?

Google explained in a blog post that it “make[s] it possible for applications from other developers to integrate with Gmail – like email clients, trip planners and customer relationship management (CRM) systems – so that you have options around how you access and use your email,” and added: “Before a published non-Google app can access your Gmail messages, it goes through a multi-step review process … to ensure it is a legitimate app”.

It’s worth pointing out that whoever your email provider is, your emails will be scanned to some degree.

Spam filters work partly by scanning for keywords in emails known to be associated with spam. Anti-malware software scans for dodgy links and malicious payloads – and that can be done both on your email provider’s server and, if you use software such as Outlook or Thunderbird, also on your computer.

Corporate email is also scanned by IT departments for malware, spam and compliance reasons.

And if you use a free email provider such as, yes, Gmail, but also Yahoo! or Outlook.com, your emails could also be scanned so that the adverts you see are more relevant to you.

Email isn’t very private, and it’s wise to assume that what you say in an email could in theory be read by someone else, and that especially applies to your work email.

Third-party oversight?

While the companies themselves are very different, the issues with Google are the same as those that dogged Facebook with Cambridge Analytica: first, how much access do the big tech companies we rely on allow to companies we’ve never heard of to our information; and second, how much oversight do the big tech companies do of those third parties?

The Wall Street Journal alleged that there had been very little oversight of what those firms were up to once they’d passed Google’s certification tests.

Google is at pains to point out that as a user, it’s always up to you whether or not you let a third party access your data. However, it’s not always very clear what the implications are of the permissions you’re asked to grant when you install an app, and often an app simply won’t work unless you do grant some permissions.

Review your account

It’s well worth using Google’s dashboard to review your account: you can run through a privacy and security check-up and review your settings and permissions from that dashboard.

Our recent report, Control, Alt or Delete? found that consumers don’t have a clear or detailed understanding of how our data is used, and that many were shocked when they learned the truth about the extent of the ecosystem built on the data we provide to big technology companies.

So how do you feel about this latest revelation? Do you think that Google has taken enough care to protect your privacy when you use its email, or has the revelation that the human staff of third parties could access your inbox undermined your trust?

Could the big tech companies like Google and Facebook do more to let us know exactly what they’re up to, or should we make more of an effort to inform ourselves? And most importantly, are you still comfortable using the free apps and services that rely on the data you provide?


I use E. mails daily as an alternative to writing letters. No one has asked me whether I would be willing to share them with anyone other than the recipient. I suspect that because there are terms and conditions attached to the E. mail service it is either a case that they can tap into messages because I have agreed to use their portal, or the permission to tap is hidden in the small print and I haven’t seen it. Either way nothing seems to be private these days and this particular conversation is one of many here that says “Your information is being used by X,Y or Z are you concerned?” The internet is full of traps and nosey institutions. It really is a question of using it carefully and making sure that the advantage of that use outweighs the possible effect of the thieves who steal information for a living. I am hopeful that what I do on the Net is of so little value that people won’t bother about me, and, if they do, I haven’t lost the crown jewels in the process. One either curls up in a cocoon and forgets about anything electronic, or one uses it because it’s there and sod the consequences. There’s a happy medium somewhere in all that.

Thomas Turnbull says:
6 July 2018

Once money is transferred it must remain in the receiving account for 24 hrs before being transferred again. This would allow money to be retrieved if a scam is found out early.

I presume you get what you pay for – in the case of most email providers, it’s free so you are not paying for any security. I’m quite happy with my email provider, have never, to my knowledge, had any problems and if anyone is interested in what I put in my emails then they have far too much time on their hands, are very sad, or are wasting valuable equipment. I have nothing to hide.

I understand there are paid-for email services that purport to offer much higher levels of security? Perhaps those who contact customers requesting legitimate payments should be obliged to use such services to help defeat the scammers? Or is that being naive?

However, it’s a wicked world and many people try to do nasty things to others. I’d rather have surveillance that helps stop this than quibble about privacy. If I want to send truly private information I can send it by registered snail mail (and trust it is not intercepted on the way).

I’ve always avoided web-based email, and security is just one of the reasons. The only real problem I’ve had with email is when people have deliberately or inadvertently passed on email that was intended for them. On more than one occasion I have been shown a reference that I have written for a potential employer, who has passed it on to the candidate. If you assume that anything sent by email could be read by anyone you will not go far wrong and it’s probably best to be circumspect in what you write.

That’s too true, and with ‘blind copies’ you can never be sure that the sender has not also sent it to someone else, or that other recipients have not forwarded it to other parties who themselves might have copied it to even more people.

Obviously, people can [and do] copy and circulate letters sent in the post [especially since so many of us have printers that will photocopy] but the simplicity of doing it with e-mails makes it much easier and there is no cost or effort involved, so it pays to be very cautious with sensitive correspondence.

Yes, bcc can cause plenty of fun but hopefully most people understand what it does and the risks involved.

I mainly use bcc to send messages to a group because it avoids the recipients seeing other email addresses.

DerekP says:
6 July 2018

Once you’ve sent an email, you’ve no control over where it goes after that, so it is always good to be careful about what you put in any email.

GDPR advises all organisations to bcc mass emails.
The danger with emails, like phone messaging, is when you send it to the wrong people. This is an occasion where it would be nice to put it into a holding folder for review before you actually despatch it into the ether.
There are a number of reports in PEYE of emails gone wrong.

One way of making sure that everyone reads an email is to retract it. 🙂

I always insert the addressees in the ‘To’ box last. That way they can’t go anywhere until I am satisfied all is OK.

My first step is to attach any attachments which makes sure that I don’t have to send another email with the missing attachment.

Thanks Kate. I do remember informing people that I thought that their accounts had been hacked after receiving strange emails from their accounts. Yahoo is the one that sticks in mind but I thought that other free services had been hacked.

You’re right, the others HAVE been hacked https://www.engadget.com/2016/05/04/gmail-hotmail-yahoo-email-data-breach/ and https://www.infosecurity-magazine.com/news/one-million-stolen-gmail-yahoo/ I could add much more if required. I have been a Proton Mail subscriber since near its inception, as I posted a short while ago. It has been attacked twice by GCHQ/NSA. I can supply really technical details of all the hacks into Gmail if you want.

GMail, along with the others, allows third parties to collect your data https://boingboing.net/2018/07/03/if-you-use-gmail-know-that.html Only one email service completely protects you from everybody including GCHQ and the NSA – server in a deep vault in Switzerland – and that is Proton Mail, which I joined early on. More on GMail http://mrwebsecurity.in/blog/2018/07/04/reminder-third-party-gmail-apps-can-read-your-emails-allow-carefully/ I can supply a full list of all email services and how much they allow third party access. Look, I use Waterfox; it used to proclaim it didn’t allow third parties to gather your info – not now. I have had to spend some time in about:config to stop Google etc. gathering my info, even stopping tracking APIs etc. Anybody using FF should know they are helping Alphabet Inc. (owner of Google), 1600 Amphitheatre Parkway, Mountain View, CA 94043, to become even bigger; nearly all websites including this one have dealings with Google.

DerekP says:
6 July 2018

Duncan, as someone not engaged in terrorism, espionage or political subterfuge against the UK, I’m not convinced that I need protection against GCHQ.

Maybe not, Derek, but Proton Mail does – attacked twice. I am not engaged in any of the three either, but to me that’s not the point: why be subservient to a dogma that is always at war and wants to crush those that have a different political point of view? It’s easy to cry Repression against countries that have not attacked or invaded you and then use that as an excuse to wage war.

DerekP says:
6 July 2018

Sorry, what dogma’s that…

The ongoing, continuous, never-ending war of attrition against any country that doesn’t obey the Commandments of Biblical proportions spewing forth from the Emperor of the West and the Near World, helped by this country (covertly in many cases). Hold on, somebody knocking at my door — sorry Big D, Turnberry is on the other coast. What’s that? — the R & A have blackballed you from their Open series, money obviously doesn’t talk in St Andrews — Big D – sanctions – sanctions! What’s that? I thought you said sanctuary; well, you won’t get it at Holyrood and not Menie, as they are building an offshore wind farm right in front of your golf course there just to spite you; Aberdonians are like that. Word of advice: don’t visit Glasgow tomorrow as their welcoming “kiss” will knock your hair piece off.

Is this what you are referring to Duncan?


Sorry Beryl, my security apps block YouTube. I will try it on a small open browser.

Instead of me just pointing out deficiencies I will try to be positive. I forgot to mention the EFF’s new app for email services, STARTTLS Everywhere. If you read it, it also tells why several posters on the banking convo got their emails intercepted and lost £1000s. I will post that part on the banking convo. Read https://www.eff.org/deeplinks/2018/06/announcing-starttls-everywhere-securing-hop-hop-email-delivery

DerekP says:
7 July 2018

Duncan, thanks for that link.

Gmail passed all three checks, so it is configured to use , does use a valid certificate, and is on the STARTTLS Preload List.

Excellent organisation, EFF. The Amnesty International of the internet.

There are some great tips above to prevent the usual faux pas – forgetting attachments, premature email dispatch by accidental pressing of Ctrl Return etc. I would add to this list that, for important emails requiring care, two golden things I used to do when at work.

1) I typed deliberately the words “safety net” in the “to” field before composing anything. Of course, hitting “send” didn’t work as the name was not resolved. It did remind me though that this was a sensitive email and that I needed to read through it again.

2) – a golden rule I tried to impress on my crew, particularly those who had a knee jerk as strong as my own.. Write the email the night before, and reread it in the morning before pressing “send”. It’s amazing how many you chose simply to delete instead of sending – although the odd one may get emphasised further and then sent!

I turn now to the Google thing on privacy. We all know email transport is insecure and that that is why it is such a hot topic since GDPR came of age. I see that the regulars, Duncan in particular, identify issues with the usual suspects. From my perspective neither of the two big free transport mechanisms (gmail and outlook) are watertight – in particular clicking on nefarious links can open up all sorts of problems.

I recognise the simple POP3/SMTP arrangements ISPs offer are not military lockdown either. However, what they do offer is simplicity, and maintenance of one’s own data on one’s own private storage – after deletion from the server, received emails are not accessible to others unless already sent to them. Similarly, sent emails after transmission has successfully been acknowledged are deleted from the server too (or should be).

It’s now the third time I have been notified that a comparatively new type of email attack is on the rise. It’s the fact that instead of clicking on a document etc. on emails to get malware infected, all users of email services should scan or check out (but not by clicking on) any images presented in emails, as they are now a growing platform for malware. The latest malware of this sort targets Google sites. The metadata of images uploaded on trusted Content Delivery Network (CDN) of Google have been embedded with malicious code by hackers to compromise websites. This approach is indeed damaging because users NEVER scan images for malware. The injected malware uses EXIF (exchange image file) format to hide. It goes on, but I think the Regulars and posters here should be warned that those “pretty pictures” on emails could contain not so pretty malware. As I have said before, my email client blocks them by default, as commerce already uses them to gather your data and track you JUST by downloading and looking at the images; well, now hackers are putting them to worse use. Even sweet old Gravatar uses images to gather data, but relax, even the Russians are gathering commercial data – Sovenik.market being one on Yandex – at least it’s not Google.

Fly-by malware’s been around for a long time, Duncan, which is why many email clients turn off remote images by default. As always, however, Malware shows no sign of letting up.

And did you understand the latest malware, Ian, that hasn’t “been around for a long time” and Google hasn’t overcome it by any “quick fix” download, and don’t you get the point, this convo is aimed at the public as well; did I not mention PUBLIC in my post?

Yes, Duncan, you did, and there’s no ‘quick fix’ for this malware, like much, because – as I said – it’s not letting up and constantly evolving. But there’s a huge amount of accurate information regarding malware already out there.

However, educating the public about how to deal with any malware is a difficult task and has to be approached systematically. And it needs to reach a far, far wider audience than W?Cs.

Ian, you are beginning to sound like one of my school teachers at Grammar school. What’s that saying? From small acorns doth a large oak tree grow — Rules of Enterprise – section 1 – line 1. Why do the public come here? For help; if it was as easy as you say, why does Which convos contain so many cries for help on computer subjects?

“why does Which Convos contain so many cries for help on computer subjects?” I can’t say I’ve seen that many compared to comments on other topics requiring help – consumer rights for example. Which? do offer a service to people who have computer problems.
Our friendly team can help you with one-to-one support, so you can make the most of your computer, phone, TV and other devices – free of frustration.

DerekP says:
22 July 2018

I see this thread has already featured Duncan’s usual responses towards supplementary questions and attempts at constructive criticism, i.e. antagonistic replies.

DerekP says:
22 July 2018

Duncan – thanks for posting this news.

I think it shows why folk should always get the best internet security software that they can afford, so that they are protected against this type of threat.

Thank you Derek.

Which? Tech Support. I forgot to mention this charges Which? members £60 a year, and others £72. I wonder how many would see this as worthwhile?

If I spent so much time condemning “Favorites” by other Regulars I would be heavily condemned, but it shows me how narrow-minded dogma/negative thinking/criticism for criticism’s sake prevails here. Look, if Which asked me to “go it alone” now after all this negativity I would jump at the chance.

“narrow-minded dogma /negative thinking/criticism for criticisms sake”

Is that how you view comments that don’t align with your perceptions, Duncan?

When it comes to engineering topics, Ian, which in this day and age are topics which are “irrepressible” even by the repression of some on Which convo, I am right of course; Which should stick to food, that’s not “verboten” here. The Luddites are alive and well; don’t mention (the Germans) Engineering – him of the “funny walk” so disgusted with adverse criticism that he is leaving Britain and Brexit for good.

I’d suggest it’s time for a truce on these sorts of comments. I hope I am not on my own. I appreciate all sorts of comments; some I will agree with, some I won’t. Some I ignore. I will sometimes interject a comment that may be a little provocative to shed a different view on a topic. And I am not a paragon in this respect.

What I think we should all avoid is directing criticism at each other. I see it as unhelpful and will put off potential new “regulars”. It is not an easy line to follow when you see someone with a very different view, someone who seems to oppose your view on principle (they probably don’t always mean it), and someone who challenges dearly-held opinions. Offensive, off-topic and such comments are dealt with by the moderators and we can report these.

It’s Sunday – a day of goodwill to all men…

DerekP says:
22 July 2018

Duncan, when it comes to so called “engineering topics” it seems to be quite common for other posters to comment on your posts.

Some of those comments come from other engineers.

Some of those comments come from folk who would not claim to be engineers, but are still entitled to comment, from whatever viewpoint they may have.

Given the formal basis of W?C as a forum for debate, any thought provoking post is likely to attract comments.

Most of the things we discuss on here are not simple facts that must be either simply true or untrue.

Given the support for free speech on here, this forum should be operated so as to allow reasonable and courteous debate.

I’m disappointed by the number of offensive comments that result in a discussion rather than simply clicking on ‘Report’. If a few of us do that then the comment disappears until it has been moderated.

I thought you’d gone for a walk 🙂 Ah – mobile? I think the degree of offensiveness – and some people are more easily offended than others – would determine the best action. Sometimes it seems pertinent to counter, in a non-offensive way, an unpleasant comment to explain the reasoning. It can be done without it becoming personal.

It is a bit like a thumbs down – rather than just showing your disagreement it is far more helpful to say why.

DerekP says:
22 July 2018

On YouTube, there is a thumbs up/down system, but you have to be logged in to use it and actions are reported to the OP (original poster).

It seems to be used a lot to save having to simply post “I agree” or “yeah that” when no further comment is needed.

It has been suggested in the past just to have a thumbs up, so if you disagree you need to explain. If we are to continue with thumbs in both directions I’d prefer to return to the system where the scores were recorded separately, and not where one can negate another. That does not reflect any strength of feeling and serves little purpose (in my opinion).

I’ve used rent-a-thumb (@carneades) once recently to show how it seems to be abused.

Gee; I’ve got a job title at last 🙂

Malcolm – What I was referring to was reporting posts that are clearly offensive. I reported one a few days ago and someone else said they had, but there was a discussion. We have been asked more than once to report rather than discuss posts of this kind.

I see nothing amiss with politely and constructively commenting on a post that might also have an offensive element. It takes time for reports to accumulate and be processed so flagging up concerns in the Convo seems sensible.

Where you are so concerned that a post should be immediately could be addressed by reporting it three times yourself. Does that still work? I can’t find one to try it out on, as they are fortunately very very few and far between, except when Which? goes viral.

I am simply passing on advice that we have been given by Patrick Steen etc. Yes multiple reporting works and the more times this is discussed the greater chance it will be misused.

We must also crack Ian’s thumb secret.

DerekP says:
22 July 2018

Shall I pop round to his house and get out the thumb-screws?

I’ll ask my grandparents where he lives.

Just follow the yellow brick road…

fiendish cackle…

DerekP says:
22 July 2018

My current day job sometimes involves the production of safety briefings. Sometimes the target audience for those will be everybody in the company, so I always need to present the issues in a clear and simple way. [Just imagine how many people I could upset if I didn’t do that…]

Thankfully, I don’t have to do this alone – colleagues always “peer check” what I write before anything is published.

I think Which? (and journalists in general) face similar issues, in that anything that they publish should be clear, fair and objective.

Here on W?C, I expect that most posters won’t be getting friends, family and colleagues to peer-check their posts before hitting that big orange button. Hence, I think we must rely on other posters to raise the sort of technical and editorial queries that will help us get right to the heart of each subject.

I seem to be subscribed to a new spyware and virus help website without me subscribing, but I am not complaining as it seems quite good; it’s American. The owner informs me that the Arran Brewery in Scotland (Isle of Arran, Firth of Clyde), which I have visited several times, downloaded an email purporting to come from a job applicant which included a PDF. The employees made a big mistake in opening it and their whole system was encrypted and a demand for 2 bitcoins was issued; they refused to pay. Luckily the owner knew a software engineer who spent some time decrypting the code and succeeded (it cost). It was the Dharma ransomware, which relocates to India; not only that, the spyware website supplies the unlocking code. Any female users of the fashion website Shein? If so, it’s been hacked and your data taken – 6.4 million users.

As you know I am pro BT, but just in case anyone thinks that affects my judgement on giving advice to the public on Which? then let me put them straight. I get emails from BT for various things like buying from their shop but also asking me to “turn on” their virus protection etc. as it’s part of my bundle. That I cannot do as their virus protection isn’t compatible with Arch Linux. Why am I posting this? Because today I got another one or two; both were stripped of HTML by Thunderbird to stop snooping. On checking, the URL was kosher, so just so I could advise on it I clicked on the more info button. I was taken completely by surprise when my newest and best non-commercial blocker completely blocked the web page and gave me a long spiel why – it was malware infected! One of the problems was Double Click; while seemingly innocent it’s anything but, and in its worst state takes over your mouse. There were others even worse. So this is a warning to ALL Windows users especially: do NOT click on this email from BT – it’s dangerous, read https://malwaretips.com/blogs/ad-doubleclick-net-virus/ . The other email wasn’t just as bad, only stuck many trackers on your computer. I cannot believe a massive $Billion company could stoop so low as to try and make even more money at their customers’ expense. Without any blockers the ordinary public would not know about this and get infected. Guess who designed the malware app? — Google. You have been WARNED!!