Worried about Gmail snooping? Here's Google's advice on keeping your account secure

Google issues a defense of Gmail-security following a report into third-party firms accessing users' emails.

Google has posted a defense of Gmail's privacy protections after a Wall Street Journal report found the service was allowing third-party companies to read personal emails.

The WSJ reported that employees at firms offering personalized services, such as shopping and travel suggestions, are accessing and reading Gmail users' messages.

While not referencing the story directly, Google Cloud's director of security, trust and privacy, Suzanne Frey, published a post in the wake of the report, in which she outlined Gmail's privacy protections.

"We continuously work to vet developers and their apps that integrate with Gmail before we open them for general access, and we give both enterprise admins and individual consumers transparency and control over how their data is used," she wrote.

Before a third-party app can access Gmail messages, Frey says the software is submitted to "a multi-step review process that includes automated and manual review of the developer, assessment of the app's privacy policy and homepage to ensure it is a legitimate app, and in-app testing to ensure the app works as it says it does".

A key part of this review is ensuring that apps only collect data they need and don't misrepresent how they are using this data, according to Frey.

How to keep your Gmail secure

Third-party apps need to have been given explicit permission by the user before those apps can access personal data, Frey said, adding that these permissions can be revoked using the Security Checkup page in the user's Google account.

Those concerned about third-party access to their Gmail account can also visit myaccount.google.com and select the Apps with account access page, from which they can revoke any previously-granted permissions.

Business users enjoy a wider range of protections, with G Suite admins able to screen connected OAuth apps to limit the data access that individual users are able to grant.

Google ceased scanning consumer Gmail messages to personalize ads to users in June last year, a point that Frey stressed in her post yesterday.

"We do not process email content to serve ads, and we are not compensated by developers for API access. Gmail's primary business model is to sell our paid email service to organizations as a part of G Suite."

Public awareness of privacy issues has been heightened recently, following the Cambridge Analytica scandal, in which the data firm was accused of using the personal information of millions of Facebook users to try to change election results.

Despite Google's assurances, David Emm, principal security researcher at Kaspersky Lab, says the WSJ's findings show how important it is for individuals and businesses to pay close attention to the permissions they give third-party apps.

"We have a right to privacy - but we need to be aware of what terms and conditions we are agreeing to when signing up for free email and social-media accounts, especially regarding the rights we are waiving or the access to data that we are giving away," he said.

"We should also think twice before allowing third-party apps to connect to our accounts."

The big takeaways for tech leaders:

·         G Suite admins can screen connected OAuth apps to limit the data access that individual users are able to grant.

·         Those concerned about third-party access to their Gmail account can visit myaccount.google.com and select the Apps with account access page, from which they can revoke any previously-granted permissions.