Privacy Matters: Modernizing Gmail’s Approach to Third-Party Data Access

Sarah Anderson
4 min read · Oct 21, 2020

Issue

How should Gmail respond to privacy and security-related concerns regarding developer sales of user data to third parties, in light of the 2017 Unroll.me scandal?

Stakeholders

  • Gmail customers: Our customers are the most important stakeholder — any strong policy should be tailored to their needs, from privacy to email functionality. The diversity of our customer base should be considered; corporate vs. personal customers may be affected disproportionately, as might users with varying levels of digital literacy.
  • Third-party developers: Developers using our platform offer valuable applications that build on our base services. We will need to balance developer freedom to serve our customers with the need to regulate data privacy in a standardized fashion. Currently, developers have differing privacy standards; some sell de-identified user data as Unroll.me has.
  • Regulators: While there are significant gaps in government regulation of data privacy, we need to consider existing standards such as the 2013 OECD Privacy Guidelines and the EU’s General Data Protection Regulation (GDPR). The global nature of our business requires us to account for these international standards. We should also consider how our privacy policy decisions may affect our standing in future public regulatory decisions. On one hand, policies we implement now could influence privacy norms; on the other hand, failure to mitigate future privacy violations could give governments reason to regulate our operations more stringently.
  • Competitors: Given increasing public attention to privacy issues, we need to benchmark against our competitors’ privacy standards and position ourselves as a leader in this area. Apple has been making public commitments to tightening privacy:

“We at Apple believe that privacy is a fundamental human right. But we also recognize that not everyone sees things as we do. In a way, the desire to put profits over privacy is nothing new… We at Apple are in full support of a comprehensive federal privacy law in the United States.” — Tim Cook

Criteria

  • Data protection: To what extent does this policy uphold data privacy norms and protect users from harmful access to their data?
  • Platform openness: To what extent does this policy allow Gmail to serve as an open platform for developers to build upon?
  • Impact on user experience: How does this policy impact the Gmail user experience? For example, does it allow for greater user choice in customizing their Gmail experience? What is the impact on cost to users?
  • Cost to Google: Are significant investments needed to implement this policy? To what extent does this policy affect Google’s revenue streams (e.g. selling data storage or G Suite solutions to Gmail customers)?
  • Operational feasibility: To what extent can this policy be implemented in a timely fashion? What are the resource requirements? How complex is implementation?

Options

  1. Maintain current policy: Continue allowing app developers to access and use Gmail data as they currently do. This may include selling user data to third parties.
  2. Increase user understanding of privacy terms: Require users to indicate their data-sharing preferences through a survey that can be updated at any time. Alert users when they install an app whose data practices conflict with those preferences. Create standardized, simple, and transparent language for privacy terms and conditions, featured on the main page of each app listing (examples for inspiration here). This addresses the concern arising from the Unroll.me case that users were unaware of how their data was being used.
  3. Implement stricter policies for free apps: Impose a standard, stringent privacy policy on free Gmail apps, including a ban on access to user data by anyone other than the developer. To earn revenue, some developers sell user data instead of charging for their apps. This option would eliminate that possibility and force developers to profit from direct app sales rather than potentially harmful data brokering.
  4. Ban non-developer access to user data: Prohibit all developers from giving third parties access to user data. This would eliminate the possibility of an Unroll.me scenario recurring through sanctioned channels, though it would not by itself prevent a developer that violates the policy.
  5. Ban email scanning by developers: Prohibit developer access to user email content entirely. This holds developers to the same standard we have imposed on ourselves, following Gmail’s decision to stop scanning email content for ad personalization. Apps would be limited to those that interact with metadata or the Gmail interface.

Recommendation

We at Google should pursue a combination of Options 2 (increasing user understanding) and 3 (stricter policies for free apps). Together, these policies demonstrate a firm commitment to our users that we care about their privacy, while offering developers the leeway to continue profiting from the Gmail platform. Increasing user understanding can also offer follow-on benefits if the recommended programs are implemented across Google’s product offerings. By shaping the everyday language used to communicate about data privacy, we can lead in shaping data privacy standards.

Before implementing, we should conduct user research to validate the effectiveness of these initiatives and identify potential obstacles. For Option 2, we can take a design thinking approach to rapidly iterate on new language and interface design, ideally with focus groups representative of our broad user base. For Option 3, a more involved process design is required to understand what it will take to roll out and enforce the new standards. We should conduct a pilot audit of a sample of apps before scaling up. Developers should also be given a grace period to decide whether to transition to a paid model or keep their app free before we begin auditing their services.
