Some Third-Party Email Apps Let Employees Read User Emails

[ArtOfWarfare]

Which has nothing at all to do with this.

Of course it does. People are acting shocked and outraged that someone is possibly (although almost certainly not) reading their email. Is it really that employees of these specific companies are reading their emails that concerns them? Would they rather it was a totally random person they knew nothing about? Of course not.

It's always been the case that your email was potentially being read by someone other than who you meant to send it to. I find it unlikely that the odds have even significantly changed. These companies are probably dealing with billions of emails per day. Probably a few times a month they pick a few dozen to have a human being actually look at. So the odds are somewhere on the order of 1 in a billion that one of these employees actually read your email.

 

[barthrh]

Wouldnt the burden fall on the user who signed up to use this app?

No, the burden is on the sender. The sender has possession of the PHI and it's their responsibility to safeguard it (i.e. don't put it in an unencrypted email).

 

[Arran]

This is the reason I always use the built in Apple apps wherever possible (plus it’s just easier since they’re installed by default of course, and are linked to iCloud). Yes, you can find alternatives to Mail, Safari, Maps, Messages, Notes, and just about everything else that have some nice features.

But Apple takes privacy seriously and they are doubling down on it in recent years. I’m not saying it’s impossible that some bug doesn’t leak my data from an Apple app, but I always feel confident they are doing the best they can to protect my data, are not selling it to anyone, and will not use it for nefarious purposes. These days that’s a huge selling point for me.

I’m of the same opinion. Apple has its reputation at stake. Fear of reputational damage triggering huge financial loss is what keeps them honest.

These little tech start-ups OTOH? They’re mostly about a few founders making a quick killing and cashing-out. Rinse and repeat. Open and honest isn’t in their game plan.

 

[cobracnvt]

Probably a few times a month they pick a few dozen to have a human being actually look at. So the odds are somewhere on the order of 1 in a billion that one of these employees actually read your email.

Don't assume this - You have to also keep in mind how development teams work. There is likely a number of huge database files containing all this email, that have been copied to every developer's local software development environment, both on-shore and off-shore for creation of the email tools. There are also likely developers that work from home, so they have a local copy on their laptop, likely not encrypted since it's just email. The smaller the development company developing these email products, the more likely that nobody is keeping track of how many copies of this email data exist, nor where it exists or whom has the task to delete it when done. There's probably similar copies floating around in their QA testing environments, again, probably local and off-shore as well.

 

[adamjackson]

I'm honestly surprised this isn't exploited more. Consumers are dumb and will grant access to anything.

This is my thought. When you OAuth something, you're giving a 3rd party access to your data. To present your emails to you within your app, they are touching every bit of them. Google/Facebook/Flickr and many other services responsibly tell the user "You are giving access to this app of your Info, Contacts, Messages, Phone number, Birthdate, NewsFeed, etc, etc, etc" and you click "OK"

What they do with that data after, especially if that app is free to use is up to them. The only way to own your email without any one accessing it is to prop up your own VPS with WHM or another software and lock it down with a private key and use 1st party applications from Apple or Microsoft..heck even Thunderbird would work. By using someone else's server for your email and not paying them anything for that access, you can't be pissed when someone can access your data.

 

[nsayer]

I see. So server-to-server (not just client to server) uses SMTP that can use SSL, and SMTP will call back to the relevant server to verify the sender address, so that's safe. I think that wasn't the default for a while because I used to be able to send spoofed emails to myself, but I forget which provider I was using. Oh yeah, and my private email had that issue, lol.

Well, the server-to-server comms can use SSL, but SMTP has no particular authentication for that. The best we can do is include DNS information for a domain listing the conditions required for email received “from” that domain to be deemed legitimate. For example, it must come from particular IP addresses and be signed with DKIM using a particular key pair. That can eliminate forgery (assuming everyone pays attention), which forces spammers to use their own domains, but they go through them too quickly. The best you can do is just wholesale block new top level TLDs entirely because they’re just 100% spam, but even those are now proliferating too rapidly to keep entirely up-to-date.

Hmm, then I don't understand all the complaints in this thread saying the protocol is insecure. It's sometimes insecure by default / silently insecure in cases of misconfiguration, is all. But in theory it's the same security as anything else if you do everything right.
[doublepost=1530601480][/doublepost]
You can't use S/MIME with the Gmail client*, but you can with your own client and Gmail servers, right?
* except enterprise customers

The problem with email is that all of the security amounts to kludgey bolt-ons that remain mostly optional and are reputational in nature. Spammers just buy throw-away domains like toilet paper, and if you take a default-block posture, you get too many false positives.

 

[Defthand]

Ok, I just read the privacy policy on Edison’s site.

The email app is a front isn’t it?

Really what they’re doing is making a ‘cool’ and useful app - and marketing it as such - and using access to your account to then scrape loads of data from your email receipts about what you’re buying, what marketing emails that you’re getting and reading etc. and selling that data onto their partners.

There’s no mention in the App Store that that is what they’re doing.

And why is Apple letting them into the app store when the primary functionality - an email client - is basically a front to hide their true intentions?

Good point. An app's description in the App Store should have a privacy rating. Apple could easily read an app's privacy disclaimer, or audit the backend's protocols, and stamp qualifying apps as safe or risky. In fact, the qualification process could be a paid feature. Devs could pay Apple to audit the app. An earned approval stamp would give potential users peace of mind.

 

[DNichter]

I am not sure why it matters. Google has full access to all of your emails no matter what application you use. Anything to collect more data and monetize their users.
[doublepost=1530629434][/doublepost]

Good point. An app's description in the App Store should have a privacy rating. Apple could easily read an app's privacy disclaimer, or audit the backend's protocols, and stamp qualifying apps as safe or risky. In fact, the qualification process could be a paid feature. Devs could pay Apple to audit the app. An earned approval stamp would give potential users peace of mind.

I like this idea a lot.

 

[Naraxus]

What else would they be selling? Your data is all they've got.

The don't sell your data. That's an Apple talking point to confuse what both companies do. Google sells what are called Targeted Ad Slots which are completely anonymous. It's also what Apple did & does with its App Store recommends and the now-defunct iAds.

 

[DNichter]

The don't sell your data. That's an Apple talking point to confuse what both companies do. Google sells what are called Targeted Ad Slots which are completely anonymous. It's also what Apple did & does with its App Store recommends and the now-defunct iAds.

You’re right, but those targeted ad slots come from their customers’ data. That’s what makes them targeted. In the end, your personal data is the primary revenue source of the Google advertising company. Apple does it to some degree, but it doesn’t make up 95% of their revenue.

 

[Michael Goff]

You’re right, but those targeted ad slots come from their customers’ data. That’s what makes them targeted. In the end, your personal data is the primary revenue source of the Google advertising company. Apple does it to some degree, but it doesn’t make up 95% of their revenue.

A) 86%
B) That's still not selling your data. Google has the data, they hoard the data, it does not get sold.

 

[bwintx]

"Customers concerned with how their emails are handled by third-party apps should stick with first-party apps such as Gmail or Inbox by Gmail for Gmail users."

That just kicks the can a little further down the road. Google admits freely that they read all your e-mail if you use gmail.

I run my own mail server.

Yes, it's a lot more work, and not everyone can do it properly, but it pretty definitively solves the privacy problem.

Any recommendations you might have? Hardware, OS, email server s/w, anti-spam remedy, etc.?

 

[kdarling]

You’re right, but those targeted ad slots come from their customers’ data. That’s what makes them targeted. In the end, your personal data is the primary revenue source of the Google advertising company. Apple does it to some degree, but it doesn’t make up 95% of their revenue.

lol so you want to give Apple a pass because it makes less money trying to doing exactly what Google does?

Perhaps you don't remember that Apple thought its ad slots, targeted using their private Apple customer data, would be worth much more than Google's targeted ad slots using web data... and so Apple started out enforcing a minimum million dollar buy-in.

Unfortunately for Apple, their customers turned out to not be such a good investment for advertising, and Apple had to continuously reduce their ad costs, until they finally gave up. At least with those kinds of ads. They still use our private data to sell app ad slots.

 

[DNichter]

A) 86%
B) That's still not selling your data. Google has the data, they hoard the data, it does not get sold.

Ah I hadn't looked in a while, I am showing 90% in 2017, but it could have certainly gone down. I mean, you can word it anyway you want, but in the end - Google only exists to collect user data and serve up ads.

 

[826317]

thats one stupid thing to say. if you use apple mail with edison they can read your apple mail too.

From what I gathered Edison is merely an email application not an email service. So how can one use Edison WITH Apple's mail application??? Please correct me if I'm wrong, but I don't see how that would work...

 

[DNichter]

lol so you want to give Apple a pass because it makes less money trying to doing exactly what Google does?

Perhaps you don't remember that Apple thought its ad slots, targeted using their private Apple customer data, would be worth much more than Google's targeted ad slots using web data... and so Apple started out enforcing a minimum million dollar buy-in.

Unfortunately for Apple, their customers turned out to not be such a good investment for advertising, and Apple had to continuously reduce their ad costs, until they finally gave up. At least with those kinds of ads. They still use our private data to sell app ad slots.

No, I said they do it to some degree, but their entire company isn't built on collecting their users' data and selling ads. There is a difference.

 

[Michael Goff]

Ah I hadn't looked in a while, I am showing 90% in 2017, but it could have certainly gone down. I mean, you can word it anyway you want, but in the end - Google only exists to collect user data and serve up ads.

In the same way that Apple exists primarily to sell iPhones, yes. I can't argue against the idea that Google makes most of their money from Advertising.

 

[kdarling]

No, I said they do it to some degree, but their entire company isn't built on collecting their users' data and selling ads. There is a difference.

I think the fact that ads are not even Apple's primary business, (not to mention their pointing fingers at other companies), makes it even less possible to excuse their continued attempts to make money by selling access to us via our private data.

 

[KanosWRX]

This is real scary and completely irresponsible for Google to allow this.

Its not just Google that does this though, any app that could display your emails could potentially do this, even on Apple I am guessing. Unless you stick with the built in mail app of course. So if you didn't want anyone reading your email on Google, just stick with Gmail and don't let any other apps access your mail.. nothing surprising or frighting here, if you give people access what do you expect..

Honestly, I feel news sites blow this stuff up way out of proportion just to get clicks or eyeball's... Sometimes the media does go to far and makes things up without reporting an honest story with perspective from both sides.

 

[DNichter]

I think the fact that ads are not even Apple's primary business, (not to mention their pointing fingers at other companies), makes it even less possible to excuse their continued attempts to make money by selling access to us via our private data.

It comes down to a personal decision. I trust that Apple doesn't sell my personal data to advertisers based on their privacy policies and somewhat, motive. I prefer not to use Google's products or services because they only exist to collect user data and sell ads. I see this as problematic in the future, while Apple seems to be standing firm on privacy and moving in the other direction (not perfect, don't get me wrong).

 

[bluecoast]

Can anyone recommend a really good - and powerful - email service that will never scrape your data?

Ditto an email app.

I know that Apple won’t, but iCloud email is pretty basic. Ditto Apple Mail.

P.S. I do understand that it’s apps and not necessarily email services that are scraping emails.

 

[DNichter]

In the same way that Apple exists primarily to sell iPhones, yes. I can't argue against the idea that Google makes most of their money from Advertising.

Absolutely. I would rather support a company that sells a product opposed to a company that sells ads. It's just a personal preference, but I find their data mining policies creepy and problematic to society in the future. A lot of people are more than happy to give all of their data to Google for a free service. It's just not for me.

 

[bwintx]

From what I gathered Edison is merely an email application not an email service. So how can one use Edison WITH Apple's mail application??? Please correct me if I'm wrong, but I don't see how that would work...

Have read comments from people who use Edison for Gmail notifications only (because Gmail doesn't do iOS push) and then read the email with the iOS stock app.

 

[Michael Goff]

Absolutely. I would rather support a company that sells a product opposed to a company that sells ads. It's just a personal preference, but I find their data mining policies creepy and problematic to society in the future. A lot of people are more than happy to give all of their data to Google for a free service. It's just not for me.

I can totally understand what you're saying. We all just need to know what our privacy and personal information is worth to us and whether or not we're okay with whatever company having it in exchange for whatever product we use. I'm two months away from deciding whether I'm sticking with Android or going back to iOS myself. But that's more of a "do the new iPhones interest me" sort of thing.

 

[DNichter]

I can totally understand what you're saying. We all just need to know what our privacy and personal information is worth to us and whether or not we're okay with whatever company having it in exchange for whatever product we use. I'm two months away from deciding whether I'm sticking with Android or going back to iOS myself. But that's more of a "do the new iPhones interest me" sort of thing.

Yup, it all comes down to what's important to the individual user. My viewpoint is certainly not like everyone else's and I know there is a ton more work to do in this area. Apple have at least, on the surface, shown that they value privacy more than other tech companies. That's interesting, why the change? Or are you just waiting to see what Apple introduces in the fall?