DPI 662

Memo 3

To: Sundar Pichai

From: Product Policy Team

Subject: Privacy concern of Gmail related to third party vendors

Date: October 20, 2020

Owning 65% of the email market and serving more than 1.4 billion users, Gmail has already grown beyond an email application. Gmail and third-party applications constitute a service and business ecosystem. While Gmail acts as a digital platform, these applications have improved and expanded Gmail's existing components, attracting new users to our email service. However, as a less regulated part of the ecosystem, third-party vendors also raise privacy concerns for Gmail users.

 

The privacy concerns related to third party vendors

 

Third-party vendors who build Apps on Gmail can drag Google down in terms of privacy issues. The intentional or unintentional misuse of customer data by third-party vendors can raise significant privacy concerns among our Gmail users and harm the whole ecosystem. One recent case of misuse is Unroll.me, a third-party application that helped users unenroll from email lists. This vendor was reported to sell anonymized Lyft receipt data to Uber. Moreover, many third-party vendors are selling anonymized Gmail data. Although the data are claimed anonymized, it is still scary for our users. Furthermore, if we take no action, it will impact our reputation among users of the free version of Gmail and make corporate customers less confident in the security of our products.

 

Possible strategies to address the new privacy concerns

 

Before coming up with strategies to address privacy concerns related to our third-party vendors, we need a clear principle. It is the balance between cultivating a vibrant business ecosystem and protecting our users’ privacy to the extent that it does not become a concern. Following this belief, our team proposes the following strategies for your consideration:

 

  1. More rigorous regulations for using customer data. Anonymization is far from enough. One example is the scandal of a leaked anonymized location dataset (see this New York Times piece: https://www.nytimes.com/interactive/2019/12/19/opinion/location-tracking-cell-phone.html). We need all customer data accessed from Gmail de-identified, although de-identifying a dataset is now very challenging. Thus, to support a more rigorous practice of using customer data, I urge the engineering team to work with us to release a de-identification standard.

  2. A bonus-malus system for a higher cost of misusing customer data. Keeping a vibrant service and business ecosystem does not mean we should connive the activities taking advantage of our users and misusing users’ data. While offering rigorously anonymized and de-identified data to third-party developers, we may create a list of developers and vendors identified as misusing customer data. These developers and vendors are then limited in their capacities in the Gmail ecosystem.

  3. Requirements on a more clear statement of the use of customer data in the terms of service. An average user may find it hard to understand all the conditions in the terms of service by these third-party vendors, leaving some loopholes for data misuse. In addition to the existing terms of services, we can require our vendors to include a more concise and visually clear statement about how they are going to use customer data.

 

All these proposed strategies will not negatively impact the resources and opportunities of the third-party vendors who practice rigorously but introduce extra protections to users’ privacy. We believe these strategies can help keep a vibrant and healthier ecosystem.