If you’re one of hundreds of millions of people using the Gmail app on your iPhone, then Google’s stark new data harvesting disclosures should serve as a serious warning. You should delete the app from your phone today—here’s why.
The news this week that Google will not develop secretive new methods to track its users across the internet is very welcome. Ignoring the fact that its existing stance on tracking is now under investigation, it’s good that, yet again, Google is finally hurrying after Apple on the privacy front, before it falls too far behind.
Protecting the privacy of users is a philosophy—a fairly binary one at that. You either believe it’s the right thing to do, or you don’t. And if you appear to be ticking boxes, with times changing around you, then it comes across as fairly hollow. Whether you’re an Apple or Google fan, iPhone or Android, Safari or Chrome, you’ll know that privacy is core to Apple’s DNA—that simply isn’t the case when it comes to Google.
As ESET’s Jake Moore points out, “Apple is ramping up its privacy claim, firing on all cylinders to keep their users’ data protected. With data firmly being the currency of the 21st century, Apple, as ever, is thinking outside the box with how it operates.”
More evidence of this in recent days, as Google has belatedly started adding privacy labels to its most popular titles on Apple’s App Store—including YouTube and Gmail, with more to follow. I’m sure it’s just an unfortunate coincidence that Google stopped updating these apps at the exact time Apple mandated that any updates needed to carry such labels and is only now putting those in place.
These privacy labels have become a game-changer in a world where smartphone users and their information have become a product fueling the staggeringly sized mobile marketing industry. As alarming as browser tracking might be, when an app on your phone can tap into all of the information it carries, and then use that to algorithmically determine how best to manipulate you into buying goods and services, that’s worse.
Some have suggested that Google might have been carrying out work behind the scenes to tone down its data harvesting. I doubt that’s true at any scale. And so, here’s a different theory. If you need to cross a minefield, then better someone else goes first. The global media storm awaiting the results of Apple’s privacy label launch was just such a minefield, and Google was able to watch (and learn) as Facebook went first.
Not only did Facebook’s various missteps plot something of a path, but they also took the sting out of the media response—privacy labels were news for a while, and then that inevitably faded. There has certainly been no first mover advantage here. Countless articles appeared on the release of Facebook’s (alarming) privacy labels. WhatsApp’s woes, in particular, became something of a viral storm. Google’s delayed and now gradual approach has triggered a much more muted response.
Gmail tops iOS “productivity” installs, but was not updated for months.
Google is a data harvesting machine in the same way as Facebook. And when it comes to platforms like Gmail, which is linked to your Google account and the other services you consume, there are multiple ways to collect your data and monitor your activity.
Gmail’s privacy label is not pretty—you can see it below. The contrast with Apple Mail is stark, and so the comparison with Outlook may be more potent. Not only are Gmail’s labels much longer, but it captures your identifiers in every category. Gmail is also the only one of these three leading iOS email apps that says in its privacy label that it uses your identifier and location data for third-party advertising.
“A picture is worth a thousand words,” security researcher Sean Wright points out. “Contrasting the apps makes it pretty obvious what the differences are.”
Apple Mail Vs Microsoft Outlook Vs Google Gmail
In response to this story, Google told me that the data it collects is used to “provide helpful and personalized experiences in Google products, including faster searching and automatic recommendations,” and that users “can control what activity gets saved to their account or delete their activity at any time.” The company also pointed out that “Google will no longer use the Identifier for Advertisers (IDFA) or other information in scope of Apple’s App Tracking Transparency policy on iOS for personalized advertisements and ad-related measurement in the near future.”
Google also pointed me to comments made by CEO Sundar Pichai: “We don’t sell your information to anyone, and we don’t use information in apps where you primarily store personal content—such as Gmail, Drive, Calendar and Photos—for advertising purposes, period.” Full details on its data privacy policies, Google said, can be found within its online help centre.
Gmail can gather most of the information on its privacy label from your use of the platform itself, whichever app or browser or client you use. And remember the difference between actual content “in apps” and the metadata around that. There are also data fields your phone provides that Google may not have been given access to—your location, your contacts, your search history, for example. And while the privacy labels are just an indicator of the most harvesting an app can do (they don’t tell us exactly what’s being taken and for what purpose), they tell us what we need to know.
Tommy Mysk, one of the researchers who caught TikTok snooping on iOS clipboards and Facebook downloading user links, explains that “while the Gmail app might be able to collect more info than Gmail in a web browser, the majority of the issues highlighted by the privacy labels still apply anywhere you use Gmail. Google has gigantic computing capabilities. They can infer all the data on their backend service.”
Clearly true. But if we don’t pick and choose the apps we install based, at least in part, on the data they collect from us, then we send the message that it’s open-house on our information, that anything goes. If you access Gmail on your iPhone using a browser or through Apple’s own mail client, then Google is collecting less of your data and you are exercising more control. You are sending a message. As for the fact that Google collects so much data at the backend—well, that might be a reason to ditch Gmail altogether.
Absent any controls, Cyjax CISO Ian Thornton-Trump warns that “the ‘collection’ of all these data points may be fed into an AI model which may spawn a host of ethical questions around your inbox. Purchase confirmations could indicate health, marital status, political and religious persuasion, births and deaths… Will AI make suggestions that are crass, inappropriate or even offensive?”
This isn’t a suggestion that Gmail is taking steps in this direction—and Google says it doesn’t mine Gmail content, only metadata. Users can draw their own conclusions as to the algorithms operating behind the scenes based on the ads they receive. “I often wonder if email has become so noisy that it’s now become nearly unmanageable and if there is any profiling for advertising?” Thornton-Trump says.
Gmail isn’t the only Google app now coming under scrutiny following these data disclosures. The privacy label for Classroom, for example, an app many have been forced to use as they homeschool their kids, is pretty depressing given what it’s being used for and that it’s mandated by many schools.
“Google’s primary business model is based on advertising,” Wright says, “and this shows in terms of the amount of data they collect from individuals. You could argue this is somewhat ok if you are not paying for that service, but what for their paid services like Workspace?”
I haven’t included Google’s YouTube, which has an even worse privacy label, because as a marketing platform that’s par for the course. Unsurprisingly, YouTube passes a lot of that data to advertisers. It’s very different with apps used for work and private communications. But, worryingly for Gmail users, it’s the only one of the four Google apps in the chart below that says that it uses your data for third-party advertising.
“It does seem like Google took a bunch of Edward Snowden presentations,” Thornton-Trump says, “and said ‘we should do this. Imagine the marketing and advertising opportunities if we monitor everything someone does online.’”
With Gmail in particular there are parallels with Facebook Messenger. If you know that a company has built a business mining and monetizing your data, then you need to beware the data you make readily available. WhatsApp’s defense against its own privacy backlash was to highlight its end-to-end encryption, the privacy of your actual content. You don’t get that with Messenger. And you don’t get that with Gmail. Albeit Google says it doesn’t mine the content itself.
Andy Yen, Founder and CEO of uber-secure ProtonMail, tells me that “it shouldn’t come as a surprise to see how much personal data Gmail collects. Google’s entire business model revolves around collecting as much private information on users as possible in order to benefit advertisers and other third parties. Even Apple Mail collects more data than it needs. It’s possible to provide reliable email while collecting minimal information.”
According to Moore, “iPhone users with the Gmail app are breaking Apple’s desired ecosystem. But as Apple Mail allows Gmail accounts to be used, this latest revelation may make those people use the native Apple Mail app instead to reduce data leakage.” So, delete the Gmail app on your iPhone. If you’re sticking with Gmail itself, then you can use Apple Mail as the client.
Whether you’re on iPhone or Android, the last two years have seen the biggest ever shift toward protecting our privacy. But only if we use the tools that are in place to disable trackers and limit data capture, and if we judge the apps and services that we use by the liberties they take. What happens next is down to all of us.
“The amount of data connected to us can be extremely powerful and lucrative,” Moore says. “But the more people understand the trade-off behind our apps, the more companies will start to sway in removing such linked data.”
Updated later on March 6 with comments from Google.
Zak is a widely recognized expert on surveillance and cyber, as well as the security and privacy issues associated with big tech, social media and communication