The Middle Road is Valuable, Private, and Secure

To Sundar Pichai, CEO of Google, Inc. and Alphabet, Inc.

This memo addresses certain trade-offs to consider from the perspective of Google, its developers, and users as we set policies for ourselves and third-party vendors who are interested in leveraging Gmail data. The Wall Street Journal’s coverage of how sold Lyft’s receipt data to Uber brings to the forefront issues facing this platform, mainly those of value, privacy, and security. This memo recommends pursuing a path in between an outright ban of scanning emails and doing nothing.

What is the value of allowing third-party vendors to interface with Gmail?

The question of value has at least two meanings in this context: monetary value and usefulness. In monetary terms, the data is clearly valuable as demonstrated not only by, but from years of established revenue from Google monetizing data for advertisements. Usefulness is really driving at how value can be created from collecting, working, and analyzing data for users. Gmail’s APIs are the engine that makes the data useful and interactive.

Developers: There is a clear interest in retaining access to the data to just monetize it by repackaging and scraping it. Developers can also build applications for their enterprises on top of the APIs.

Google: Value comes from getting developers to build on the platform and from attracting individual and corporate users. As the manager of the data, we really hold the keys to unlocking the value of the data. Google also charges developers to access the platform and corporate customers for access to Gmail services creating monetary value.

Users: Gmail offers storage space, superior search capability, and a clean user interface. Individuals can get free accounts, while corporate customers must pay for Gmail services.

Generally, there is a question here of who “owns” the data between these various stakeholders. Is it the manager of the data, the ones who build off the data, or those that produce the data?

What are the privacy concerns of allowing third-party vendors to interface with Gmail?

Privacy is a key tenet of this debate. Emails are complex; they can consist of legal documents, sales receipts, love notes, or even spam. Currently, Personal Identifiable Information (PII) is protected, but are those protections enough?

Developers: Developers will really run the spectrum here. Those that care about protecting and respecting privacy versus those that want the most personal information to monetize it. Their own applications may have privacy rules, but it would be too tedious to evaluate this on a case by case basis for Google. Developers have medium power in this as their interests are important to the success of the platform and in drawing in users.

Google: Google stopped accessing this personal content out of consideration for our customers. Google has the ultimate power to set the rules. Over the years, our privacy policy grows longer and more intricate to protect the platform and users.

Users: Users in some studies read privacy policy statements less than 1% of the time and even when they do, they spend only a couple of minutes to skim pages and pages of text. While users could play an active role in engaging with this material, there really are not many options even if they do not agree with the terms. Users have low power in setting privacy terms, but ultimately are the central consideration of whose privacy to protect.

What are the security concerns of allowing third-party vendors to interface with Gmail?

Phishing, spam, clickbait, and viruses are just some of the examples of how Gmail’s security can be compromised. Preserving the user experience is directly in line with ensuring that they continue to feel safe sharing on the platform.

Developers: Developers can be both a provider of security or a threat. They can develop applications that expose sensitive information and compromise security details like passwords. On the other hand, they can develop applications that are meant to secure passwords or provide services that enhance security such as single sign-on access.

Google: Google sets the terms for security. We play an active role in scanning emails for the purpose of protecting against attacks. This is a core part of the value we provide to our users.

Users: Users are looking for a safe environment to house their data. The integrity of the system and its ability to function is directly linked to its security and functionality for users.

What are the options and their impacts?

The options below weigh the benefits and costs to different users based on our three considerations. The relative value of each can be weighted differently by the reader, but it is meant to illustrate the tradeoffs that could be made. A + sign indicates a benefit, a — sign indicates a drawback, and 0 indicates neutral from the current state.

  1. Make no changes.

The effect here is more nuanced. The impact of the WSJ article brings to light issues of what is the value of personal data. While it indisputably great even if we take advertisement revenue as a proxy for the value, it is not clear how long this value can be maintained. If the users decide to leave Gmail as they feel their privacy rights are being violated, then the entire platform is in jeopardy. There is an outside chance that regulators might also feel compelled to act, which could erode value.

2. Prohibit third-party developers from scanning email data.

For developers, limiting access to the email content will have a significant impact on businesses like They are providing a free service in exchange for access to the data that they later repackage and resell. For Google, this begs the question is there any value to interfacing with Gmail besides the email content? Simple actions like sending automated emails, accessing calendars, etc. are other features of the API, but further analysis is required to see where the value actually rests. Other impacts on Google could be that developers would no longer be incentivized to leverage the platform. As for security, applications that developers were creating may no longer be profitable. Google and users will benefit from additional privacy and security as there will be overall less threat to accessing the personal data.

3. Allow email content to be scanned if the third-party plays some role in its creation or active management.

Somewhere between scanning all emails and no emails lies this option. Strategically, Google should be thinking about how it can enable value creation. Targeted email campaigns, testing unique subject lines, developing email signatures, etc. are just some examples of how businesses can leverage Gmail’s API to help users. This is markedly different than, as they created an easy to use the product to simply gain email access so that data could be mined and sold. The impact here is that if done correctly it will only help to further drive the product’s market penetration, while perhaps even generating new users. New rules can be developed to expand the scope of PII. Privacy overall is preserved by limiting access. Managing this will be difficult because establishing how value is created versus data being scraped for resell requires oversight, but it is worth taking this step as it will increase value for all stakeholders.

Please note this posting is part of a class assignment in which I am meant to write as a team member of the Google Gmail Team.