Privacy is the new flavour of the month in Silicon Valley, with many large tech firms looking to add controls and reassure users in the face of scandals and bad publicity. Google holds a lot of personal information on us all, so it needs to act responsibly when granting access to our data. Today it seems there’s a bit of a disagreement with Microsoft over how the company’s SwiftKey keyboard accesses users’ data in Gmail.
Warning Email
Users are today reporting that they’ve received an email from Google informing them that SwiftKey’s access to their account will be terminated in mid-July if the app doesn’t adhere to Google’s updated data-use policies.
Anyone else had this email from @GoogleUK about revoking access to @SwiftKey??
Assume it's because I've given access to learn from Gmail, to Sync my settings to also.
Have Google decided SwiftKey are up to something with data. Or is this something else? pic.twitter.com/RMWekD4YZm
— James Pearce (@jp_hero) June 26, 2019
SwiftKey uses data that it gathers from your Gmail account to aid in personalisation – it can see words and phrases that you use commonly in your emails, and adjust its suggestions and personal dictionary for you accordingly.
It seems that SwiftKey might be requesting more permissions than it needs in order to do this. When connecting, it asks to “View, manage, and permanently delete your mail in Gmail”, “Create, update, and delete labels”, and “Compose and send new email”.
Risk Reduction
Google has been updating policies around data use of late, mandating that developers only request access to services and features that they need in order to deliver the features they’re shipping to users.
For example, an app shouldn’t request the ability to send email if it’s not going to send emails.
It’s a good practice to adopt – if SwiftKey’s systems were compromised, the attackers could gain the ability to send email from the Gmail accounts of everyone connected to it.
SwiftKey’s functionality doesn’t (as far as we know) require it to send emails or manage labels in your Gmail account.
Bundled permissions are often a problem in these cases as well – companies might grant access to multiple features under one permission. Looking back at the permissions SwiftKey requests, it’s unclear whether it can continue to read your emails without getting the ability to delete them, for example.
Google has said that interactions with Gmail will require more specific permissions in the future, so perhaps this is an ambiguity they’re seeking to resolve by deprecating the existing blanket permission.
Looming Banhammer?
Google’s email to users states that SwiftKey has until July 15 to update its permission usage, or have its access revoked/limited.
The email is intended to warn users that functionality provided by a connected app on their account may break if the permissions it’s using are revoked, and it does look like it’s an automatic system-generated email, although we haven’t heard of anyone else receiving it for other apps.
It does seem unlikely that two tech giants will allow this to go on without a resolution in the user’s favour, so we’re waiting to see this dealt with, er, Swiftly.
We’ve sought comment from SwiftKey to get their side of the story, and will update when we know more.