Responding to the Unroll.me Scandal: Combining Platform Benefits with Privacy Protection on Gmail

Lucas Kitzmüller
4 min read, Oct 21, 2020


Source: https://www.google.com/intl/de/gmail/about/

Allowing Gmail users to share their data with third-party developers greatly improves Gmail’s value proposition. The current product policy allows third-party developers to request Gmail users’ data and use them to provide additional services on the Gmail platform. Gmail can thus address a wider range of customer pains and gains. The large number of third-party apps available and their high uptake by users are evidence of the success of this model.

However, data sharing between users and third-party developers also poses privacy risks, which may undermine trust in, and eventually demand for, Gmail. The current Unroll.me scandal serves as a case in point. Unroll.me provided a convenient tool for customers to organize their inbox but also used its access to user data to sell market research insights to other private companies. Unroll.me was compliant with the current product policy, since it disclosed its intended use of personal data in its privacy policy. However, many users were unaware that their data were used in this way and, as emails often contain sensitive information, felt uneasy about the content of their emails being sold to other companies. Further, although the data sharing was an agreement between users and Unroll.me, users do not fully differentiate between the Gmail product and a third-party app, resulting in reputational costs for Google.

To reap the benefits of the platform approach but also address privacy concerns, I suggest the following two changes to Gmail’s product policy.

Recommendation 1: Ban third-party apps that use user data for purposes other than directly delivering services to users.

Third-party apps may be classified into two categories: (1) apps that leverage user data exclusively for providing services to Gmail users, and (2) apps that leverage user data for providing better services but also in ways which do not directly serve customers. I argue that we should keep apps in category 1 but ban apps from category 2.

The business model of some of the apps in category 2 is to provide a simplistic service to Gmail users in exchange for wide-ranging access to user data, which are subsequently monetized by selling them to other companies. It is not in Google’s interest to keep these apps on our platform: they do not seek to improve user experience but rather exploit users’ lack of awareness to get access to Google’s unique competitive advantage, our customers’ data. As Gmail itself is currently not monetizing email content through Google Ads after receiving pushback from “G Suite” corporate customers, we should not allow other companies to benefit from this trove of data either.

Note that some apps in category 2 do provide genuinely useful services to our customers and merely monetize users’ data to cross-finance these services. Banning them as suggested in this proposal may diminish the features Gmail can offer its customers. However, even if we improve the transparency of data sharing agreements as described in recommendation 2, many users will still lack awareness of how their data is re-purposed by third-party developers, with reputational risks for Google. Further, differentiating between apps that provide genuinely valuable services and apps that use their service only as a gateway to our customers’ data is difficult for Gmail app reviewers to do in practice. That said, apps that do provide valuable services to our customers may manage to survive by charging customers directly for their services.

Recommendation 2: Set up common rules for data sharing agreements between users and third-party developers on the Gmail platform.

Even if email data can only be used to improve the Gmail product experience, users may still be unaware of, and uncomfortable with, third-party apps scanning their email content.

To improve user awareness of how their data is used, I suggest that Gmail establishes a common framework for third-party developers requesting access to user data. This means that Google classifies user data into different categories (e.g., profile information, email content data, email metadata, etc.), and when third-party developers want to access data from one of the categories, users are shown a message that clearly and completely describes how and why the app uses this data. Limiting collection by data type and requiring purpose specification in data requests, presented to customers in a consistent look across apps, increase the salience of data sharing agreements to users, especially compared to the status quo, where this information is hidden in often obscure language in long privacy policy documents. Compliance with these rules will be verified in the app review process. The classification also allows Gmail to set up a ‘privacy center’, where users can conveniently view and manage their data-sharing agreements with different third-party apps for different types of data.

In sum, the product policy still operates on the basic principle that users can decide to share their data with third-party developers in exchange for services. However, Gmail leverages its platform position to establish common procedures that make it easier for users to understand and manage their data-sharing agreements.

This blog post was written in response to an assignment for the course DPI-662 Digital Government: Technology, Policy, and Public Service Innovation at Harvard Kennedy School.

Written by Lucas Kitzmüller

Associate Economist, Machine Learning at EBRD. Inequality, development, and all things data. Ex IDinsight, World Bank & MPA/ID at Harvard.