Disclaimer: This is a post responding to a class assignment at the Harvard Kennedy School of Government and responds to a prompt regarding an historical event. The views and opinions expressed in this article are my own and do not necessarily reflect the official policy or position of Google or discussions that occurred.

After recent revelations concerning Unroll.me’s use of user data from Gmail, the Global Product Policy team has reviewed our policies concerning third-party developers. After this analysis, we conclude that we must remove and deny third-party access for developers that aim to sell the data and that we need a better system for users to approve third-party access.

Primary Goal

Policies should be mindful of the broader product’s goal: increase Gmail’s competitiveness in the market. While Gmail is undisputedly the market leader with 65% of the market, the goal is to defend this position and increase the product’s market share in both personal accounts and corporate accounts.

Policy Criteria

The three main points below each have a role to play in retaining Gmail’s competitiveness.

  • User Privacy — Users are concerned about who has access to their data and how those people are using it. Users are specifically protective of their email data because it feels private compared to other data (e.g. social media).
  • Attractive Features — Tightly related to the competitiveness of Gmail are the features it provides for an enjoyable user experience. Gmail needs to continually deliver innovative features to keep and attract users.
  • Feasibility — While Google is a large, trailblazing company, we still operate with multiple constraints. Significantly, human constraints can limit the enforcement effort for any policy.

Policy Options

Potential policy responses below are organized on a spectrum from no access at all on one side to current access on the other.

1. Suspend Third-Party Access – An option is to shut down third-party access to Gmail.

2. More Restrictions for Third Parties — We can add another limit in our vetting process to understand how third-party developers plan to use the data they receive. If they plan to use it for means that go beyond improving a user’s email experience, they will not be allowed to access our API.

3. More Explicitly Notify Users — Working with user experience researchers, we can alter the way permissions are displayed and granted and require third parties to clearly identify all the information they may collect from users and for what purposes.

4. Status Quo — We can operate as we are now.

Recommendations

Our recommendation is to pursue options 2 and 3. Neither extreme option (shut down or do nothing) satisfies the criteria that we discussed. Removing all third-party access is a drastic measure that prioritizes user privacy and feasibility over attractive features. As much as our product team strives to deliver the best email experience, third parties provide additional features that make Gmail users enjoy their time on the product more. Further, it is unlikely that Unroll.me is the only entity selling Gmail data in this manner. Doing nothing would not be an appropriate response to an event that has left many users worried about their privacy when using Gmail.

Options 2 and 3 prioritize user privacy while enabling excellent features in a way that Google can reasonably carry out. Limiting the way entities can use the data also limits the number of other entities that can access the data. Unroll.me and its peers will no longer be able to share data with the likes of Uber for market research. There will likely be some pushback from these developers as they must rethink their business model. We believe that those third-party developers providing features with true value to users will remain. Last, we will require some additional human capital to conduct user research to improve the users’ experience when granting access, and we will likely need to increase the promised turnaround time when vetting third parties due to the additional information that they will provide.