Is Gmail secure from its employees?

The recent essay from Paul Graham, “Don’t Talk to Corp Dev,” reminded me of a question I’ve wondered from time to time over the years: what would stop Google from accessing a startup’s Gmail (or Google Apps) if it were advantageous to their business negotiations? A part of me always cringes at this thought; it’s too paranoid. It goes against their culture. Still, given how bad an internal breach could be, I was curious to see what language Google would use to assure its users that their Gmail was in safer hands than, say, an Uber itinerary.

The first result I came upon in my Googling was a guy (Christopher Nguyen [1]), who on Quora who gives a clear and explicit description of what Google has done to protect Gmail from internal intrusions. The author describes a tough privacy policy that inspired several upvotes, not to mention at least two separate articles from tech sites quoting his answer as proof of “Google’s policy”. Nguyen concludes: “… ultimately, an internal culture of respecting users’ privacy helps keep [us] in check.” It sounded pretty good, like the sort of approach I’d expect Google to take.

My problem with the answer? It’s not from Google. Dropbox is explicit about how employees access data; I find their policies well-thought out and comprehensive. Evernote’s security is moderately explicit [2] that it has more lax policies [3]. Either way, I can evaluate the security of my accounts from an internal employee who might be bored some Wednesday night.

Meanwhile, Google itself is mum on who internally can read my Gmail, and for what purposes. “Gmail security”-related queries yield results ranging from how to secure your account against external entities to how Google keeps us safe from open wifi. They also assure us that they aren’t manually reading every one of our emails to serve us ads (Really?? So do they contract hamsters to pick all those ads? [4]). But nothing in my Googling can locate a Google-authored document that describes their internal Gmail security policy at all.

Does this lack of explicitness matter? I’m torn. Google’s generic privacy policy paints the picture of a company that cares about security. They seemed to get pretty upset when the NSA spied on their users. And yet, I’ve probably had more conversations in Gmail over the past 10 years than I’ve had in the real world. If there were any service I’d like to see a clear, tough, explicit policy on all aspects of data security, it would be Gmail.

I think their policies are probably as good or better than Dropbox, but at this point they are forcing me to assign an awful lot of credibility to that guy on Quora.

 

[1] Christopher Nguyen says he worked at Google between 2003 and 2008.
[2] See the “Customer Account Access” section
[3] “This [admin access] tool allows our customer service and platform administration teams to resolve customer issues.” Which customer support personnel are accessing? What do they access?
[4] Blog sarcasm

2 Replies to “Is Gmail secure from its employees?”

Leave a Reply to James Cancel reply

Your email address will not be published. Required fields are marked *