Tue, 1 Mar 2016 18:30:00 GMT – Updated
This blog post has been revised to more accurately reflect some details. Thanks to Fleep CEO Henn Ruukel for reaching out.
Today – by regrettable oversight – I exported my recent e-mail history to Fleep, a collaboration platform used by a new client, and let their software synchronize future e-mails. I thought I was just signing up, giving up my basic info.
The mistake was all mine. I did not notice that the authentication screen was requesting for permission to allow Fleep to "manage my e-mail". But I did realize the consequences moments later when I saw that many of my contacts and my recent e-mail history had been pulled into their system.
It turns out that Fleep actually only pulls down the most recent 200 e-mails. But this wasn't apparent at all to me because I wasn't expected any of my e-mail to be imported. I had unwittingly allowed an app to download my entire personal correspondence for about a decade.
While I do blame Fleep for using what I perceive to be a euphemism – connect with gmail – and not making it crystal clear that you're not just signing up for a messenger app but actually fully integrating your e-mail account, the bigger problem here lies with how Google makes this possible:
- At all
- Without asking for your password
It's just too easy to give away your personal information on the internet and this needs to be fixed.
We have a similar problem with apps on mobile devices that ask for permission to access all photos in order for you to be able to select just one. I think for the most part you can trust apps to do the right thing – but the way it's currently set up, there is no transparency in what these companies do with the data you have granted them access to.
Legally, I think the EU Data Protection Directive has me covered, but once you have handed over your data to an internet company, it's really out of your control.
Big internet companies, please take privacy seriously and help your users understand the consequences of their actions.