The Dangers of Using Gmail for Board Communication

Nicholas J Price
5 min read
Someone else's curiosity may be killing your board's confidentiality. In the course of your job, if you had the ability to read someone's personal or business emails, would you be tempted do it? Would reading one intriguing email lead you to read another? Those are moral questions that might be difficult to answer honestly unless you were put into that position. That's exactly the situation that app developers encounter in their quest to improve their algorithms.

Google just confirmed that it's possible for real humans to read the third-party emails of people who have Gmail accounts. What's surprising is that it's happening legally. Perhaps what's even more surprising is that Google is aware of it and they continue to allow it.

Your Gmail Account Is Not as Safe as You Think

With around 1.4 billion Gmail accounts, Google takes credit for offering the most popular email service worldwide.

Companies usually have the best intentions of improving their customers' online experience. App developers study the habits of email users, so they can adjust their algorithms. What kind of information are they looking for?

They're looking for correlations between user age and what they respond to. They want to know how the length of emails corresponds to the time of day that people send them, and much more.

In most cases, computers are retrieving this information, but not always. Sometimes there are real humans on the other end who can open your emails, read them and share them if they choose to. According to The Wall Street Journal, one company told them they commonly read Gmail users' emails, referring to it as their 'dirty secret.' In speaking with several other companies, The Wall Street Journal discovered that employees regularly read thousands of private email messages.

For example:

  • Edison Software told The Wall Street Journal that their developers reviewed hundreds of emails so they could build a new software feature.
  • eDataSource, Inc. stated that their engineers had read emails to improve algorithms.

The companies have taken a 'don't ask, don't tell' philosophy, banking on the fact that most people don't actually read the terms and conditions, favoring to quickly check a box in order to bypass the user agreements.

How Gmail Users Allow Access to Gmail Accounts

Everyone wants a good deal if they can get one. Travel planning companies, price-comparison companies, companies that add events to your calendar and other companies can save consumers time and money by accessing their Gmail accounts.

Have you ever attempted to set up a new account with a company, and before you could fill in your name and address, a pop-up ad asked you if you wanted to sign in with your Google or Facebook account instead? After all, you've already given personal information to your social media accounts. When given the choice between inputting all of their personal data to set up a new account or allowing Google to transfer personal data with one click, most users make it easy on themselves and create new accounts using the latter method.

The setup process for a new account may ask you if you can let them read, send, delete or manage your emails; however, that wording may be well-hidden inside lengthy paragraphs filled with legalese. Without realizing it, you may have just given individuals permission to read your messages because you agreed to the terms and conditions.

What Does Google Have to Say About It?

As it turns out, Google has a little to say to its developers and Gmail users about it. Their responses have left security experts scratching their heads.

In their developer policies, Google states, 'There should be no surprises for Google users: hidden features, services, or actions that are inconsistent with the marketed purpose of your application may lead Google to suspend your ability to access Google API Services.' That's clearly a message that says developers should not be reading personal emails even if they can.

However, Google narrowed their stance a bit more by stating that they only allowed companies access to personal messages that they had vetted ahead of time, and only when users gave explicit permission for them to access their email accounts.

Overall, Google says that while developers aren't always clear enough about what users are actually giving them permission to do, the developers' actions aren't against Google's policies.

Risks of Board Directors Using Gmail or Other Personal Email Accounts

Board directors who correspond using personal email accounts or email accounts connected to their day jobs are participating in a risky business. Personal and business email accounts lack the necessary security measures to protect sensitive and confidential board communications.

According to an article in the New York Law Journal, almost two-thirds of corporations don't issue company email accounts to their board members. Just under half of their survey respondents said that they routinely send board-related emails using their personal email accounts, whether they had an exclusive email account for board business or not.

Best practices for governance are crystal clear on the issue of board communications. Board directors should never send board communications via accounts that aren't highly secure.

Nonsecure Board Emails Are Highly Vulnerable to Hacking

Hackers prey on unsuspecting board directors of top-producing boards who regularly communicate highly sensitive and confidential information. High-profile board directors are prime targets for cybercriminals looking for ransom in exchange for not releasing private information.

When choosing to use personal or business emails for corporate board business, board directors open the door to phishing scams and cyberattacks that could harm the corporation and its reputation.

The best defense against third parties who steal information from personal and business emails is for boards to turn to electronic solutions that were designed and built with their express purposes in mind.

Today's board directors should be using a secure messaging app like Diligent Messenger. It's a messaging app that is ISO 27001 certified for the highest possible security. Diligent Messenger fully integrates with Diligent Boards, which is another product that's part of Governance Cloud, an ecosystem for a total Enterprise Governance Management system.

'Don't mix business with pleasure' certainly applies when it comes to sharing board business over nonsecure personal or business email accounts. Just one email could jeopardize your company and its reputation.

Get the right tools to conduct every aspect of your board's business and be sure to conduct all of your board's business within the unmatched security of Governance Cloud.