Honorable John Thune 

United States Senate 

Dirksen Senate Office Bldg, 511 
Washington, DC 20510 

Honorable Roger F. Wicker 

United States Senate 
555 Dirksen Senate Office Building 
Washington, DC 20510 

Honorable Jerry Moran 

United States Senate 
Dirksen Senate Office Building, Room 521 
Washington, D.C. 20510 

Dear Chairmen Thune, Wicker, and Moran,  

Thank you for the opportunity to provide you information regarding Gmail, our 
cloud-based email platform.  

Google works hard to provide choice, transparency, control, and security for users’ 
data. Gmail is used by more than 1.4 billion users around the world, and we have had a 
long commitment to providing our users with a secure platform. That is why we were 
among the first companies to warn users when we believed that their accounts were 
​targeted ​by ​a ​government-backed ​attacker. And it is why we launched our Advanced 
Protection Program, which integrates physical security keys to protect those at 
greatest risk of attack, like journalists, business leaders, and politicians.   

Like other email providers, we give users options and choices regarding how they 
access and use their email, allowing them to avail of email clients, trip planners and 
customer relationship management (CRM) systems. And we remain committed to 
ensuring users’ accounts are secure and we help our users to make informed choices 
about the data they share.   

We continuously work to vet developers and their apps that integrate with Gmail 
before we allow them the ability to request access to user data, and we provide 
additional warnings to users when they are evaluating whether to give unverified apps 
access to their data.  
  

 
We also insist on transparency: before a developer can access a Gmail users’ data, 
they must obtain consent from the user. And they must have a privacy policy that 
details how the data will be used.   

 
We then give users reminders about the data they are sharing with developers and 
control to remove their access. We were one of the first companies to offer a 
centralized data portal ​when we launched MyAccount​ i​n 2015 
(​https://myaccount.google.com/​). MyAccount provides easy-to-use tools to help 
manage privacy and security. ​That includes our Security Checkup​ ​(available at 
https://myaccount.google.com/security-checkup​), which is designed to help users 
make informed decisions about security and privacy, including by identifying the apps 
that have access to their data and letting them revoke access to those apps​.   
 

 
 

In addition, our Privacy ​Checkup tool 

(​https://myaccount.google.com/Privacycheckup​) lets our users review and change 
their privacy settings. These tools give users the ability to make smart, informed 
decisions about their data security, who they are sharing their data with, and what to 
expect when they share it.   

Our advanced security tools protect our users when they interact with apps. ​Google 
Play Protect, for example, comes pre-installed on all Google-licensed Android devices 
and continuously monitors users’ phones, along with apps in Play and across the 
Android ecosystem, for potentially malicious apps. It scans more than 50 billion apps 
every day and warns users to remove apps we identify as malicious:   
 
  
 
 

1) Does Google require developers of apps requesting access to Gmail data to 
conform to any privacy or data protection policies? If so, please describe these 
policies. 

Developers who access Gmail data are subject to Google’s User Data Policy 
(​https://developers.google.com/terms/api-services-user-data-policy​) as well as our 
API Terms of Service (​https://developers.google.com/terms/​). Our policies and terms 
require developers to accurately represent the identity of the application, provide 
clear and accurate information regarding the types of data being requested, and be 
honest and transparent with users about the purpose of user data requests. For 
developers who seek access to sensitive data, they must also publish a privacy policy 
that fully documents how the application interacts with user data. If developers 
change the way their application uses a Google user’s data, they must notify the users 
and prompt them to consent to an updated privacy policy. Developers are also 
required to protect against unauthorized or unlawful access, use, destruction, loss, 
alteration, or disclosure. 

 
2) In a recent blog post, a Google representative stated that Google manually 
reviews developers and apps requesting access to Gmail data to ensure that the 
developers and apps accurately represent themselves and only request relevant 
data. Please describe this process in detail. 

We support our policies with verification, monitoring, and enforcement. Web apps 
that request access to sensitive data, like Gmail data, must complete a verification 
process, described at 
https://developers.google.com/apps-script/guides/client-verification​. That process 
involves a manual review of the app’s privacy policy to ensure that it adequately 
describes the types of data it wants to access and a manual review of the suitability of 
permissions the app is requesting. This process is designed to prevent apps from 
misrepresenting themselves to users or accessing data that they do not need in order 
to perform their function. If an app is not verified by Google, we display a prominent 
warning to users that they are using an “unverified app” and strongly discourage them 
from proceeding. Usage of an “unverified app” is limited to 100 users (which, among 
other reasons, permits developers to test their apps before completion of the 
verification process). Unverified apps would also be flagged to users by our Security 
Checkup tool described above. 
 
In addition to our proactive review, we use our​ advanced security tools and 
enforcement mechanisms to continuously protect our users when they interact with 
apps. ​Google Play Protect, for example, monitors users’ phones, along with apps in 
Play and across the Android ecosystem, for potentially malicious apps. We also act 
promptly on user reports about privacy and security issues. We reward researchers 
and developers who flag privacy and security issues, and we engage in research and 
community outreach on privacy and security issues to make the internet safer. 

3) That blog post also stated that Google reviews apps' compliance with 
Google's policies and suspends them if they fall out of compliance. Please 
describe this process in detail. In addition, provide a list of all instances in which 
Google has suspended an app in this way, with an explanation of the 
circumstances for each. 
 
As discussed above, to protect our users, web apps that request access to Gmail user 
data must go through a verification process. Once they have been given access, we 
use machine learning to monitor those apps. If we detect significant changes in the 
behavior of the app after it has been approved, we will once again manually review the 
app. If that review determines that the app is violating our terms, the “Unverified App” 
screen is displayed to users and we ​restrict the app's ability to use our service​.   

In the majority of cases, we are able to detect and suspend apps that misrepresent 
themselves or are not transparent with how they use user data, for example, before 
they are given access. Malicious apps are suspended and access is removed. We also 
work with non-transparent apps to ensure that they clarify their practices for our 
users. If those apps accept our recommendations, the developer’s app may ultimately 
be approved.   

Among the reasons why we have suspended/removed access by apps or provided a 

warning are the following: 

● Lack of transparency to users, including that the developer did not sufficiently 
identify the purpose of the app to the user; 
 
● Attempts to manipulate our anti-spam detection systems in violation of our 
policies; 

● Failure of the developer to accurately represent their identity and intent; and, 

● Requests for permissions that were not relevant to the purpose of the app. 

4) Does Google allow its own employees to access the content of Gmail users' 
personal emails? If so, what safeguards does Google have in place to ensure that 
personal email content is not misused or shared more broadly? 

Google has long-standing policies tightly restricting our own employees’ access to 
the content of our users’ Gmail accounts. No humans at Google read users’ Gmail, 
except in very specific cases where they ask us to and give consent, or where we 
need to for security purposes, such as investigating a bug or abuse.​ ​ We enforce our 
policies through a number of safeguards, including: (i) restricting access to user data 
to a very limited number of individuals; (ii) requiring documentation of when access is 
granted; and (iii) routine auditing of access. 

5) Is Google aware of any instance of an app developer sharing Gmail user data 
with a third party for any purpose? If so, describe any such instance and the 
parties involved, as well as any action Google has taken to recover such data. 

Our main goal is to prevent abuse before it happens. That’s why we designed 
verification processes to stop abusive apps from ever gaining access to user data. 
When we detect anomalous behavior, we investigate. And when we suspend apps, we 
warn users to remove the apps’ access to their data.   
 
Developers may share data with third parties so long as they are transparent with the 
users about how they are using the data. Our verification process described above 
reviews the privacy policy and works to ensure that developers’ requests for access 
to user data make sense in light of those disclosures. As illustrated in the consent 
screens above, we make the privacy policy easily accessible to users to review before 
deciding whether to grant access.   
 
Sincerely, 

Susan Molinari, Vice President, Public Policy and Government Affairs, Americas
Google Inc. 
 

cc: The Honorable Bill Nelson, Ranking Member