
Giving MIT access to your email


NPR reported today on Immersion, a project from MIT that shows you a graphical view of your email connections to other people.

Short version of this post: If you decide to participate, be aware that you're giving MIT access to the contents of your email as well as the metadata.

The project's main page says that it works by looking at “only the From, To, Cc and Timestamp fields of the emails in the [Gmail] account you are signing in with.” Which I agree is a cool demonstration of how much information you can get by just looking at metadata. For a similarly impressive demonstration, see Using Metadata to Find Paul Revere. See also the Guardian's guide to metadata. I'm very pleased that various projects are making clear that metadata reveals a lot more than you might expect.

However, this particular MIT project seems to me a little misleading, because when you go through their signup process, you're giving them access to a lot more than just metadata.

[Above paragraph changed the next day to correct an incorrect technical statement that I accidentally left in from an earlier draft.]

They say that they only look at certain lines of your email, and I'm willing to believe that's their intent. But if they made a mistake in their coding, or if someone nefarious has access to their system, then they're not limited to retrieving metadata from your account.

Specifically, here's what you're giving them permission to do if you go through their signup process [with notes from me in square brackets]:

  • View and manage your mail [not just your metadata, but your mail]
  • Know who you are on Google
  • View your email address
  • View basic information about your account [name, public profile URL, photo, gender, birthdate, country, language, and timezone]
  • Manage your contacts [presumably including adding or deleting contacts]

The most unexpected item on that list, from a casual user's point of view, is the first one. You're giving the Immersion system access to all of the mail in your Gmail account. It may choose to only look at the metadata, but after you click the Accept button, there's no technical barrier preventing Immersion from looking at the actual data, the contents of the mail. Including any private correspondence other people may have sent you, any business correspondence, any receipts from online ordering, and so on.

(Also, I believe that gives them the ability to delete your mail, mark it as spam, etc.)

You may be fine with that, in which case go ahead. And it's conceivable that I'm wrong about this, and that there's some way that they're actually prevented from reading anything other than the metadata. I don't know of such an option, and the permissions screen seems to suggest that you're granting full access to your mail, but I could be missing something.

But more generally, anytime any system asks you to sign in (or to hand over a username and password) so that it can access something on your behalf, it's worth reading the permissions it is actually requesting, thinking about whether that access matches what they told you they were asking for, and deciding whether you're willing to grant it.

Tech folks who want more info about programmatic access to Gmail can search for [Gmail API]. If you're interested in how the authentication and authorization process works, take a look at the Google Identity Cookbook.
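The practical version of "does the access they're requesting match what they said they needed?" is to look at the `scope` parameter in the Google authorization URL the app sends you to, before clicking Accept. The Python below is an added example written for this post, not code from Immersion or from Google: it builds a Google OAuth 2.0 authorization URL, pulls the requested scopes back out of it, and compares them against what a metadata-only application would actually need. The scope URIs are Google's real identifiers (the Gmail API, which arrived after this post, added `gmail.metadata`, a headers-and-labels-only scope that matches the stated purpose here); the plain-language descriptions and risk labels are this example's own approximation of the consent screen, not Google's exact wording, and the client ID, redirect URI and sample URLs are constructed for illustration.

```python
"""Inspect the scopes requested in a Google OAuth 2.0 authorization URL.

Added example for this post. Scope URIs are real Google identifiers; the
descriptions, risk labels, client id and redirect URI are assumptions made
here for illustration and are not Google's or Immersion's own.
"""
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"

# Scope URI -> (risk label, what the grant actually permits). Assumed mapping.
KNOWN_SCOPES = {
    "https://mail.google.com/": (
        "high", "full mailbox access: read, send, modify and permanently delete mail"),
    "https://www.googleapis.com/auth/gmail.modify": (
        "high", "read mail and change labels (archive, mark as spam); no permanent delete"),
    "https://www.googleapis.com/auth/gmail.readonly": (
        "medium", "read all mail, including bodies and attachments"),
    "https://www.googleapis.com/auth/gmail.metadata": (
        "low", "read headers and labels only; no message bodies"),
    "https://www.googleapis.com/auth/userinfo.email": (
        "low", "see the account's email address"),
    "https://www.googleapis.com/auth/userinfo.profile": (
        "low", "see basic profile information"),
    "https://www.googleapis.com/auth/contacts": (
        "medium", "read and write contacts"),
    "https://www.googleapis.com/auth/contacts.readonly": (
        "low", "read contacts"),
}

# What an app that only reads From/To/Cc/Date actually needs.
METADATA_APP_NEEDS = {
    "https://www.googleapis.com/auth/gmail.metadata",
    "https://www.googleapis.com/auth/userinfo.email",
}


def build_auth_url(client_id: str, redirect_uri: str, scopes: list[str]) -> str:
    """Build the authorization URL an app would redirect a user to (scopes are space-separated)."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def requested_scopes(auth_url: str) -> list[str]:
    """Return the scopes from the URL's `scope` parameter (decodes %20 and '+' separators)."""
    query = parse_qs(urlparse(auth_url).query)
    raw = query.get("scope", [""])[0]
    return [s for s in raw.split(" ") if s]


def classify(auth_url: str) -> list[tuple[str, str, str]]:
    """Map each requested scope to (scope, risk, description); unknown scopes are flagged, not ignored."""
    result = []
    for scope in requested_scopes(auth_url):
        risk, desc = KNOWN_SCOPES.get(
            scope, ("unknown", "not in the local table; look it up before accepting"))
        result.append((scope, risk, desc))
    return result


def excess_for_metadata_app(auth_url: str) -> list[str]:
    """Scopes that go beyond what a 'we only read the headers' app needs."""
    return [s for s in requested_scopes(auth_url) if s not in METADATA_APP_NEEDS]


# Constructed sample URLs (not captured from any real app).
FULL_ACCESS_URL = build_auth_url(
    "example-client-id", "https://example.invalid/callback",
    ["https://mail.google.com/",
     "https://www.googleapis.com/auth/userinfo.email",
     "https://www.googleapis.com/auth/userinfo.profile",
     "https://www.googleapis.com/auth/contacts"])

METADATA_ONLY_URL = build_auth_url(
    "example-client-id", "https://example.invalid/callback",
    ["https://www.googleapis.com/auth/gmail.metadata",
     "https://www.googleapis.com/auth/userinfo.email"])

if __name__ == "__main__":
    for name, url in (("full access", FULL_ACCESS_URL), ("metadata only", METADATA_ONLY_URL)):
        print(f"== {name} ==")
        for scope, risk, desc in classify(url):
            print(f"  [{risk:7}] {scope}: {desc}")
        print("  beyond a metadata app's needs:", excess_for_metadata_app(url) or "nothing")
```

The consent screen shows the same information in friendlier words, but the `scope` parameter is the unambiguous record of the grant: `https://mail.google.com/` is full mailbox access no matter how the app describes itself, and a scope you don't recognize is a reason to stop rather than a reason to click through.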

Another issue is that Immersion doesn't seem to me to provide info about how to revoke its access to your data; I think it could continue to have access indefinitely. If you've granted Immersion (or anyone else) access to your account and you decide you want to revoke that access, see Google's help page about revoking third-party access.


If you give them your username and password, don't they have access to your entire Google account? I mean, they say they wouldn't use that, but in the nefarious-employee scenario, what's to stop someone from logging in as you and doing whatever they want?

That was what I initially thought they were doing, but it turns out you're not actually giving them your username and password; you're signing in through Google, using the standard authentication system. So the good news is that Immersion never sees your username or password; the bad news is that you're granting them permission to do whatever they want with your email.

(Which, I should have added, also probably gives them permission to delete your email if they're so inclined, or mark it as spam, or whatever.)

I see now that I misphrased part of my entry; I did talk about giving them your username and password. I'll fix that.

Ah, ok, that makes sense.

As has been noted elsewhere (not about this specific project, but in general), if someone has access to your e-mail, they pretty much have access to everything, at least if it's the e-mail address you use for other things. e.g. they can submit password-reset requests and use those to get access to your other accounts, potentially even very serious things like bank accounts.
