Gmail
Grade: F (Fail)
Google · 🇺🇸 United States
Technical details
App: com.google.android.gm
Manufacturer: Google LLC

⚠️ The bottom line

Google said they stopped reading your email in 2017. They didn't — they just changed what they read it for. Now their AI reads it too, enabled by default. The machine scanning your inbox got an upgrade, not a removal. Gmail encrypts your email in transit — then decrypts it on Google's servers where they can read everything. There is no end-to-end encryption for regular users. 'Confidential Mode' is a lie — Google can still read those emails too.

Legal jurisdiction
🇺🇸 United States (headquarters)
CLOUD Act: US govt can demand your data from this company even if stored overseas
FISA §702 / PRISM: NSA collects stored emails, photos, messages without individual warrants
Geofence warrants: Police can demand location data for everyone near a crime scene
Scores by concern
Spying: 2/4 MODERATE (Is someone spying on me?)
Data Sharing: 3/4 HIGH (Who gets my data?)
Security: 3/4 HIGH (Is it actually secure?)
Honesty: 4/4 EXTREME (Can I trust what they say?)
Verdict: REPLACE. Extreme risk. Look for alternatives or lock down hard.
Alternative: Use Tuta Mail instead (encrypts subject lines, fights 75% of government requests)
7 contradictions (4 critical, 3 high, 0 medium), 6 sources
Findings by concern
Spying: 2/4 MODERATE (1 finding)
⚡ High: policy claims vs app permissions
Gmail asks for your location, camera, microphone, contacts, and permission to start when your phone boots. Why does an email app need your GPS coordinates? Because it's not just an email app — it's a Google data collection tool.

What they claim: Gmail requests only permissions needed for email functionality

What we found: Gmail Android requests 66 permissions including fine location, contacts, phone state, camera, audio, and boot-on-startup. Exodus reports zero trackers — because Gmail IS the tracker. All telemetry is first-party Google code, invisible to third-party analysis. The email app that reads your messages also knows your location, contacts, and starts running before you do.
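The permission count above comes from the app's manifest. An added example (not from the original report and not Gmail's real manifest) of how a practitioner would run that check themselves: parse the <uses-permission> entries of an AndroidManifest.xml, count them, and flag the ones that map to the capabilities the finding names. The manifest below is constructed for illustration, and the "sensitive" grouping is this example's own assumption; the permission names themselves are real Android platform permissions. To audit a real APK, extract its manifest with apktool or aapt and pass the XML text to audit_manifest().

```python
"""Audit the <uses-permission> entries of an Android manifest and flag the
ones a plain email client has no obvious need for.

Added example for this report: SAMPLE_MANIFEST is CONSTRUCTED and is not the
real app's manifest; the SENSITIVE grouping is an assumption chosen to mirror
the categories named in the finding (location, contacts, phone state, camera,
audio, boot-on-startup).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed mapping: permission name -> capability category. The permission
# names are real Android platform permissions; the grouping is ours.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_PHONE_STATE": "phone state",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.RECEIVE_BOOT_COMPLETED": "starts at boot",
}

# Constructed sample manifest (not the real app's), kept short on purpose.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.mailclient">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> list:
    """Return every android:name declared in a <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    names = []
    for elem in root.iter("uses-permission"):
        # ElementTree stores namespaced attributes in Clark notation {uri}local.
        name = elem.get(f"{{{ANDROID_NS}}}name")
        if name:
            names.append(name)
    return names


def audit_manifest(manifest_xml: str) -> dict:
    """Summarise the manifest: package, total count, flagged permissions,
    and the sorted set of capability categories those permissions grant."""
    perms = requested_permissions(manifest_xml)
    flagged = {p: SENSITIVE[p] for p in perms if p in SENSITIVE}
    return {
        "package": ET.fromstring(manifest_xml).get("package"),
        "total": len(perms),
        "flagged": flagged,
        "categories": sorted(set(flagged.values())),
    }


if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    print(f"{report['package']}: {report['total']} permissions requested")
    for perm, category in report["flagged"].items():
        print(f"  {category:<14} {perm}")
```

Run against a real manifest, the "total" figure is what a count like the report's 66 is measured from, and the "categories" list is the part worth reading: each entry is a capability the app can exercise that has nothing to do with sending or receiving mail.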

Data Sharing: 3/4 HIGH (3 findings)
⚠️ Critical: policy claims vs firmware analysis
Google said they stopped reading your email in 2017. They didn't — they just changed what they read it for. Now their AI reads it too, enabled by default. The machine scanning your inbox got an upgrade, not a removal.

What they claim: Google says it 'stopped scanning email content for advertising' in 2017

What we found: Gmail still scans every email for Smart Reply, Smart Compose, nudges, travel cards, package tracking, event extraction, and payment detection. In late 2025, Google enabled Gemini AI to read emails by default — requiring opt-out across two separate settings pages. Google stopped scanning for ads but never stopped scanning. The machine reading your email just got smarter.

⚠️ Critical: policy claims vs regulatory findings
The NSA has been reading Gmail since 2009 via PRISM. Google handed over data on 235,000 government requests in just 6 months. The FBI can search your emails without a warrant under FISA. Google is legally forbidden from telling you.

What they claim: Google's privacy policy says they 'keep your data safe and secure'

What we found: Google is a confirmed PRISM participant since January 2009. NSA documents show 98% of PRISM production came from Yahoo, Google, and Microsoft. Google complied with 235,000+ government data requests in H1 2024. Under FISA Section 702, reauthorised April 2024 with expanded authority, the FBI can search Gmail content without a warrant. Google cannot tell you it happened.

⚡ High: firmware analysis vs firmware analysis
Gmail's free tier shows ads disguised as emails in your inbox. France fined Google EUR 325M because 53 million users couldn't tell the difference between ads and real messages. Free email isn't free — you're the product.

What they claim: Gmail's free tier provides email to 1.8 billion users

What we found: Free Gmail shows ads in the Promotions and Social tabs. In September 2025, France's CNIL fined Google EUR 325M because these ads were designed to look like real emails — deceiving 53 million users. The free email service is funded by advertising designed to trick you into clicking ads disguised as messages.

Security: 3/4 HIGH (1 finding)
⚠️ Critical: firmware analysis vs regulatory findings
Gmail encrypts your email in transit — then decrypts it on Google's servers where they can read everything. There is no end-to-end encryption for regular users. 'Confidential Mode' is a lie — Google can still read those emails too.

What they claim: Gmail uses TLS encryption to 'protect your email in transit'

What we found: TLS encrypts email between servers but Google holds the keys and can read every email at rest. Gmail has NO end-to-end encryption for regular users. Confidential Mode is not E2EE — Google can still read it. Client-Side Encryption exists only for enterprise Workspace customers with organisation-controlled keys. 1.8 billion users have no way to send an email Google can't read.

Honesty: 4/4 EXTREME (2 findings)
⚠️ Critical: firmware analysis vs app permissions
In 2018, journalists discovered that Google let hundreds of outside companies read your Gmail. Human employees at those companies were reading private emails. Google's response: it was in the fine print.

What they claim: Gmail is presented as a secure email service that protects your data

What we found: In 2018, the Wall Street Journal revealed that third-party developers including Return Path and Edison Software had human employees reading Gmail users' emails. Google had granted these companies API access to scan inboxes. Google's response: this was covered by the developers' terms of service. Hundreds of companies had access to read private emails.

⚡ High: policy claims vs firmware analysis
Google's terms give them the right to 'create derivative works' from your emails. That's exactly what Gemini AI does — it reads your email and generates responses. Your private messages are training material for Google's AI.

What they claim: Gmail's Terms of Service say Google needs a license to 'provide the services'

What we found: The license grants Google rights to 'host, reproduce, distribute, communicate, and use your content' including to 'modify and create derivative works.' Google's Gemini AI uses email content to generate Smart Replies, summaries, and suggestions — creating derivative works from your private communications. Your emails train Google's AI.

What happened to real people
Documented incidents involving Google products and user data.
Jorge Molina jailed 6 days for murder via geofence warrant based on Google Sensorvault location data. Lost job, car, reputation. Charges never filed. [source]
PRISM participant since 2009. NSA collects stored communications. FBI conducts warrantless 'backdoor searches' of American data using names and email addresses. [source]
Google received 180 geofence warrants per week by 2019. Each warrant searches tens of millions of accounts. Supreme Court hearing constitutionality (Chatrie v. United States). [source]
What your data is worth to governments
Google complied with 235,000 government data requests in H1 2024. That's +530% over 10 years. Google has been a confirmed PRISM participant since 2009. Under this programme, the NSA collects stored communications. The company is legally prohibited from telling you. Jurisdiction: US (CLOUD Act, FISA Section 702, Patriot Act).