The AI Surveillance You Already Said Yes To: Auditing Your OAuth Grants
You switched to a local LLM. You use Proton Mail. You reviewed Ollama's privacy policy before you pulled your first model. You are, by any measure, someone who thinks carefully about AI privacy.
And every single day, a collection of apps you authorized between 2019 and 2023 is scanning your email, reading your calendar, indexing your files, and now — because every SaaS product added AI features in 2024 — summarizing and analyzing that data with models you never agreed to use.
You did not fail at privacy. You simply never looked in the right direction.
The threat that serious privacy people miss is not the tool they are carefully evaluating today. It is the pile of OAuth grants they accumulated during the era when "connect your Google account" was just how software worked — before anyone understood what AI features would eventually do with that access.
What OAuth Grants Actually Give Away
OAuth is the protocol behind every "Sign in with Google" and "Connect your account" button you have ever clicked. When you authorize a third-party app through OAuth, you are not giving it your password. You are issuing a credential that gives the app specific, ongoing access to your account — access that does not expire when you stop using the app, close the tab, or forget it exists.
The permissions vary. A calendar app might request read access to your Google Calendar. A productivity tool might request read and write access to your Gmail. A code review tool might request access to your GitHub repositories. And a file organization tool might request access to your Google Drive.
None of that was alarming in 2020. It was just how software worked.
Here is what changed: in 2023 and 2024, virtually every SaaS product embedded AI features into their existing product — and those features operate on whatever data the app already had permission to access. The calendar app you authorized in 2021 added an "AI scheduling assistant." The Gmail productivity tool added "smart reply suggestions powered by AI." The file organizer added "automatic tagging using AI."
You never consented to AI processing. You consented to the app. The app later added AI. The original grant covers the new feature because it already had access to your data.
This is not a gray area. It is explicitly how these features are designed to work. The apps are not doing anything wrong by their terms of service. But your threat model almost certainly did not account for it.
The Typical Grant Stack You Don't Know You Have
A software developer or technical professional who has been working in tech since 2018 has, on average, 35 to 70 active OAuth grants across Google, GitHub, Slack, and Microsoft accounts. Most of them were issued in single moments — signing up for a tool, connecting an integration, trying a productivity app at a previous job — and have not been thought about since.
Here is what that stack typically looks like.
Google account: The average Google account with professional use has 15 to 30 active third-party app grants. These include: project management tools with full Google Drive access, email productivity apps with full Gmail read/write access, calendar scheduling assistants with read/write calendar access, and various one-time utility tools that requested broad permissions "just in case." Google's OAuth dashboard shows you the list but not the last-used date, making it difficult to know which grants are still active in any meaningful sense.
GitHub account: GitHub OAuth grants typically include code review tools, CI/CD integrations, and productivity apps that requested repository access. In 2024 and 2025, many of these tools added AI code review features. If you granted a code review tool access to your private repositories in 2022, it may now be sending your code to an AI model for analysis — under the same grant you issued three years ago.
Slack workspace: Slack's app directory grants work at the workspace level, but individual users also authorize apps through direct message integrations. These often include AI meeting note tools, task management apps with channel read access, and productivity assistants that can read your message history. Slack AI, launched in 2024, operates across all workspace data — but third-party apps with existing Slack grants also added AI layers.
Microsoft account: If you use Microsoft 365 for any work accounts — even former employers — OAuth grants to that account may still be valid. Microsoft's AI features (Copilot) are embedded across the entire 365 stack, and third-party apps with 365 OAuth access can also trigger on that data.
The pattern is consistent: you granted access to a tool, the tool added AI features, and now the AI feature operates on your data under the original consent.
How to Audit Every Major Platform
This takes thirty minutes and will almost certainly surface something you did not expect.
Google: Navigate to myaccount.google.com/permissions. You will see every third-party app with an active OAuth grant to your Google account. For each one, click through to see exactly what permissions were granted — "See, edit, create, and delete all of your Google Drive files" is a common one that most people do not remember authorizing. Revoke anything you do not actively use. Be ruthless: if you have not opened the app in six months, revoke it.
GitHub: Go to github.com/settings/applications, then select "Authorized OAuth Apps." This shows every external application with access to your GitHub account. Check the scope column — "repo" means full access to all your repositories, including private ones. Separately, check "Authorized GitHub Apps" for more granular integrations.
Slack: In any Slack workspace you belong to, open your workspace settings and navigate to "Connected apps" or check your direct message history for bots you have authorized. For workspace-level apps, a workspace admin controls the list, but you can see what you have individually authorized.
Microsoft 365: Navigate to myapplications.microsoft.com and look under "Apps & Permissions." This shows applications registered against your Microsoft account. This is often the most surprising audit for people who have held multiple jobs using Microsoft infrastructure.
Apple ID: Go to appleid.apple.com and check "Sign in with Apple." While Apple's OAuth grants are generally narrower than Google's (Apple does not give apps access to your email content, only a relay address), any apps with expanded permissions via Apple business accounts warrant review.
The AI-Specific Grants to Revoke First
Beyond the general audit, there are specific categories of grant that carry the highest AI privacy risk right now.
AI writing assistants with email access. Tools like Grammarly, Superhuman, and various "AI email" products typically request Gmail read access to provide suggestions and summaries. These tools have direct pipelines to cloud AI models — your email content is what trains and informs their suggestions. If you use any of these tools but have moved to Proton Mail for sensitive communications, check whether the Gmail grant is still active and what historical data they have already processed.
Project management tools with Drive access. Notion, Asana, Monday, ClickUp, and similar tools often request Google Drive access to allow file attachment or "context-aware" features. Most of these tools added AI summarization in 2024. Your project documents, client proposals, and internal notes may be within scope.
Meeting tools with calendar and audio access. Otter.ai, Fireflies, and similar transcription tools have both OAuth calendar access (to know about meetings) and audio/transcript data from every meeting they have attended. Their AI features operate on both. This is a particularly high-risk category for anyone in professional services or legal work.
AI research tools connected to your accounts. Browser extensions and research tools that offer AI-powered features often have broad host permissions that allow them to read page content — including the authenticated content of your email and cloud storage when you browse those services.
Where to Move After You Revoke
Revoking grants solves the ongoing access problem. It does not address the data that has already been processed. But it stops the accumulation.
The longer-term answer is to move your primary communications and file storage to services that are architecturally isolated from the third-party app ecosystem that caused this problem.
Proton Mail operates outside the Google OAuth ecosystem entirely. Third-party apps cannot request OAuth access to Proton Mail because Proton does not offer the same kind of broad-scope OAuth grants that Google does. Your email is end-to-end encrypted; even Proton cannot read it, which means an app with a Proton OAuth grant cannot read it either. Proton also offers Drive, Calendar, and VPN — migrating to the full Proton stack isolates your primary data from the third-party grant ecosystem at the infrastructure level.
Affiliate Disclosure: This article may contain affiliate links. If you make a purchase through these links, we may earn a small commission at no extra cost to you. We only recommend products we genuinely believe in. This helps support our work and allows us to continue providing free content.
The goal is not to eliminate all integrations — it is to be deliberate about which ones you maintain and to understand what each one can see.
The Broader Principle: Your Consent Was Issued Without Context
The privacy community spends a lot of energy evaluating new tools. Privacy reviews of AI assistants, local vs. cloud comparisons, VPN provider audits — these are all valuable. But they are evaluating decisions you are making today with information you have today.
The OAuth grant problem is different. It is about decisions you made years ago, with the information you had then, that now carry implications you could not have anticipated. The apps you authorized in 2021 did not have AI features in 2021. Your consent was real, but it was issued without the context that makes it meaningful.
That is why this threat is not on the radar of most privacy-conscious users. It is not a new attack. It is not a newly discovered vulnerability. It is an accumulation of individually reasonable past decisions that have quietly compounded into a substantial exposure.
The audit takes thirty minutes. The migration takes a few hours spread across a week. But the leverage is significant: you can eliminate dozens of active surveillance relationships in a single afternoon, relationships that your current privacy tools — your local LLM, your VPN, your encrypted messaging app — have no ability to protect you from.
Your privacy stack protects your present. This audit is how you clean up your past.
Start Here: A Thirty-Minute Audit Protocol
- Open four browser tabs: myaccount.google.com/permissions, github.com/settings/applications, your Slack workspace settings, and myapplications.microsoft.com.
- For each, revoke every app you have not used in the past sixty days.
- For apps you do want to keep, click through to verify exactly what permissions they hold. Revoke any that have more than they need.
- Document what you revoked in a private note. You will want to remember this in six months when you do the audit again.
- Set a calendar reminder to repeat this audit quarterly — every time a major platform announces AI features, the risk profile of existing grants changes.
If you find yourself wanting a research tool that does not require a Google account connection, Perplexity offers AI-powered search without requiring OAuth access to your existing accounts. It is not a private tool by default, but it is architecturally separate from the email-and-Drive ecosystem where most of the grant risk lives.
Affiliate Disclosure: This article may contain affiliate links. If you make a purchase through these links, we may earn a small commission at no extra cost to you. We only recommend products we genuinely believe in. This helps support our work and allows us to continue providing free content.
The most dangerous privacy risks are not the ones you are thinking about. They are the ones you stopped thinking about three years ago.
Last updated: 2026-06-24
Stay one step ahead. Subscribe to PrivateAI's weekly digest — practical privacy moves, tool reviews, and threat model updates, delivered to your inbox. No tracking pixels, no third-party analytics.