Third-party app developers are reading Gmail users’ emails, sometimes without redactions, according to a report by the Wall Street Journal.
The WSJ reported on Monday that employees of Gmail app developer Edison Software personally read the emails of hundreds of users to build a new feature; employees of another developer, Return Path Inc, reportedly read about 8,000 unredacted user emails to help train algorithmic software.
According to the report, these apps did not “[ask] users specifically whether it could read their emails”—although the companies contend this activity was covered by their end-user license agreements. Google maintains that an app cannot access user information without explicit consent. Connecting an app to Google is supposed to return a permission screen that alerts users if an app is requesting the ability to view inbox messages, like this:
To see which apps you’ve given email permissions to, you can use Google’s Security Checkup for Gmail. To remove these permissions, go to your Google account settings, select “sign-in and security,” navigate to “apps with account access,” click “manage apps,” and then click on your linked apps and hit “remove access.” (Scroll to the bottom of the post for step-by-step screenshots illustrating how to do this.)
The privacy dust-up over companies reading emails is reminiscent of the recent Facebook data abuse scandal involving Cambridge Analytica—although not because there’s any evidence that the companies mentioned in the WSJ report have done anything untoward with their access to people’s emails. Instead, both incidents point to concerns about how much oversight companies have when it comes to third parties collecting people’s data and what they do with it afterwards.
Google vets developers by examining their policies and testing the apps. Google requires that apps function as advertised; according to the WSJ report, its developer agreement also prohibits app makers from storing data in a database and making permanent copies.
But as the Cambridge Analytica saga showed, agreements restricting data use might not mean much to developers with other plans. The academic who collected the Facebook data that Cambridge Analytica ultimately used in an attempt to boost the Trump campaign was not allowed to transfer that data to another party, but so it goes.
Google is not an independent auditor that goes in and looks at developer systems. The company did not comment further on what auditing procedures it may have, if any. It is unclear if Google is looking into new practices similar to Facebook, which has pledged to audit app developer’s data practices in response to the Cambridge Analytica scandal.
How to see which apps can read your Gmail
1. Go to your account settings and click "apps with account access" under "sign-in and security."
2. Click "manage apps."
3. Click on an app to expand the menu and click "remove access." You're done!
Get six of our favorite Motherboard stories every day by signing up for our newsletter .
This article originally appeared on VICE US.