A report by the Wall Street Journal brought to light this week a concerning privacy and email security issue: third-party developers may read Gmail user's emails, a claim that wasn't disputed by Google.
When you sign up for and agree to the terms of an app that requires access to your Gmail account or your Google account, such as customer relationship management (CRM) systems, you are granting it permission to access your email. That means that its employees may manually access and read your messages too.
According to the newspaper, two companies admitted their employees read hundreds of Gmail's users personal messages. One claims it did it in order to gather data to build new features, and the other to train its machine learning system. In both cases, the companies said the practice was covered by their privacy policies and user agreements. The newspaper, though, noted that none of those policies “mentions the possibility of humans viewing users’ emails.”
After the report was published, Suzanne Frey, Director of Security, Trust, & Privacy for Google Cloud, addressed in a blog post the issue of security and privacy when using Gmail, but made no mention to the report. She noted that "no one at Google reads your Gmail, except in very specific cases where you ask us to and give consent, or where we need to for security purposes, such as investigating a bug or abuse."
She didn't say, though, that the same applies to third-party developers. She said that the company vets all apps before allowing them access to Google accounts through a "multi-step review process". Frey also added that Google shows a permissions screen before a non-Google app is able to access your data and that she "strongly encourages you to review the permissions screen before granting access to any non-Google application".
Maybe what Google and developers should be discussing is how to make privacy terms more palatable and clear to users. Google permissions screen, for example, doesn't clearly mention the possibility of humans reading your emails, as opposed to an algorithm scanning it for automatic processing.
By the way, if you want to check which apps have access to your Google account and remove any granted access that you regret, you can visit your account permissions page.