Google Gmail Inboxes Scanned and Read by 'Hundreds' of Software Developers

The Google internet homepage is displayed on a product at a store in London, Britain January 23, 2016. REUTERS/Neil Hall

If you think your Gmail inbox is safe from prying eyes, think again.

The popular Google email client—used by more than 1.4 billion users—is reportedly letting hundreds of software developers scan inboxes and, in some cases, even read conversations.

According to the Wall Street Journal, users of third party applications offering email-based services, including price comparison tools or productivity software, may not be aware that the permissions they have granted are actually letting computers and humans access their personal messages.

Marketing company Return Path and email organization tool designer Edison Software were both name-checked in the newspaper's investigation this week, which revealed that some automated systems had the ability to analyze 100 million emails every day. Both companies have used their email access to enhance their products and build new technology, representatives told the Wall Street Journal.

There is no suggestion that the named tech companies have misused email data.

While developers did not explicitly advertise to users that they are able to poke around email inboxes, the companies stressed that the practice is covered in their user agreements. Like many technology products and applications, personal information is collected—and sold—to keep the service free.

Google said it only reads emails in "cases where you ask us to and give consent, or where we need to for security purposes, such as investigating a bug or abuse." The Alphabet offshoot, which did not immediately respond to a request for comment, did not disclose how many apps have Gmail access.

Developers use software called an application programming interface (API) to create and connect applications with Google's services. Like Android phone applications, when a user signs up to a service or platform they will be shown a message that asks permission for access to a range of data.

According to The Verge, Return Path and Edison Software did not acknowledge that in some cases humans will have access to emails. Online, Google has published strict developer policies.

"Don't request access to information that you don't need," it warns developers using its API Services.

"You may only request access to the Google user data that is necessary to implement existing features or services in your application," it continues. "Don't attempt to 'future proof' your access to user data by requesting access to information that might benefit services or features that have not yet been implemented. You are not permitted to access, aggregate, or analyze Google user data if the data will be displayed, sold, or otherwise distributed to a third party conducting surveillance.

"Overall there should be no surprises for Google users: hidden features, services, or actions that are inconsistent with the marketed purpose of your application may lead Google to suspend [access]."

It is believed that other tech giants, including Microsoft, have similar policies in place.

In June last year, Google announced that it would no longer scan Gmail inboxes for advertising personalization. "Users can remain confident that Google will keep privacy and security paramount as we continue to innovate," Diane Greene, CEO of Google Cloud, said in a blog post at the time.

Anyone concerned about what apps have access to data can check their permission settings.

The logo of Google is pictured during the Viva Tech start-up and technology summit in Paris, France, May 25, 2018. REUTERS/Charles Platiau