App Developers Could Be Reading Your Gmail
by John Lister, July 6, 2018

Google has confirmed that third parties may be able to read your Google email (Gmail) messages. The resulting controversy comes from a lack of clarity over its permission settings.

The issue isn't about Google itself reading email messages. Previously, Google servers would scan email messages for keywords, then show targeted advertisements based on those keywords whenever users logged into Gmail to read their emails. However, Google dropped this policy last year and instead bases its ads on other information, such as Google web searches and YouTube viewing.

The latest controversy relates to human operators at third-party companies accessing the emails. In this case, it deals with app permissions typically used on Android smartphones and tablets, and even Chromebooks. Through app permission settings, users can give app developers access to their accounts so they can use a range of tools; these can include travel planners that automatically retrieve details from flight confirmation and hotel booking emails. They also include shopping price comparison services.

Permissions Could Be Misunderstood
When linking a Gmail account to such tools, users have to grant permissions such as "Read, send, delete and manage your email." No doubt many people click these without reading the details, but it was widely assumed that this referred to entirely automated access, with computers checking through emails remotely rather than humans looking through messages.

A Wall Street Journal investigation found that in some cases third-party app staff were manually reading messages, with the companies concerned saying it was done to improve software features and algorithms. They said such behavior was covered by the user's permissions, something Google has now confirmed.

Google Stresses Review Process
After the news broke, Google stressed that companies cannot link to Gmail accounts unless they've passed a review process. This includes proving that the app accurately represents which organization is accessing the data and how it will use it, and that it only requests data that is relevant and necessary for the stated purpose. It hasn't commented on whether the companies in question have breached these rules.

If you're worried about third parties reading your Gmail, you can check your account at Google's Security Checkup page. Here you will find a section detailing "Third-party access". Clicking on this will list which apps can access your account and what level of access they have. You will also be able to click to remove this access.