Google has responded to Monday's Wall Street Journal report detailing how Google gives hundreds of developers privileged access to Gmail inboxes once users have signed up to a third-party app.
The special access gives approved developers, such as marketing and data-mining firms, the ability to read and analyze Gmail messages.
While much of the analysis is by machine, according to the report, one developer said it was "common practice" for companies to let employees read Gmail user email. And instead of gaining explicit consent from the user, permission is only obtained via general user agreements.
Former employees of data-mining companies told the paper that it was common for them to use free apps and services to convince people to give access to their inboxes and that the apps don't clearly explain what data they collect, nor what they do with it.
While third-party access has been known about for years, the practice has come under the spotlight due to Facebook's Cambridge Analytica scandal, which put millions of users' data in the hands of the controversial political consultancy.
"Gmail's primary business model is to sell our paid email service to organizations as a part of G Suite. We do show ads in consumer Gmail, but those ads are not based on the content of your emails," wrote Suzanne Frey, director of security, trust, and privacy for Google Cloud.
Frey also attempts to dispel fears that people at Google are actually reading Gmail messages.
"The practice of automatic processing has caused some to speculate mistakenly that Google 'reads' your emails. To be absolutely clear: no one at Google reads your Gmail, except in very specific cases where you ask us to and give consent, or where we need to for security purposes, such as investigating a bug or abuse," she explained.
She also offers some details about how Google vets developers, and what controls are in place for business G Suite and consumer Gmail accounts.
"A vibrant ecosystem of non-Google apps gives you choice and helps you get the most out of your email," explained Frey.
That review process includes checking that the apps are represented to users accurately, are clear about how they use data, and only request relevant data.
Additionally, users can use Google's Security Checkup to review permissions already granted to third-party apps, and revoke them. G Suite admins can create a whitelist of approved apps that can access user data.