Third-party developers may access emails on Gmail if users give them access to the data, that's the main takeaway from a new Wall Street Journal story (which I don't link to because paywall).
Google users may authorize companies to access account data. Some companies may request access to "read, send, delete, and manage your email" which gives them full access to emails on Gmail.
Users need to give explicit consent to applications or services, and if that happens through a token-based system that Google uses for this kind of authorization, it does happen without users having to supply their username or password to these companies.
Clients and services may require access; a third-party email client needs access to emails, and an add-on that runs directly on Gmail needs access as well.
One could say that users are responsible for granting access to their data. Google told The Verge, which reported on the story of the Wall Street Journal, that all companies are vetted before they are allowed to request user data.
The other side of the medal is that developers sometimes request permissions that they don't need explicitly and that it is often difficult for users to determine whether the request makes sense. There is also no option to deny certain access, it is always an all or nothing type of situation.
The biggest takeaway, however, is that access is not restricted to computers accessing the data but that human employees may and do read emails as well. Google itself is very strict about giving employees access to emails and limits it to situations where a security issue or bug requires it, or when users give Google explicit permission to do so according to the Wall Street Journal.
Google's system allows or disallows access to the email data only; the company makes no distinction between algorithms that read emails, for instance to provide functionality, and humans who read it. In other words: if you grant a company access to your email data, it may be that human employees read it.
Some Gmail users may be shocked when they realize that humans may have read their emails on Gmail. Companies may reveal additional details about how data is processed but most users don't read privacy policies, terms of service, and other legal documents prior to allowing access to their data or installing applications.
The very first thing that you may want to do is open the Permissions page for your Google Account to make sure that only legitimate applications and services have access to it. We suggested the very same thing last year after a big Google Docs phishing scam hit Google users.
You may need to research each individual program or service to make an educated decision. If you use the email client Thunderbird for example, you may see it listed as a third-party app with account access.
You can remove access for any service or application listed on the page and should do so for any that you don't use.
Now You: Do you permit third-party apps access to important data?
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.