Google has confirmed that private emails sent and received by Gmail users can sometimes be read by third-party app developers, not just machines.
People who have connected third-party apps to their accounts may have unwittingly given human staff permission to read their messages.
One company told the Wall Street Journal that the practice was "common" and a "dirty secret".
Google indicated that the practice was not against its policies.
One security expert said it was "surprising" that Google allowed it.
Gmail is the world's most popular email service with 1.4 billion users.
Google lets people connect their account to third-party email management tools, or services such as travel planning and price comparisons.
When linking an account to an external service, people are asked to grant certain permissions - which often include the ability to "read, send, delete and manage your email".
According to the Wall Street Journal, this permission sometimes allows employees of third-party apps to read users' emails.
'Not asked permission'
While messages are typically processed by computer algorithms, the newspaper spoke to several companies where employees had read "thousands" of email messages.
Edison Software told the newspaper it had reviewed the emails of hundreds of users to build a new software feature.
Another firm - eDataSource Inc - said engineers had previously reviewed emails to improve its algorithms.
The companies said they had not asked users for specific permission to read their Gmail messages, because the practice was covered by their user agreements.
"You can spend weeks of your life reading terms and conditions," said Prof Alan Woodward from the University of Surrey.
"It might well be mentioned in there, but it's not what you would think of as reasonable, for a human being in a third-party company to be able to read your emails."
Google said only companies that had been vetted could access messages, and only if users had "explicitly granted permission to access email".
It pointed the BBC to its developer policies, which state: "There should be no surprises for Google users: hidden features, services, or actions that are inconsistent with the marketed purpose of your application may lead Google to suspend your ability to access Google API Services."
It said Gmail users could visit the Security Check-up page to see which apps they had linked to their account, and revoke any they no longer wanted to share data with.
Latest Stories
-
I didn’t speak against holding wrongdoers accountable – Rev. Kwadwo Bempah clarifies ORAL comment
1 hour -
RSS Developers to hold 3-day open house event on home purchasing from Friday, Dec. 27
1 hour -
Elikem Treveh: How TEIN UMaT students contributed significantly to NDC’s victory in Tarkwa Nsuaem constituency
2 hours -
Joy FM Family Party in the Park kicks off with excitement at Aburi Botanical Gardens
2 hours -
JP U-15 Cup 2024: Fadama Ajax wins maiden edition
2 hours -
Lured for Love, Caged for Cash: How an 80-year-old American seeking love was kidnapped in Ghana by a Nigerian gang
3 hours -
Star Oil Ltd @ 25: Driving Growth and Profitability with a Vision for Renewable Energy and a Sustainable Future
4 hours -
American Airlines resumes flights after technical issue
5 hours -
NDC Greater Accra Chairman dismisses unauthorised appointment nomination request
5 hours -
Man City might miss out on Champions League – Guardiola
5 hours -
Joy FM’s Party in the Park set to thrill at Aburi Botanical Gardens today
5 hours -
KiDi performs with childhood idol, Kojo Antwi at ‘Likor On The Beach’
6 hours -
South Korea MPs file motion to impeach acting president
6 hours -
Star Oil Ltd @ 25: Driving growth and profitability with a vision for renewable energy and a sustainable future
6 hours -
Bald eagle officially declared US national bird after 250 years
6 hours