Google is allowing hundreds of companies to scan people’s Gmail accounts, read their emails and even share their data with other firms, the company has confirmed.

In a letter to US senators, Susan Molinari, Google’s vice president for public policy in the Americas, admitted that the company lets app developers access the inboxes of millions of users – even though Google itself stopped looking in 2017.

In some cases human employees have manually read thousands of emails in order to help train AI systems which perform the same task.

The disclosure has uncomfortable echoes of last year’s Cambridge Analytica scandal, in which political consultants covertly harvested data from 87 million Facebook users through a third-party quiz app.

The letter, initially reported by the Wall Street Journal and seen by the Telegraph, also says that app developers can and do share the data with other companies – as long as Google believes their privacy policies make this clear enough.

“Developers may share data with third parties so long as they are transparent with the users about how they are using the data,” said Ms Molinari.

App developers can access Gmail data, including names, subject lines, message text and email signatures, to offer services such as price comparison, travel planning and market research. Most scanning is done by computers but some is performed by human employees, who use the data to check whether the AI is doing its job.

In one previously reported incident, employees at a company named Return Path read 8,000 unredacted emails to train the company’s AI, which collects data for marketers.

Return Path had accessed the emails through a partnership with another company, Earny, which scans emailed receipts to check whether users have paid more for a service or product than they could have elsewhere.

Both companies say this arrangement is clear in Earny’s privacy policy, which states that Return Path has “access to your information”.

In her letter, Ms Molinari said that Google manually reviews the privacy policy of every developer seeking access to “sensitive data” to make sure it “fully documents” its activity, and displays a warning message about any app which fails this vetting.

Apps that “misrepresent themselves” or are not transparent may be suspended and developers must show that they are protecting user data from hacking.

But Marc Rotenberg, president of the Electronic Privacy Information Centre in Washington, DC, told the Journal that privacy policies were insufficient and that there was “simply no way that Gmail users could imagine that their personal data would be transferred to third parties.”

Earny's privacy policy, accessed on September 20, says that it will access and analyse “the content of your emails” and share them with Return Path. Return Path in turn says it will use your data to “understand how you engage with email” and optimise marketing campaigns.

A study by Deloitte last year found that 91 per cent of users consent to terms of service without reading them.

Previously Google itself mined users’ emails for personal data in order to target its advertising, but stopped in 2017 after a class action lawsuit accused it of illegal wiretapping.

The company continues to scan emails to let users search their inboxes, to detect spam and malware and to generate suggestions for its new auto-reply feature, which automatically suggests simple responses to emails. It also uses data from other sources to personalise adverts.

“No humans at Google read users’ Gmail,” said Ms Molinari, “except in very specific cases where they ask us to and give consent or where we need to for security purposes, such as investigating a bug or abuse.”

Google’s letter was sent in July after members of the US Congress asked written questions about the practice. Company executives will testify next week before the US Senate’s commerce committee.

Google declined to comment beyond Ms Molinari’s letter.