The Wall Street Journal, which was the first to point this out, called it "tech's dirty secret" that has been kept under wraps for a long time.
What is unclear is how closely these outside developers adhere to their agreements and whether Google does anything to ensure they do, as well as whether Gmail users are fully aware that individual employees may be reading their emails, as opposed to an automated system, the report says. According to the Wall Street Journal, Google does little to police developers that gain access to inboxes by offering email-based services such as price comparisons or other tools. Google has since stopped that practice, but not everyone else did.
"In another case, employees of Edison Software, another Gmail developer that makes a mobile app for reading and organizing email, personally reviewed the emails of hundreds of users to build a new feature, says Mikael Berner, the company's CEO", the report said. However, installing them hands the app developers. According to the report, apparently it has become "common practice" for marketing companies to scan the emails of their users, although we suppose common isn't necessarily good.
As per a statement issued to The Verge, Google said it provides data only to outside developers it has vetted and to whom users have explicitly granted permission to access email. There's no doubt that some of the actions described, such as having employees read users' emails to train machine learning algorithms, are cause for alarm.
While these kind of apps do ask for user consent, numerous forms don't make it explicitly clear that a human will be reading through your emails, not just a machine. Because the messages aren't end-to-end encrypted, the company has the ability to read them whenever it wants.
Gmail's opt-in alert spells out generally what a user is agreeing to.
It pointed the BBC to its developer policies, which state: "There should be no surprises for Google users: hidden features, services, or actions that are inconsistent with the marketed objective of your application may lead Google to suspend your ability to access Google API Services".