An email inbox is a vault of secrets. In recent years, millions of users have been giving out the combination.
An investigation by The Wall Street Journal this week found that hundreds of software developers have obtained access to the contents of inboxes using tools provided by Google and other major email services. In some cases, data miners use free apps to hook users into giving this access without clearly stating what information they collect, current and former employees of these companies said.
Computers are generally used to scan hundreds of millions of messages a day, but in some cases, employees at email data companies have personally reviewed emails to help train software programs, the people said.
Protecting email from prying eyes is generally not that hard—even if it is a new concept for many users, who have long operated under the assumption their email is private.
The best way to prevent developers from prying into your email is simply not to use any of the apps that ask for this permission, privacy experts say. If that isn’t an option, users should do some research about what data these companies are collecting and how they plan to use it. The email apps provide services such as productivity tools, shopping-discount finders and travel itinerary planners, but they at times do so in exchange for data, such as which products a user has purchased or what types of commercial emails they are most likely to open.
Email may pose even more security risks than social-networking profiles, because it may contain banking details, health records and login credentials for dozens of accounts all tied to one person, said Domingo Guerra, president of digital security firm Appthority.
“You are trusting [developers] with the most vital credentials you have,” Mr. Guerra said.
Google, owned by Alphabet Inc., lets users review all of the information about what apps have access to their account, including Gmail and other services. On the company’s “my account” page, users can see which apps have permission to “read, write, delete and manage” their email, and click a button to remove access to any of those apps.
Microsoft Corp. , the second-largest email provider, lets users access a similar dashboard.
Removing access to an app doesn’t necessarily mean your data has been deleted. Some developers continue to store email data on their servers until users explicitly ask them to stop.
To learn more about why those developers need that access, users should review the privacy policies of each company. App developers usually say whether they download user data to their servers, and how long they keep it. If a company says it shares or sells data to third parties, that raises a new set of questions and potential red flags, said Jules Polonetsky, CEO of the nonprofit Future of Privacy Forum
A question users should ask is, “Are they making money by selling information about inboxes?” Mr. Polonetsky said.
Doing research into a company’s policies and practices may also require looking into the company itself. Many app developers are small teams of engineers who have little training in privacy practices, and few resources to secure data.
Trevor Hughes, president of the International Association of Privacy Professionals, suggests looking at any reviews or ratings that other users have left for an app, and checking to see if the company is up front about its business model.
“How much advertising is supporting it?” he said. “You should be wary of things that suggest they are free.”
Some email apps let users opt out of sharing their information with developers and still use the service normally. Edison Software, a mobile app that scans user inboxes to collect data about commercial emails, lets anyone opt out of this data collection by following a link in its privacy policy.
Write to Douglas MacMillan at douglas.macmillan@wsj.com