Millions of people use third-party apps in conjunction with their Gmail accounts, and hundreds of millions of messages flow through the service on a regular basis. Last year, Google itself vowed to stop scanning users’ personal emails for data-driven advertising gold but it reportedly is still giving outside apps the ability to snoop through inboxes.

Third-party apps have been at the heart of Facebook’s ongoing privacy controversies over the last several months. Beginning with the revelation that political data firm Cambridge Analytica bought the private data of Facebook users who signed up for a quiz app, it’s become all too clear that the social network isn’t good at maintaining control of the information that earns it billions. This was reiterated last week when Facebook admitted that a third-party app had left the data of 120 million users exposed for anyone with the wherewithal to collect it. But as so many readers remind me on a regular basis, this isn’t just a Facebook problem, it’s a tech giant problem.

Google is arguably just as dangerous or even worse than Facebook when it comes to protecting users’ privacy. As the Wall Street Journal pointed out on Monday, there are hundreds of outside software developers that have free rein over your most sensitive emails. And it’s not just a reminder that algorithms can gather data to target you with ads and other types of messaging—flesh and blood humans do it, too. In the report, the Journal gave numerous examples, including:

One of those companies is Return Path Inc., which collects data for marketers by scanning the inboxes of more than two million people who have signed up for one of the free apps in Return Path’s partner network using a Gmail, Microsoft Corp. or Yahoo email address. Computers normally do the scanning, analyzing about 100 million emails a day. At one point about two years ago, Return Path employees read about 8,000 unredacted emails to help train the company’s software, people familiar with the episode say…

Letting employees read user emails has become “common practice” for companies that collect this type of data, says Thede Loder, the former chief technology officer at eDataSource Inc., a rival to Return Path. He says engineers at eDataSource occasionally reviewed emails when building and improving software algorithms.

“Some people might consider that to be a dirty secret,” says Mr. Loder. “It’s kind of reality.”

It is, indeed, a reality. It’s a reality because we like using novelty apps one time and forgetting about them, or because we find one client to have a more pleasing user experience than the basic Gmail app. Last April, Gizmodo did a deep dive into the methods unroll.me, a subscription-cleaning service, uses to worm its way into your private life without you stopping to think about it. Two months later, Google said it would stop doing its own data scans of Gmail’s free users to target advertising. But a group of third-party developers was still allowed to do it. The reason, in a nutshell, is the ever-devious user agreements that users never read.

Both Return Path and eDataSource cited user agreements as their cover for engaging in such practices. For its part, eDataSource did tell the Journal that it has stopped allowing employees to go through strangers’ emails.

We reached out to Google to ask for comment on the story and if it intends to continue this practice, but we didn’t receive an immediate reply. A spokesperson for the search giant told the Journal that the company vets all developers that are given access to its service and “if we ever run into areas where disclosures and practices are unclear, Google takes quick action with the developer.” That’s, ya know, comforting.

Fortunately, you can check right here to see if you’ve given any apps access to your account. It’s also always good to let corporations know that this is the kind of practice that makes them untrustworthy.

[Wall Street Journal]