Correction: Google provides access to scan user email. I’m going to say it again: The search giant confirmed that third party apps that integrate into Gmail have the ability to scan user’s email.

While the company stopped its controversial practice of scanning the email of its 1.4 billion users in order to serve ads, it admitted in a letter to United States senators that developers of third party extensions that manage tasks like trip planning and auto-replies have access to the content of user emails.

The only requirement for the developers to be able to do so is that the third party developer communicate what they are doing and, “are transparent with the users about how they are using the data,” according to the letter, drafted by Susan Molinari, Google’s VP of Public Policy.

This transparency comes in the form of privacy policies that the the end user has to accept in order to use the extensions.

Google noted in its letter that it is able to stop “a majority” of apps before they are able to access user email data that falls outside of their declared privacy policies, but has declined to provide any real figures on what this means, either in terms of the number of apps it has stopped, how many apps this would entail, or how much user data they have been able to access. Given the company’s omerta-like levels of secrecy, neither the Senate nor Gmail’s user base should be holding their breath for further disclosures.

Even more troubling is the assumption that users are knowingly granting the app developers access to their emails via privacy policies. Privacy policies have in general been found to be problematic since their inception, because–duh–barely anyone reads them: a study conducted a decade ago found that it would require 244 hours per year to fully read each of them, a number which has swelled in the post-GDPR internet.

Another study conducted by Pew Research in 2014 found that half of Americans weren’t aware of what a privacy policy was, and yet another conducted by Deloitte in 2017 found that 97% of internet users between the ages of 18 and 34 click agree without bothering to scan the contents. Another still found that reading and actually comprehending these policies requires a minimum of a college-level reading ability. In other words, they are written in 27th Grade English, and in a mouse-sized font.

The revelation about Gmail’s potential lack of privacy coincides with Google’s warning to U.S. Senators who use its flagship email product that foreign hackers are actively targeting their accounts, primarily via phishing attempts. If the Senators are using third-party apps and have clicked ‘agree,’ it’s possible that their information has already been compromised.