Google's stunning plan to avoid apps slurping Gmail inboxes: Charge devs for security audits
Requirement threatens to break the bank
To prevent a data grabbing snafu along the lines of Facebook's Cambridge Analytica scandal, Google is asking developers who use sensitive Gmail APIs to pay for a security audit that proves their apps play by the rules.
And the cost – anywhere from $15,000 to $75,000 or more, every year – could put some smaller companies out of business.
"The impact is massive," said James Ivings, co-founder of SquareCat, in an email to The Register. "We are a small company and are facing the likelihood of shutting down in the face of the charges, as they are currently well beyond our means. Out of the thousands of apps using the API I think our situation will be very common."
His company makes, among other things, a bulk email unsubscription app called Leave Me Alone.
Google announced its privacy policing plan in October 2018, three months after a Wall Street Journal report about how developers of apps that interact with Gmail messages – such as email analytics biz Return Path – have programmatic access to sensitive email contents and metadata.
The change followed years of criticism from competitors, and lawsuits, over Google's algorithmic parsing of consumer Gmail messages to refine the ads delivered through the service, a practice Google repudiated in mid-2017.
The revised Google API rules took effect on January 15, 2019, and apply to all new apps implementing Google's APIs. Apps that existed prior to this date have until Friday, February 15 to begin the application review process.
Developers who fail to submit their apps for review by February 15 will no longer be able to add new users from February 22, and face revocation of API access on March 31.
"We introduced the new policy to better ensure that user expectations align with developer uses and give users the confidence they need to keep their data safe," a Google spokesperson explained in an email.
Not everyone is happy
The situation underscores the business risks of relying on platform rules that are subject to change at any time but not subject to neutral oversight.
The only option for those dissatisfied with the changes is to take their business elsewhere. Ivings said it may be that his firm will be forced to "pivot to supporting other services exclusively, such as Outlook, instead of Gmail, abandoning a large portion of our users."
Among apps implementing Google APIs, the subset using what Google calls Restricted Scopes – Gmail OAuth API scopes that allow reading, creating, or modifying message contents, attachments, metadata, or headers, or that control mailbox access, message forwarding, or administrative settings – faces extra scrutiny: an annual security assessment, backed by a Letter of Assessment from a Google-designated third party, by the end of 2019.
This applies only to consumer-facing apps, like Leave Me Alone, which uses these Gmail APIs to identify newsletters, spam, and subscription messages and provide a bulk unsubscribe option. It also applies to Clean Email, which uses the Gmail APIs to organize and label messages. It doesn't apply to apps that interact with G Suite accounts, because workers have no expectation of privacy from corporate admins.
Clean Email founder Kyryl Bystriakov, in an email to The Register, said he welcomes Google's enhanced privacy requirements because Clean Email was built around respect for users' data and has no intention of selling or aggregating it.
"We believe that paying money for our services is a much more honest and straightforward transaction," he said.
Bystriakov said he was stunned to learn that Google will require apps using the Restricted Scope APIs to pay $15,000 to $75,000 for annual security audits.
"As a business owner who deals with users’ data and privacy every day, I understand where such a requirement is coming from," he said. "I also believe that it’s not only overkill but it will also destroy the development community they’ve been building around their APIs."
And there's not much room to negotiate on price; Ivings said Google provided only two approved auditing firms to choose from. "Essentially these firms now have a monopoly market over the thousands of apps that must now commit to having the audit performed," he said.
Asked whether it has different standards for companies that collect Gmail data for marketing purposes and companies focused on subscription revenue, Google insists it is applying its rules to everyone in the same way. "The terms of the User Data Policy apply to all developers," the company's spokesperson said. "We are not offering different arrangements."
Bystriakov argues Google should do exactly that. He suggests different business models bring different sets of risks and should be covered by different standards.
Assuming their respective privacy policies are accurate, Clean Email and Leave Me Alone make significantly stronger privacy commitments than companies in the data collection business. Clean Email, for its part, says it only collects email addresses. Leave Me Alone says, "We do not store content of any of your emails in any form."
Compare that to Unroll.me, a firm caught selling email data to companies like Uber in 2017, prompting an apology (for failing to communicate its business model) and a clearer declaration of its data trafficking.
Unroll.me says it collects "purchase receipts, sales receipts, delivery confirmations and returns, subscription confirmations and cancellations, registration confirmations, transaction summaries and the like" to prepare market research reports for corporate clients. And that's in addition to IP address, the URLs of visited web pages, referring and exiting pages, page views, time spent on page, and other interaction metrics.
The Register asked Unroll.me for comment but we've not heard back.
"I really hope that Gmail will revise its requirements around the security assessment or provide other ways to achieve compliance – by requiring different levels of compliance for different user bases or offering services for developers enabling them to achieve compliance faster and easier," said Bystriakov.
Ivings said there must be a better way of ensuring trustworthy behavior than creating a financial barrier for companies that want to improve the experience in a Google product. "Imposing penalties on companies that abuse the terms of service might be effective," he said. "Or creating a more granular or restrictive set of API access rules would certainly help. For example, the GitHub API restricts apps to very specific things such as reading an email address, or editing a file, in contrast to Google's 'you-can-now-read-everything' permissions." ®