It’s frustrating to me when I hear people call Facebook’s Cambridge Analytica scandal a ‘breach’ or a ‘leak’ because it’s important for every Facebook user to know that it wasn’t. Cambridge Analytica happened because of an exploit of Facebook’s own tools, with the knowledge and implied permission of at least some of Facebook’s employees.
It turns out, Gmail hadn’t been paying enough attention and in 2017, they got caught out, too. One of Gmail’s strengths is the indie developer community that builds integrated apps, such as organization and backup tools. One, Unroll.me, was discovered by the New York Times to be collecting Lyft and Uber receipts from customers’ Gmail accounts and selling them to one or both companies to use as intelligence on the other. Google has been strengthening their policies ever since and Wednesday marked the introduction of the latest suit of armor around Gmail data.
Any app that wishes to integrate with Gmail whatsoever must now pass a human-led verification process (à la Play Store). Regarding data, the verification process checks that the app accesses only the minimum data it needs, that it does so in a secure way, and that the user knows what they’re sharing. Each app must also comply with Gmail’s data usage policies, which prohibit companies from selling, transferring or using the data for tracking, advertisement, research, or any purpose that doesn’t serve the customer.
There are also two requirements borrowed from the Play Store’s list of issues: developers must be transparent about parent companies and only request the minimum number of permissions.
One last requirement turns out to be a bit of a doozy: the app must be relevant to email. While we don’t have a list of who’s passed and who hasn’t, Google is sending users with unverified apps a warning message, and thus we know that Microsoft’s SwiftKey and SMS Backup+ will no longer be supported. SwiftKey employs a user’s emails to inform its text prediction service, while SMS Backup+ is an open source kit that changes text messages into emails.
Google’s email warning reads: “We wanted to let you know that the following apps may no longer be able to access some data in your Google Account, including your Gmail content. If these apps are unable to meet the deadline to comply with our updated data policy requirements, they’ll lose access to your Account starting July 15th, 2019.”
However, for any company that needs to store Gmail data on their own servers (most of them), the verification process is only part one. The second part is a more challenging third-party security assessment that Google is charging between $15,000 and $75,000+ per company to complete, with the cost adjusted to the company’s size.
“There’s absolutely no way for a company engaged in collecting user data to pass verification at this stage.”
Clean Email, originally built by Kyryl Bystriakov to help his wife organize her iCloud account, became a popular mailbox organizer and clean-up service after the Unroll.me scandal, as it was one of the few services that protected users’ data from the beginning. While they support Google’s focus on security, they note the harsh impact of the cost of the security assessment.
“We’re absolutely pro-security and we welcome Google’s move – they are doing their best to balance between comfort and security of their users and an ecosystem they created. At the same time, apps, like Clean Email, that have been already verified by Google, will have to go through the security assessment which costs between $15,000-$75,000 every year. We believe that this will destroy the development community Google have been building around their APIs. A $15,000 ‘entry fee’ will mean that fewer developers will be starting their businesses around Gmail and the indie market will simply die.”
The cost of security is high, in both the literal and figurative sense, but it must be said that Google is not doing developers any favors. As SMS Backup+ is open source and has no business component, it is impossible for it to misuse data. “I’m sorry about this situation, SMS Backup+ will no longer have access to Gmail, mainly because it’s not an email reading app. I applied for an exception but it was declined, as expected,” SMS Backup+’s developer Jan Berkel confirmed on GitHub.
The period beginning last Wednesday and ending July 15 will mark the death of numerous Gmail-integrated apps, and at a later date, Google Drive will receive the same policy update. On one hand, this will be a rough transition for a group of users and third-party developers, but on the other, it will be harder for a Cambridge Analytica-type exploit to reach Gmail users.