back to article Google's stunning plan to avoid apps slurping Gmail inboxes: Charge devs for security audits

To prevent a data grabbing snafu along the lines of Facebook's Cambridge Analytica scandal, Google is asking developers who use sensitive Gmail APIs to pay for a security audit that proves their apps play by the rules. And the cost – anywhere from $15,000 to $75,000 or more, every year – could put some smaller companies out of …

  1. Anonymous Coward
    Anonymous Coward

    So paying for a sticker takes the curse off ?

    What will the Googley ones do when an "approved app" is found slurping ?

    1) Immediately drop it, refund the developer and pay damages to the customer

    2) Having been paid by the developer, take their side and tell the customer to Foxtrot Oscar

    3) Having got the cash, tell both the developer and the customer to Foxtrox Oscar ?

    answer via Gmail, please ....

    1. 142

      Re: So paying for a sticker takes the curse off ?

      Devs aren't expected to pay Google in this model - they pay the auditors.

      The fee listed in the article is simply a de facto price for getting approved, because there are only a couple of auditors approved.

      So Google can certainly decide to fuck over either the customer or the developer at their complete discretion, without worrying about audit-related refunds or income streams.

      1. Anonymous Coward
        Anonymous Coward

        Re: So paying for a sticker takes the curse off ?

        So Google can certainly decide to fuck over either the customer or the developer at their complete discretion, without worrying about audit-related refunds or income streams.

        In other words, business as usual.

  2. Harry Stottle

    We look forward to Gmail's Own Security Audit

    I'm unaware of any formal security audit of Gmail itself. That could just be ignorance on my part, but I have searched, using google of course, and failed to find one. (Kindly correct me if I've missed it)

    Assuming it's absence is not my oversight, I presume Google intend to lead by example.

    Other fairy stories are available

  3. Anonymous Coward
    Anonymous Coward

    When will using GMail (or any Google Service...)...

    seem so old fashioned?

    Like those who still hang on (for the love of Mike I don't know why) to an email address.

    IMHO Google are really trying to build a walled garden that is not only higher but has a far more costly entrance fee if you want to plant something inside than Apple and their's is bad enough.

    Again, IMHO there are vast numbers of people who think their whole portal to the internet is Google Search. Like 'Internet Explorer was the Internet' in days of yonder. They google for literally everything and get the ads as a result. No matter how much you tell them that there are alternatives and ways to get rid of the ads, they carry on as before totally ignorant about their footprint on the internet and how it might affect their lives.

    I know that some people here swear by Google but I don't. I think that they went over to the dark side years ago.

    1. old_IT_guy

      Re: When will using GMail (or any Google Service...)...

      They're a business, they exist to make money, any claims of loftier goals are a smoke screen to give their unfettered greed a veneer of appeal for the benefit of their marks.

    2. Warm Braw Silver badge

      Re: When will using GMail (or any Google Service...)...

      It's not just the walled garden - do you really want the very existence of your email service (or any other service) to depend on the good will of Google?

      And why would you cheapskate with a free e-mail service and then pay, for example, £7.49 a month to Clean Mail, to deal with its deficiencies? Surely at that sort of price these companies could throw in an actual e-mail service for free with their offering? And a domain name? Or are they all in fact dependent on people who don't understand that "Gmail" is not the only mail sysyem out there, in which case perhaps they deserve their fate

      This type of service offering makes no sense - you put your personal data on a random server with no guaranteed longevity and constantly-changing terms of use, then give access to it to a bunch of other organisations with similarly unpredictable consequences, possibly in jurisdictions where you have no effective means of securing even the most basic of remedies - but it seems increasingly to be the default. All of these "smart home" devices seem to work the same way. If it weren't for global warmiing, the collapse of the insect population and eternal Brexit, it's something we might have had to worry about.

      1. This post has been deleted by its author

      2. holmegm

        Re: When will using GMail (or any Google Service...)...

        It's not just the walled garden - do you really want the very existence of your email service (or any other service) to depend on the good will of Google?

        To play devil's advocate - I've been on the consumer internet since the beginning. I've changed email providers every time I changed ISPs, until I said to heck with it and went with Gmail. Frankly, Gmail has been more stable and had more longevity than just about anything else out there.

    3. 142

      Re: When will using GMail (or any Google Service...)...

      There are plenty of alternatives, but it's clunky to use the multiple alternative services together, in the way you need to do to replicate what you get with Google's integrated services. And you also have to find the good alternatives, because half of them are like moving to Gimp from Photoshop. Google's consumer facing services (if you ignore their Docs stuff, perhaps), "just work".

      Now, I'm not saying we shouldn't ditch Google entirely - I'm in the process myself - but it's annoying to do so once you've got used to them. And people don't generally voluntarily do things that annoy them.

    4. Doctor Syntax Silver badge

      Re: When will using GMail (or any Google Service...)...

      Gmail has its place.

      Fr'instance, I run a website for a community group. We get free hosting as a community group so it runs without any budget at all. The only cost was a nice extra in that I paid to register a domain which is then linked to the free hosting. Several years registration is pocket change. But we wanted a mail address for a "contact us" form and that certainly wasn't going to go into my private domain because I still live in hopes that someone else will share the responding and if I can get a free address elsewhere it isn't going to go into the domain I registered for the site because that would cost extra. So Gmail it is.

      Actually, I find Gmail by web to be clunky, like any other webmail.

    5. BoomHauer

      Re: When will using GMail (or any Google Service...)...

      Simply adding any type of paywall immediately dumps 90% of the dodgy characters.

      1. Anonymous Coward
        Anonymous Coward

        Re: When will using GMail (or any Google Service...)...

        Simply adding any type of paywall immediately dumps 90% of the dodgy characters.

        I see you too have noticed that the Reg doesn't charge us to empty out intellectual bowels in these forums......

      2. zuckzuckgo Bronze badge

        Re: When will using GMail (or any Google Service...)...

        "dumps 90% of the dodgy characters."

        And 98% of the rest of us, as I suspect the dodgy characters have more free cash flow.

  4. Terje

    I'm not cynical, trust me.

    Once upon a time Google was a company that I actually liked, nowadays they seem to morph into a more sinister version of the NSA.

    I assume that any audit of the GMail codebase would show so many obscene things done to any mail that pass through it that it would almost show on the bottom line result if it got out...

    I'm sure internal google audits done years ago have shown that they were clearly not slurping enough information and not correlating it enough in earlier versions, but I'm sure that have been corrected a number of years ago, so by now there's unlikely to be any more missed revenue to be gathered by additional audits.

  5. Nick Kew

    Do something!

    They're under huge pressure from governments and media to Do Something. But that "something" is horribly undefined, and we know very well that the kind of things they have to do can't be reliably automated. Nor even reliably assigned to human judgement. Where there are huge grey areas, a US court and a German court might order them to do diametrically opposite things.

    This is Doing Something. On a damned-if-you-do, damned-if-you-don't basis.

    If it kills off a lot of small biz, it's kind-of closing off a zero-investment business model that's pretty rare outside the 'net. At least it isn't the many-millions cost of getting anything licenced in a safety-critical biz like medicines.

    And it probably does reduce the risk of a Big Bad Scandal, by reducing the pool of places from which a Big Bad Scandal could come. So from the point of view of Protecting The Children (etc) it's probably a Good Thing. Throwing the baby out with the bathwater[1] might be seen as a side-effect but is kind-of what they're being told to do.

    Maybe a logical next step would be to create a discipline of Auditor for sensitive APIs, and a specific qualification for it. Then you get your app independently audited and signed off in the same way as your accounts. Except we kind-of know how ineffectual that process is from the number of companies going bust with big holes in their accounts after a clean audit.

    [1] Does that expression go beyond Blighty, or does it look a bit weird to international readers?

    1. MAH

      Re: Do something!

      Throwing the baby out with the bathwater[1] - Us CDN's have used that one before too...but we are joined at the hip so to speak...

  6. iron Silver badge
    Black Helicopters

    Anyone with nefarious goals will just pay the money and either bribe the auditor or hide their plans. It's not like Putin doesn't have the cash available.

    1. Jamie Jones Silver badge

      ..... or change their code back the minute the auditors have left.

  7. Giovani Tapini

    Business before pleasure...

    Any app from any app store, including fruit flavoured ones collecting personal information should arguably be audited. This is information over and above that already collected by the app store owner, Google or otherwise.

    In some ways, this is a really good idea, although instead of pushing an auditable qualification standard, pushing specific auditor firms and costs does not sit well with me.

    It's always fun to bash Google, however business before pleasure and all that, I would rather see other stores take a similar stance, albeit with a more flexible regime depending on the data collected and the volatility of the use-cases. These proposed costs do seem rather excessive for the masses, and will probably end up inefficiently re-auditing a few advertising solutions hundreds of times as they are consumed in apps. Frankly Google, evil or otherwise, is scrutinised far more than's independent, unsupervised, data harvesting operation.

    1. zuckzuckgo Bronze badge

      Re: Business before pleasure...

      By creating a high entry barrier (but blaming the outside auditors for the costs) Google will eliminate many free or low cost add-ons. Google can now provide these missing features in the paid accounts making this part of a strategy to better monetize GMail.

      As data collection tactics are get more scrutiny and regulation the notion of "free" services is going out of fashion at Google.

      1. M.V. Lipvig

        Re: Business before pleasure...

        So what you're saying is that this is the foundation for Google's casket. Excellent. People have had free Google for years, paid for by data slurpage far beyond anyone's imagination. Now that people are getting it through their thick heads that personal data is quite valuable, they are no longer going to be satisfied with just getting email for their data. However, nobody is going to fork over good money for something they've never paid for.

        Bye Google, it was (not) nice knowin' ya!

  8. adnim


    Such API's should not exist. At least those that parse the email content.

    How many people using gmail think that their emails are private? Those that do not read the T&C's and privacy policy?

    Almost everyone with a gmail account then.

    Those users who are not smart enough to tag an email as spam or open, read and click on links in emails from unknown sources, well what can I say?

    1. Jamie Jones Silver badge

      Re: imho

      Removing those api's restricts the ways you can access their services.

      For example, IMAP access is an "API that parses email content".

      The answer is more granular control over what/who can access what, and clearer descriptions to the user to what the permissions they grant actually allow.

      Less of this wishy washy vague stuff that facebook and google via android have been getting away with.

      1. zuckzuckgo Bronze badge

        "The answer is more granular control"

        Agreed. On my laptop, I access my GMail account through Thunderbird and want to continue to do so.

        Thunderbird allows me to view messages from both my GMail and non-GMail accounts in one place, without having to share the non-GMail messages with Google.

        1. M.V. Lipvig

          Re: "The answer is more granular control"

          Data That Is Not Shared With Google??!? We Can't Have That!!! Off With Thunderbird's Head!!!!!

        2. andrew2

          Re: "The answer is more granular control"

          You can do the same with Gmail, any email account can be run through the Gmail interface.

  9. Fred Flintstone Gold badge

    Well, I can make that simple

    To prevent mistakes, how about keeping your fingers simply out of people's email, Google? Just imagine what a shocking amount of pretence and fake certification efforts that would save.

    What? Oh, that eats into your profit? Well, wouldn't it have been simpler to base your revenue on methods that are actually legal in the countries you operate, or am I missing something here?

  10. Anonymous Coward
    Anonymous Coward

    What about IMAP?

    Some of those APIs mentioned are also presented by IMAP, so couldn't those apps with nefarious intent simply use IMAP to access the messages and do whatever evil things they want? I guess if or should I say when that happens, Google will wash their hands of it, claiming that since IMAP is a published standard they aren't responsible.

    1. Nick Kew

      Re: What about IMAP?

      Imap accesses individual accounts. So

      (a) you need credentials to access an account.

      (b) you're accessing something personally identifiable and private.

      Well and truly out of any kind of grey area of using a corpus for, say, linguistic research.

      1. ckm5

        Re: What about IMAP?

        The only real difference is credentials by proxy (Oauth) or directly via an 'application password'.

        The level of information you access AFAIK is the same.

  11. Henry Wertz 1 Gold badge


    OK... I am thinking if these APIs are so privacy-busting, they should not be used by anyone. Charging that kind of change (and then excluding apps who are trying to abuse your private data for profit) should make sure these APIs go properly unused.

  12. ckm5

    Just use IMAP

    Seem pretty obvious but this in no way affects the IMAP interface AFAIK, only Oauth-authenticated APIs.

    Edit: Ninja'd above by Doug S.

  13. JohnFen


    That's an insane pricetag.

  14. whitepines

    While I don't agree with Google in any way here (we all know it turns into a big-tech-pay-for-slurp / bribe auditor fiasco)....

    Awww. The poor rent-seeking app developers might have to actually pay an annual fee instead of just sitting back and collecting overpriced annual subscription fees for their simplistic app? Shoe on other foot, how do they like it?

  15. Anonymous Coward
    Anonymous Coward

    All this talk of walled gardens reminds me of 'The Herbs' (a childrens TV series in the 60's &70's) with ther regulators running around like Dill the dog...

    If only there was a fenced garden (i.e. visibly open) that did the stuff we apparently need such as phones, email, search etc. Now this might sound mad (it did to me initially!) but why couldn't Amazon do this? - as far as i'm aware they don't sell or share user date outside of their own organisation and the advertisding I do get from them is comparatively 'light touch', unlike Apple, they want to appeal to everyone and seem to support a broad range of browsers, media and playback methods.

    I'm not saying Amazon are knights on white chargers - far from it, they've done their fair share of snuffing out the competition and have questionable methods of complying with employment law but in terms of spaffing user data to the four winds of the internet, they currently seem to be the least worst of the bunch.

    1. JohnFen

      "in terms of spaffing user data to the four winds of the internet, they currently seem to be the least worst of the bunch."

      Just wait. They're only now getting into the wider online advertising business, and have already shown every sign that they'll be no better than Google, Facebook, etc.

  16. whoseyourdaddy

    Between the third-party libraries and the general Google "kick-me" state of their play store. Money wasted, IMHO.

    I abandoned Google because I was receiving emails not intended for me. My alias was punctuation between my first and last name. Apparently, they are really bad at hashing.

    1. holmegm

      "I abandoned Google because I was receiving emails not intended for me. My alias was punctuation between my first and last name. Apparently, they are really bad at hashing."

      Mine is precisely that, and I get the emails not intended for me too. But that's because people don't know their customer's/friend's/lover's - or heaven help us, their own - email address, not due to a technical error.

    2. zuckzuckgo Bronze badge

      GMmails not intended for me

      My son's GMail address uses his first and last name which also happens to be the same name as someone that aggressively markets themselves as a "Love Guru". As a result he gets some very interesting emails from people that are confused about who they are messaging.

  17. andrew2

    It's all a very grey area... how long will the assessment be good for... a few months, a year, or every time you have a major update to your code?

    So although the initial cost maybe 15-75K there is no discussion as to future assessments or cost.

    Finally you can have any security protocol in place and it doesn't stop some rogue programmer changing something in the future....

    (Remember Dr Strangelove where the American president phones the Russian president and say's something like: "I'm sorry Dimitri, one of our commanders went a little loopy and launched an attack on your country")

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021