Google Gives In, Adds Tougher Rules For App Developers Accessing Gmail

App developers will have a harder time accessing Gmail data, thanks to a revised Google policy regarding Gmail APIs.

The changes, which are designed to “give our users the confidence they need to keep their data safe,” will take effect on January 9, 2019, Google says in a blog post.

Apps accessing Gmail APIs will have to submit an application for review starting on that date. Failure to file by Feb. 15 will result in new grants from consumer accounts being disabled on Feb. 22, Google says.

These reviews must be submitted via the Google API Console.

The change follows a public outcry set off by a July report by The Wall Street Journal on developer access to Gmail data, and subsequent Congressional grilling of the company about the practice. 

The changes in policy cover the following areas:

Appropriate access — Gmail users allowing apps to access their email without direct interaction will be provided with additional warnings, and will be required to re-consent at regular intervals, Google states.  

How Data May Not Be Used — Third-party apps accessing these APIs will be prohibited from transferring or selling the data for ad targeting, market research, email campaign tracking “and other unrelated purposes.” Instead, they must use the data to provide user-facing features.

For instance, “consolidating data from a user’s email for their direct benefit, such as expense tracking, is a permitted use case,” Google writes. “Consolidating the expense data for market research that benefits a third party is not permitted.” In addition, human review of data will be strictly limited, Google says.

Accessing Only Information You Need — During application review, Google will tighten compliance with its existing policy on limiting API access to the information necessary to implement the user's application.

How Data Must Be Secured — Apps will be asked to show they have secure data handling. This will be done through “application penetration testing, external network penetration testing, account deletion verification, reviews of incident response plans, vulnerability disclosure programs, and information security policies.”

Google adds that “applications that only store user data on end-user devices will not need to complete the full assessment but will need to be verified as non-malicious software.”  

In addition, Google is encouraging developers to use Google Add-ons as their preferred platform “for the best privacy and security for users.”

It adds that developers who do so will get “the added bonus of listing their apps in the G Suite Marketplace to reach five million G Suite businesses.”

According to The Wall Street Journal, Google executives told lawmakers that “it continues to allow other companies to scan and share data from Gmail accounts, responding to questions raised on Capitol Hill about privacy and potential misuse of the information contained in users’ emails.” 

The practice is permission-based, but that apparently has failed to mollify critics.

Google contends that “Google API platforms have a long history of enabling a vibrant and secure third-party app ecosystem for developers — from the original launch of OAuth which helped users safeguard passwords, to providing fine-grained data-sharing controls for APIs, to launching controls to help G Suite admins manage app access in the workplace.”

 
