Google’s policy of requiring developers who use Gmail apps to pay for security audits costing up to $75,000 could hurt small businesses, according to a Monday report in The Register.
"The impact is massive," says James Ivings, co-founder of SquareCat, The Register reports. "We are a small company and are facing the likelihood of shutting down in face of the charges, as they are currently well beyond our means.”
And Kyryl Bystriakov, founder of Clean Email, states: "As a business owner who deals with users’ data and privacy every day, I understand where such a requirement is coming from. I also believe that it’s not only overkill but it will also destroy the development community they’ve been building around their APIs."
Google confirmed the policy change, telling MediaPost: “We introduced the new policy to better ensure that user expectations align with developer uses and give users the confidence they need to keep their data safe.” However, it did not comment on the Register story.
As reported by MediaPost last October, Google toughened its rules following a July Wall Street Journal storyalleging that hundreds of millions of Gmail messages had been sifted through by app developers, and subsequent Congressional grilling of the company about it.
The new security assessment costs are discussed in an FAQ on the policy on the Google site. It says:
"First, your application will be reviewed for compliance with policies governing appropriate access, limited use, minimum scope. Thereafter, you will use a third party assessor to begin your security assessment. Your app will have the remainder of 2019 to complete the assessment."
It continues: “The assessment fee is paid by the developer and may range from $15,000 to $75,000 (or more) depending on the size and complexity of the application. This fee is due whether or not your app passes the assessment; the fee includes a remediation assessment if needed."
One firm with access to the data, as reported by the Journal, is Return Path. It presumably can afford any security assessment fees.
The costs are not the only changes. Google lists rules on appropriate access, how data may not be used, how data must be stored, and one stating that developers can access only the information they need.
Google does not allow scanning of emails to drive targeted advertising, a practice it halted in 2017.