Google has created numerous third-party apps and services to enhance the online experience of users.
However, the success of these apps and services depends on users being confident that their data is safe and on developers following established norms. Over the last few years, Google has consistently strengthened its policies and controls in response to regular internal reviews, feedback from users, and changing expectations about data privacy and security.
At the start of 2018, Google began Project Strobe, a comprehensive review of third-party developer access to Google account and Android device data, and of Google’s outlook on apps’ access to data. The project focused on the operation of Google’s privacy controls, platforms where users weren’t engaging with Google’s APIs because of concerns about data privacy, areas in which developers might have been given too much access, and other domains in which Google’s policies need to be made more stringent. Here are the four major findings and the actions Google has taken recently:
There are considerable challenges in developing and maintaining a successful Google+ product which lives up to the expectations of users.
Action: Google is closing down Google+
Over the last few years, Google has received feedback that users want to clearly understand how they can manage data which they have decided to share with various apps on Google+. Therefore, while working on Project Strobe, Google focused on closely assessing all APIs related to Google+.
The review confirmed what Google was already aware of: although its engineering teams spent a lot of time and effort developing Google+ over a number of years, it hasn’t been widely adopted by consumers and developers and has seen little user interaction with apps. 90 percent of Google+’s user sessions last for more than 5 seconds.
Google’s review demonstrated that its APIs and the related user controls are difficult to create and maintain. Highlighting this as part of its Project Strobe audit, Google found a bug in one of the Google+ People APIs:
- Users can provide access to their Profile data and public Profile details of their associates to Google+ apps through the API.
- The bug meant that apps also had access to Profile fields which had been shared with the user but weren’t marked as public.
- The bug was found and immediately resolved in March 2018.
- The data is restricted to static, optional Google+ Profile fields comprising name, email ID, occupation, age, and gender. It doesn’t include any other data which a user might have posted or connected to Google+ or other services, such as Google+ posts or Google account data.
- Google created Google+ keeping in mind the privacy of users, so it kept the log data of the API for just two weeks. As a result, Google cannot verify exactly which users were impacted by the bug. However, they performed an in-depth analysis over a period of two weeks before resolving the bug. From the analysis, Google found that around 500,000 Google+ accounts were possibly affected. Google’s analysis demonstrated that 438 applications might have utilized the API.
- Google found no proof that any developer knew about the bug, or misused the API.
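The access-control flaw described in the list above can be modelled as a field-level visibility check evaluated from the wrong viewpoint. The following is an added illustration, not Google's code; the profile data, visibility labels and function names are all assumptions constructed for the example.

```python
from dataclasses import dataclass

PUBLIC = "public"
# Constructed label for "shared with the user but not marked as public".
SHARED = "shared_with_connections"


@dataclass(frozen=True)
class Field:
    value: str
    visibility: str  # PUBLIC or SHARED


# Constructed sample data: bob is a connection of alice.
PROFILES = {
    "alice": {"name": Field("Alice", PUBLIC),
              "email": Field("alice@example.com", SHARED)},
    "bob": {"name": Field("Bob", PUBLIC),
            "occupation": Field("Engineer", SHARED),
            "age": Field("34", SHARED)},
}
CONNECTIONS = {"alice": {"bob"}}


def connection_fields_buggy(granting_user, target):
    """Flawed check: visibility is evaluated from the granting user's
    viewpoint, so the app inherits every field that user can see."""
    if target not in CONNECTIONS.get(granting_user, set()):
        return {}
    return {k: f.value for k, f in PROFILES[target].items()
            if f.visibility in (PUBLIC, SHARED)}


def connection_fields_fixed(granting_user, target):
    """Corrected check: the app is a third party, so only fields the
    target marked public are released."""
    if target not in CONNECTIONS.get(granting_user, set()):
        return {}
    return {k: f.value for k, f in PROFILES[target].items()
            if f.visibility == PUBLIC}


def leaked_fields(granting_user, target):
    """Regression check: fields the flawed path exposes beyond the fixed one."""
    buggy = connection_fields_buggy(granting_user, target)
    fixed = connection_fields_fixed(granting_user, target)
    return sorted(set(buggy) - set(fixed))
```

A check like `leaked_fields` is worth keeping as a regression test: it fails as soon as any non-public field reaches the app-facing response.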
Each year, Google sends innumerable notifications to users related to privacy and security bugs and problems. Google’s Privacy & Data Protection Office reviewed the problem, taking into consideration the type of data involved, whether Google could clearly identify the users to notify, whether there was any proof of misuse, and whether a developer or user could take any action. It didn’t find any discrepancy based on any of these factors in this case.
The review did bring into focus the challenges associated with developing and maintaining a successful Google+ which lives up to the expectations of users. Keeping in mind these challenges and the low usage of Google+’s consumer version, Google decided to close it.
To enable users to make this transition, Google will execute the shut-down process over a period of 10 months. It is likely to be completed by the end of August 2019. In the months to come, Google will offer users additional details regarding how they can download and migrate the data they have.
At the same time, Google found that business owners who were using Google+ within their companies found it very useful. Its review confirmed that Google+ is more suitable for use as a business product in which colleagues can participate in internal discussions on a safe business network. Google has decided to concentrate on its business efforts and will roll out new features meant specifically for businesses. They will share more details in the days to come.
Users want fine-grained controls over data which they share with apps.
Action: Google is launching more granular Google Account permissions which shall be displayed in individual dialog boxes.
When an app prompts you to provide access to your Google account data, you need to see the exact data it has asked for, and you must give it explicit permission. From now on, consumers will have more fine-grained control over the exact data they decide to share with each individual app. Rather than showing all requested permissions on one screen, apps will need to show you each requested permission individually, within its own dialog box. At present, the app looks like this once an app requests access to any data which you have on your consumer Google account.
When users provide apps access to their Gmail, they do it keeping definite use cases in mind.
Action: Google is restricting the types of use cases which are allowed.
Google is updating its User Data Policy for the consumer Gmail API to restrict the apps which might ask for permission to access a user’s Gmail data. Only those apps which are directly improving email performance, like email backup services and email clients, will be allowed to access the data. The apps will also need to agree to new rules for handling Gmail data. They will be subjected to security evaluations as well. You can review and control apps that access your Google account data (this includes Gmail) inside Google’s Security Checkup tool.
When users grant SMS, Contacts and Phone permissions to Android apps, they do so with specific use cases in mind.
Action: Google is restricting apps’ ability to receive Call Log and SMS permissions on Android devices. Contact interaction data won’t be available through the Android Contacts API.
A few Android apps ask for permission to access a user’s phone for call logs and SMS data. From now on, Google Play will limit which apps are permitted to ask for such permissions. Only an app which the user has chosen as their default app for making calls or sending text messages will be able to make such requests.
Moreover, as a part of Android Contacts permission, Google had earlier offered basic interaction data. Google will withdraw access to this data from Android Contacts API in the months to come.
In the months to come, Google will also launch additional controls and update policies across a greater number of its APIs. While doing so, Google will provide its developer partners adequate time to align and update their services and apps.