Ben Smith, Google Fellow and Vice President of
Engineering
Published Oct 8, 2018
Many third-party apps, services and
websites build on top of our various services to improve everyone’s phones,
working life, and online experience. We strongly support this active ecosystem.
But increasingly, its success depends on users knowing that their data is
secure, and on developers having clear rules of the road.
Over the years we’ve
continually strengthened our controls and policies in response to
regular internal reviews, user feedback and evolving expectations about data
privacy and security.
At the beginning of this year, we
started an effort called Project Strobe—a root-and-branch review of third-party
developer access to Google account and Android device data and of our
philosophy around apps’ data access. This project looked at the operation of
our privacy controls, platforms where users were not engaging with our APIs
because of concerns around data privacy, areas where developers may have been
granted overly broad access, and other areas in which our policies should be
tightened.
We’re announcing the first four
findings and actions from this review today.
Finding 1:
There are significant challenges in creating and maintaining a successful
Google+ product that meets consumers’ expectations.
Action 1:
We are shutting down Google+ for consumers.
Over the years we’ve received
feedback that people want to better understand how to control the data they
choose to share with apps on Google+. So as part of Project Strobe, one of our
first priorities was to closely review all the APIs associated with
Google+.
This review crystallized what we’ve
known for a while: that while our engineering teams have put a lot of effort
and dedication into building Google+ over the years, it has not achieved broad
consumer or developer adoption, and has seen limited user interaction with
apps. The consumer version of Google+ currently has low usage and engagement:
90 percent of Google+ user sessions are less than five seconds.
Our review showed that our Google+ APIs,
and the associated controls for consumers, are challenging to develop and
maintain. Underlining this, as part of our Project Strobe audit, we discovered
a bug in one of the Google+ People APIs:
·
Users
can grant access to their Profile data, and the public Profile information of
their friends, to Google+ apps, via the API.
·
The
bug meant that apps also had access to Profile fields that were shared with the
user, but not marked as public.
·
This
data is limited to static, optional Google+ Profile fields including name,
email address, occupation, gender and age. (See the full list on our developer site.)
It does not include any other data you may have
posted or connected to Google+ or any other service, like Google+ posts,
messages, Google account data, phone numbers or G Suite content.
·
We
discovered and immediately patched this bug in March 2018. We believe it
occurred after launch as a result of the API’s interaction with a subsequent
Google+ code change.
·
We
made Google+ with privacy in mind and therefore keep this API’s log data for only
two weeks. That means we cannot confirm which users were impacted by this bug.
However, we ran a detailed analysis over the two weeks prior to patching the
bug, and from that analysis, the Profiles of up to 500,000 Google+ accounts
were potentially affected. Our analysis showed that up to 438 applications may
have used this API.
·
We
found no evidence that
any developer was aware of this bug, or abusing the API, and we found no evidence that any Profile data
was misused.
Every year, we send millions of notifications
to users about privacy and security bugs and issues. Whenever user data may
have been affected, we go beyond our legal requirements and apply several
criteria focused on our users in determining whether to provide notice.
Our Privacy & Data Protection
Office reviewed this issue, looking at the type of data involved, whether we
could accurately identify the users to inform, whether there was any evidence
of misuse, and whether there were any actions a developer or user could take in
response. None of these thresholds were met in this instance.
The review did highlight the
significant challenges in creating and maintaining a successful Google+ that
meets consumers’ expectations. Given these challenges and the very low usage of
the consumer version of Google+, we decided to sunset the consumer version of
Google+.
To give people a full opportunity to
transition, we will implement this wind-down over a 10-month period, slated for
completion by the end of next August. Over the coming months, we will provide
consumers with additional information, including ways they can download and
migrate their data.
At the same time, we have many
enterprise customers who are finding great value in using Google+ within their
companies. Our review showed that Google+ is better suited as an enterprise
product where co-workers can engage in internal discussions on a secure
corporate social network. Enterprise customers can set common access rules, and
use central controls, for their entire organization. We’ve decided to focus on
our enterprise efforts and will be launching new features purpose-built for
businesses. We will share more information in the coming days.
Finding 2:
People want fine-grained controls over the data they share with apps.
Action 2:
We are launching more granular Google Account permissions that will show in
individual dialog boxes.
When an app prompts you for access
to your Google account data, we always require that you see what data it has
asked for, and you must grant it explicit permission.
Going forward, consumers will get
more fine-grained control over what account data they choose to share with each
app. Instead of seeing all requested permissions in a single screen, apps will
have to show you each requested permission, one at a time, within its own
dialog box. For example, if a developer requests access to both calendar
entries and Drive documents, you will be able to choose to share one but not
the other. Developers can read more on the Google Developer Blog.
This is what the process looks like
today when an app requests access to any data in your consumer Google account
(you've always been able to choose whether to grant that permission request):
This is what it will look like:
Finding 3:
When users grant apps access to their Gmail, they do so with certain use cases
in mind.
Action 3:
We are limiting the types of use cases that are permitted.
We are updating our User Data Policy for the consumer
Gmail API to limit the apps that may seek permission to access
your consumer Gmail data. Only apps directly enhancing email functionality—such
as email clients, email backup services and productivity services (e.g., CRM
and mail merge services)—will be authorized to access this data. Moreover,
these apps will need to agree to new rules on handling Gmail data and will be
subject to security assessments. Developers can read more details on the Gmail Developer Blog.
(As always, G Suite administrators are
in control of their users’ apps.)
You can always review and control
which apps have access to your Google account data (including Gmail) within
our Security Checkup tool.
Finding 4:
When users grant SMS, Contacts and Phone permissions to Android apps, they do
so with certain use cases in mind.
Action 4:
We are limiting apps’ ability to receive Call Log and SMS permissions on
Android devices, and are no longer making contact interaction data available
via the Android Contacts API.
Some Android apps ask for permission
to access a user’s phone (including call logs) and SMS data. Going forward,
Google Play will limit which apps are allowed to ask for these permissions.
Only an app that you’ve selected as your default app for making calls or
text messages will be able to make these requests. (There are some
exceptions—e.g., voicemail and backup apps.) Developers can find more details
in the Google Play Developer Policy Center and
in the Help Center.
Additionally, as part of the Android
Contacts permission, we had provided basic interaction data so, for example, a
messaging app could show you your most recent contacts. We will remove access
to contact interaction data from the Android Contacts API within the next few
months.
In the coming months, we’ll roll out
additional controls and update policies across more of our APIs. As we do so,
we’ll work with our developer partners to give them appropriate time to adjust
and update their apps and services.
Our goal is to support a wide range
of useful apps, while ensuring that everyone is confident that their data is
secure. By giving developers more explicit rules of the road, and helping users
control your data, we can ensure that we keep doing just that.
https://www.blog.google/technology/safety-security/project-strobe/?mod=djem_b_reviewpreview_20181008
No comments:
Post a Comment