Gmail’s API lockdown will kill some third-party app access, starting July 15 (arstechnica.com)
240 points by joeyh on June 27, 2019 | 118 comments


I see this as a double-edged sword.

1. It makes sense that Google wants to stop apps from abusing their storage platform. There are a lot of projects that abuse the data storage capacity. There was that one app that converted files to Base64 or something and was storing files that way as email text. Obviously not cool. However, Google needs to be explicitly clear on expectations and throw some people-power behind the reviews, since many are being denied by (seemingly) some automated process.

2. The second issue I see is that it will encourage less secure methods of using these apps. SMSBackup+ in particular is discussing the possibility of moving to "App Passwords" to bypass 2FA and provide the app access it needs to upload and store the data. Issue being, App Passwords are incredibly fragile; they provide near-unfettered access to IMAP and other account features with no auditing. Caveat emptor and all that.

I think SMSBackup+, specifically, has a bit of a gray line as SMS messages can technically be sent via email and vice versa (among other similarities). It's a shame that Google is becoming so draconian about their data storage uses.


How can you abuse storage? You get n gb of storage on your account. Why does it matter what you store on it or what tools you use to utilize it?


Some things such as Google Docs text documents do not count towards your quota - so people converted data to base64 and uploaded that as docs to get free storage - bit of a dick move if you ask me, as it forces Google to take steps like this one and kill the goodness for the rest of us.


Google offered unlimited storage of private documents and people used it. I see nothing wrong with that. If this became an issue then Google should have set limits or made it count to your Google account storage. There is no point offering "Unlimited storage" and then stop people from using it.


I went to a restaurant that offered free refills last week. I brought a 50 gallon barrel with me, and then took home a whole barrel of soda...

(Or, in other words, somehow all sense of fair play and decorum go out the window once we're anonymous on the internet. And this is why we can't have nice things.)


It's not like this.

Google doesn't like storing files as e-mails with base64-encoded binaries because it competes with Google Drive. That solution - the Gmail Drive - existed long before Google Drive, and even had a nice tool that mounted your gmail storage as a network drive on Windows! GMail storage isn't unlimited, so I always considered it fair - they give me a couple of GB of free storage, it's up to me how I use it.

As for the unlimited offers and restaurants, people don't do that too much in meatspace because they'd get thrown out by security for obvious abuse. But they do it a little, like e.g. couples buying one cup and using it together. There are also natural limits to how much soda you can consume or use, even if you got away with taking home a whole barrel (sodas lose gas fast)...

(And note that the "decorum" and "fair play" doesn't apply in meatspace either, when it comes to e.g. retail chains making mistakes in their promotions, like that one famous case where (AFAIR) Lidl in Poland offered refunds for products you didn't like if you brought back the box, whether or not the product was still inside. You can imagine what happened next.)

However, ultimately, it's the company that's playing tricks on people with "unlimited" marketing, and they deserve the problems they get when people take it at face value (offering something with no intent to fulfill that offer is plainly dishonest). Reminds me of a mobile vendor that offered USB modem with free unlimited LTE for $notmuch, back when LTE was a somewhat new thing (~2012). A friend bought the subscription to test it out, and discovered that the "unlimited" LTE was actually throttled past 20th or 30th GB. Guess which company I never considered buying Internet services from since?

It's not because of customers that we can't have nice things. It's because of companies using dishonest marketing tactics and then acting surprised when some people call them on their bluff. It isn't so hard to say "no hard limits <small>but we throttle you past XX $unit, and there are following restrictions on use...</small>", except treating customers with respect is anathema to modern business.


What's the marketing term for "practically unlimited for normal usage patterns"? Because I think that's what they are after here in marketing.

The majority of the population will use these "unlimited" plans/products in a way that they never realize the limit. However there is always the outlier person that sees "unlimited" and is basically using the product at the max 24/7.

It's much easier to say to the avg joe "you have unlimited X" instead of "choose from the following 27 plans depending on how much a,b,c,x,y,z you need" or even "you only pay per x of what you use!" The avg person isn't going to even know those factors.

I think "Unlimited(asterisk)" marketing is here to stay for those reasons and if you are the minority power user then it's up to you to read the asterisk.


Sometimes it seems that HN and HN-like users like to argue for the sake of arguing. Everyone knows what unlimited means in the dictionary definition and in the marketing definition. Google was doing users a solid with the quasi-unlimited storage, and people abused it. Now people here are arguing that if it's unlimited, then why does it matter what is stored there? Well it's not unlimited, we all know that it's not unlimited, and circumventing normal usage isn't going to work in the end for everyone. I can think of two examples where users didn't have to circumvent normal usage patterns but are severely limited by company policy.

The first is a lot of mobile US carriers. They have unlimited plans, but after n amount of data, your throughput is throttled. You don't even have to do something crazy like use your data plan as an ISP for you and your neighbors in your apartment. It's as plain as day when you sign up.

The other is Olive Garden's unlimited pasta offering. Some friends and I took this up as a way to kill time before a movie. We needed food, but we had two hours. Why not stuff our face til coma? Turns out that the first plate is a full portion. Every other portion thereafter is about ⅓ - ½ the size of the original (estimating), and judging by how long it took to get the 2nd and 3rd orders of pasta out, there's a soft time limit before they'll bring out your additional orders of pasta.

I understand why people want to be so skeptical about unlimited offerings, but are you really doing yourself any favors by intentionally spitting in the face of an offered service?


> Sometimes it seems that HN and HN-like users like to argue for the sake of arguing.

Sometimes. But sometimes, they actually disagree with the official/majority/whatever opinion, and this is this case. I disagree that the way "unlimited" is used in marketing is honest, or desirable, or should be allowed.

> Everyone knows what unlimited means in the dictionary definition and in the marketing definition.

Not everyone. That's literally the point of using this kind of language - some people will not know that marketers have their own dictionary that's different from the one normally used, and the way most of those people will use the service will not reveal the difference, so it's one of the cheapest lies the marketers can tell to pull in extra customers. It's a lie nonetheless.

> The first is a lot of mobile US carriers. They have unlimited plans, but after n amount of data, your throughput is throttled. You don't even have to do something crazy like use your data plan as an ISP for you and your neighbors in your apartment. It's as plain as day when you sign up.

It is, or it isn't. Where I came from, there are plans that offer you e.g. X GB of Internet, and then you're throttled. It's plain as day, says right so on the offer. Then there are other plans, that say "Unlimited", where what they really mean is ~5X GB of Internet and then you're throttled. It's dishonest, especially because those offers are created to make them look more competitive against real ISPs who do offer actual, unlimited Internet, usually by cable.

> I understand why people want to be so skeptical about unlimited offerings, but are you really doing yourself any favors by intentionally spitting in the face of an offered service?

It's called "voting with your wallet". Doesn't really work at scale, but still, it sends some market signal.


That doesn't excuse false advertising. If a company wants to offer "enough foo for 99.9% of customers", they can say that. If a company offers unlimited foo, it ought to be able to provide unlimited foo (which it can't, of course, because it doesn't have unlimited money. Their problem.)

On a related note, I'd love to work for a company that offers unlimited vacation that's located in a country with decent protection against unfair dismissal. I wonder if I could get compensated for the (infinity-365) days of vacation a year I can't take?


"Unlimited" is a marketing term with a very specific meaning. It means "limited".


This is such a hacker view.

"GMail offers unlimited email storage, I can encode arbitrary data in an email. Therefore GMail offers unlimited storage! Wait, they banned me? HOW DARE THEY, FALSE ADVERTISING!"

Where back in the human world it's not ambiguous at all what Google, and every other service ever, means by this and is completely correct to call it unlimited.


"Limited, but we won't tell you the limit."


Yeah, and "tasty" is a specific marketing term meaning "poisonous", which I won't explain to you when I offer you a tasty sandwich.

Marketing does not create reality, no matter how much marketers may think otherwise. Words have meanings, you can't unilaterally attach some new one to a word and expect people to agree with it.


Marketing doesn't create reality, but the courts do and sometimes what a word means in a legal context is different than in conversation. It usually hinges on some standard of being reasonable.


Sure, and marketing which expects people to use their standard of "being reasonable", while the service being offered under a different standard of "being reasonable", is essentially bait and switch. That only a small subset of customers notice it doesn't make it more OK, it only shows the company is not dumb.


I don't know if I'd call it a bait-and-switch. Gmail is an email service and the purpose is to send and receive emails. Getting upset that you can't use it as a general purpose storage service isn't reasonable (IMHO). There was no baiting in this regard.


That's an interesting point. It's not so much that the sense of fair play is lost, but that it changes. Somehow, we lose track of the human factor when we don't see it and focus solely on "logic" or our own self interests.

In this example "unlimited", which actually means "unlimited within reason" works perfectly well (even though it isn't well-defined) in a human setting. We naturally and instinctively understand that people don't mean "take as many as you want" or "make yourself at home" literally.

But on the internet, if it's a data/storage plan, we might get angry at anything less than infinity, because logically:

> "There is no point offering Unlimited storage and then stop people from using it."

I see this also apply to our "moral ease-of-use" for adblockers/paywall bypassers/torrents etc.


The phrase "this is why we can't have nice things" applies.

Life shouldn’t be about trying to take advantage of people or things to the maximum possible amount.


It is like a box of donuts at the office. They are free. You can take one. Come back for a second if any are left. But walk off with the whole box and you will be judged for it. Do so repeatedly and it will become a problem enough for disciplinary actions to be considered.

Edit: If I were to try to formalize the rules, I would say that the donuts are free for everybody in the office but not for anybody in the office.

If you are acting as a group with everybody in the office, which means behaving according to certain social rules involving fairness and sharing, then you count as an everybody and can have a donut. Once you cease to do so you no longer count as an everybody and cannot have a donut.

If you have special rights to the donuts, taking them won't get you judged. For example, the person who brings in the donuts can take the remainder home at the end of the day or may choose to give the rest to someone to take home, and there won't be any judgment. Further exceptions can exist on an office by office basis.

Tying this back to Google, I think there is one notable difference. Google is a private company, not a person, and is engaging in an extremely formal relationship by way of EULA/ToS/Privacy Policy/etc. Companies abusing loopholes in contracts are far more tolerated than people abusing loopholes in our shared social contract.

That is likely why my reaction at someone exploiting unlimited Google docs storage is far more 'meh' than someone violating social norms in the office.


Tragedy of the commons


You would think that the space for text documents would be negligible to the point that it would make more sense to count documents against the quota.


Well G Suite deals in academia allow for unlimited storage. If you use the official tools they will throttle you, but if you use something like rclone https://rclone.org/ you can sometimes circumvent these limits.

I was researching using a tool which leveraged a similar system and talked to a university which had backed up literally a petabyte of data to a single drive account.

Google's vague terms of service in terms of their "unlimited" storage is just a mess on both sides.

Like all cloud storage at the end of the day, if you're a paying customer or not, there are no guarantees you'll ever be able to retrieve anything once it's off your infrastructure.


Google can't monetize it if they can't read it. Why do you think e2e email encryption is still not the default?


Google only wants you to use that storage for things it can index (to sell ads).


I doubt this has anything to do with my Unlimited Drive storage thing. Google are doing this to stop API consumers from storing user data on their own, presumably less safe than Google's, servers. I agree with that decision completely.


Presumably less secure is not the issue. Buried in the fine print of many of these tools that save you money or do other things with your account is explicit permission to share / distribute / use your data in lots of ways. It's explicitly not secure.

These scam apps trade off being inside the protected platforms, so users expand their trust assuming (incorrectly) that a third party app will treat their data well.

"This is how scammers are now abusing Google Calendar to pillage your data"

"Gmail app developers have been reading your emails"

The headlines are ALREADY happening.

Why should Google risk their brand so some grow-fast-and-break-things startup can create the next Cambridge Analytica scandal? They are one big CA type scandal away from being looked at as the next Facebook (not a good look).


Just read it again.

To me, it reads like this: Google is going to prevent users from storing users' data elsewhere. As if it's Google's data, not users'. Though with the free tier this as well may in fact be the case :-/


If a 3rd party gets breached with Gmail-sourced data, the headline isn't going to be "No Name plugin breached".

It's going to be "Gmail data breached".


There's that aspect.

I also imagine there is the other side where the third party has crap data security. End users figure that their data is safe with Google and may not consider that there is a third party with their various levels of security.

I can see Google copping a lot of heat should Company X have a data leak and that data was originally gathered from a user's Google data store, whether it is justified or not.


Security is the go-to excuse for taking away control from users these days. For those that run Gmail on their own domain this makes 0 sense. They have control over the whole domain; restricting access to Gmail does nothing for security.


If you're a paid Google apps customer, these restrictions don't apply.


> Google's OAuth APIs have been around for years as a way for apps to get access to and control your Google data. A third-party email app, for instance, would want access to your Gmail account and the ability to send, read, and delete emails so it could control everything remotely. An IM app might just want access to your contacts and profile picture. For years this was purely an agreement between the user and the developer—the app would say what it wanted access to, and the user could deny or allow it.

Yeah, until the Cambridge Analytica scandal revealed that agreements like this aren't sufficient to protect user data. I think Google's making the only acceptable tradeoff here.


I think that prohibiting user authorization of data access is throwing the baby out with the bathwater. I approve of privacy, but at the end of the day, my data is my data, and part of data ownership is having the freedom to share my data with whomever I choose.


That sounds nice in theory, but even as a highly technical user, I don't have any knowledge about what information apps actually gather about me.


I tend to assume they collect more than you'd think and are less effective at using it than you'd think.


That's precisely why the EU gave us GDPR. With it, the app has to provide you with that knowledge.


I think that's not the right way to look at it. You can still get copies of all your data, and share them with whoever you want however you want. The only thing Google's restricting is the ability to set up a seamless interface, because the lack of seams often tricks people into trusting third parties more than they should.


I'm not a fan of this recently-popular form of argument: "we're not banning X: we're just adding friction, so your arguments predicated on banning X are invalid". Support for a thing is continuous, not discrete. It ranges from full endorsement on one end of the spectrum to a total unrelenting ban on the other. The arguments against banning X also apply to adding friction to X, just to a lesser extent depending on how much friction we're talking about. If it didn't, you could de facto ban things by making them arbitrarily difficult.

I still think there's a data sovereignty argument against the move we're discussing on this thread. That it's just friction makes the move less bad, but I think it's still bad.


> The only thing Google's restricting is the ability to set up a seamless interface, because the lack of seams often tricks people into trusting third parties more than they should.

The whole point of computing is being able to set up seamless interfaces for doing things you want done. It might be more secure that way, sure, but past some point security is opposite to utility. For me, it's just another reason I'm happy with moving my primary mail to FastMail on my own domain.


1) Maybe a solution could be to give power users an escape hatch with big red warnings that doing so voids any support or terms of service guarantees, sort of like how Apple allows non-signed apps, but not by default.

2) Even with a mechanism like the above, part of the issue with communication/social data like Gmail is that you can’t control your own privacy perimeter, because the other party could inadvertently leak your data through another app they connect.


The user was already given a BIG RED WARNING when enabling that, but the media article titles were still:

"Gmail app developers have been reading your emails" (The Verge)

"Google admits it lets hundreds of other companies access your Gmail inbox" (Telegraph)

"Google's 'Dirty Secret' Allows Third Party Apps To Read Gmail Messages" (TechTimes)

And all those articles were accompanied by appropriate ravenous Google bashing on this very site.

What exactly do you expect a company to do if the developers of HN and the "educated" tech media attack it for having an open API?


That’s why I laugh when people ask Twitter to have an open API for developers again. The press would act the same way for clicks.


> the other party could inadvertently leak your data through another app they connect

In snail mail, a sent letter becomes the property of the recipient, and the recipient can do whatever he wants with it. Why should email be different? We're not talking about a static "profile" like Facebook has, but individual messages.


And for European users under GDPR, maybe the only legal tradeoff too.


What makes you think that the GDPR, which is designed to give users control over their data, makes it illegal to give users control over their data?


Under GDPR, Google can only use your data for the uses you have given permission for. This includes not handing it to other companies (via their API or otherwise) for any other uses.


All they'd need to do is give me a way to grant them permission to share this data, and add that other company to their who-we-share-with list for my account.

(Also I guess they're already doing that, because the API isn't being killed off, it's being restricted to companies that threw a couple dozen kilodollars into a Google-approved bonfire.)


I've been expecting this. Google's attempts to get me to turn off "less secure app access" have grown increasingly obnoxious over the last couple of years. A few months ago they went so far as to send me a "prevented login from suspicious device" alert after a getmail run. Time to leave. If I can't download it with POP or IMAP, then it's not email.


Out of curiosity do you ever log in to your Google account on the web? I also had the exact same experience where they have started increasingly sending alarming, and fake, security notices about suspicious devices logging in. Those devices are, of course, me logging in from an identical geomapped IP using IMAP as I've done for years. This was following their decision to require IMAP access to require the "allow insecure application access" as an encrypted IMAP connection is apparently insecure now. A couple of times they also reset the "allow insecure application access" toggle on my account.

My working theory is that they were simply trying to refresh their fingerprint on my account since the only point of these alerts seems to be to get me to log in using their web page. In particular I use Google for IMAP email, but never log in to my Google account until forced. That's not so great for their metadata and tracking. Interestingly enough, when I then do log in using a proxy half a world away from where I use my IMAP, Google never considers it a "login from a suspicious device." And yeah, as annoying as it is to migrate my primary email - Google is becoming intolerable on so many levels.


I see the same. About once a year, Google will throw a hissy about someone logging on via IMAP/SMTP, even if it is Google themselves logging in (to send email as another account).

My guess is if some fingerprinting/Auth service is down, it fails in a 'safe' state, causing the login to be rejected and your account locked.


I currently use the regular Gmail UI as my MUA. Getmail is just an offline backup.


As a former user of SMSBackup+, at a certain point it did seem like I was putting a lot of trust into a 3rd party to have full access to both my text messages and my email. So I can kind of see how it's a risk, but it seems sad to just shut it all down.


Current SMSBackup+ user here.

I agree with your sentiment, but part of the key difference for me is that SMSBackup+ is open source. I've been building the app myself and using it for years, so I'm very certain what it's doing and not doing.

This may or may not apply to the other apps being affected by this ban.


If you have GSuite, it seems you can whitelist existing applications. I've done that with SMS Backup+, so it should keep working for me. At least that's my understanding.

I suppose that people on the consumer side probably don't have that option, and it's probably not enough to get people to start paying.


I already pay Google as a One customer. Does GSuite have a (possibly not presently enforced) five user minimum?


Any good alternatives for this very useful app?


Presently? None of which I'm aware.

I'm very much hoping that we could resolve the issue with SMSBackup+ for the time being, but that's mostly up to the project owner.

I did hear of some folks using their own IMAP server and CALDAV service to target instead of Google, but I have not tested it.


I attempted to use SMS Gate (a fork) to do backups from the stock messaging app to the SD card. It didn't work.

> I did hear of some folks using their own IMAP server ...

I ended up syncing to a Dovecot IMAP server on my local Linux desktop, which seemed to work just fine. I was apprehensive about the complexity of setting an IMAP server up, but that turned out to be misguided - Dovecot was incredibly simple to get up and running. I assume SMSBackup+ would work just as well as SMS Gate did here.

I eventually ended up moving from the stock messaging app to QKSMS (GPLv3, GitHub, Google Play, F-Droid) because it has built-in backup functionality.


How about an app that just, well, sends the SMS texts to your email, as regular emails? A filtering rule would put them under a certain tag and skip inbox.

The upside of the design is that it requires only one, very clear, permission: send emails to a given address.


SMSBackup+ makes the sender the contact / phone number and the receiver as your number. It's been fantastic for archiving all of my texts and such. I've been able to search it all relatively easily.


It's less clear how to do a 'restore' with that model...

Manually forward 10,000 messages to restore@smsbackup.com?


I reached out to the author because I've been a user of the app for several years, but I haven't heard back (this was only a few days ago). I'm hoping it can continue in some form.


You're likely to have better luck monitoring the relevant issue on the GitHub repo. https://github.com/jberkel/sms-backup-plus/issues/959


Sounds like a great use for Fastmail and their open JMAP protocol.


MS has 'SMS Organizer'. It backs up to a Google Drive account. Though not sure if it is globally available.


SMSBackup+ works perfectly fine with IMAP backends.


I wonder how long it'll take for scraping to make a comeback. I feel like we've become used to APIs being the only integration options. When API restrictions become too burdensome, however, I expect people to recall that other access options exist.


Funny thing - there’s a very successful bank account aggregation API company called Yodlee that gets the majority of its bank data through scraping your account given that account’s username and password.


Google webservices make scraping pretty easy. They send all data back in a rest-like API, protobuf encoded.

All you need to do is guess the protobuf schema. Since protobuf is backwards compatible, you can be fairly sure your scraping won't break arbitrarily either.

In many cases, they send back more data than is shown in the webUI too.


There will always be misuse of open APIs by third parties, and the company itself will be blamed in the PR fallout. After Google and Facebook I expect more services to follow suit, which is a shame but understandable.


You shouldn't be building anything that relies on a Google service unless

A) Google would die without that service

B) You're just fucking around and what you're building could burn to the ground without consequence

https://killedbygoogle.com/ has 143 services listed.


To add a few..

    C) You're looking to get acquired by Google
        C) a) You're looking to get noticed and hired by Google


Slightly off topic, but Google is also discontinuing the Google Photos and Google Drive syncing feature. This is currently the only way to access your Google Photos with Rclone.


Wait, that's... that's actually bad, unlike Gmail. Drive _is_ a storage endpoint, so is Photos. Not having a way to sync them is a serious issue.



To be fair I can't blame them for this--the feature is confusing (I'm pretty sure it's responsible for every photo in my account up to a point in time last year being duplicated [in a rather annoying way--they appear visually identical and have the same EXIF tags and timestamps, but are different sizes, as a result my obsessive compulsive tendency won't let me delete either]).

I presume you can still download all your photos via Google Takeout right?


I do blame them.

Google Photos should have been a frontend for Drive from the beginning. Splitting it into another storage is wrong.


Google wants the ability to promise unlimited storage without any of the responsibility of meeting that promise.


They offer ways to export your media via the Google Photos API, but you only get the "high quality compressed" version (even if you are storing in original quality) and it strips the location data out of the EXIF tags.

Unless I'm missing something, it looks like the only way to do a full quality bulk export now is using Takeout.


How long until Google says "hey, actually, it would be cool if users used gmail.com with all the ads instead of some stupid external email clients. Let's disable POP3/IMAP/SMTP for non-business users. Oh, and let's disallow mail redirection too, so they won't even think about running away"?


This will be the day I change my personal email address permanently.

If they're not only satisfied at data-mining my email, then screw it.


Gmail doesn't have ads in it anymore.


Both the app and the website have ads, I just checked. They look like normal email messages, but they start with an advertisement indicator. I only see them in the "Promotions" and "Social" tab though.


I thought so too, but I saw text ads in someone else's inbox this week.


That's where I think this is headed. The old model of them mining your emails just wasn't good enough for them.


The email client I use - Nine - is on the list. I can't see how an email client is a problem except they want to push Google's client. Hope Nine gets fixed.


I sincerely hope so as well. I'm just at the end of the trial period and I'll likely take the plunge, but not having access to Gmail would be very inconvenient.

They say they'll fix it, but seeing the requirements I'm not sure they'll get it done in time.


Huh, Nine does Gmail? Guess that makes sense. I've just been using it because I have 3 different Exchange accounts I need connections to and it's quite nice for that.


Yep, I wish I could opt out. For years, I've used an app to back up my SMS messages to Gmail; now it's being taken away.


SMS Backup+? I totally agree, I wish I could opt out as well. Having my text messages and phone call log backed up to Gmail with this app has come in handy so many times since I started using it in 2012.


Just thinking out loud but could IFTTT accomplish something like this without integration into Gmail?


Does anyone know if this will have any impact on Gmail backup tools such as:

https://github.com/jay0lee/got-your-back

Or the long term sustainability of such projects?

I've found Gmail's own data export tools to not work at all for any inbox of a considerable size (100gb+) - so third party tools are the only way to actually back up / migrate email data.

Without such tooling, relying on Gmail would be a huge mistake for anything remotely important.


It requires the user to create their own API project.

GYB has such functionality built-in since 1.20, see the release notes: https://github.com/jay0lee/got-your-back/releases/tag/v1.20

For gmvault, you have to create it manually: https://github.com/gaubert/gmvault/issues/335#issuecomment-4...


I just noticed a new "Schedule Send" Gmail feature, could this be related and Google is adding in features from third-party apps?


They could have gone another route than imposing a bogus security audit and have the devs pay for it. I did an integration with QuickBooks a while back, and they paid/conducted the security audit themselves.

Google could have added a contract that would plainly state that any data needs to be wiped out etc and enforce that contract if anything is fishy.

Google could have created a process to clearly inform the dev that the user wants to delete google related data and impose deadlines on it.

Those are simple, but I think Google was just lazy and listened to a bunch of lawyers instead of thinking outside the box.

I have an app that allows you to link your email account thru Nylas (with Google); now I would have to pay for the security audit? No way. I told my customers that any Google account that is not a GSuite which whitelisted the app (most of my customers are corporate) might have a warning dialog when connecting their Gmail account. There is a limit of 100 linked accounts without verification ;(


> "Don't store Google user data on your server."

The, I'm sorry, WTF? This is not Google's data.


That appears to be a phrase made up by the writer of the Ars Technica article, rather than a quote. It's probably not worth getting outraged over the exact phrasing, it's just sloppy writing from a third party.


Yeah, totally. It's our customer's data, who is also Google's customer. Obviously since Fastmail allows our customers to synchronise email and calendars with Google, we're dealing with this right now - and kind of annoyed that our customers got emailed when we were already following Google's reauthentication process. Fun times.


Any progress with this? Also is it true that GSuite (paid) accounts are not affected?


It's still underway.

I'm afraid I have no idea about GSuite accounts, you'd have to ask somebody who knows Google's policies.


Google _user_ data. And it's certainly not your data either, if you're storing it on your own servers.


Google seems to be casting a very wide net. In the case of the SMS Backup+ app which is open source and doesn't operate servers, it does sound like Google is essentially telling people not to store their personal data. (It's an open source app that downloads/uploads things from your phone.)


I think they mean "the data of Google users", not "Google's data about users".


I invested a lot of time trying to publish a Gmail add-on and failed miserably [1][4] because of this lockdown. Here are some notes that may be of interest:

The lockdown is for the Gmail API, especially for APIs that allow reading the user’s email.

Any app has to get an OAuth 2 token to get access to the API. The user has to explicitly provide access. The approval screen will show each type of access the app is asking for. See an example here [2].

In addition, Google will send an email to the user immediately after the approval, with a scary warning.

The user can withdraw the app access anytime, from Google account page.

The data access concern Google is projecting is that the app can read the user’s email (remember, the app can read only the email of those who explicitly gave the app permission to read it). The “lockdown” is a direct reply to the media frenzy that “Gmail allows any app to read anyone's email” [5]. Gmail does not allow reading email automatically. The user has to allow it explicitly.

In order to get Gmail API access, the app has to go through a Google review process where Google will ask the developer to justify each type of API access the app is requesting in addition to explaining (with videos) what the app does and how the API is used. The first level of approval process demands you to publish a comprehensive privacy policy and in my experience, anything like “marketing” or “research” in the privacy policy will get you disapproval. [3]

Such a strict approval process is good and fine, and well appreciated till this point. The issue comes for the last part of the approval process.

Those apps that require read access to Gmail have to get themselves assessed through Google-appointed third-party security assessors, paying $75000 USD annually.

This is the main blocker.

This will kick out any app or add-on that small scale developers create. It will block new entrants. What remains will be established apps that are generating huge revenue to justify the “protection money”. They get an added advantage that there will no longer be any new competition.

It is not the restrictions, or the intention to protect the end user that is in question but the “first save my back” attitude in the process, and the bait and switch - that is the problem. In summary it happened like this:

Hey developers come, build apps using our platform, show your innovation!

Developers start investing time and effort on the platform, approval process is smooth and fair

Somewhere else, someone misuses someone’s system, huge media attention

Sorry developers, you go to Mr X, keep paying him and we will keep you here. If not, trash your product and go away.

[1] https://medium.com/@prasanthmj/lessons-learned-developing-an...

[2] https://www.youtube.com/watch?v=GGXFQUmZTf4

[3] https://blog.gsmart.in/applying-for-g-suite-api-approvals/

[4] https://medium.com/@prasanthmj/google-restricted-api-scopes-...

[5] https://www.wsj.com/articles/techs-dirty-secret-the-app-deve...


The changes they've been doing are somewhat annoying. It killed probably 75% of my IFTTT and now it is going to kill my SMS backup solution (SMSBackup+) unless the developer changes a bunch of stuff. Sure I can back up other ways but I like having it in my Gmail, I've been saving SMS backups there since the iPhone 3gs.

I get why they are doing it but blah, now I have to find solutions for everything again.


Good.

Maybe email clients will go back being email clients with IMAP so they can be used with _any_ provider, not just gmail.


I'm now considering stopping using Gmail and all Google services in general.


The article mentions this is going to affect Drive soon too, but I couldn't find any info about this in Google's announcement. Does anybody have any info on this?


Looks like[0] using the scopes that allow for seeing all drive files vs specific files the user has invoked your app to see triggers the review process next year.

[0] https://cloud.google.com/blog/products/identity-security/enh...


The only third-party app I received a warning about from Google regarding this issue was FastMail... coincidence?


This doesn't bode well for companies like streak whose sole product is an add-on to Gmail...


The Gmass owner has talked about this change in a few blog posts. For companies that are built on Gmail, they will just have to pay the $15k-75k security audit fee and consider it cost of doing business.


Doesn't this mean that SuperHuman is screwed?


So... if every player (and Google in particular) starts locking their platform, how could this not constitute grounds for an antitrust trial?

Even explorer was less tightly integrated 25 years ago...


Christ. So much for the API economy.


[flagged]


So whose fault is it? Google for bait and switch? Or the users who fall for it?


Google, obvs.



