In order to prevent abuse of APIs after the Facebook and Cambridge Analytica debacle, Google now requires security audits. They are not cheap: $15,000 to $75,000 or more. Many developers are at their wits' end. Deadline to sign up: February 15.

The drama surrounding Cambridge Analytica and Facebook has put a lot of companies on edge. Google is now also pulling the handbrake on sensitive Gmail APIs. Developers who want to make use of them will from now on have to pay for a security audit.

Google has appointed two specialised agencies to carry out the audits. Prices range from $15,000 to $75,000 or more per year. The new rules were introduced on 15 January and will apply to existing customers from 15 February. Those who have not submitted an application by that deadline will no longer be able to add new users from 22 February and will be cut off on 31 March.

Gmail APIs

Just to be clear: this does not concern all of Google's Gmail APIs. It is mainly the privacy-sensitive ones, such as the restricted Google OAuth API scopes, that require an audit. These scopes allow an app to read messages and attachments, collect metadata and control mailbox access. The more sensitive the API, the stricter the rules: some require a one-off audit, others an annual one.

The news does not come out of the blue. At the end of last year, Google explained its new privacy plans after the Wall Street Journal published a report on how much data developers can extract from Gmail.

Speaking to The Register, two parties have already commented on how drastic this decision is for them.

Responses

Clean Email founder Kyryl Bystriakov thinks it is good that APIs are subjected to extra checks, but not in this way. "I am convinced that this is overkill and that it will harm the developer community. There is also no room to negotiate the price of the audits. Two parties have been appointed who now have, in principle, a monopoly over thousands of apps."

James Ivings, founder of SquareCat, hopes that Google will enforce security in another way. Imposing penalties on companies that misuse the data can be effective. Google could also provide a more granular or restrictive set of APIs. GitHub's APIs restrict a lot of data, such as email addresses or editing files, in stark contrast to Google's own "you can just read everything" rules.


This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.