
Tell HN: Google removing Gmail access from IFTTT - pgrote
Hello,

Although you don’t need to take any action, we wanted to let you know that the
following third-party apps will no longer be able to access some data in your
Google Account, including your Gmail content. This change will go into effect
starting March 31, 2019.

IFTTT

We are making this change as part of ongoing efforts to make sure your data is
protected and private. These apps haven’t yet complied with our updated data
privacy requirements announced on October 8, 2018

You can always view, manage and remove apps you’ve given access to your account
by visiting your Google Account.

Thanks,
The Google Accounts team
======
joefkelley
Context:

In ~July 2018 there was some outcry because Google was "letting third parties
read your emails" (e.g.
[https://www.cbsnews.com/news/google-reportedly-allows-third-...](https://www.cbsnews.com/news/google-reportedly-allows-third-party-apps-to-scan-gmail-emails/)).
Of course, these were all explicitly
installed by users who gave these apps access. But somehow people were mad
anyway - maybe users shouldn't be given the option to make choices they don't
understand?

Anyway, as the message mentions, Google announced new requirements for these
apps on October 8:
[https://cloud.google.com/blog/products/g-suite/elevating-use...](https://cloud.google.com/blog/products/g-suite/elevating-user-trust-in-our-api-ecosystems)

Apparently, IFTTT (which does personal automation, integrating with many third
parties), does not comply with the new policy.

~~~
o10449366
> Of course, these were all explicitly installed by users who gave these apps
> access. But somehow people were mad anyway - maybe users shouldn't be given
> the option to make choices they don't understand?

It's interesting to see the difference in attitude on HN towards Google and
Facebook. Many readers on HN shared the media's outcry when it was "revealed"
that Netflix and Spotify were given read/write access to users' messages if
they had authorized those Messenger plugins/platforms. I'm not attacking your
position--I wholeheartedly agree with it--it just seems like there's a double
standard on HN when it comes to certain tech companies.

~~~
RhodesianHunter
If I connect IFTTT to my Gmail to automate some aspect thereof I can
reasonably expect it to have access to my emails.

If I connect my Facebook to my Spotify so that I can log in with one account
and maybe share music with friends, I don't expect Spotify to have access to
my private messages.

Obviously context is important, but I'm not seeing the double standard.

~~~
nindalf
The Facebook integration with Spotify allowed you to send messages and receive
from within Spotify. Could you think of a way to implement this without giving
the Spotify _client_ access to those messages?

What’s more, users explicitly opted in, giving Spotify permission to do so.
[1] No reasonable person would use Spotify to send and receive messages after
explicitly granting the client permissions and then claim “but I don’t expect
Spotify to have access to my private messages”

[1] -
[https://stackoverflow.com/questions/17561784/django-social-a...](https://stackoverflow.com/questions/17561784/django-social-auth-extended-facebook-permissions-like-spotify)

~~~
TeMPOraL
At various stages of Spotify's life, Facebook login was _required_ to use the
service. I'm a long-time user, and I've learned about the messages feature
from HN. It wasn't really even advertised in the UI, and not the reason I - or
many other people - connected Facebook to it.

~~~
bestnameever
Oh wow you are totally right. It had never occurred to me that Spotify
requiring Facebook to use the service was a means for them to gain access to
your Facebook account.

~~~
supermatt
I can’t tell if this is snark, but as an app developer, I have considered
Facebook login as a means for a relatively frictionless user experience, not
as a way for me to gain access to a user's Facebook account.

~~~
acct1771
But security-wise, it is the same.

~~~
supermatt
Not at all. FUD. If you're going to make a statement like that at least come
with some facts. There is a massive difference between me getting login
permission TO MY OWN APP, and accessing a user's Facebook account, or
masquerading as them on other apps.

~~~
acct1771
...until Facebook mishandles their end, for example, the API.

Which they have been shown to about a dozen times over this month.

~~~
supermatt
I think you have either misunderstood the reports, misunderstand the API, or
misunderstand how to integrate it. There is literally no way for me to
accidentally steal a user's data. You may not like Facebook, but accusing me of
putting my users' data in jeopardy is just fucking cheeky.

------
tyingq
What's funny is many of these IFTTT integrations appear to have been written
by the Google Gmail team themselves.

Like this one, for example:
[https://ifttt.com/applets/jMfVncBv-press-a-button-to-quickly...](https://ifttt.com/applets/jMfVncBv-press-a-button-to-quickly-email-people-you-re-running-late)

~~~
soylentgraham
That's not an integration, just a task/applet.

~~~
tyingq
It's hard to look at it in a way that doesn't seem like Google/Gmail is highly
involved: [https://ifttt.com/gmail](https://ifttt.com/gmail)

------
flocial
Here's IFTTT's statement:

[https://help.ifttt.com/hc/en-us/articles/360020249393-Import...](https://help.ifttt.com/hc/en-us/articles/360020249393-Important-update-about-Gmail-on-IFTTT)

~~~
deanclatworthy
A little odd statement. I am in no doubt that it would require "massive back-
end & infrastructure changes" as they point out, but this is the business
model for IFTTT. They integrate these services as doing it yourself is a pain
in the ass.

~~~
icebraining
Yeah, it read as "we've managed to outsource the work and just reap the
profits, and now Google wants us to work again? Nope!"

------
gerardnll
When you register an account in Facebook it tells you to connect your Google
account to check for the confirmation email. There's no button that says 'no
thanks', it kind of makes you think it's the only way to go forward. I don't
want to know what kind of information they scoop out, but I guess, all that
they can. It's incredible. But here, IFTTT is the problem... I'm pretty sure
they don't care about your emails.

------
aboutruby
More info on the reddit threads:

- Main one:
[https://www.reddit.com/r/ifttt/comments/b3umeo/gmail_is_bein...](https://www.reddit.com/r/ifttt/comments/b3umeo/gmail_is_being_removed_from_ifttt/)

- Alternatives:
[https://www.reddit.com/r/ifttt/comments/b3zv1z/alternative_t...](https://www.reddit.com/r/ifttt/comments/b3zv1z/alternative_to_gmail_applet_using_sheetsapp/)

------
matb33
I got the exact same email but substitute IFTTT for Gmvault, which I use to
make backups of my emails.

~~~
gmvault_unnn
Yeah, there's an issue with a few comments already:
[https://github.com/gaubert/gmvault/issues/335](https://github.com/gaubert/gmvault/issues/335)

------
crazygringo
Will IFTTT update to comply?

Also, does this prevent _sending_ emails to my Gmail, as opposed to reading?
That was what I used the most.

~~~
istjohn
No, IFTTT doesn't intend to update to comply. See:
[https://help.ifttt.com/hc/en-us/articles/360020249393-Import...](https://help.ifttt.com/hc/en-us/articles/360020249393-Important-update-about-Gmail-on-IFTTT)

~~~
noahmbarr
They’ll comply if their users demand it. Time will tell

------
arihant
I'm not sure how much user security will come out of the new Gmail policies. A
lot of companies will just start asking for username/password for IMAP access.
Now the user is more vulnerable than if the developer was allowed OAuth
access. Unless they plan to break that somehow as well.

~~~
qbaqbaqba
So IMAP is the next on the kill list. RIP email.

------
tmp28342342
Data privacy offers a good reason for both Google and Facebook to close the
few gates that still offered access for 3rd party apps to their walled garden.

And I don't think I can blame them. This kind of access provided very little
benefits for them, but it has turned out to be a big PR problem.

------
swiley
IMAP still works though right?

It's strange that IFTTT would use some non-standard interface and that's why
I'm asking.

I don't think I can keep using gmail if IMAP breaks.

~~~
toomuchtodo
Disclaimer: Worked someplace that does something similar to IFTTT, but not
IFTTT.

You _do not_ want to use IMAP for integrations at scale. You run into all
sorts of weird issues retrieving and deduplicating messages. It’s a terrible
black box to troubleshoot. The Gmail REST interface was a huge improvement
over IMAP. If you can get access to the REST interface, you want to use it.

While IMAP is a legacy compatibility mode, I would not call it a “standard”
interface for this purpose.

~~~
Endy
Please define 'at scale' - I use IMAP + SMTP to download all of my personal
emails, I avoid REST because it's Google-led. Are you saying my ~5K/mo emails
or my employer's ~100K/mo emails are "scale"?

~~~
toomuchtodo
Your personal use case is fine. I’m referring to when 100k+ customers are
using it on your platform.

FastMail has been championing a new standard (JMAP) for mail messaging;
hopefully it gets traction.

~~~
zaphirplane
What does at scale mean? Every account has its own connection. There is nothing
inherently scalable in the IMAP vs REST layer.

~~~
toomuchtodo
It’s not about performance scaling (although you do have to contend with those
issues, as you’re network and not CPU bound), but about data integrity
workload management. Each time a customer submits a ticket because you
couldn’t catch an edge case when IMAP polling, that’s someone digging through
logs to understand why, and determine if a patch provides ongoing resolution
(or if nothing can be done other than an apology). That’s not scalable past a
certain point.

Hence, (hopefully well supported and documented) REST interfaces.

~~~
dboreham
I think this is mostly a grass is greener scenario: you'll end up debugging
that REST interface, and no two email providers support the same REST
interface. At least IMAP is reasonably well supported.

------
runjake
Apple's Shortcuts, too.

Claiming that IFTTT and Apple Shortcuts have not complied with Google's
privacy policy. That's rich.

------
dazbradbury
Seems to be the same issue for Gmail backup tools, eg:

[https://github.com/jay0lee/got-your-back/issues/195](https://github.com/jay0lee/got-your-back/issues/195)

Frustrating, given Google's own takeout tool doesn't work on larger inboxes!
This is basically going to destroy the tools that were papering over Gmail's
cracks.

------
Vojojo
Although it doesn't necessarily cater for the home market, Zapier is a suitable
replacement for many use cases IMO.

~~~
amanzi
What's different between the way that Zapier connects to Gmail versus how
IFTTT does it? Both appear to use the same mechanism, so I guess that Zapier
will get blocked soon too?

~~~
markdown
Not if Zapier paid for the audit and passed.

------
harrisonjackson
I use Zapier to do some basic email parsing / echoing important and
interesting things into slack and SMS. Instead of giving API access to Gmail
content I filter + forward the emails to an address they provide.

------
welder
Going to really miss IFTTT... auto-responding using Gmail Filters and Canned
Responses only works for a few hours before it stops auto-responding.

------
solarkraft
You mean that the app I explicitly want to be able to manipulate the data I
have given it access to will no longer be able to do so? Hm.

~~~
ucaetano
Yep, users made it clear that they can't be trusted to make such decisions, so
now the apps have to comply with new requirements, including security audits
by 3rd parties.

~~~
tptacek
Which is totally sensible. Nobody believes end-users are qualified to assess
the security risks of the applications they're opting into. It's a little like
being angry at how expensive it is to inspect and qualify an airliner before
allowing people to book flights on it.

~~~
freedomben
What _are_ end-users qualified to assess? Should we be able to choose what we
want to eat if we aren't qualified nutritionists? People that aren't experts
will certainly make poor decisions sometimes, or think they are choosing
healthy food when it really isn't. Where do you draw the line?

~~~
p1mrx
There should be a requirement to publish an easily-understandable description
of what the app does with its Gmail access. Pay $x per year to an auditor who
verifies the description.

As long as the [I agree] section says "We send all your email to market
researchers for money", then it's fair game to publish.

~~~
freedomben
I could definitely get on board with that. My only concern is that the expense
of paying a professional auditor might make startups and individuals and open
source projects unable to compete, but there could be solutions to those
problems.

------
solarkraft
So what is the policy update and can IFTTT comply without breaking
functionality?

~~~
winkeltripel
an independent 3rd-party auditor:

> The assessment fee is paid by the developer and may range from $15,000 to
> $75,000 (or more) depending on the size and complexity of the application.
> This fee is due whether or not your app passes the assessment

(snipped from above)

------
uhsaywhat
Maybe the goal is to remove IFTTT and build the features into GMAIL

~~~
londons_explore
The goal is to not let a Cambridge Analytica scandal happen to Google.

If users all choose to share their emails with a third party service, and that
third party service leaks/abuses the mail, Google will get blamed.

Google doesn't want that, so now stops you choosing to share mail with all
except the biggest companies.

------
maxhedrome
Just wait til they shut down GAM

------
ams6110
What is IFTTT? Never heard of it.

~~~
saagarjha
If This Then That: [https://ifttt.com](https://ifttt.com). It's a popular
personal automation service.

------
higfujk
Google reports straight to the NSA and CIA anyway, all messages. Are people
listening at all to what Snowden revealed?

------
Endy
So IFTTT, a good service, and if memory serves an HN poster, is being banned
from Google. This should be a sign to move away from Google, yes?

~~~
jasonvorhe
No. GMail gave people the option of giving full access to their Gmail's mails
with the user's consent. This was discovered and made up to be a scandal
(people who shouldn't be able to can read your Gmail) which it wasn't. GMail
then decided that the API is too dangerous to allow any 3rd party to use it,
because once you grant access to someone, your GMail's security is bound to
the 3rd party's security.

The sensible thing to do was to make the scope of access more clear while
granting access to the 3rd party as well as making sure the 3rd party is
following security best practices.

I don't see how this is Google's fault.

------
kop316
I'll ask the question, why? You have a vague "they don't comply with our
requirements", but you don't actually explain. That could be a happy to glad
issue, or it could be a much bigger issue.

But this announcement just sounds like the phrase from Empire: "I have altered
the deal. Pray I don't alter it any further."

~~~
mrosett
Presumably the poster is just copy/pasting an email and isn't Google.

~~~
pgrote
Correct. My apologies as I should have prefaced it with a description
indicating it was an email from Google.

