
Elevating user trust in our API ecosystem - Leace
https://developers.googleblog.com/2018/10/elevating-user-trust-in-our-api.html
======
zaroth
There’s one simple feature I want. Any API that has access to any portion of
an email’s content should have its icon prominently displayed near the
header in a field similar to ‘Bcc’, indicating that it has been sent a
copy.

A click on that icon should display a popup which explains who it is, a link
to the privacy policy, date when the Integration was enabled, count of how
many emails it has seen, and provides an option to disable the integration
with a single click. It would be nice to have the ability to apply filters to
limit which emails are shared with that provider in the future.

It’s too easy for users to add an Integration at one point and forget months
or years later that it’s active. But also, mentally, when people add these
add-ons it often doesn’t really click that you are literally Bcc’ing the
add-on on every message you send.

~~~
rShergold
I can't upvote this enough.

There is precedent for this kind of UX change at Google. It used to be that
Chrome extensions could optionally add icons to the Chrome menu (the icons to
the right of the address bar). Now all Chrome extensions appear in the Chrome
menu, both reminding the user that it is there and also giving an easy way to
remove the extension should they no longer need it.

------
ryanackley
Before you shell out $15k-$75k, be aware that Google's record of maintaining
APIs is very bad. They very aggressively deprecate APIs with little or no
warning and provide zero alternatives. In my opinion, they have very little
concern or respect for people developing on their various platforms. Maybe
it's not applicable here, but I've been burned by them before because of this.

~~~
weliketocode
When I read the headline, I expected them to address trust related to their
lack of API maintenance.

------
Leace
Google will require Gmail add-on developers to pass a security assessment:

> Your app will have the remainder of 2019 to complete the assessment.

> The assessment fee is paid by the developer and may range from $15,000 to
> $75,000 (or more) depending on the size and complexity of the application.

> This fee is due whether or not your app passes the assessment; the fee
> includes a remediation assessment if needed.

~~~
aidos
I imagine that's going to be a pretty bitter pill to swallow for a lot of
companies. How do you think they'll continue to police it? What happens in a
year's time when that company is sold to someone else, for example?

Personally, I feel like people in general are too quick to hand apps access to
their machines. For example, I know a bunch of people who used Grammarly, and
I said to them at the time: wait, you're basically installing a key-logger
that sends your data to a 3rd party. What happens when they lose it?

~~~
baxtr
My experience is that many people simply don’t care. A friend of mine told me
that he uses the Kayak app a lot. He gave them access to all his emails. They
scan every incoming email for trip itineraries and push it to his app whenever
they find something. I was a bit shocked and asked him if he didn’t care that
they could read all his emails. He said “no I don’t care, there’s nothing I’d
like to hide and I love the convenience”. Well, fair enough I thought.

And then, there is often nothing I can tell people to make them afraid.
Sure, I’d never do such a thing. But that's because I don’t trust the corps, not
because I could really articulate what bad could possibly happen in the worst
case.

~~~
newman8r
I wonder if your friend would object if you asked to browse through his email
right then and there, or download it all as an archive to look through later.

I imagine most people wouldn't really want to do that, even if they believed
they had nothing to hide and use apps like Kayak.

Might be a good way to make a point (or maybe not, but it's interesting to
think about).

~~~
baxtr
Interesting thought. He would have said no I guess. But maybe the apt question
is to ask if he’d hand it to a total stranger running by.

~~~
newman8r
Yes, that's also a very good question. I think if you combine the two, you get
"would you prefer to give email access to your friend or to a random stranger"
- it's actually a tough question for me to answer.

I guess maybe it's like how you're comfortable talking about a medical issue
with a doctor you've never met before, but you wouldn't necessarily want to
discuss it with friends.

------
nik736
Do I understand it correctly that I would have to pay $15k to $75k to release
a Gmail Addon?

~~~
spondyl
Well, you'd be paying $15K to $75K to Google who then use that money to pay
for a 3rd party security assessment of your addon but yes, basically.

------
geofft
How does this affect open-source apps? The other day we had a thread about
using Emacs as an email client, and I linked to docs on how to get offlineimap
to work with XOAUTH2. The Google docs currently say that you can opt in to
using apps under development - so in practice, an end user of an open-source
app can go to the Google developer console, get a key, and put that in their
personal config file - but it sounds like that conflicts with the spirit of
these policies. Is that changing?

[https://developers.google.com/gmail/imap/xoauth2-protocol](https://developers.google.com/gmail/imap/xoauth2-protocol)

~~~
lwf
> Applications that only store user data on end-user devices will not need to
> complete the full assessment but will need to be verified as non-malicious
> software. More information about the assessment will be posted here in
> January 2019. Existing Applications (as of this publication date) will have
> until the end of 2019 to complete the assessment.

Not clear what "verified as non-malicious" means in this case, w.r.t. cost.

------
AznHisoka
Before even delving into APIs, why not address the low-hanging fruit of
getting rid of Google Chrome extensions that harvest your click and traffic
data and sell it to marketers?

~~~
Already__Taken
They are? [https://betanews.com/2018/10/01/google-chrome-web-store-extension-security/](https://betanews.com/2018/10/01/google-chrome-web-store-extension-security/)

------
ikeboy
There goes Unroll/Slice Intelligence.

------
reacweb
If Google trusts its users, a root account shall be available.

