Google is cutting off third-party developers from using access to your Gmail account to serve up targeted ads.
The internet giant announced the new developer restrictions on Monday amid ongoing scrutiny over how third-party Gmail add-ons can scan your inbox. The Wall Street Journal reported this summer that hundreds of outside software makers can use this access to look through your unredacted emails for marketing or product-refinement purposes.
The new restrictions, which go into effect on Jan. 9, ban developers of Gmail add-ons from using your email data for any internet-based advertising or handing it off to marketing firms. Data pulled from your inbox can only be used to power user-facing features or to improve them, the amended policy states.
Google is also limiting when human staffers from a third-party developer can read your email data; they can only do so if they’ve received your consent, if they need to investigate a software bug, or if they must comply with the law. A developer can also permit a human staffer to read the email data, but only if it’s been aggregated and anonymized in bulk with the emails from other users.
The internet giant announced the new policy as it faces a privacy scandal akin to Facebook’s Cambridge Analytica controversy. Today, the Journal reports that Google initially decided not to reveal a data leak in Google+ that was discovered in March over fears the incident would invite regulatory scrutiny.
The company only decided to make the leak public today. In response, the internet giant said it’s shutting down the consumer version of Google+ and clamping down on third-party developer access to its platforms. “Going forward, consumers will get more fine-grained control over what account data they choose to share with each app,” the company’s VP of engineering, Ben Smith, said in a blog post.
In addition to Gmail, Google will prevent mobile apps from asking permission to read call logs and SMS data from your Android phones. Going forward, only the default app you’ve selected to make phone calls and texts will be able to do so.
Google’s decision to limit API access to the company’s products is a win for privacy advocates, but it does come at the expense of third-party developers. The APIs have helped software makers build thousands of apps for Gmail, Chrome, and Android, but security researchers have warned that this same API access can also be abused by sneaky marketing firms or hackers to collect your private data without your knowledge.
“The fact that API security is flying under the radar and not being adequately addressed should be a red flag,” Rami Essaid, co-founder of the security firm Distil Networks, said in an email.
Google’s new restrictions will force third-party developers to jump through more hoops when it comes to Gmail app development. In the future, Gmail add-ons will have ask for permission to access your inbox, at “regular intervals.”
Developers will also need to pay up. Google’s new policy demands that all Gmail apps go through a third-party security assessment, which the company said may saddle developers with a $15,000 to $75,000 fee, depending on the size and complexity of the application.
“To keep user data safe, we are requiring apps to demonstrate a minimum level of capability in handling data securely and deleting user data upon user request,” Google said in justifying the security assessment.
Google plans on reviewing all third-party apps that need the extensive Gmail access starting on Jan. 9. If a review is not submitted by Feb. 15, then Google will begin rolling back what the app can access from Gmail inbox users later that month.
To check what third-party apps have access to your Gmail account, you can use Google’s security checkup tool.