How has the Google API changed and what does that mean?

Public faith in ‘big tech’ has eroded over the last few years. With many companies exploiting users’ privacy and monetising personal data for their personal gain.

You give away your email address, full name and your date of birth almost every time you interact with an online service. In recent times, people have become more aware and somewhat frustrated with the lack of control that we, as a society, have over our own personal details.

But this discontent has not gone unnoticed.

It wasn’t surprising that when Google revealed a bug in Google+ had exposed 500,000 users’ data for around three years it also announced the closure of its failed social network, and a massive shake up of developer regulations in a clear attempt to save face.

Regardless of your privacy settings, through a bug in its API*, profile information from Google+ like your name, email address, occupation, gender, and age were all (potentially) exposed to hundreds of developers between 2015 and 2018.

*An API is an application programming interface — a set of functions that allow developers to build applications to access features or data within an existing system or application.

Google, however, claims there is no evidence that third-party developers knew about the bug or took advantage of it.

And even though APIs change every so often, to make way for technological advances and such, Google took the breach as an opportunity to redesign the software that allows developers to integrate and build applications for Gmail, due to its link with Google+.

Cue, Project Strobe

Inspired by the backlash of this broad data access for third-party add-ons, Project Strobe intends to strengthen controls and policies in the way apps are integrated into Gmail, meaning more security and control over data for you.

The updated API was rolled out on March 31st, making application permissions for Gmail accounts and data more granular and secure due to increased control, limited access for developers, and extensive application vetting.

How will this affect you?

If you’re one of Gmail’s 1.5 billion+ active users and you interact with the service through an external client or productivity tool, you’ll soon notice frequent prompts to re-grant access to your email account.

Though this could be slightly inconvenient, below the surface, changes also mean your data and privacy is more protected than ever. There are now much tighter restraints on what developers can and can’t do with the information they collect about you.

Third-party apps accessing APIs can’t transfer or sell data for targeting ads, market research, email campaign tracking, and other unrelated purposes either. Data collected by developers must be used only to provide features that you, as the end user, will see and benefit from.

Google has previously admitted that it scans Gmail accounts to create more personalised advertising, however its new rules state that even if you give developers explicit consent, they can’t use information collected via the Google API to deliver advertising. This is in direct conflict with the spirit of GDPR, which is sure to cause some problems for developers down the line.

It is not clear if rules will apply to the company itself. Google announced in July 2017 that it would stop reading the contents of emails by the end of that year, but had still failed to do so by May 2018.

Which begs the question: Will you see less targeted advertising, as a result of actually private communications, and will you have control over your data, or is Google giving itself control?

Controlling your permissions

One big change for you is more granular permissions. When apps request access to data on your phone, instead of one list that forces you to grant a blanket yes or no, you can now give or deny access to each individual feature.

This marks a fundamental shift in the way users share their data going forward.

According to the Project Strobe announcement, Google conducted research and found this granular approach is what users wanted, but it’ll probably just feel like just more windows to swipe and more boxes to tick.

It’s understood that agreeing to a 117-page terms and conditions online pop up, or something along those lines, is the most common lie on the internet. This is because people think they have no choice but to accept the terms and conditions, in their entirety, if they wanted to purchase or use a product or service.

But this also shouldn’t be the case. And Google’s new pick-and-mix permissions functionality may well act as a catalyst for more digestible and customizable terms and conditions, along with other long technical jargon, across the internet. Accessibility has long been called for and, with the rise of smart technology, becomes more important each day.

Many developers will be relieved by these changes, with it taking weight off their shoulders by forcing applications to be privacy-by-default, and helping companies deal with GDPR-related problems. Though some, not so much.

Cutting off the supply

Impact varies across the board. API changes have restricted functionality for many tools, including core features, but for others they have been detrimental.

Some platforms, primarily those who rely on the API to collect data and then monetise it, have had to close or scale down as a result of the upheaval.

Google’s privacy-focused regulation is likely to impact every business handling any amount of data, anywhere in the world. This is true whether in the most simplistic way, or on the same scale as GDPR, which saw the likes of cease its EU operations after deeming new rules unworkable.

Already there have been closures., which integrated email insights into applications that helped with day-to-day tasks like saving money, achieving zero inbox and enhancing communication tools, has taken the decision to stop its operations related to Gmail.

Its hand was forced under API changes as only apps that directly enhance email functionality, like email clients and productivity services, can now access your Gmail data. Data that was core to its business model.

And still, such applications can only survive after they’ve agreed to the new rules, including extensive security assessments and a vetting process.

A step in the right direction, if with good intention

Although a large step in the right direction for users like yourself, data sharing rules directly conflict with the spirit of GDPR’s consent articles so this will probably catch a few smaller app developers out.

Reinforcing a privacy-by-design standard, applications using Google’s API must be checked and validated before they are given a stamp of approval. But if they aren’t mindful of easy-to-overlook details, your favourite email client or spam filtering tool could be forced to shut down as a result of data breaches or an inability to operate in Google’s new climate.

Project Strobe appears to tackle ways that data can be harvested, inferred and utilized without consent, an issue highlighted in the Cambridge Analytica scandal, and appears to close all ways for businesses to make money from the data they access via the API.

However, it’s still not clear how Google will apply these rules, or whether they too must comply.

You can put a good and bad spin on anything. Are API changes fueled by malicious intent? After all, Google is sure to benefit from a wealth of data that only it can access, and from companies, that may have been seen competitors, scaling down.

Will Google benefit the most — more than you — from such strict regulation? Is the company safeguarding its own monopoly on monetising personal data?

Fair Custodian is building a platform to create a new type of relationship between consumers and businesses. A relationship based on trust, transparency, and personal empowerment. To find out more about us, check us out at