Google 'Project Strobe' Reviews Third-Party Access To Comply With Its Philosophy

Privacy has been a big topic in technology as more people are engaging with their devices, wherever they are. With more user data involved, companies have to make it clear that data is secured and safe.

Since early 2018, Google began a project to analyze third-party developer access in its various services and Android. It's called 'Project Strobe', and it aims to look "at the operation of our privacy controls, platforms where users were not engaging with our APIs because of concerns around data privacy, areas where developers may have been granted overly broad access, and other areas in which our policies should be tightened."

On October 8th, 2018, Google Project Strobe announced the first four findings and actions from its review.

1. Shutting Down Google+

This has been predicted and inevitable. Project Strobe found significant challenges in creating and maintaining a successful Google+ product that meets consumers’ expectations. As for the action, Google is shutting down Google+ for consumers.

The problem lies from a bug in the Google+ People APIs that allowed third-party app access to user data not shared to them. Here, Google+ profile information like name, email address, occupation, gender, and age were exposed, even when that data was listed as private and not public.

The bug seems to have been active since 2015 and until March 2018.

While Google did not discover any evidence that developers outside of Google were aware of the problem, or that any Profile data was misused, Google is taking some precautions and decided to shut down the service instead.

In the process, the company acknowledged that Google+ has entirely failed as a social network, noting how "it has not achieved broad consumer or developer adoption, and has seen limited user interaction with apps." According to Google, the consumer version of Google+ has a very low usage and engagement.

"90 percent of Google+ user sessions are less than five seconds."

2. Granting Individual Permissions

Google found that people want fine-grained controls over the data they share with apps. As a result, Google is launching more granular Google Account permissions to show in individual dialog boxes.

In the company's attempt to give users better control over their data, Google is making third-party app requests to access data, requiring each with permission presented one-at-a-time, with users able to deny access to individual requests.

For example, if a developer requests access to both calendar entries and Drive documents, users will be able to choose to share one but not the other. An example shared by Google can be seen below:

Granting Individual Permissions

3. Limiting Third-Party Gmail Access

Gmail is one of the most popular email provider, and here Google found that when users grant apps access to their Gmail, they do so with certain use cases in mind. To make things more secured, Google is limiting the type of use cases that are permitted.

This limits what kinds of apps can access users' Gmail data to services that are "directly enhancing email functionality." This includes email clients, email backup services, and productivity services.

"Moreover, these apps will need to agree to new rules on handling Gmail data and will be subject to security assessments," explained Google.

4. Android Permission Changes

Similar to number 3, Google found that when users grant SMS, Contacts and Phone permissions to Android apps, they do so with certain use cases in mind.

For that reason, Google is also limiting apps’ ability to receive Call Log and SMS permissions on Android devices. Here, they can no longer make use of contact interaction data available via the Android Contacts API.

"Some Android apps ask for permission to access a user’s phone (including call logs) and SMS data. Going forward, Google Play will limit which apps are allowed to ask for these permissions. Only an app that you’ve selected as your default app for making calls or text messages will be able to make these requests," said Google.

After finding these first four findings, Project Strobe is rolling out "additional controls and updating policies across more of our APIs." Google is also working with developers to make the changes, and give them the time needed to update their apps.