Google promises tighter and better privacy controls
Google announced plans yesterday to improve privacy for customers on Android, Gmail, and other services and apps that make use of Google account data.
The company published findings of an internal project called Strobe yesterday; it used the project to analyze how third-party developers interact with Google account and Android device data, and whether interactions affected user privacy.
Google made the decision to shut down Google+, the company's social networking service, and make a number of other changes to strengthen user privacy by limiting developers or changing existing workflows.
The company made a similar change to Chrome's permissions system for extensions earlier this month.
Changing permission requests
Some Android applications and services request extra permissions when they are installed or when a Google account is linked to the app. They may request access to the calendar, contacts, or access to files hosted on Google Drive.
Permission requests are displayed all at once at the moment regardless of how many requests an application or service makes.
Users can allow or disallow access to these permissions, but they can't give apps or services access to some permissions only. It is an all or nothing approach right now when it comes to granting permissions.
Going forward, Google plans to change permission requests by displaying individual requests to users during setup and giving users to grant or deny requests individually.
The screenshot above highlights the new process. It begins with the selection of the Google Account that you want to use for the sign-in just like it did previously. The process displays each permission prompt on its own screen giving users options to deny or allow it. Google displays a final screen on which it highlights requests and granted permissions.
Limiting Apps access to Gmail
New policies for Gmail APIs will go into effect on January 9, 2019 to enforce stronger controls and policies in regards to user data such as email content or contacts.
Google plans to limit which applications, which use the Gmail API, may access data on Gmail.
Only apps directly enhancing email functionalityâ€”such as email clients, email backup services and productivity services (e.g., CRM and mail merge services)â€”will be authorized to access this data.
Google lists the following permitted application types on the Google Developers site:
- Native and web email clients.
- Email backup applications.
- Productivity enhancing applications.
- Reporting or monitoring services and apps.
Apps that are still allowed to access data are subject to security assessments. Developers may check this article on the Google Cloud blog for detailed information.
Applications are only allowed to use the data for "user-facing features" and "may not transfer or sell the data for other purposes such as targeting ads, market research, email campaign tracking, and other unrelated purposes".
Limiting Android apps' access to SMS, Contacts, and Phone permissions
The final change affects applications that request permissions to access SMS, Contact data or Phone permissions on Android devices.
Only the application that is set as the default application for making calls or text messages will be allowed to access the data according to Google's plans.
There are some exceptions to this, e.g. backup applications or voicemail applications. The option to access contact interaction data will be removed from the Android Contacts API in the coming months next to that.
Google restricting third-party application access to user data is a welcome step that has been long overdue. It remains to be seen how well the new permission request system works for users and application developers, and whether there will be an increase in user support requests.
Ultimately though, it is a good change that gives users more control over their data.
Now You: What is your take on the changes?
Google’s idea of privacy: We collect everything we can about you but we wont allow third parties to do the same, we promise.
In my country 3 month earlier Google helped a dangerous prisoner to escape by helicopter. After this my government asked to Google to blur the jails in Google Earth, a google manager replied that it would be feasible but difficult and it would take at least two years. Do you think helping criminals to escape can give to honest people more control on their privacy?
I don’t see how Google will be able to police the policy. Companies like Samsung which overlay Android with their own skins will still have control over how the phone functions.
For example, back in 2014 Samsung introduced its own beacon system which doesn’t require an app: http://beekn.net/2014/11/samsung-makes-move-beacons-android-app-required/ Will Google’s new policy prevent this kind of behaviour?
Samsung keeps bugging me right now with an update wwhich will add “new features”, but doesn’t explain what they are. Consequently I just tap “Now now” or “Later” whenever it pops up. This has been going on for months.
There has to be more transparancy on the part of smartphone manufacturers regarding user privacy together with the option to “Opt-in” to receiving ads rather than an “Opt-out” policy. I’m not sure if the latter even exists.
If Google really cared about privacy, they would allow disabling “Full Internet Access” permission that all apps have.
It would be pretty amazing to get an application firewall in Android, actually in other OSs too. Since Kerio disappeared I’ve been battling with that worthless built in fw in windows :@
In Android nothing beats NetGuard (open source).
So, still no protection against the largest of the privacy threats of all, then.
Watch the leaked Google video!
The goal of google is to create a “hive mind”. Within a hive mind, there is no concept of privacy, and to a certain extent, no concept of security.
At first, they want to abolish the idea of privacy, nudging people into “good” behavior, a collectivist utopia.
In the ideal google society, the concept of security will be abolished too, because when everyone is behaving perfectly “good”, there will be no “bad” behavior.
This is of course just a vision, but we need to make sure it won’t come true.
Fighting for privacy means fighting for dignity, and it isn’t only about us, but about a future where people can not even think of why privacy could be a good idea.
Google’s an advertising company. By doing this, they can sell more data instead of non-google apps getting it directly.
Who are they trying to fool?
They have already shown that they can’t even keep a simple extensions store free from malware, they just shut down their social media site because not only did it have a huge security hole but Google knew about it and didn’t do anything or even tell anyone about it, yet some people willing use an entire OS from them?
Furthermore, everyone is supposed to believe their lies about improving their now decade old OS that has been insecure since the beginning, all while it is still developed/maintained by the company that is known for mining and selling your data for advertising purposes?
Nice to see they’re finally copying iOS which has had these granular permissions since 2008, but it’s too little too late now and still doesn’t absolve them of all the other issues.
Do NOT trust Gurgle. They be evil.
The french car manufacturer “RENAULT” just decided to stop using TomTom the vey good french navigation sytem to use Google android instead. If you want to be spied and make your wife jealous, just buy a “RENAULT” lol.
Martin, would you be able to do a full article on “a privacy reminder from Google” please?
I have never explicitly agreed to this as I don’t normally use Google, but whenever I do see it it always says “already agreed”. Today I got a new device and the default search engine was Google, so when I launched the web browser to get the Amazon App Store, before I’d done anything else, this dialogue box came up saying “a privacy reminder from Google – already agreed”. I was annoyed and puzzled about how they could conclude I had agreed to anything just by being directed to their website. The text looked a little different to usual so I clicked on “already agreed” to get more info, and it turns out, that link is a disguised “I agree” button. When you click it you get a quick “thank you”.
I’ve always been against a checkbox being contractually obliging, but now it seem that a mis-labeled hyperlink that tricks you into clicking it can amount to irrevocable consent, according to Google and their many lawyers. There’s next to nothing on the internet about either of these topics.
I noticed that clearing the web browser did not cause the privacy reminder to re-appear, so presumably Google are using supercookies or other sneaky methods to pretend I have agreed to their relentless tracking.
trust no one
mulder was right!