Following the WSJ expose today that profiles of 1000s of users of social network Google+ were exposed over 3 years, Google has decided to take some corrective steps, though it may be a little too late for those whose data may have been misused. Incidentally, this seems to be Google’s Cambridge Analytica moment, with it having decided to also shutter Google+ social network.
It said on its developer’s blog that in the coming months, it would start rolling out “an improvement to our (Google) API infrastructure.”
Like other Internet giants, it offers a wide variety of Google API that 3rd-party app developers can use to build features for Google users.
Going forward, Google said it would show each permission that an app requests 1 at a time, within its own dialog, instead of presenting all permissions in a single dialog. Users will have the ability to grant or deny permissions individually.
Here’s what the post says:
To prepare for this change, there are a number of actions you should take with your app:
- Review the Google API Services: User Data Policy and make sure you are following them.
- Before making an API call, check to see if the user has already granted permission to your app. This will help you avoid insufficient permission errors which could lead to unexpected app errors and a bad user experience.Learn more about this by referring to documentation on your platform below:
- Request permissions only when you need them. You’ll be able to stage when each permission is requested, and we recommend being thoughtful about doing this in context. You should avoid asking for multiple scopes at sign-in, when users may be using your app for the first time and are unfamiliar with the app’s features. Bundling together a request for several scopes makes it hard for users to understand why your app needs the permission and may alarm and deter them from further use of your app.
- Provide justification before asking for access. Clearly explain why you need access, what you’ll do with a user’s data, and how they will benefit from providing access. Our research indicates that these explanations increase user trust and engagement.
Google has also gone & updated its API Services, user data policy.
Google API Services, including Google Sign-In, are part of an authentication & authorization framework that gives developers the ability to connect directly with Google users when they would like to request access to Google user data.
Now, the update says:
Accurately represent your identity and intent
If you wish to access Google user data you must provide Google users and Google with clear and accurate information regarding your use of Google API Services. This includes, without limitation, requirements to accurately represent:
- Who is requesting Google user data? All permission requests must accurately represent the identity of the application that seeks access to user data. If you have obtained authorized client credentials to access Google API Services, keep these credentials confidential.
- What data are you requesting? You must provide clear and accurate information explaining the types of data being requested. In addition, if you plan to access or use a type of user data that was not originally disclosed in your privacy policy when a Google user initially authorized access, you must update your privacy policy and prompt the user to consent to any changes before you may access that data.
- Why are you requesting Google user data? Be honest and transparent with users when you explain the purpose for which your application requests user data. If your application requests data for one reason but the data will also be utilized for a secondary purpose, you must notify Google users of both use cases. As a general matter, users should be able to readily understand the value of providing the data that your application requests, as well as the consequences of sharing that data with your application.
Be transparent about the data you access with clear and prominent privacy disclosures
You must publish a privacy policy that fully documents how your application interacts with user data. You must list the privacy policy URL in your OAuth client configuration when your application is made available to the public.
