Google’s painful Gmail OAuth verification process

How it will affect independent developers and kill innovation

Friday 21 June, 2019

This blog post prompted a lively discussion on Hacker News.

Google, bruised from years of privacy scandals and keen to avoid its own Cambridge Analytica incident, announced last year that any project touching user data in Gmail would now require verification. What verification meant was left unclear until the beginning of this year.

When the dust settled, Google published an FAQ outlining what was required. Any app touching user data was required to pay a fee between $15,000 and $75,000 or more. A full security audit was required by one of two third parties selected by Google. Cries of protest went up around the web, and several services announced their intention to shut down.

Fearing the worst, I was preparing to email users and start shutting down Aura. However, because Aura doesn’t store any user data on its own servers, I was able to avoid the security audit. After five months of waiting, Aura has just completed the verification.

Ajay Goel, developer of the Gmass extension, has live blogged the process – still ongoing. If it looks opaque and unclear, that’s because it is. The Google team reviewing applications takes weeks or months to reply, and frequently loses the thread of the conversation.

With a user base numbering 1.4 billion users, Gmail has become a platform in its own right. What makes this policy so frustrating is the inconsistency. Any email app can still connect to Gmail using POP3 or IMAP, which aren’t subject to these checks. The result will be to stifle innovation, frustrate users and increase prices for all services.