Google: We're giving you more control over what personal data apps can use

Users will soon get extra controls for granting developers access to user data stored in Google services.

Google defends Gmail sharing policy in letter to US senators

Google will soon be offering users finer-grained control over Google Account data they can choose to share with apps via Google's application programming interfaces (APIs).

The company revealed the upcoming changes to Google Account permissions alongside news it was shuttering Google+ and the revelation that it didn't tell users about a security bug in the social network because it feared it would attract regulatory scrutiny.

In future, instead of consumers granting an app a whole bunch of permissions to access Google Account data with one press of a button, users will get to grant or deny each permission, one at a time.

It will mean, for example, that when a developer asks for access to calendar data and permission to view files stored in Google Drive, users can agree to grant access to one but not the other.

Users will in future be asked to allow or deny each of these permissions separately, one after the other. The end result is more control for the user.

SEE: Cybersecurity in an IoT and mobile world (ZDNet special report) | Download the report as a PDF (TechRepublic)

The move follows questions from US lawmakers about how Google controls and monitors third-party developer access to Gmail content and user data after a July report alleged employees of these developers frequently access Gmail content.

As reported by ZDNet yesterday, Google next year also will restrict access to Gmail content to apps that directly enhance email functionality -- such as email clients, email backup services and CRM and mailmerge services.

The finer-grain Google Account permission controls are another strand of Google's response to findings of its Project Strobe audit revealed yesterday.

This project also builds on stricter rules Google rolled out last year for web app developers who access user account data via Google's OAuth infrastructure.

Google is advising developers who use Google OAuth and its APIs to only request permissions when needed, and to provide justification before asking for access.

The changes will roll out to new clients this month and will be extended to existing clients in early 2019.


Google says this image shows what it looks like today when an app requests access to data in a consumer Google account, and the image, below, is how the process will change.

Image: Google

This image shows the new app permissions process.

Image: Google

Previous and related coverage

Google restricts which Android apps can request Call Log and SMS permissions

Only apps selected as the device's default app for making calls or sending text messages will be able to access call logs and SMS data from now on.

Google sets new rules for third-party apps to access Gmail data

All Gmail third-party apps with full access to Gmail user data will need to re-submit for a review by February 15, 2019, or be removed.

Google shuts down Google+ after API bug exposed details for over 500,000 users

Search giant says it found no evidence that any user data was misused.

Google moves to decouple Google+ and YouTube

Following feedback from its users, Google+ is getting a makeover, with the search engine giant admitting that decisions it had made in the social networking space previously, were not necessarily the best, and it will start with decoupling YouTube comments.

Google secretly logs users into Chrome whenever they log into a Google site TechRepublic

Browser maker faces backlash for failing to inform users about Chrome Sync behavioral change.

Google promises Chrome changes after privacy complaints CNET

The search giant comes under fire for hoarding cookies and logging its website users into Chrome.