OAuth 2.0 for Google APIs – 3rd Party Audit Costs Require EmailMonkey to Shutdown

The Cost to use Google’s API: $15k – $75k (or more) for a 3rd Party Assessment

It’s a sad day for EmailMonkey and the many folks who utilize our hands free gmail reader service for Alexa & Google Assistant devices. Last week, we received an email notification from Google’s Cloud Platform Console regarding their User Data Policy stating that in order to continue utilizing Google’s API for gmail we would need a third party assessment that Google estimates to range between “$15,000 to $75,000 (or more)”.

A copy of the official email is below:

Hi Google API Developer, We sent this email because you’re listed as a contact on the Google Cloud Project that uses OAuth 2.0 to use Google APIs for your app below:   email-monkey   Last month, we announced new Gmail OAuth policies. We designed these changes to give users enhanced controls that better align with how developers use their data. We want to remind you that the updated policies will go into effect starting January 15th, 2019. What’s changing Prepare for the following changes: Only permitted application types can use restricted scopes such as most Gmail APIs. Third-party apps using restricted scopes must only use the information they need to provide user-facing features. Apps may not transfer or sell data for other purposes such as targeting ads, market research, email campaign tracking, and other unrelated purposes. Please review the full policy and OAuth FAQ for more information. What you need to do If you want to use one of the restricted scopes, you need to submit your app for review through the Google API Console between January 15th and February 15th, 2019. Developers with internal apps for users in the same G Suite domain do not need to apply for a review. Other upcoming changes: Security assessments To keep user data safe, we‘ll be requiring apps to demonstrate their handling of Gmail data meets minimum security standards before January 2020. Learn more about security assessments, and expect a more detailed update in January 2019. Thanks, Google Cloud Platform/API Trust & Safety © 2018 Google LLC. 1600 Amphitheatre Parkway, Mountain View, CA 94043

When you click the “OAuth FAQ” link, under “Security Assessment” “How will the security assessment work” it says:

First, your application will be reviewed for compliance with the Google API Services: User Data Policy. Thereafter, you will have the remainder of 2019 to demonstrate compliance with the secure handling requirements. Assessments will be conducted by a Google-designated third party assessor, may cost between $15,000 and $75,000 (or more) depending on the complexity of the application, and will be payable by the developer. This fee may be required whether or not your app passes the assessment. We expect that fees will include a remediation assessment if needed. If your app has previously completed an adequate security assessment as determined by the assessor, you will be able to provide a letter of assessment that may reduce the scope of the review.

We had been utilizing Google’s API – following Google’s guidelines to adhere to their (much deserved) strict privacy policies – to access the gmail account of users who sign up to use EmailMonkey.  We invested hundreds of hours creating this application and have created a significant user base. Unfortunately, it no longer makes financial sense to continue to offer EmailMonkey as a free service with these new costs.

We aren’t the only ones using Google’s API for gmail related services, so if you see some of your favorite apps starting to disappear – now you know why.