[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Making GNUS continue to work with Gmail

From: Gregory Heytings
Subject: Re: Making GNUS continue to work with Gmail
Date: Fri, 21 Aug 2020 17:16:46 +0000
User-agent: Alpine 2.21 (NEB 202 2017-01-01)

Yes, if they agree to take the legal responsibility of the use of these credentials, and if they pay if Google wants to have the code of the program reviewed by security experts.

I am completely lost here.  What legal responsibility is involved?

This is an answer that developers cannot give you. It's a question that only a lawyer can answer. But I at least would not agree to personally take the risk of being sued by Google for having knowingly violated their terms of service, even if Google tolerates (at the moment at least) that free software projects violate these TOS. I observe that this is what happened in similar projets, e.g. Kmail: it's not an individual who has submitted the app for verification by Google, but a legal person, KDE e.V.

Violating these TOS by making the OAuth credentials public (which is what happens in a free software project) can have consequences, for example if a malicious person uses them in their own app to fraudulently gain access to Google accounts.

I've asked for someone to please tell me, in brief terms, the concrete reqwuirements for issuing an app key to something like GNUS, but I have not seen a reply stating them.

Google's terms of service for OAuth services are available at https://developers.google.com/terms . Only a lawyer can tell you in brief terms what the concrete requirements are.

I've just read them again, and it seems to me that:

- Paragraph 4.a.1, which states that "you will not create an API Client that functions substantially the same as the APIs and offer it for use by third parties", expressly prohibits your idea of creating a "modif[ied] Kmail so that it does the necessary low-level access, and nothing else".

- Paragraph 4.b.1, which states that "You will keep your credentials confidential and make reasonable efforts to prevent and discourage other API Clients from using your credentials. Developer credentials may not be embedded in open source projects." prohibits the use of OAuth credentials in free software projects. As I wrote above (and earlier), Google tolerates (at the moment) that this specific point of their TOS is violated. But that doesn't mean that violating them is without legal risk.

- Paragraph 9.c list the legal risks: "Unless prohibited by applicable law, if you are a business, you will defend and indemnify Google, and its affiliates, directors, officers, employees, and users, against all liabilities, damages, losses, costs, fees (including legal fees), and expenses relating to any allegation or third-party legal proceeding to the extent arising from: - your misuse or your end user's misuse of the APIs; - your violation or your end user's violation of the Terms; or - any content or data routed into or used with the APIs by you, those acting on your behalf, or your end users." Of course an individual person is not a business, but nobody is completely independent, and I'd guess that Google would seek redress against that person's employer for example.

What I wrote above is nothing but my understanding. Again, only a lawyer can tell you what these TOS concretely imply.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]