[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Making GNUS continue to work with Gmail

From: Arthur Miller
Subject: Re: Making GNUS continue to work with Gmail
Date: Sat, 22 Aug 2020 09:24:12 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/28.0.50 (gnu/linux)

Gregory Heytings via "Emacs development discussions."
<emacs-devel@gnu.org> writes:

>>> Yes, if they agree to take the legal responsibility of the use of these
>>> credentials, and if they pay if Google wants to have the code of the program
>>> reviewed by security experts.
>> I am completely lost here.  What legal responsibility is involved?
> This is an answer that developers cannot give you.  It's a question that only 
> a
> lawyer can answer.  But I at least would not agree to personally take the risk
> of being sued by Google for having knowingly violated their terms of service,
> even if Google tolerates (at the moment at least) that free software projects
> violate these TOS.  I observe that this is what happened in similar projets,
> e.g. Kmail: it's not an individual who has submitted the app for verification 
> by
> Google, but a legal person, KDE e.V.
> Violating these TOS by making the OAuth credentials public (which is what
> happens in a free software project) can have consequences, for example if a
> malicious person uses them in their own app to fraudulently gain access to
> Google accounts.
>> I've asked for someone to please tell me, in brief terms, the concrete
>> reqwuirements for issuing an app key to something like GNUS, but I have not
>> seen a reply stating them.
> Google's terms of service for OAuth services are available at
> https://developers.google.com/terms .  Only a lawyer can tell you in brief 
> terms
> what the concrete requirements are.
> I've just read them again, and it seems to me that:
> - Paragraph 4.a.1, which states that "you will not create an API Client that
>   functions substantially the same as the APIs and offer it for use by third
>   parties", expressly prohibits your idea of creating a "modif[ied] Kmail so
>  that it does the necessary low-level access, and nothing else".
> - Paragraph 4.b.1, which states that "You will keep your credentials
>   confidential and make reasonable efforts to prevent and discourage other API
>   Clients from using your credentials. Developer credentials may not be 
> embedded
>   in open source projects." prohibits the use of OAuth credentials in free
>   software projects.  As I wrote above (and earlier), Google tolerates (at the
>   moment) that this specific point of their TOS is violated.  But that doesn't
>   mean that violating them is without legal risk.
> - Paragraph 9.c list the legal risks: "Unless prohibited by applicable law, if
>   you are a business, you will defend and indemnify Google, and its 
> affiliates,
>   directors, officers, employees, and users, against all liabilities, damages,
>   losses, costs, fees (including legal fees), and expenses relating to any
>   allegation or third-party legal proceeding to the extent arising from: - 
> your
>   misuse or your end user's misuse of the APIs; - your violation or your end
>   user's violation of the Terms; or - any content or data routed into or used
>   with the APIs by you, those acting on your behalf, or your end users."  Of
>   course an individual person is not a business, but nobody is completely
>   independent, and I'd guess that Google would seek redress against that
>  person's employer for example.
> What I wrote above is nothing but my understanding.  Again, only a lawyer can
> tell you what these TOS concretely imply.
> Gregory

Just as a curiosa: have you guys thought about asking Google for
help/clarification? Can't FSF send a mail to Google lawyers/devs and ask
what has to be done get FSF/GNU software work with Google services? Of
course there is no sure that Google will answer in any meaningful way if
at all, but have you tried?

reply via email to

[Prev in Thread] Current Thread [Next in Thread]