• imhoguy an hour ago

    As per the mentioned Ghisler page: "The security assessment would have to be performed by a specialized company, and costs up to $75'000 per year and program (so $150'000 for 32bit+64-bit). This is not sustainable even with a subscription." [0]

    This is a death kiss to indie development.

    But paradoxically it is great. Killing interoperability is a nail in the coffin. This brings more and more focus to alternative solutions outside the Google market, especially in the independent software area, like yt-dlp, FreeTube, F-Droid - actually all my family uses them and I recommend them to everyone. I can't wait to get some alternative GDrive client lib which simulates a browser to throw data over that garden wall, and I don't care if it nags with a captcha. The more hassle, the more people are going to hate that ivory tower.

    [0] https://www.ghisler.com/googledrivehelp.htm

    • closeparen 34 minutes ago

      This is what everyone said they wanted after Cambridge Analytica! For platforms to exercise due diligence before allowing users to delegate their access to third parties.

      • kmeisthax 2 minutes ago

        Yes, the situation superficially resembles Cambridge Analytica, but there are a few differences here. People aren't building detailed dossiers of themselves on Google Drive like they were on Facebook, and Transmit is a client app that is honest, open and up-front about how it uses your data - to move it in and out of Google Drive.

        To be clear, the problem with Cambridge Analytica was not Cambridge Analytica. The problem was - and still is - Facebook's habit of getting everyone to overshare and self-surveil. There needs to be some control and vetting over the apps that have access to your data but not so much that actually honest developers are quitting the game.

        My guess is that Google just doesn't want third-party clients (you can't shove "AI" or "Investor Advertising" into it), so they're slowly turning up the heat by abusing the data scare.

        • sam_lowry_ 29 minutes ago

          Before Cambridge Analytica I could get language stats for Belgium down to municipalities.

          These are illegal otherwise, but very useful for journalists reporting on political matters.

          • csinode 18 minutes ago

            Wasn't a significant part of the Cambridge Analytica scandal that Facebook gave them access to user data _without_ the user's consent?

            • jsnell 3 minutes ago

              Not as far as I know.

              Facebook provided a general API for apps, not some kind of data feed. The API required user consent from the app user, though almost certainly not informed consent.

              The API also provided too much data, in particular on the user's social graph, which is why a single user giving uninformed consent would lead to data being extracted for multiple others. But even if the app had informed users about intending to steal the social graph, most users would still have consented. They would not have read the text, or not cared. Just click ok until the computer lets you do what you wanted.

              So we really do know that the only way to safeguard the data is to design safe scoped APIs for the typical use cases, and keep dangerous unscoped APIs around only as an escape hatch with much stricter security and safety requirements.

              • michaelt 4 minutes ago

                IIRC the way Facebook's "platform" stuff worked was that when one user authorized an application, it got to see all their friends' data. Farmville had to be able to access your friends list to see who you could send a sheep to, you see.

                Nowadays this seems like an incredibly dumb idea, sure, but back in ~2006 Facebook was a new thing, for young people - and nobody was sure where this new "social media" thing was going to go.

                On top of that I believe Cambridge Analytica did the usual "personality test" trickery where you fill out a survey, then it won't show your result until you hand over your details and accept some legal mumbo-jumbo.

                So your Great Uncle wanted to know what Harry Potter character he was, clicked a consent button, and Cambridge Analytica got your PII.

                • xp84 9 minutes ago

                  This is a fair thing to point out! I as a user feel I'm being much more respected when I'm allowed to use some independent client software of my choice, than being told that "for my own good" I must use the absolute abomination that is most of the software provided by Big Tech firms themselves. Like, thanks for your opinion, Google, but 90% of these "security audits" are about box checking and ass-covering. It's the technology equivalent of all of the silliest parts of the TSA process, meaning that it contributes nothing to security while employing a lot of people to do valueless work at the expense of those doing useful work.

                  • closeparen 9 minutes ago

                    In the same sense that if someone uses a third-party Google Drive client, the input of other collaborators on shared documents is exposed without their consent. (It was data about friends of users who authorized the application in Facebook's case).

                • dghlsakjg 39 minutes ago

                  I'm surprised that there isn't more support for just using object storage via a GUI.

                  I would love a user-friendly way to just use Backblaze or some other S3-compatible provider as my drive.

                  Edit: I guess that's sort of exactly what Transmit does, but I want something that is simple enough that anyone can use it.

                  • xp84 6 minutes ago

                    Transmit is as "easy" as one could imagine software of that type being.

                    You do have to know what a file is and what a directory is, mind you, which is something I can non-ironically say does rule out half of GenZ or anyone else raised in the postmodern era, where 'content' just lives 'in' an 'app' and can be searched for (and if you're lucky, found). But I don't think people of that minimum level of sophistication are in the market for products like Backblaze or S3 - they're just out there paying for more iCloud storage (or new laptops) because Apple said they are out of space.

                  • adamc an hour ago

                    Yep. I use drive but keep waiting for some clear alternative to arrive. My biggest use is just keeping D&D campaign-related materials there.

                    Google is a drag.

                    • ffsm8 5 minutes ago

                      WebDAV is pretty easy to configure on all operating systems I'm aware of. You wouldn't even need a third party client.

                      You can do that self-hosted or via Fastmail or similar.

                    • LegitShady an hour ago

                      It's the kiss of death for Google Drive support, and eventually, when many apps don't support using Google Drive, people who are on it will switch to other cloud storage providers.

                    • dewey 2 hours ago

                      Even the "audit" they require for increasing something as simple as your YouTube API quota is already annoying and a massive waste of time, and this is not even close to the one they are requiring from Panic.

                      The quota increase process is roughly:

                      1) Fill out the same form every year from scratch

                      2) Send it into the black hole that's Google "support"

                      3) A few weeks later, receive a reply from someone asking an irrelevant question about our use case

                      4) Two weeks later another person replies asking for screenshots of the "implementation", so you send a screenshot of "func storeTrailerMetadata()"

                      5) Another two weeks later, another automated person replies that you got approved.

                      • t0mas88 an hour ago

                        The Google "support" black hole even exists for their high budget ad customers. I've seen a case where things went into the Google support black hole for a company spending a few million per month via DV360 / Google Ads. Nothing anyone could do about it, campaign blocked, work with "support" to fix it.

                        • 8338550bff96 an hour ago

                          Have the same experience with Microsoft support. The difference is the timeline is much shorter and when our issues don't get any traction our rep intervenes and escalates to engineers.

                          I understand that level-1 support for these orgs are basically documentation librarians. Cool. We pay an incredible amount for premium support, but whatever. It's fine. What matters is that we have a rep that is engaged and cares about us being unblocked and isn't going to let us flounder for issues their support team is not going to solve. Have never seen this level of commitment from Google.

                          • happymellon 42 minutes ago

                            And as much as I dislike Amazon and the juggernaut of AWS, this is how they win me over.

                            It's rarely a complete black hole, and I have spoken to product engineers and owners for multiple lines.

                          • JamesBarney 44 minutes ago

                            When we filled ours out for a CRM they wanted a video of the CRM. So we showed them a video (from dev with fake data). We appealed the process explaining that Mickey Mouse is not a real person. They rejected that appeal. So after going back and forth for a week or two we uploaded a video with basically everything but the navmenu blurred out and they finally approved it.

                            The entire process was awful.

                            • adamc an hour ago

                              Just another reason to not deal with Google. Eventually, gravity is going to catch up with them, and they will never recover, because their business culture is shit. Zero interest or focus on the customers.

                              • kyleee an hour ago

                                The process is the punishment

                                • jll29 an hour ago

                                  That's a diamond of a quote; are you a student of Kafka's?

                                  • r2_pilot 43 minutes ago

                                    It's from the eponymous 1979 book by Malcolm Feeley and may predate it

                              • hn_throwaway_99 an hour ago

                                I wrote this response to another front page HN article on a similar topic: https://news.ycombinator.com/item?id=41664753

                                I know everyone loves to dunk on Google, and I definitely agree their communication and customer service to app developers is shite, but this change to permissions scope is a good thing. If you have full, unfettered access to a large number of people's Google Drive data, you're a huge target for malevolent actors. If you can't afford the new audit requirements (which I've done and which are quite easy - if anything I'm sympathetic to the argument that they're more "box ticking" than valuable security audits), then I'd really question your ability to appropriately safeguard so much critically private data. For reference, these audits are about 1/20th as complicated as a full SOC 2 audit, for example.

                                FWIW I'm not previously familiar with this Transmit app, but based on their use cases (e.g. backup) it sounds like the limited "drive.file" scope wouldn't work for them. Still, if you want complete, unfettered access to my entire Drive account, I don't think it's a bad thing that Google is enforcing some minimal security standards.

                                • tlogan 29 minutes ago

                                  The problem with Google’s security certifications, especially when compared to competitors like Salesforce and Microsoft, is how disorganized the process is. While these companies all require security reviews, Google’s approach seems particularly disorganized: if something goes wrong, there’s almost no one to contact for help.

                                  The certifications themselves are valuable, but Google’s main issue lies in its poor communication and support. Third-party developers, even those paying $60k annually for re-certification, struggle to get timely responses or any at all.

                                  What’s ironic is that the very partners handling these certifications often avoid using Google themselves because it’s “unreliable if something unusual happens.”

                                  And that’s the crux of the issue—when things do go wrong or something unusual happens, it’s incredibly difficult to resolve.

                                  • hn_throwaway_99 10 minutes ago

                                    100% agree. Again, my position is that Google rightfully deserves all the criticism they get around communication and customer support. I just think it's a mistake to confuse that criticism with Google's change to enforce better security for highly sensitive permission scopes.

                                  • acdha an hour ago

                                    That seems like a poor argument for an app which doesn’t mirror data or accept commands remotely (if I can control your app on your device, I can control the official Google Drive app) but there is a general point about full drive access. However, I think the answer there is for Google to improve the security model for Drive - for example, allow the user to select a non-root folder which Transmit or iA Writer can use and have some UI indicating that it’s shared. Instead, this process serves as a competitive moat and isn’t very effective – all of the large companies that we’ve seen getting breached are going to pay KPMG to spend time on performative box checking, and your data will still be exfiltrated but they’ll at least say they’re very sorry.

                                    • joshuamorton 12 minutes ago

                                      > However, I think the answer there is for Google to improve the security model for Drive - for example, allow the user to select a non-root folder which Transmit or iA Writer can use and have some UI indicating that it’s shared.

                                      The OAuth scope https://www.googleapis.com/auth/drive.file [0] basically allows this. If memory serves, the app can use this scope, create a folder, and have access to things within that folder; it can certainly have access to all files created via the app (which should in general be true for iA and probably also Transmit). Offhand, I don't actually see what iA or Transmit are doing that needs the broader scope, though TotalCommander, trying to be a replacement file manager, would still need the biggest scopes.

                                      [0]: See https://developers.google.com/drive/api/guides/api-specific-...; the drive.file scope is non-sensitive, so it needs a much more cursory approval process.
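To make the scope distinction in the comment above (and the scoped-API point jsnell raises earlier in the thread) concrete, here is an added Python model; it is not Google's code and not from any commenter. It assumes, as a simplification, that a per-app scope like drive.file reaches only files the same app created or that the user explicitly opened with it, while the full drive scope reaches the user's whole Drive; the file IDs, app names and the picker grant are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Set

# Scope strings as they appear in the thread.
FULL_DRIVE = "https://www.googleapis.com/auth/drive"        # restricted: whole Drive
DRIVE_FILE = "https://www.googleapis.com/auth/drive.file"   # per-app: own files only


@dataclass
class DriveFile:
    file_id: str
    owner: str
    # App that created the file, if it was created through an API client.
    created_by_app: Optional[str] = None
    # Apps the user explicitly handed this file to (e.g. via a picker dialog).
    opened_with: Set[str] = field(default_factory=set)


@dataclass(frozen=True)
class AccessToken:
    user: str              # the account that granted consent
    app_id: str            # the OAuth client the token was issued to
    scopes: FrozenSet[str]


def authorize(token: AccessToken, f: DriveFile) -> bool:
    """Modelled scope check: may this token read or write file f?

    Assumption (simplified model, not Google's actual rules): the full
    scope reaches every file in the granting user's Drive; the per-app
    scope reaches only files the same app created or that the user
    explicitly opened with that app.
    """
    if f.owner != token.user:
        return False
    if FULL_DRIVE in token.scopes:
        return True
    if DRIVE_FILE in token.scopes:
        return f.created_by_app == token.app_id or token.app_id in f.opened_with
    return False


def grant_via_picker(f: DriveFile, app_id: str) -> None:
    """User explicitly hands one existing file to an app (the model's escape hatch)."""
    f.opened_with.add(app_id)


def list_visible(token: AccessToken, files: List[DriveFile]) -> List[str]:
    """IDs of the files the token can reach, in the order given."""
    return [f.file_id for f in files if authorize(token, f)]


def leaked_token_exposure(token: AccessToken, files: List[DriveFile]) -> int:
    """Blast radius if this token leaks: number of the user's files it can reach."""
    return len(list_visible(token, files))


def sample_files() -> List[DriveFile]:
    """Constructed sample Drive: one user's files plus one unrelated user's file."""
    return [
        DriveFile("f1", "alice", created_by_app="transmit"),
        DriveFile("f2", "alice", created_by_app="ia-writer"),
        DriveFile("f3", "alice"),                       # created in the web UI
        DriveFile("f4", "alice", opened_with={"transmit"}),
        DriveFile("f5", "bob", created_by_app="transmit"),
    ]


# Two tokens for the same hypothetical app, differing only in scope.
SAMPLE_FULL = AccessToken("alice", "transmit", frozenset({FULL_DRIVE}))
SAMPLE_SCOPED = AccessToken("alice", "transmit", frozenset({DRIVE_FILE}))


def demo() -> dict:
    """Compare what each token reaches, before and after one picker grant."""
    files = sample_files()
    result = {
        "full": list_visible(SAMPLE_FULL, files),
        "scoped": list_visible(SAMPLE_SCOPED, files),
    }
    grant_via_picker(files[2], "transmit")            # user opens f3 with the app
    result["scoped_after_grant"] = list_visible(SAMPLE_SCOPED, files)
    result["leak_exposure"] = {
        "full": leaked_token_exposure(SAMPLE_FULL, files),
        "scoped": leaked_token_exposure(SAMPLE_SCOPED, files),
    }
    return result


if __name__ == "__main__":
    print(demo())
```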

                                    • rakoo 6 minutes ago

                                      This assumes that Google can be trusted with my data and other apps can't, and that I'm ok with Google assessing the safety of other apps. It's something that is automatic, and right now it needs to be explained.

                                      Yes, assessing the trustability of apps is important. No, I don't trust Google to do it properly. Maybe I didn't choose Google because I find them the best, but because I have to (because Google, surprise surprise, forces itself down the throat of everyone, so the people I want to collaborate with use it).

                                      Did my apps certify Google as a trustable provider?

                                      • SoftTalker an hour ago

                                        > If you can't afford the new audit requirements ... then I'd really question your ability to appropriately safeguard so much critically private data.

                                        Because large companies that can afford it have proven to be exemplars at safeguarding private data?

                                        • IncreasePosts an hour ago

                                          Like google? Yes, I think so. Probably one of the best track records among big tech, so maybe their security practices should carry more weight?

                                          • SoftTalker an hour ago

                                            Let's just say this: the US Federal Government, several large health care and health insurance organizations, several large financial institutions, a major university, and several others have all had to send me "We take security seriously" letters. They could all afford to undergo (and had passed) various security audits. But in the real world they failed.

                                            • kasey_junk an hour ago

                                              They aren’t demanding you meet their practices. They are demanding you meet whatever the approved auditor thinks the practices are.

                                              Certification schemes like that don’t have a good track record.

                                            • ChadNauseam an hour ago

                                              If you can't afford to buy Starbucks every day, I'd really question your ability to buy a private jet. However, that doesn't mean that being able to afford to buy Starbucks every day is sufficient to being able to afford to buy a private jet.

                                            • AlexandrB an hour ago

                                              Google's not my dad. It's not their responsibility (or their place) to audit every piece of software I use to interact with their services. I'm tired of being treated like a child who needs every sharp corner ground down for my safety.

                                              Edit: Next logical step is auditing every IMAP client before you can connect it to Gmail. Ridiculous.

                                              • jasonjayr 39 minutes ago

                                                > Edit: Next logical step is auditing every IMAP client before you can connect it to Gmail. Ridiculous.

                                                Actually... they're not that far away from that, if they're not already implementing it. Office365 and Google, if they haven't already, have disabled basic auth for IMAP/SMTP and only support OAuth2, which requires an AppId/ClientSecret handed out by registering your app with Microsoft/Google.

                                                It seems that you can still steal Thunderbird's AppId/ClientSecret from their open source code, for now (https://simondobson.org/2024/02/03/getting-email/), but...

                                                • jsnell 35 minutes ago

                                                  They're the ones who will take the blame when a third-party app gets compromised and is used to siphon off people's data.

                                                  This isn't a theoretical concern. It's pretty much exactly what happened with Cambridge Analytica. Facebook didn't really do anything wrong; they provided an API for data access, people explicitly authorized an app with broad access to their data, and it turned out that the app was basically a trojan horse for data collection. And politicians, the media, the general public, and even the technologically savvier people who should know better all blamed Facebook for this.

                                                  • hn_throwaway_99 an hour ago

                                                    You say that, but I've been in plenty of situations where people say they're comfortable taking on the risk themselves, but then when shit blows up, they come and blame the biggest actor (with the biggest pockets) they can. I mean, just check out some sob stories that made the front pages of NYT and Washington Post when people got scammed out of a lot of crypto money - I've read a bunch of those and always the first thing I think is "lord, there is no way these people should have had a dime in crypto in the first place", but then when they lose their money they're the first to blame everyone else but themselves.

                                                  • ianlevesque an hour ago

                                                    I think it's relevant that Transmit is a local native app. There's no hosted app exposed to the internet to hack here. Google made one lengthy process that doesn't fit this use case.

                                                    • mikeocool an hour ago

                                                      Panic runs a cloud-hosted sync service that syncs your credentials and connection info between different instances of Transmit you may have.

                                                      No idea if that's what Google is targeting here, but that is a cloud service, that presumably gets a copy of people's Google Drive OAuth keys if they use Google Drive with Transmit and the sync service.

                                                      • StarterPro an hour ago

                                                        If they are connecting to Google Drive, is that not connected to the internet?

                                                        • acdha an hour ago

                                                          There’s no way for someone on the internet to reach into your Transmit app and make it do something.

                                                          • MobiusHorizons an hour ago

                                                            Exposed to the internet and connected to the internet are different. Exposed implies that traffic originating from the internet reaches the app. You still do have to worry about things like parsing malicious files, but the class of relevant attacks is much smaller and generally easier to defend against.

                                                            • dreadlordbone an hour ago

                                                              Everything's connected to the internet, what the OP was talking about was attack vectors and since Transmit is a local app it really isn't one unless your whole machine is compromised, which in that case you're screwed.

                                                          • cpr 43 minutes ago

                                                            The problem is that if you want to provide a full-featured file picker, and not rely on Google's limited browser-based version, your app will require the full "drive" scope. (We do, and we do, for our InDesign-to-Google Docs connector plugin.)

                                                            If you use some of the lower-tier CASA labs, it's not that expensive (4K/year), but it is definitely a nuisance for a pure desktop plugin like ours that has absolutely no cloud component (other than connecting to GDocs).

                                                            • dewey an hour ago

                                                              > which I've done and are quite easy - if anything

                                                              Did you read the part where it took multiple months to continue because of slow replies and non-working tooling from Google's side?

                                                              It's also pretty expensive for a relatively niche app, it might be fine if you are Dropbox or a big VC funded Mail app but for smaller companies it's not "easy".

                                                              > I don't think it's a bad thing that Google is enforcing some minimal security standards.

                                                              How would Google find out if the version that they are "scanning" is the same one that gets uploaded to the app store on every small app update? Zero, so there's no security benefit.

                                                              • rammer an hour ago

                                                                We've done it too, first time it was hard but it's required and recommended.

                                                                It raises the bar for low effort hackers and improves security.

                                                                I disagree with the OP. Sorry mate, go through the CASA audit and get the access.

                                                                • dewey an hour ago

                                                                  How much was the external audit they are now requiring? As it's most likely not based on company revenue, it's obvious that it's less of an issue for bigger companies who can afford to pay an auditor for their stamp of approval and task a person with talking to Google over a few months every year.

                                                                  • StewardMcOy an hour ago

                                                                    If you read the article, they went through the CASA audit, found that it did not improve the security of their app, and came to the conclusion it wasn't worth the time and now money to do it a second time.

                                                                    • masklinn 38 minutes ago

                                                                      > and came to the conclusion it wasn't worth the time and now money to do it a second time.

                                                                      Especially because they'd now have to go through another third party to perform the audit process (not just the security lab, the entire thing); according to the Total Commander folks [1] that's 75k/year/program.

                                                                      [1] https://www.ghisler.com/googledrivehelp.htm

                                                                    • JamesBarney 40 minutes ago

                                                                      > It raises the bar for low effort hackers and improves security.

                                                                      There are meaningful ways you can improve the security of your app. There are ways to make sure your app passes CASA. I found very little if any overlap between those two when going through the process.

                                                                • davedx 2 hours ago

                                                                  > But then… a couple of months later, Google completely removed the option for us to scan our own code. Instead, to keep access to Google Drive, we would now have to pay one of Google’s business partners to conduct the review.

                                                                  What a racket. Smells downright anti-competitive. The EU will have fun with this when it catches up.

                                                                  • aaronharnly an hour ago

                                                                    Just as a data point, we paid $750 for one of these engagements (scan + some discussion about use cases etc) to one of Google's preferred providers. There were multiple options for providers.

                                                                    • rammer an hour ago

                                                                      It wasn't even that expensive. Ada security audit from tekta in Spain was under 4k.

                                                                      There's nothing like a racket here. The list of certification agencies goes from KPMG at top end to smaller companies.

                                                                      • anakaine an hour ago

                                                                        4k is not expensive in enterprise terms, but in small bootstrapped startup terms it is absolutely expensive.

                                                                        • imhoguy 35 minutes ago

                                                                          And the issue is that the other corporations may likely follow, so you have to stack up a hefty audit sum every year for multiple monopolistic cloud vendors because you made some cheap document scanner app with convenient storage options for your users.

                                                                      • petre 34 minutes ago

                                                                        > Smells downright anti-competitive The EU will have fun with this when it catches up

                                                                        What? The EU wants to introduce certifications for all products and services, further kneecapping local innovation through regulation and costly certifications.

                                                                        https://digital-strategy.ec.europa.eu/en/policies/cybersecur...

                                                                      • quantadev 2 hours ago

                                                                        Never hitch your wagon to somebody else's horse.

                                                                        Entire companies have been destroyed because they rely on Amazon, Google, or some other service, and then have the rug pulled. Sometimes companies have even been destroyed, notably by Amazon, for having the wrong political viewpoints.

                                                                        My rule of thumb is: Only use open source components, and only run my stuff on Linux. So that way I maintain full control over my stack, and stay mostly immune from the political rug pulls, and other kinds of rug pulls.

                                                                        • mullingitover an hour ago

                                                                          > Sometimes companies have even been destroyed, notably by Amazon, for having the wrong political viewpoints.

                                                                          Ok, I'll ask: what company did Amazon destroy for having the wrong political viewpoint?

                                                                          AWS hosts some pretty vile stuff without blinking. The last time a company made a big "woe is me, my ideas are being suppressed" claim against Amazon, it was Parler, and they weren't kicked off for their viewpoints. They were kicked off for operating a crime-ridden site with zero effective moderation.

                                                                          • Moto7451 18 minutes ago

                                                                            I don’t know about the political stuff that poster is talking about but this is true for quite a few small stores that transitioned to mail order as Amazon really took off. If you couldn’t handle complaints quickly enough or had too many flagged listings (stuff Amazon didn’t want to allow on the platform for one reason or another) you could get kicked off without much recourse except trying to open a new account and hope you were not caught.

                                                                            You could see this as good for the consumer in cases where the abuse is bad but the store I was at in the 00s got kicked off for selling some Martial Arts equipment legal in 47 States but on a naughty list we were unaware of. We listed it in a few colors and that was enough to get kicked out.

                                                                            • kurisufag an hour ago

                                                                              never forget that Old Cloudflare kept lulzsec's site up /while they were defacing .gov pages/, then gave a talk at DEF CON about how they managed it.

                                                                              we can have better standards for speech and platforming than "you didn't moderate enough".

                                                                              • madeofpalk an hour ago

                                                                                Cloudflare is AWS?

                                                                                • kurisufag 7 minutes ago

                                                                                  why should pre-2016 cloudflare be the only company with a commitment to free speech and platforming?

                                                                              • jasonvorhe an hour ago

                                                                                They quickly kicked off WikiLeaks under political pressure.

                                                                              • Spivak an hour ago

                                                                                Look, they were kicked off for their content. I hesitate to call their content "viewpoints" but it's become roughly synonymous with speech so I guess it kinda fits. Regardless, I'm happy they did it. I think there is room for "exception that proves the rule" type behavior. When the bridge too far is literal Nazis I'm okay with considering AWS to still be politically neutral. No ToS violation (which was flimsy at best) needed.

                                                                                • mullingitover an hour ago

                                                                                  I didn't realize that death threats were a viewpoint.[1]

                                                                                  > People on Parler used the social network to stoke fear, spread hate, and allegedly coordinate the insurrection at the Capitol building on Wednesday. The app has recently been overrun with death threats, celebrations of violence, and posts encouraging “Patriots” to march on Washington, DC, with weapons on Jan. 19, the day before the inauguration of President-elect Joe Biden.

                                                                                  > In an email obtained by BuzzFeed News, an AWS Trust and Safety team told Parler Chief Policy Officer Amy Peikoff that the calls for violence propagating across the social network violated its terms of service. Amazon said it was unconvinced that the service’s plan to use volunteers to moderate calls for violence and hate speech would be effective.

                                                                                  Parler was used to coordinate the Jan 6 attacks, and when they were caught with their pants down they promised some half baked scheme to have unpaid volunteers do moderation. It was demonstrably a joke and they were caught failing to moderate more attack planning that was happening out in the open on their app. I think Parler leadership got off easy on this, they frankly should've been in jail on January 7th for being accomplices and not merely getting kicked off AWS.

                                                                                  [1] https://www.buzzfeednews.com/article/johnpaczkowski/amazon-p...

                                                                              • stavros 2 hours ago

                                                                                Some of these wagons only managed to move because they were hitched to someone else's horse.

                                                                                • gopher_space an hour ago

                                                                                  My concern is that people aren't building their own horses the minute it becomes feasible. The farrier now seems mystical and occult to a generation even though they're more than capable of picking up the tools themselves.

                                                                                  • stavros an hour ago

                                                                                    You don't build things when it becomes feasible, you build things when it becomes less risky to build them than to not.

                                                                                    For things like a convenience integration, that moment may never come. For other things, it's easy to estimate wrong, given how fuzzy the risks are.

                                                                                • dewey 2 hours ago

                                                                                  That sounds great, but also for an app that interacts with > 10 services and companies it's not really good advice.

                                                                                  > Only use open source components, and only run my stuff on Linux

                                                                                  Most people don't have the luxury of never having to interact with Google Drive, MS Teams, Slack etc.

                                                                                  • quantadev 41 minutes ago

                                                                                    Sure integration points to all that are great. The mistake is when your entire company can no longer function at all without Amazon AWS for example. I've worked at a place like that.

                                                                                    EDIT: Of course if you're sure your politics are completely left-leaning you'll have no censorship worries, because these platforms are mostly Silicon Valley run. Also since conservatives basically don't play dirty in this way, the conservatives won't censor stuff just because it's left-leaning. We're for protecting freedom of all legal speech and actions.

                                                                                  • thelittleone an hour ago

                                                                                    Worth mentioning Stripe among the destroyers. Sure a percentage of those who complain on r/stripe are breaking ToS, but it's evident that a substantial % are not. Stripe ToS allows them to profit from investing held funds. Once funds are held, nobody at Stripe responds. Has taken years for some to get their funds returned. I wonder how much funds they have on hold at any one time and how much they're making on it.

                                                                                    • tiltowait 41 minutes ago

                                                                                      > Never hitch your wagon to somebody else's horse.

                                                                                      Though this was a nice and welcome feature, it wasn’t Transmit’s only feature nor even its main one. I don’t think this sentiment applies, exactly.

                                                                                      • cyberax 28 minutes ago

                                                                                        > Entire companies have been destroyed because they rely on Amazon

                                                                                        I assume the retail side, not the AWS?

                                                                                        • AStonesThrow an hour ago
                                                                                          • 0xdeadbeefbabe an hour ago

                                                                                            Then have the right political viewpoints instead. It seems popular.

                                                                                          • addisonj an hour ago

                                                                                            Man... this stuff sucks. If I were Panic, I would do the same... but I also wouldn't want to be the one at Google to navigate this.

                                                                                            With Google Drive now being at the center of so many companies for storing business data, I am certain it is a juicy target, and third party access with full access to read and write to that big hard drive full of proprietary data is one that I would understand wanting to lock down... but not like this?

                                                                                            I don't think the market is anywhere near to shifting where businesses are going to dump Google Drive en masse, but as the ecosystem shrinks because so few companies can afford the cost to play in Google's backyard, it does make me wonder how many companies are going to absolutely resent Google, comparable to the way they resented Oracle.

                                                                                            • dewey an hour ago

                                                                                              > With Google Drive now being at the center of so many companies for storing business data, I am certain it is a juicy target, and third party access with full access to read and write to that big hard drive full of proprietary data is one that I would understand want to lock down... but not like this?

                                                                                              Could be a Google Workspace policy where you can just set that employees can't access the corporate Drive account through third party apps, while it continues to work for personal accounts.

                                                                                              • sadeshmukh an hour ago

                                                                                                That's already how it works for workspace, in my experience.

                                                                                            • fidotron 2 hours ago

                                                                                              There is a clear subtext to this and the Play Store changes: everyone interacting with the Google ecosystem is going to be pinned down and deanonymized with rights assigned based on legal identities. This will be done in the name of security. There is no freedom in who you trust here.

                                                                                              The big question here is if all this was preemptive or the response to something.

                                                                                              • akira2501 an hour ago

                                                                                                All monopolies do this. Once they're past the point where the government can effectively regulate them they essentially take over and regulate the market for their own interests. Google is very good at this. They're probably better at this than actually writing code these days.

                                                                                                Which is why anyone and everyone should flat out avoid them as a company.

                                                                                              • teqsun 2 hours ago

                                                                                                Title on the blog is now (changed?):

                                                                                                "End of the Road for Google Drive in Transmit"

                                                                                                Being unfamiliar with Transmit, the "and" gave me a startle.

                                                                                                • whalesalad 30 minutes ago

                                                                                                  I don't use Google Drive and probably never will but FWIW Transmit is still one of the best all-around data transfer apps that exist. I always miss it when I am on my Linux workstation. Being able to quickly connect to an S3 bucket and dump files and edit their permissions is a huge plus. Not to mention basic SFTP access like Cyberduck or Filezilla would do. I have never regretted my purchase of Transmit, it's great!

                                                                                                  • teruakohatu 2 hours ago

                                                                                                    I am not sure smaller devs were given the option of self-scanning code. I always wondered what the point of that was, given that there is no way for Google to ensure that the scanned code was the version distributed, and even then, as soon as a minor update was released it would have been out of date.

                                                                                                    • dewey 2 hours ago

                                                                                                      Because they don't care about security, it's compliance-checkbox-driven policies.

                                                                                                    • mzagaja 2 hours ago

                                                                                                      Google really is wreaking hell on third party integrations.

                                                                                                      • Jyaif 2 hours ago

                                                                                                        "The fastest path to wealth is the construction of these digital platforms, where other people depend on you."

                                                                                                        - Eric Schmidt.

                                                                                                        Many product leads at Google seem to disagree!

                                                                                                        • indymike an hour ago

                                                                                                          Depends.

                                                                                                          Build it, get dependent developers, start charging dependent developers, ????, profit.

                                                                                                          • Lerc an hour ago

                                                                                                            ...Try and launch a new platform, Nobody trusts you, Platform Dies, Loss?

                                                                                                      • MrDresden an hour ago

                                                                                                        I've spent the last 14 years developing for Android, and I love both the community, the platform and tools.

                                                                                                        But I have about had enough of Google's stewardship and behaviour around it all.

                                                                                                        • fweimer 32 minutes ago

                                                                                                          Any idea what this means for Google Drive support in rclone and similar tools?

                                                                                                          • tiltowait 38 minutes ago

                                                                                                            That’s a real shame. I use the feature a lot, but I can’t blame Panic for it.

                                                                                                            • zoogeny an hour ago

                                                                                                              This is both a curse and an opportunity. Compliance is one of those things that is costly and time-consuming but can lead to entrenchment in certain industries. I worked for a client eons ago that went through the enormous hassle of HIPAA compliance and now it is a bit of a moat for them. Having SOC 2 compliance almost feels like table stakes for B2B SaaS these days.

                                                                                                              It does disgust me that Google is going this route. I wonder how much influence is coming from governmental agencies. It is possible they are being forced in some way based on some kind of KYC-like requirements. Or perhaps the volume of bad actors is even higher than I imagine and Google is being forced to do this just to keep the lights on for the API at all. But the fact of the matter is that they are offloading the cost of whatever compliance they need onto their platform users, the people who are spending time and effort to improve the Google ecosystem. It feels petty and short-sighted but I suppose that Google has shifted into an extraction phase on behalf of their investors. We'll probably see a lot more of this kind of nickel and diming from them.

                                                                                                              • joemi an hour ago

                                                                                                                Raising the barrier for access like Google has done feels very anti-small company. Sure, it's more secure, but I have to wonder if they could improve security without excluding smaller companies like this. Seeing as it's Google, they probably could and specifically choose not to.

                                                                                                                • xyst 25 minutes ago

                                                                                                                  > we would now have to pay one of Google’s business partners to conduct the review

                                                                                                                  This is straight out of the IBM playbook. Did Google pick up some IBM flunkies recently?

                                                                                                                  What a terrible business practice. This was a company that once proudly displayed the motto, “don’t be evil” and even proved itself in various situations. Those days are long gone as the company is filled with more brain dead, unimaginative MBA flunkies.

                                                                                                                  • tracerbulletx 42 minutes ago

                                                                                                                    This policy is to create a moat for AI offerings.

                                                                                                                    • LegitShady an hour ago

                                                                                                                      I think it's totally reasonable. If Google wants to make Drive functionality expensive and annoying for devs to include, then devs are going to drop support.

                                                                                                                      I appreciate that this seems to be some additional security for drive access which is ostensibly a good thing but it doesn't seem like the review is very useful or catches any bad actors or errors.

                                                                                                                      • teruakohatu 2 hours ago

                                                                                                                        The original title now reads “…for Google drive in Transmit”. @donatj can you correct the HN title please.

                                                                                                                        • donatj an hour ago

                                                                                                                          Fixed

                                                                                                                        • resters an hour ago

                                                                                                                          I think if there is one "value" that stands out from Google's culture (as it is reflected onto its customers) it is tremendous lack of empathy.

                                                                                                                          - Google Maps appears to be designed by non-drivers. Much of the time it is impossible to find out the name of cross streets near one's location by zooming in. Pins get added accidentally and are hard to categorize and find, there is no notion of neighborhoods, and the voice directions say the same redundant thing over and over (and it is often misleading). No intelligent person could design the product that way if they actually used it.

                                                                                                                          - Google's parental control features in Android lack granularity, and the bias is toward kids watching garbage content as there is no way to share curated lists or for creators to become curators of high quality YouTube content, etc. For anyone with young kids this is a must-have feature and Google has ignored this kind of thing for years. Also if your kid's phone dies there is no way to remove it from the Family Link app! Someone really tested it thoroughly!

                                                                                                                          - Google Home / Nest. Exceptionally buggy devices. Basic functionality like shared speakers (all Nest over Nest Wifi) is buggy and slow. "Hey Google" takes an extra few seconds to respond compared to Alexa and none of it is compatible with Google Advanced Security (Google's own feature!). Nobody building this tech is using it at home or else they would be furious about these big oversights.

                                                                                                                          - Gemini in Gmail is a total dud. It can't tell me what upcoming events are listed in my email inbox. It biases toward searching the inbox, and Gmail inbox search has been highly broken for years. I participated in a user study at Google a while back and the PM admitted it was broken and would not be fixed.

                                                                                                                          Google is now a cash cow advertising business and thanks to Eric Schmidt (a brilliant but morally lacking individual) it has become a major defense contractor.

                                                                                                                          Thanks to OpenAI and others, Google search is already dead. The market hasn't caught up with this yet. I sincerely regret making Gmail my main email, as the company seems to have completely lost its way. In spite of a lot of brilliance, the lack of empathy with users and of the need to deliver products that solve problems continues to persist.

                                                                                                                          • artooro an hour ago

                                                                                                                            It's almost like the incentives at Google are misaligned, who knew.

                                                                                                                          • jonnybarnes 2 hours ago

                                                                                                                            Sounds similar to what iA Writer are going through: https://ia.net/topics/our-android-app-is-frozen-in-carbonite

                                                                                                                            • hoistbypetard an hour ago

                                                                                                                              Sure does. The article even says, on the first screenful of text:

                                                                                                                              > You may have seen iA Writer’s announcement that they are stopping development of their Android version for similar reasons. Our experience was different, but our circumstances are similar. While Google Drive may not be the most popular connection option in Transmit, we know many users rely on it, and we often use it here at Panic to send and receive files from the game developers we work with.