This is what everyone said they wanted after Cambridge Analytica! For platforms to exercise due diligence before allowing users to delegate their access to third parties.

There is some massive confusion around the types and costs of audits required for full Drive permissions scope (and I definitely blame Google for the lack of communication/direction on this). I had to get this audit for an app and it was nowhere near 75k - I believe it was well under 10k. Another commenter said they had it done for $4k: https://news.ycombinator.com/item?id=41781325

I'm surprised that there isn't more support for just using object storage via a GUI.

I would love for as user friendly way to just use Backblaze or some other S3 compatible provider as my drive.

Edit: I guess that's sort of exactly what Transmit does, but I want something that is simple enough that anyone can use it.

Its the kiss of death for google drive support, and eventually when many apps don't support using google drive people who are on it will switch to other cloud storage providers.

Yep. I use drive but keep waiting for some clear alternative to arrive. My biggest use is just keeping D&D campaign-related materials there.

Google is a drag.

> The more hassle the more people are going to hate that ivory tower.

This is a bit naive, a very small percentage of people would be interested in these alternative solutions. Most people don't even install any third party software on their computer and just use the browser for everything.

The Google "support" black hole even exists for their high budget ad customers. I've seen a case where things went into the Google support black hole for a company spending a few million per month via DV360 / Google Ads. Nothing anyone could do about it, campaign blocked, work with "support" to fix it.

Have the same experience with Microsoft support. The difference is the timeline is much shorter and when our issues don't get any traction our rep intervenes and escalates to engineers.

I understand that level-1 support for these orgs are basically documentation librarians. Cool. We pay an incredible amount for premium support, but whatever. It's fine. What matters is that we have a rep that is engaged and cares about us being unblocked and isn't going to let us flounder for issues their support team is not going to solve. Have never seen this level of commitment from Google.

Any tier of Google Support is 100% a black hole. I had an extremely unusual issue with a service in Google Cloud, tried to debug it and failed. I filed a ticket and waited because P1 was only for “production” issues, but our issue was for development.

A few days later, the Google engineer assigned notes to us that we can escalate to P1 if this is blocking our workflow, even when not in production. I take this to my manager and they agree that it’s time to move it to P1.

We move it to P1 and immediately get traction, only to be stonewalled by a support engineer confidently asserting that the code throwing the error, which only existed in a private Google-maintained container, which only interfaced with our app through launching a cloud job through their platform, was actually our responsibility.

No joke, they actually said “As stated in my prior message, this issue is due to your code”, despite our code being a thin wrapper around their demonstration code to run it from the command line.

In my most business professional tone, I tell them off for lying to us about them debugging on their end and inform them that I will be immediately escalating because of this dissatisfactory response. This finally gets the ticket moving and a few weeks later, a bug fixed version of the entire platform is deployed.

Total time from start to finish:

- P2: 2.5 weeks of daily updates - P1, until we’re told that it’s our fault: 8 hours - P1 escalated until issue was completely fixed: 5 weeks

We paid for premium support. I cannot imagine how bad free support is.

When we filled ours out for a CRM they wanted a video of the CRM. So we showed them a video (from dev with fake data). We appealed the process explaining that Mickey Mouse is a not a real person. They rejected that appeal. So after going back and forth for a week or two we uploaded a video with basically everything but the navmenu blurred out and they finally approved it.

The entire process was awful.

Just another reason to not deal with Google. Eventually, gravity is going to catch up with them, and they will never recover, because their business culture is shit. Zero interest or focus on the customers.

The process is the punishment

The problem with Google’s security certifications, especially when compared to competitors like Salesforce and Microsoft, is how disorganized the process is. While these companies all require security reviews, Google’s approach seems particularly disorganized: if something goes wrong, there’s almost no one to contact for help.

The certifications themselves are valuable, but Google’s main issue lies in its poor communication and support. Third-party developers, even those paying $60k annually for re-certification, struggle to get timely responses or any at all.

What’s ironic is that the very partners handling these certifications often avoid using Google themselves because it’s “unreliable if something unusual happens.”

And that’s the crux of the issue—when things do go wrong or something unusual happens, it’s incredibly difficult to resolve.

> if you want complete, unfettered access to my entire Drive account,

Panic never got complete or unfettered (or any) access to my Google Drive. I got access. I used their application, which can easily be supervised with Little Snitch or other software to prove that is not sending a copy of my credentials or my files to Panic. If it were OSS it would be even more categorically provable that it's not giving access to anyone but the end user, but these draconian requirements would still apply.

The point is, Google is telling THEIR users, not Panic, that they aren't qualified to use their own judgment to select a client. It woudl be just as bad as Microsoft saying that if you want to check your email or access SharePoint you can't use anything but Edge (insert jokes about how they basically did do that 20 years ago with MSIE, but let's be serious, that sort of thing would be rightfully mocked today).

> I don't think it's a bad thing that Google is enforcing some minimal security standards.

These certification programs are 100% a moneymaking program to engage in a lot of box-checking, which I'd wager has zero correlation with a positive outcome for anyone other than the shareholders of the "labs" that do these audits.

That seems like a poor argument for an app which doesn’t mirror data or accept commands remotely (if I can control your app on your device, I can control the official Google Drive app) but there is a general point about full drive access. However, I think the answer there is for Google to improve the security model for Drive - for example, allow the user to select a non-root folder which Transmit or iA Writer can use and have some UI indicating that it’s shared. Instead, this process serves as a competitive moat and isn’t very effective – all of the large companies that we’ve seen getting breached are going to pay KPMG to spend time on performative box checking, and your data will still be exfiltrated but they’ll at least say they’re very sorry.

> If you can't afford the new audit requirements ... then I'd really question your ability to appropriately safeguard so much critically private data.

Because large companies that can afford it have proven to be exemplars at safeguarding private data?

They're my files in Google Drive. If I've made the choice to buy a product from Panic, and I trust Panic as a company personally, it should be my right to decide to give Panic access to my files in Google Drive. It is not up to Google to shuffle money into the pockets of their security partners under the guise of doing it for my safety. My safety and the safety of my files is my responsibility, not Google's, and it's oddly convenient from a monetary perspective (both for Google itself and their partners) for Google to suddenly care a lot more about this than they used to, so it does not seem particularly altruistic in any way.

Google's not my dad. It's not their responsibility (or their place) to audit every piece of software I use to interact with their services. I'm tired of being treated like a child who needs every sharp corner ground down for my safety.

Edit: Next logical step is auditing every IMAP client before you can connect it to Gmail. Ridiculous.

I think it's relevant that Transmit is a local native app. There's no hosted app exposed to the internet to hack here. Google made one lengthy process that doesn't fit this use case.

The problem is that if you want to provide a full-featured file picker, and not rely on Google's limited browser-based version, your app will require the full "drive" scope. (We do, and we do, for our InDesign-to-Google Docs connector plugin.)

If you use some of the lower-tier CASA labs, it's not that expensive (4K/year), but it is definitely a nuisance for a pure desktop plugin like ours that has absolutely no cloud component (other than connecting to GDocs).

This assumes that Google can be trusted with my data and other apps can't, and that I'm ok with Google assessing the safety of other apps. It's something that is automatic, and right now it needs to be explained.

Yes, assessing the trustability of apps is important. No, I don't trust Google to do it properly. Maybe I didn't choose Google because I find them the best, but because I have to (because Google, surprise surprise, forces itself down the throat of everyone, so the people I want to collaborate with use it).

Did my apps certify Google as a trustable provider ?

> which I've done and are quite easy - if anything

Did you read the part where it took multiple months to continue because of slow replies and non-working tooling from Google's side?

It's also pretty expensive for a relatively niche app, it might be fine if you are Dropbox or a big VC funded Mail app but for smaller companies it's not "easy".

> I don't think it's a bad thing that Google is enforcing some minimal security standards.

How would Google find out if the version that they are "scanning" is the same one that gets uploaded to the app store on every small app update? Zero, so there's no security benefit.

Just as a data point, we paid $750 for one of these engagements (scan + some discussion about use cases etc) to one of Google's preferred providers. There were multiple options for providers.

It wasn't even that expensive. Ada security audit from tekta in Spain was under 4k.

There's nothing like a racket here. The list of certification agencies goes from KPMG at top end to smaller companies.

The EU absolutely loves adding requirements for certifications, so no I don't think they would get involved here. In fact, it's something they are pushing for in general.

> The EU will have fun with this when it catches up.

I don't think you know how the EU works.

I wonder which VP+ at Google is getting kickbacks from KPMG?

> Smells downright anti-competitive The EU will have fun with this when it catches up

What? The EU wants to introduce certifications for all products and services, further kneecapping local innovation through regulation and costly certifications.

https://digital-strategy.ec.europa.eu/en/policies/cybersecur...

All monopolies do this. Once they're past the point where the government can effectively regulate them they essentially take over and regulate the market for their own interests. Google is very good at this. They're probably better at this than actually writing code these days.

Which is why anyone and everyone should flat out avoid them as a company.

> With Google Drive now being at the center of so many companies for storing business data, I am certain it is a juicy target, and third party access with full access to read and write to that big hard drive full of proprietary data is one that I would understand want to lock down... but not like this?

Could be a Google Workspace policy where you can just set that employees can't access the corporate Drive account through third party apps, while it continues to work for personal accounts.

> Sometimes companies have even been destroyed, notably by Amazon, for having the wrong political viewpoints.

Ok, I'll ask: what company did Amazon destroy for having the wrong political viewpoint?

AWS hosts some pretty vile stuff without blinking. The last time a company made a big "woe is me, my ideas are being suppressed" claim against Amazon, it was Parler, and they weren't kicked off for their viewpoints. They were kicked off for operating a crime-ridden site with zero effective moderation.

That sounds great, but also for an app that interacts with > 10 services and companies it's not really a good advice.

> Only use open source components, and only run my stuff on Linux

Most people don't have the luxury of never having to interact with Google Drive, MS Teams, Slack etc.

Some of these wagons only managed to move because they were hitched to someone else's horse.

> Never hitch your wagon to somebody else's horse.

Though this was a nice and welcome feature, it wasn’t Transmit’s only feature nor even its main one. I don’t think this sentiment applies, exactly.

Worth mentioning Stripe among the destroyers. Sure a percentage of those who complain on r/stripe are breaking ToS, but it's evident that a substantial % are not. Stripe ToS allows them to profit from investing held funds. Once funds are held, nobody at Stripe responds. Has taken years for some to get their funds returned. I wonder how much funds they have on hold at any one time and how much they're making on it.

That's not really relevant to the problem at hand, which is the ability to integrate with the large and widely used tech giants' platforms. Customers do use Google Drive (unfortunately) and thus the need to integrate.

Enjoy the ride https://youtu.be/2mdg9h4HjPw?si=f12DQK1pYt9fILSN

> Entire companies have been destroyed because they rely on Amazon

I assume the retail side, not the AWS?

Then have the write political viewpoints instead. It seems popular.

rclone strongly recommends users create their own individual API key:

> It is strongly recommended to use your own client ID as the default rclone ID is heavily used. If you have multiple services running, it is recommended to use an API key for each service. The default Google quota is 10 transactions per second so it is recommended to stay under that number as if you use more than that, it will cause rclone to rate limit and make things slower.

https://rclone.org/drive/#making-your-own-client-id

Yes, wanted to ask the same, what will happen to rclone? Is it unaffected?

Same. I used to pirate it back when Serial Box was a thing and I was a broke college kid, and I've been licensed since growing up. An essential tool. I would say it should be built into the OS, but that's a joke since modern-day Microsoft and Apple could never provide such a useful tool without sanding everything down to a smooth minimalist surface with no discoverability.

Yeah Transmit is one of the OG Mac apps (OS X) that were great at a reasonable price. Sadly, they don't make them like this anymore.

Because they don't care about security, it's compliance-checkbox-driven policies.

"The fastest path to wealth is the construction of these digital platforms, where other people depend on you."

- Eric Schmidt.

Many products leads at Google seem to disagree!

Probably a big part of the problem is this:

- good engineers and managers earn well, especially in the US

- they want to own premium products

- where Google and Apple compete, Apple has gone for the premium end and Google has gone for the mass-market end

- speculation: thus Google employees aren't living in their own ecosystem

It's almost like the incentives at Google are misaligned, who knew.

You're not missing anything, it's just that

> Google doesn’t know or care about who’s using it at that point

is incorrect.

Google Drive uses OAuth. Users don't register API keys, apps do, and then users just log in with their Google account.

Google now requires apps to go through manual approval to actually use their OAuth keys, if those apps request certain endpoints. Doesn't matter if the app is local or cloud-hosted, if it makes certain REST requests, it needs special access, and Google controls which API keys get that special access.

See https://developers.google.com/drive/api/guides/api-specific-...

Compile to apk and sideload; Google won't even know. The audit gate in TFA is a gate to get into the play store.

I just dropped support for Android on my app. From now on it will be iOS only. That’s where all the users willing to pay for apps seem to be anyway any dealing with Google bureaucracy just isn’t worth it.

Transmit is a file transfer app. It includes a file browser for your local and remote filesystems. Full access is literally the entire point of it.

https://www.panic.com/transmit/

Transmit is a file transfer client (like FTP). It needs access to your entire drive because you might want to copy something to/from anywhere in your drive.

Fixed

Sure does. The article even says, on the first screenful of text:

> You may have seen iA Writer’s announcement that they are stopping development of their Android version for similar reasons. Our experience was different, but our circumstances are similar. While Google Drive may not be the most popular connection option in Transmit, we know many users rely on it, and we often use it here at Panic to send and receive files from the game developers we work with.