62 comments

[ 4.7 ms ] story [ 132 ms ] thread
Part one of the title is true. Part two of the title is probably true but we don’t know.
"Quite a few of these apps (Drive, Docs, Sheets, Keep, Duo) were updated on December 7, the very last day to get in app updates before the new privacy requirements"
As others pointed out, this might not mean "Google is deliberately trying to avoid defining the applicable privacy labels", it could mean "Google has prohibited developers from pushing updates until they legally figured out what the applicable privacy labels are".
If they need such a time, they haven't their house in order. At that size and the sensitivity of the data Google deals with, there must be constant monitoring or they act irresponsible.
How can I move away from Google. All my millions of accounts and services (even ones I've forgotten and may one day need) are linked to my Gmail.

And frankly, I find it hard to trust many others with some of my secure information (passwords) etc that I keep on my account...I feel like Google probably have some of the best of "anti-hacking" for lack of a better term.

I find MS services a pita to use and Apple, I just don't want to pay for their HW, it's not good value (to me).

I just forwarded all the email to fast mail and it has worked properly.
So Google is still getting all your email, you're just never logging in to Gmail UI... Don't see the point.
The end-goal is to gradually update your email adress in your third-party account to FastMail, and you keep the email forward enabled just in case you forgot to migrate one or someome tries to reach you through Gmail by mistake.
I did the same but that's not really moving away from google. They still know what emails you receive, what you buy, who you write with, what websites you use. I slowly, one by one, move each website that I use whenever I notice it goes to my old email or I login using my old email.
This is also how I transitioned to Fastmail. Forward all mail from gmail to your own domain and then slowly unsubscribe or update the email on any that you receive. Eventually you will have most of your accounts and subscriptions moved over to your own domain. I still keep the email forwarding enabled just in case any old accounts send me something.
You can set up pop3 access on fast mail to grab your legacy gmail mail while you transition to a domain and address that you own and control. I still have mine but only get 1-2 messages a month to my old gmail address.
I second the recommendation for Fastmail. Forward your email, gradually change your accounts over.
Most accounts you secure as a service to the people running the service with the account, not for your own benefit. For these you can use weak passwords/reuse passwords with the domain added.

For accounts that are actually valuable use a self hosted password manager and memorize the passphrase it uses to encrypt everything.

Also you should be backing everything up off Google yesterday. Everyone has a decent chance of getting smacked by a poorly thought out heuristic/ML/AI automation that locks you out either because they don't like something you said or think you're trying to break in to your own account. I regret not backing up my photos before Google took them away.

I used FastMail and migrated to ProtonMail recently. I use my own domain. On my main machine I run thunderbird in the background so it always has a local copy in case something happens. You can always sync to a new service.
I started switching over to a paid Fastmail account with my own domain several months ago. I still use my gmail account for some sign ins (and my work uses google for email and sso), but if my account was locked tomorrow I’d be ok.
I’ve been slowly transitioning away for almost a year now. And I was all in on google products and services.

I got rid of my android, switched to iPhone, was gonna go with protonmail, but went with Hey instead and I have zero regrets, Hey is awesome! Cancelled my YouTube premium/music subscription and switched to Apple Music.

Recently I’ve been going through my password manager and updating accounts and services to use my new email address. I’ve almost completely transitioned away. I’ll still keep my google account for stuff like my Stadia games (and tbh Stadia is actually pretty good), chromecasts, and my nest thermostats, but when we move I’ll probably leave them with the house.

Unfortunately there isn’t really any good neutral replacements for email + calendar + contacts, etc.

They do exist, but I just found switching phone ecosystems easier than anything else.

You can find an Own Cloud or a Next Cloud host in your country or whatever, and use that. That gives you calendar and contact sync, at least.
1) Get an email with a custom domain that you own, so you can switch providers without losing your address. Use Google takeout (https://takeout.google.com) to download your old messages.

2) Use a third-party password manager, or if you're paranoid (like me) use one that is open source and can be self-hosted like pass (https://passwordstore.org)

3) Use Linux on desktop for the best experience if you're a tech/software person. If not, you're stuck with Microsoft Windows, which nowadays is a window into your personal life and data. FWIW, the new M1 Macbooks offer the best value than any other laptop on the market today.

4) Use iPhone. Whatever you might think about their desktop hardware, the iPhone at least is price competitive with high-end Android devices. The biggest hurdle is transitioning to a different OS, but that difficulty is usually overestimated.

If you're really attached to Android though, the best you can do is use a custom ROM like LineageOS (aka Cyanogenmod), or maybe get a Purism phone (https://puri.sm/) which doesn't use Android at all.

5) Switch to Firefox if you're not already using it. Mozilla's hands aren't exactly clean, but they're a massive step up from Google in terms of privacy.

For all other Google services, you can easily find hundreds of alternatives, including self-hosted ones. Here's one list I found with a quick search (on DuckDuckGo!): https://restoreprivacy.com/google-alternatives/

The only Google service I find myself using nowadays is Youtube, and AFAIK there's not much you can do to avoid that one.

Looks like Google is embarrassed to admit what they collect from user. Fortunately Google makes Android so they can hide the facts.
> Making it easy to understand what data we collect and why

https://safety.google/privacy/data/

That's the part they tell you about.
Google doesn't need to have some nefarious, hidden tracking program. They're pretty transparent about it and everyone still uses Google products.

That's what I think is so great about Apple's stance: they're forcing providers to give users a choice, because I think most people would greatly prefer NOT to have all the off-site surveillance but still be able to use Google products.

So you think they'll magically declare to Apple what they've been hiding from you as the user? :D
Given that Apple's changes have riled up Facebook like nothing else (not even regulations such as the GDPR), it's not that far-fetched to believe that Apple has more leverage here and Google may choose to tread very carefully.
What would be the consequences for Google if that page was inaccurate, misleading, or untruthful?
Proving it is inaccurate would involve a third-party audit of all of Google's internal code and machine learning models so it will never happen.
I wonder if some of the developers are feeling a bit uneasy "What happens if senior management realises that we've not realised anything on iOS for a month and no one cares?" What exactly are Google paying the people writing these apps for? What happens if you fire half of Google's app dev staff and it has no effect on revenue.
Big tech prefers overpaying programmers to stay in their job than be their potential competitors in the future.
Exactly. It might for example make (business) sense for Google and Facebook to round up every single ML PHD and just keep them busy so they don‘t work for anyone else. That way other companies are dependent on them and they keep resources from competitors. I actually love the Silicon Valley (HBO Show) analogy of engineers hanging out on the roof being „unassigned“.
The rooftop thing was a "rest and vest" situation. Different from keeping talent busy. Something Microsoft did by letting their top engineers build a brand new OS that was never meant for market. Forgot its name, Singularity OS?
One month is NOTHING. Companies do not care about a month. Users do not care about a month. Nothing changes within a month of development anyways.

Now go 2 years without an update, and it would start to show. 5 years, and the general consensus would be "the app is outdated"

This is what happened to IE, btw. They stopped updating it for 5 years. We all know what happened afterwards once the momentum was lost.

They didn't only lose release momentum, but they moved almost everyone away from working on it.
I think it's possible this is driven by legal, and not marketing. I found the app store privacy label questions very confusing if you think about it for too long. Their legal teammay want the product teams to wait until they get more clarity on how these questions will be commonly answered, etc before releasing. Otherwise they may face a flood of legal claims.
Not to mention that the labels might read different depending in the user or context. For example Google Apps Gmail vs free consumer email.
Interesting how far we've come. There was a time when a new version of an application came along every 2-3 years or longer; or never (it was fully baked and did what it said on the package, from day one).

Now we suffer from update fatigue, where half the time we fire up an app or turn on a device, it must spend a few minutes updating apps.

I'm not convinced that we always get value from these updates. (Security updates are indeed important, but sometimes their need is evidence of pushing out features too soon, without proper testing and review.)

Google Calendar seems to do everything I need and more; same with Gmail. I don't want new versions of them unless there's a really compelling reason. I sure don't want < 2 month release cycles.

In fairness, I think that while you mention security as a main source of this, you have it a bit out of order. Security pressures and expectations are substantially higher these days. Applications written thirty years ago faced far fewer attacks, and with generally less consequence for failure, than they do today. Probably by orders of magnitude though that would be hard to actually measure.

Increased patching to address this reality seems unavoidable, at least until we understand how to produce truly secure software on the first try far better than we currently do.

Also applications written 30 years ago today were often self contained applications. Something you can test in a variety of environments as a reasonable proxy to the end user.

Today with SaaS/etc offerings you have very different difficulty spikes. Imagine only rolling out an update once a year to 1B customers. Especially with all the big changes that might entail.

I can't imagine the fear. Releasing often irons out small problems before they become massive problems. Or, at least, is a strategy to attempt that.

According to the post website, the Google Search app updated 27 times this year... is that really this insecure?

And honestly, I don't get the idea of making an app for every service where a simple web app suffices. Why making a native app that requires installation when you can do it through the browser?

> is that really this insecure

Depends on how many libraries there are. I have to deal with at least 2-3 different CVEs existing in our libraries or runtimes a month. And I’m dealing with a pretty small surface area compared to some of my peers.

We rebuild our environment from scratch every week to reduce the manual work involved in resolving those CVEs.

Surely some of those security vulnerabilities in underlying libraries could be avoided with a bit more careful, slower releases of the libraries themselves.

There is no question that the current app reality is one or more orders of magnitude more complex than in "the old days"; but even so, I think the race to MVP (and perhaps the VC pressures that drive some of that?) have led to layers of rushed out, risky codebases.

(comment deleted)
> Google Calendar seems to do everything I need and more; same with Gmail. I don't want new versions of them unless there's a really compelling reason. I sure don't want < 2 month release cycles.

We probably get the unnecessary updates because Google (and others) have a boat-load of engineers that need something to do and they aren't getting assigned to something useful.

And managers who want to get promoted by "leading" on visible changes.
So essentially, the problem is with the people giving the promotions...
> Google Calendar seems to do everything I need and more; same with Gmail. I don't want new versions of them unless there's a really compelling reason. I sure don't want < 2 month release cycles.

It got there by doing short cycles

1) the fact they did short cycles doesn't mean, that short cycles were useful (while probably short cycles makes it simpler to carry users along)

2) it doesn't mean they are still benefitial to the users. At some point an app does "all" and new features are more likely to lead to bloat than improvements for 99% of the users. Thus "they got there due to that" isn't an argument.

2) is completely independent of short release cycles
To me it is almost surprising they still work. Every time Let's Encrypt comes up it seems people are in a rush to have security certificates invalidate within weeks if not days. A server backed app without updates for two months would turn into a brick.
LE certificate renewal is server-side, client apps don't need updates.
Ah, forgot that the trust model is only based on having a valid certificate for the domain, not on the specific certificate. Which is only a problem if someone manages to hijack the domain long enough to get a valid cert. Google is probably less likely to loose control of its main domains than other groups that sometimes just forget to keep track of them.
This is a result of agile practices being more of the norm. Continuous delivery of code has been preferred over monolithic releases.
I can't recall the last time I noticed an app upgrade
This might be what gets me to switch to fastmail.
They’re probably trying to figure out a workaround.
Still no PIP in the app, so annoying.
Feels like a wild ride going from DoubleClick getting flagged as literal spyware back in the day to everyone normalizing tracking to iOS cracking down on stuff like this
Google Maps, YouTube and gmail are the three products I still use. I will try to use Apple Maps more, but I dont see how I can replace other two.
I've used fastmail instead of gmail for years and much prefer it even if it's an inferior product. I still use google calendar and youtube (vanced) and google voice (still not any good way to text using my carrier on a browser that I know of)