28 comments

[ 4.1 ms ] story [ 27.1 ms ] thread
This is pretty egregious, but not surprising. Google wants that data and is willing to do whatever it takes to get it. I’ma little surprised though as other Google apps (hangouts) behaves and asks for access to additional photos every time I try and send a picture.
I am going to put a different spin on this: If you use a service like google photos, wouldn't you want to uplift all your photos, albums and metadata into the service?

Viewed from the "be maximally useful" perspective, it makes sense. I have 150,000 photos (maybe) -I don't want to approve each one. Even at the album granularity, I have thousands of albums. We all do.

Yes, its a giant, egregious privacy breach. That is pretty much definitional for a cloud based Photo archive/album service.

I use google photos. I also certainly do NOT want to upload all my photos, albums and metadata into the service.

Having said that I would still allow full access to all my photos on my device for the convenience of being able to scroll through my thousands of photos to select the 20-100 I want to upload.

Nope, that's not what I would want to use Google Photos for.
then.. keep on granting per photo I guess? If they made that impossible thats a dark anti pattern
I take it you didn't even click the OP? Because that's exactly what this is about, and nothing else.
You can easily grant Google Photos access to all your photos. Why do you think others should not be allowed to specify a subset?
per album would be nice I guess.

see, this is why I love HN. it makes me think!

It depends on what you use it for. I only use it to access a non-personal library, but Google Photos still shows all of my local photos in every account. That renders the app useless for me.

Google Photo only wants to be a full replacement for your Photos app and doesn't allow any other usage. That's user-hostile.

The worst part is that iOS 14 initially let me use Google Photos exactly the way I wanted, until Google (pretty quickly) added the block described by OP.

yea I kinda see this now
I don't agree with the title at all. Detecting the auth level of access to photos is documented (PHAuthorizationStatus).

Google photos is simply refusing to let you use their app all unless you grant them access to view all of your photos.

I'm all for privacy -far beyond the average person- but this seems like one of those cases of uninstall it and move on if you don't agree with the product decision.

Fwiw: Not a fan of google. Currently on iCloud + Flickr for non-sensitive photos

It's a clear violation of Apple's app store guidelines for them to deny access to the app if the app could reasonably function in the scenario where the user has only granted partial photos access. Unfortunately, as end users of a free app, we have no way to report this probable violation to Apple through customer support means. Hopefully the press around this will attract the attention of App Store leadership.
> Detecting the auth level of access to photos is documented (PHAuthorizationStatus).

This is not the problem. The problem is that they use that to do

> Google photos is simply refusing to let you use their app all unless you grant them access to view all of your photos.

This is not an appropriate use of the API.

I believe I read somewhere that your app can be booted from the app store if you require permissions that are not needed for core functionality.

E.g. a navigation app is useless without GPS permission and is okay, but a Maps app do not specifically require GPS permission as it can be used to view maps.

So to me, it seems Google is requiring permissions that are not strictly necessary for using the app.

Apple App Store Review Guidelines, Section 5.1.1:

"(iv) Access: Apps must respect the user’s permission settings and not attempt to manipulate, trick, or force people to consent to unnecessary data access. For example, apps that include the ability to post photos to a social network must not also require microphone access before allowing the user to upload photos. Where possible, provide alternative solutions for users who don’t grant consent. For example, if a user declines to share Location, offer the ability to manually enter an address."

https://developer.apple.com/app-store/review/guidelines/#pri...

Apple should really stop allowing abuse of their APIs, from custom photo pickers that nobody needs (remember, if your app uses the default photo picker, it doesn't need any permission at all) to any app that decides to include a general-purpose cookie-less web view instead of just opening links in Safari.
Google Photos is not circumventing anything. It’s using a public API that was provided to developers in order to detect and react to limited permissions.

If I paid for Google Photos and they won’t let me access my stored data without handing over even more data, then that feels outrageous.

But if I’m using it for free, then it’s a reminder that nothing is actually free. That business model likely can’t work as a “view only” retrieval service. (If it even works at all)

> Google Photos is not circumventing anything.

Yes, it is. It is attempting to induce the user to granting more access than it needs to function, circumventing the user's preferences regarding the privacy of their photos. In doing so, they fall afoul of section 5.1.1 of the App Store Review Guidelines.

> It’s using a public API that was provided to developers in order to detect and react to limited permissions.

It is very clear that the interaction that Google Photos has with this API is not what it was designed for. I actually advocate for the removal of this API as it is very easy to use in ways that are not appropriate (and of limited use to legitimate apps).

> That business model likely can’t work as a “view only” retrieval service.

photos.google.com on desktop exists. Plus, this is an entirely separate argument; regardless of the business model there are rules for what iOS apps are allowed to do and the outrage stems from that.

Nothing is circumvented. I limited access to my photos, and Google told me that it needs full access for me to be able to “view, share, or back up” my photo library.

There are no lies or circumventions here. The situation is fully transparent: They don’t want to build a “view only” experience. Apple cannot force them to build a “view only” experience. They can reject Google Photos, and Google can re-evaluate their investment.

Viability of the business model is really not a separate argument. It’s intrinsic to the argument. Unfortunately, an App Store Guidelines decree does not mean that a business model becomes magically feasible.

Let’s say Apple rejects Google Photos as you are suggesting. Google would likely relent and build a “view only” experience. Google can afford to lose money.

A photo startup with limited funding might not have that option, and could go out of business. Is that a win?

I desire the ability to use the Google Photos app without giving it all my photos on this device. Perhaps I only want to share my camera photos and not the screenshots I take, or whatever. Google Photos gets around this by pretending that it cannot function without access to all my photos…which is basically the definition of circumvention.

I am not claiming that the App Store Review Guidelines can magically make an app model feasible; instead my claim is that Apple claims that all apps on the App Store follow the guidelines and Google agrees to this so they can distribute their apps on the store. I actually strongly disagree with the situation surrounding the App Store as it is currently, but this is how it is for now and if we apply the rules consistently then Google Photos as it is now cannot be in the App Store. There is no provision that says "you can bend the rules if they are an existential threat to your business".

(comment deleted)
> needs full access to your photos

This is a lie. The app could be made to function with access to only a subset of photos, so "wants full access" would be the accurate phrasing. Lying to users to gain more access is what malware does.

> The app could be made to function with access to only a subset

How so? Does the platform permit choosing photos by a specific album or set of tags?

An app that installs without the permissions it really wants and then refuses to function AT ALL until granted those additional permissions has got to be some kind of violation. It's basically lying about the permissions it needs to function in order to make it into the appstore.
Completely understandable for this case. I have no problem with it.

I find the opposite problem more puzzling: when an app (e.g messenger) only has access to certain photos, why can’t the image selector still browse all of them? Isn’t the image selector an OS component that shows me all my photos without the app seeing them (that is, the app isn’t rendering them)?

If this isn’t the case - why isn’t it? Is there no iOS system level image picker that runs isolated from the app? Or is there, but apps aren’t using it?

I find this problem more puzzling: when an app (e.g messenger) only has access to certain photos on my device, why can’t the image selector when I want to attach an image still browse all of them?

Isn’t the image selector an OS component that shows me all my photos without the app seeing them (that is, the app isn’t rendering them)?

If this isn’t the case - why isn’t it? Is there no iOS system level image picker that runs isolated from the app? Or is there, but apps aren’t using it?

>Isn’t the image selector an OS component that shows me all my photos without the app seeing them (that is, the app isn’t rendering them)? > If this isn’t the case - why isn’t it? Is there no iOS system level image picker that runs isolated from the app? Or is there, but apps aren’t using it?

Yes, you're exactly right.

There is a native OS switcher that does exactly what you say. But, there's nothing stopping an App developer from writing their own. Here, they'd just basically be fetching all photos it has access to (i.e., only certain images) and display those there.

I haven't installed or used Fb messenger for years, but it sounds right up their alley to create their own image picker. You can shove a bunch of telemetry into your own image picker, but you can't into the native OS one.