It's Google's Internet, we just use it. Well, maybe not, but some days it seems that way. Google's gone from searching the Internet to being a big chunk of it. The latest moves from Mountain View include adding OAuth and contextual gadgets to email. Good on the surface for Google users, but what do they mean for everybody else?
Google recently announced that it’s beefed up Gmail with OAuth for SMTP and IMAP, and providing adding “contextual gadgets” to Gmail to integrate with Google Apps. Sounds good for Gmail and Google Apps users, but what about everybody else?
It’s Google’s Internet, we just use it. At least that’s how it feels some days the the predominance of Google. Google’s been trying to integrate itself into almost every area of technology lately, from providing DNS service and suggesting new protocols to replace HTTP, to its front-line user applications. Oh, and I hear they’re dabbling with this search thing as well, and something about advertising.
There’s nothing inherently wrong with what Google’s trying to achieve, and I generally think that Google means well, but the ripple effects mean the company has a lot of impact on the Web by dint of its sheer reach. The most recent announcements make me wonder whether the reach is going to move beyond people who choose to use Google’s products.
What Google’s Doing
The OAuth announcement is pretty straightforward. Google is giving access to Gmail accounts to third-parties using OAuth, which means that you can authorize an application to work with your data stored in Gmail IMAP and/or allow sending of mail via SMTP with your account. People have been giving access to Gmail accounts to third-party programs for years. They’re called mail clients, and people expect to give their credentials to a mail client to send and receive email.
Enabling OAuth means that an application can connect without your credentials. It still has access to some or all of your data, but it doesn’t have your password. Meaning that the application can’t take full control of your account. OAuth is being used pretty widely by social networking sites like Twitter to give access to third-party apps without giving them full run of account. This is a Good Thing, and people should not be giving access to their social network sites to other Web-based services in any other way.
Google’s aiming OAuth at enterprise clients right now, and exposing features to suck users in to Gmail and Google Apps, but note that the company doesn’t seem to be making it easy to migrate out of Google Apps. The company might argue that one can migrate out of Google Apps/Gmail just fine using POP3 or IMAP, to which I would reply yes, but it’s an enormous pain for a single user with a 4GB mail spool, much less any company with dozens or hundreds of users with similar mail archives. Trying to get all your data out of Gmail is a multi-day project while you watch messages download over POP3 very, very slowly. Not quite the same as being able to simply tar up /var/spool/mail or whatever. But I digress…
One service, Backupify, is providing Gmail backup to Amazon S3. This seems to be of limited use, though because it provides only a big bucket of .eml files which is not what I want to try to import into another email client or service.
So, applications are gaining access over OAuth. Which seems to be enterprise related for now, but I can see quite a few social networks and other applications popping up that would use OAuth if Google continues to expand. So this makes Gmail more or less the only company with tools to appify email so far.
The next feature is contextual gadgets. Liz Gannes over on GigaOm writes about how these could make the Inbox an application platform. Right now these are being rolled out to Google Apps users and are being used for things like previewing YouTube, but I doubt they’ll stop there.
Email has always been a handy way to spread malware. I have to wonder if the “contextual gadgets” are going to be a new way of spreading malware to users, if it’s going to be possible to exploit the gadgets somehow.
OAuth access is supposed to be more secure, but you’re still granting third-party applications access to your inbox and access to send messages. Now, instead of malware exploiting the desktop mailer, they can target third-party services that have a bunch of authorizations via OAuth. That can be turned off quickly and attackers might have a much harder time, but it’s something to think about.
Everyone Else is Second Class
My biggest concern with Google’s changes has less to do with security, though, and more to do with the second-classing of everybody else who isn’t using Gmail.
Long-time Linux users will remember the many years when Linux was a second-class citizen for virtually everything. Get an attachment? Well, maybe you can open it, maybe you couldn’t. Media files? Ugh. HTML email? Some clients displayed it OK, but if you were using Pine or something like that, it was a headache.
As much as I think that email needs an upgrade, I’m a little uncomfortable with the Goog doing everything here. Presumably much of this will be done in the open, so other providers will be able to follow along if they choose to and have the resources and interest in keeping up. But Google seems to be doing a reverse Facebook here.
Facebook trotted out a platform that a lot of people enjoyed, and then slapped on a walled garden email system to keep its users on site as long as possible. This is an ugly practice, at least in my book, because it means that I can’t communicate using standard tools with some of my friends that have gotten into the habit of using Facebook to send notes rather than using email.
Google, on the other hand, has a platform that works with other email networks and that’s been a good thing. Use Gmail, communicate with anybody using email. No problem. Now, though, by appifying email, it might be breaking email for other folks.
The initial gadgets are harmless. Google is just previewing information from other sites within Gmail. You get a link to Picasa or YouTube or Flickr and Gmail gives you a preview right in your inbox. No worries if you’re not using Gmail because either way, you have a link.
But the next stage is to allow third-party providers to build apps that interact with Gmail, and they won’t work with third-party clients. So it’s another way to keep users and companies tied to Google Apps and Gmail.
Smart for Google, and not inherently harmful, but I have to wonder about the effect on the larger ecosystem of email users. It’s certainly not unambiguously good, as it has potential for lock-in with a system that was designed to be universal. Your email may remain portable, but other information and services will not be. What are your thoughts?