Re: Making GNUS continue to work with Gmail

[Gregory Heytings]

> > Yes, if they agree to take the legal responsibility of the use of these 
> > credentials, and if they pay if Google wants to have the code of the 
> > program reviewed by security experts.
>
> I am completely lost here.  What legal responsibility is involved?

This is an answer that developers cannot give you.  It's a question that 
only a lawyer can answer.  But I at least would not agree to personally 
take the risk of being sued by Google for having knowingly violated their 
terms of service, even if Google tolerates (at the moment at least) that 
free software projects violate these TOS.  I observe that this is what 
happened in similar projets, e.g. Kmail: it's not an individual who has 
submitted the app for verification by Google, but a legal person, KDE e.V.

Violating these TOS by making the OAuth credentials public (which is what 
happens in a free software project) can have consequences, for example if 
a malicious person uses them in their own app to fraudulently gain access 
to Google accounts.

> I've asked for someone to please tell me, in brief terms, the concrete 
> reqwuirements for issuing an app key to something like GNUS, but I have 
> not seen a reply stating them.

Google's terms of service for OAuth services are available at 
https://developers.google.com/terms .  Only a lawyer can tell you in brief 
terms what the concrete requirements are.

I've just read them again, and it seems to me that:

- Paragraph 4.a.1, which states that "you will not create an API Client 
that functions substantially the same as the APIs and offer it for use by 
third parties", expressly prohibits your idea of creating a "modif[ied] 
Kmail so that it does the necessary low-level access, and nothing else".

- Paragraph 4.b.1, which states that "You will keep your credentials 
confidential and make reasonable efforts to prevent and discourage other 
API Clients from using your credentials. Developer credentials may not be 
embedded in open source projects." prohibits the use of OAuth credentials 
in free software projects.  As I wrote above (and earlier), Google 
tolerates (at the moment) that this specific point of their TOS is 
violated.  But that doesn't mean that violating them is without legal 
risk.

- Paragraph 9.c list the legal risks: "Unless prohibited by applicable 
law, if you are a business, you will defend and indemnify Google, and its 
affiliates, directors, officers, employees, and users, against all 
liabilities, damages, losses, costs, fees (including legal fees), and 
expenses relating to any allegation or third-party legal proceeding to the 
extent arising from: - your misuse or your end user's misuse of the APIs; 
- your violation or your end user's violation of the Terms; or - any 
content or data routed into or used with the APIs by you, those acting on 
your behalf, or your end users."  Of course an individual person is not a 
business, but nobody is completely independent, and I'd guess that Google 
would seek redress against that person's employer for example.

What I wrote above is nothing but my understanding.  Again, only a lawyer 
can tell you what these TOS concretely imply.

Gregory