Using Chrome's API keys in Chromium builds

[Evangelos Foutras]

I'm sending this message to formally express my intent to bake Chrome's keys into Chromium, if those still work in March. Fellow developers of my distribution have voiced concerns that this action could drag Arch Linux into muddy legal waters. Fedora's Chromium maintainer has tweeted about having similar reservations. [1]

However, considering that:

1. The keys have been public since 2012 (e.g.: in Chromium's src repo, several repos on GitHub, in Google search results and Chromium build logs)
2. Your decision to limit our keys "is not a security nor an infrastructure cost decision" [2] and you can make and keep new keys for Chrome secret
3. Vanilla Chromium behaves identically to Chrome and allows users to access their own Chrome sync data using easily installable distro packages
4. We will no longer be bound by the Terms of Service and/or your policies after our keys have been limited by you and removed by us shortly after
5. These are API keys we are talking about (not copyrighted code or intellectual property) and their publicness is not a security and/or cost concern

I don't see how building and distributing Chromium with Chrome's keys is legally prohibited.

If you, Jochen, or another member of the Chrome team would be so kind as to point out applicable EU Law that prohibits me from proceeding as previously described, I would greatly appreciate it.

Otherwise, I see no reason to stop providing a fully functional Chromium build for Arch Linux like I have done for the past ~10 years (8 of these years using our own API keys with blessings and assistance from the Chrome team).

For what is worth, I'm acting in good faith and have no monetary gain from this. I only want to preserve the fully functional Chromium we currently enjoy. When Chrome's keys stop working or I'm informed that it's illegal to use them, I will immediately remove them.

To be clear, I'm not requesting permission to use Chrome's keys, nor do I expect them to continue working. I am only asking whether doing so is illegal under EU Law or not. Please let me know before March if it is. Thanks for your help and understanding! :)

[1] https://twitter.com/spotfoss/status/1351665708837572609

[2] https://groups.google.com/a/chromium.org/g/chromium-packagers/c/SG6jnsP4pWM/m/EGtPNL94CwAJ

[Jochen Eisinger]

I can't provide you legal advice as I'm not a lawyer, but please understand that finding Chrome's keys and informing me of your intent to use them is not a license from Google. We've informed you that these APIs are not intended for use in third party products and we recommend against continuing to do so.

--
You received this message because you are subscribed to the Google Groups "chromium-packagers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-packag...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-packagers/CAA407myU0LaZOrN5nujLU8CK3OUxd5Wc4beUq01eOjFNhAQWBw%40mail.gmail.com.

[Evangelos Foutras]

When asked by Eric whether users could export environment variables with Chrome's keys you asserted that it "would still be prohibited by our policies", implying that such API access would be unauthorized. So you have repeatedly opposed the fact that users should be allowed to access their Chrome sync data through Chromium. If you had stuck to liability denial (your "may be broken in the future without notice" statement) that'd be totally fine. Going beyond that though is either dishonest, arrogant, or both.

While your responses have been prompt and courteous, your handling of the situation leaves much to be desired. And since you are representing the Chrome team on this, it reflects badly on all of you.

[Arnaud GRANAL]

This restriction is actually an extension of the decision that was made a couple of years ago on Android:

https://www.androidpolice.com/2017/01/24/google-shuts-off-chrome-sync-api-third-party-browsers-android-citing-security-vulnerability/

On Android, the issue is even more obvious; users have no possibility to export their profile (bookmarks, history and passwords) without going through the sync service (and sending all their data to Google).

Because of that, switching to another browser is notoriously difficult.

It may sound like an attractive decision in the short-term to restrict users.

In the long-term, however, *artificially* limiting users how they can access the information that they stored themselves in their Google account will eventually make the users rethink a lot ("why doesn't Google allow me to access my own bookmarks using an open client ?") and there is a risk that the users conclude they don't need Sync after all (and not that switching to Google Chrome is the best option).

Sometimes, data portability brings more than it takes; what would have happened to Gmail if it hadn't been possible to sync emails to Thunderbird/Outlook ?

Thinking deeply and further away, the main business model of Google is to collect and monetize user data via ads.

Here, 3rd party apps offer to send to Google the bookmarks of the users and their full browsing history; and all of that for free.

I'm not sure why Google is so much against this opportunity; you can lead a horse to water, but you can't make it drink.

Arnaud.