Authentication Service on GCP with data storage options in Europe - firebase

I am looking for "authentication as a service" (fully managed, Google or any other 3rd party) that provides authentication for a web-service on Google Cloud Platform with (user) data stored on servers located in the European Union.
Currently, we use Firebase Authentication with Google as Identity Provider for authentication. After the cancellation of the US Privacy Shield last summer, we formally have to search for something else, as Firebase Authentication is currently a US service only (https://firebase.google.com/support/privacy).
Please only technical advice, as we have discussed the let's-wait-and-see option in depth already.

I am aware that you are looking for technical advice only for another Europe-based authentication service, but it may be worth mentioning that the Privacy Shield frameworks provided a mechanism to comply with data protection requirements when transferring EEA, Swiss, or UK personal data to the United States and onwards. In light of the recent European Court of Justice ruling on data transfers, Firebase has made updates to their terms to add the relevant Standard Contractual Clauses as adopted by the European Commission, which, as per the ruling, can continue to be a valid legal mechanism to transfer data under the GDPR.

Related

Can you require Stripe Connect accounts to be held by people in the US?

I'm integrating with Stripe Connect, and, for tax purposes, only want to support Connected Accounts for people in the US.
I wasn't able to find anything about this in the documentation. Is there a mechanism for this?
I'm using Firebase, so an alternative pattern I've considered is gating Google accounts to US IPs, but that seems like a very error-prone process.
You have mostly answered your own question but I'll just add this here to help others.
Since you are programmatically creating the accounts, my approach would be to notify your users that you are only able to support US based entities up front, then hard code the country code that you pointed out in this doc.
Additional information about the country parameter can be found in the API reference doc:
The country in which the account holder resides, or in which the business is legally established. This should be an ISO 3166-1 alpha-2 country code. For example, if you are in the United States and the business for which you’re creating an account is legally represented in Canada, you would use CA as the country for the account being created. Available countries include Stripe’s global markets as well as countries where cross-border payouts are supported.

What are the implications of taking over an already registered domain in cloud identity?

I have a client that has several country offices and hence different country-specific TLDs.
Now we want to consolidate Google access under the main corp tenant, but some of the offices have already registered their domains for various services that are actively used, be it Firebase or Marketing Platform.
While technically we know what to do, we are not sure about the business impact and implications of our actions.
We deal with the GCP side of things and have no interest in taking care of additional services.
Will the transfer of access management have any impact on the already used services? Business or technical? Do we have to take care of billing-related stuff?
Thanks for the help

Android In-App Purchase transfer reconciliation

We have recently been tasked with adding In-App Purchases to our Android mobile application. We have completed this and have started testing small purchases internally in our production environment prior to release.
We're successfully performing the purchase and storing the result in our back-end database. We have a service that contacts the Google API daily to query about the PaymentState for the transaction.
Today our first test purchase changed to 1 (Payment Received).
We have not yet received the money transfer in our bank account, but it's probably on the way.
Our question is, once the PaymentState has changed to 1, how can we reconcile this with our bank account?
Our finance department doesn't like the sound of just trusting that we got the money. We want to ensure that each payment is accounted for in cash.
How are others accomplishing this?
Thanks
Does your bank offer any interface for a computer to interact with your bank account?
In Germany, almost all banks support either the Home Banking Computer Interface (HBCI) or its successor, the Financial Transaction Service (FinTS), to connect arbitrary computer programs with the bank account, and pretty much provide all services available on their web-based online banking sites via those interfaces as well.
With such an interface you could then check the transactions on your bank account programmatically and simply check if the transaction reference provided by Google has already arrived on your bank account.
Without knowing where you're based and what your bank is / what interface they provide, it's hard to provide more details. (There are multi-national/somewhat universal electronic interface standards for how banks communicate with one another, but these are usually not open to the customers and most likely don't provide the required data about one account's individual transactions)
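The matching step the answer describes (look up each Google transaction reference in the bank statement once PaymentState is 1), as an added example that is not code from the question or the answer. It assumes, as the answer does, one bank line carrying the order id in its reference text; the purchase and bank records are constructed sample data and their field names are assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal

PAYMENT_RECEIVED = 1  # the PaymentState value the question refers to

# Constructed sample of what the daily purchase query stores in the back-end.
PURCHASES = [
    {"order_id": "GPA.0001-1111", "amount": Decimal("4.99"), "payment_state": PAYMENT_RECEIVED},
    {"order_id": "GPA.0002-2222", "amount": Decimal("9.99"), "payment_state": PAYMENT_RECEIVED},
    {"order_id": "GPA.0003-3333", "amount": Decimal("1.99"), "payment_state": 0},  # still pending
    {"order_id": "GPA.0004-4444", "amount": Decimal("2.99"), "payment_state": PAYMENT_RECEIVED},
]

# Constructed bank lines as an HBCI/FinTS client or CSV export might return them.
# The reference is free text, so the order id has to be located inside it.
BANK_TRANSACTIONS = [
    {"reference": "GOOGLE PAYOUT GPA.0001-1111", "amount": Decimal("4.99")},
    {"reference": "GOOGLE PAYOUT GPA.0002-2222", "amount": Decimal("9.49")},  # short by 0.50
    {"reference": "UNRELATED INVOICE 4711", "amount": Decimal("120.00")},
]


@dataclass
class ReconciliationReport:
    matched: list           # order ids fully accounted for in cash
    amount_mismatch: list   # (order_id, expected, received) for finance to review
    awaiting_funds: list    # PaymentState is 1 but no bank line carries the reference yet
    unmatched_bank: list    # bank lines that belong to no known order


def reconcile(purchases, bank_transactions):
    """Match every purchase with PaymentState == 1 against the bank statement lines."""
    report = ReconciliationReport([], [], [], [])
    unused = list(bank_transactions)
    for p in purchases:
        if p["payment_state"] != PAYMENT_RECEIVED:
            continue  # nothing is expected in the account yet
        hit = next((t for t in unused if p["order_id"] in t["reference"]), None)
        if hit is None:
            report.awaiting_funds.append(p["order_id"])
            continue
        unused.remove(hit)  # each bank line may settle only one order
        if hit["amount"] == p["amount"]:
            report.matched.append(p["order_id"])
        else:
            report.amount_mismatch.append((p["order_id"], p["amount"], hit["amount"]))
    report.unmatched_bank = [t["reference"] for t in unused]
    return report
```

Orders left in awaiting_funds after the expected settlement window, and any amount_mismatch entries, are the cases the finance department asked to see rather than trust.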

Can firebase be used as a database in China now

I am now developing a social application. But recently I noticed that Firebase is blocked in China. So I want to make sure whether Firebase can be used in China?
EDIT 24 January 2020
Some of the information here might be out of date.
Firebase has a China service at https://firebase.google.cn/ which is not blocked in the PRC. (Thanks to #c-an for bringing this up.)
That said, *.google.com and *.googleapis.com are still blocked in China. I'll change/update this as I get more information.
Original Answer
For now Firebase is blocked and can't be used in China, along with other Google services, because the PRC has blocked all URIs with *.google.com and *.googleapis.com.
This also means, for example, that the Play app store can't be accessed from China. If you don't know what's going on between Google and the PRC, here's a primer.
Also, according to Chinese law, user data of Chinese citizens must be stored inside of the PRC. You might be able to get away with only addressing this once you have a significant number of users, but the trend has been for the CCP to crack down more and more on foreign information, even busting VPNs and declaring them illegal despite complaints of academics who say that they need, you know, real information.
As we're now in the run-up to the 19th Party Congress this autumn, we can expect the situation to get worse before it gets better. Maybe 2018 will leave room for relaxation?
For now, very sadly, forget anything Google in China, and be prepared to store user data of PRC citizens on servers located inside the Great Firewall. Also be prepared for seemingly random degradations of your service within China, or to be blocked altogether, along with these other blocked services.
Update 2017-11-23: The 19th Party Congress has come and gone and, if anything, Google services look less likely than ever to become available in China. The great firewall is likely to continue to be strengthened as the Chinese Communist Party extends its role into corporations, and foreign firms are generally disadvantaged.
Update 2018-08-05: Google plans to open a censored version of its search in China, according to leaked documents. It seems reasonable to assume that if a censored Google Search becomes available in the PRC, then Firebase and other Google Cloud products may as well. The censored search plan, code-named Dragonfly, has reportedly been in the works since December 2017, possibly a result of meetings that month between Google CEO Sundar Pichai and an unnamed top Chinese official when they met at the World Internet Conference in Wuzhen, China, where PRC General Secretary and President Xi Jinping gave a speech.
Update 2018-12-23: It appears that Google's Project Dragonfly is now on hold if not outright abandoned. This implies that the outlook for Firebase in China has worsened.
You can build your own REST API server outside of China, and make the server talk to the Firebase REST API endpoints of the Realtime Database or Authentication, https://firebase.google.com/docs/reference/rest/database. So your web app talks to your REST API server (accessible from China), and your REST API server talks to Firebase.
The answer is NO:
Using a huge part of Firebase services, I contacted the support, this is the answer:
I'm glad you are considering Firebase for your project. However, in accordance with current U.S. policies, it is not possible to use Firebase from within certain countries. For more information about these restrictions, please refer to the U.S. Department of the Treasury website. The current list of blocked countries is listed here. If you have end-users located within China, it's quite difficult to access Firebase there since the use of Firebase requires Google Play Services, which most of the devices in China don't have. We understand that access to our products has been problematic from within mainland China. We believe it may have been caused by networking conditions in China, rather than Google's own services. Since access to services is determined by the respective country's government and they don't report to Google, the Transparency Report is the most authoritative it can be.
I just tested and I am able to access my realtime database hosted on the Singapore region in China mainland. No need to modify anything. Whatever works overseas, works in China. Tested in Beijing.
Facing the same problem, if you are in China, install Astrill VPN and change from OpenWeb to StealthVPN, connect to a server like USA for China one and login to Firebase. It will work successfully.

Deploying app with Crashlytics to Apple Appstore - do I need a privacy policy?

I am about to submit an app to the Apple AppStore built in Swift that uses Crashlytics to capture crash information. As users of Crashlytics know, some information about usage, duration, crashes, etc. is captured and stored on the Crashlytics servers. My application does not ask for, store or attempt to capture any user data.
My question is about the privacy policy for my application. Since I don't capture any user data, I want to state that in my privacy policy but I'm not sure that's factual since I am using Crashlytics. Any feedback on people that have used Crashlytics in their app and have an actual privacy policy?
Thanks
--Vinny
Quick answer: yes, you need that privacy policy. There are ways to get it done fast, too.
Longer answer:
Third parties (here Crashlytics)
When dealing with a third party service like this, often a quick look into their legal documents will help (for Crashlytics in this case as described in your question).
(...) At all times during the term of this Agreement, Developer shall maintain a privacy policy (a) that is readily accessible to users from its website or within its online service (as applicable), (b) that fully and accurately discloses to its users what information is collected about its users and (c) that states that such information is disclosed to and processed by third party providers like Crashlytics in the manner contemplated by the Services, including, without limitation, disclosure of the use of technology to track users’ activity and otherwise collect information from users. (...)
And
Developer shall at all times comply with all applicable laws, rules and regulations relating to data collection, privacy and security, including, without limitation, the Children’s Online Privacy Protection Act (“COPPA”). Crashlytics may, at its sole discretion from time to time during the Term of this Agreement, audit Developer Data to verify compliance.
Crashlytics is actually being unusually vocal about this topic.
The App Store
At the time of writing (and since iOS8) Apple requires privacy policies for 5 categories:
Kids Category, HomeKit, HealthKit, Apple Pay, and Keyboard Extensions. Also they require privacy policies for user registrations (more). I can't tell if any of the above is true for your app. Apple still says in their App Store Review Guidelines that you need to be compliant with all applicable laws. This brings us to the third and most important reason.
Privacy related regulations
All of the above is just there because of global privacy regulations; these companies would most likely not care otherwise. As soon as you work with user data you are mostly under an obligation to disclose these facts. It's personal data like names, addresses or the tracking of user behaviour. It's been written at length why analytics services need privacy policies. All of it is more important as soon as you share data and use third party services for it. Mostly the disclosure or some kind of consent is the condition for its compliant usage.
If you are interested in reading more about the matter in the context of mobile apps I'd suggest any of these documents:
ICO UK
Ireland
USA/California
Canada
Australia
Hope this helps.
(For proper disclosure: I do some work for iubenda, a tool that helps creating privacy policies for apps and websites)
Vinny, I think it's not mandatory (I've seen apps using Crashlytics without a privacy policy), but it's recommended to have transparency in the communications with your users.
Crashlytics already has a privacy policy so you can just use that policy and add a statement informing that you are not collecting any sensitive information from the user, such as email or phone number.