I am now developing a social application. But recently I noticed that Firebase is blocked in China. So I want to make sure whether firebase can be used in China?
* EDIT 24 January 2020 *
Some of the information here might be out of date.
Firebase has a China service at https://firebase.google.cn/ which is not blocked in the PRC. (Thanks to #c-an for bringing this up.)
That said, *.google.com and *.googleapis.com are still blocked in China. I'll change/update this as I get more information.
Original Answer
For now Firebase is blocked and can't be used in China, along with other Google services, because the PRC has blocked all URIs with *.google.com and *.googleapis.com.
This also means, for example, that the Play app store can't be accessed from China. If you don't know what's going on between Google and the PRC, here's a primer.
Also, according to Chinese law, user data of Chinese citizens must be stored inside of the PRC. You might be able to get away with only addressing this once you have a significant number of users, but the trend has been for the CCP to crack down more and more on foreign information, even busting VPNs and declaring them illegal despite complaints of academics who say that they need, you know, real information.
As we're now in the run-up to the 19th Party Congress this autumn, we can expect the situation to get worse before it gets better. Maybe 2018 will leave room for relaxation?
For now, very sadly, forget anything Google in China, and be prepared to store user data of PRC citizens on servers located inside the Great Firewall. Also be prepared for seemingly random degradations of your service within China, or to be blocked altogether, along with these other blocked services.
Update 2017-11-23: The 19th Party Congress has come and gone and, if anything, Google services look less likely than ever to become available in China. The great firewall is likely to continue to be strengthened as the Chinese Communist Party extends its role into corporations, and foreign firms are generally disadvantaged.
Update 2018-08-05: Google plans to open a censored version of its search in China, according to leaked documents. It seems reasonable to assume that if a censored Google Search becomes available in the PRC, then Firebase and other Google Cloud products may as well. The censored search plan, code-named Dragonfly, has reportedly been in the works since December 2017, possibly a result of meetings that month between Google CEO Sundar Pichai and an unnamed top Chinese official when they met at the World Internet Conference in Wuzhen, China, where PRC General Secretary and President Xi Jinping gave a speech.
Update 2018-12-23: It appears that Google's Project Dragonfly is now on hold if not outright abandoned. This implies that the outlook for Firebase in China has worsened.
You can build your own Rest API server outside of China, and make the server talks to Firebase rest api endpoints of Realtime db or Authentication, https://firebase.google.com/docs/reference/rest/database. So you web app talks to your rest api server (accessible from China), and your rest api server talks to Firebase.
The answer is NO :
Using a huge part of Firebase services, I contacted the support, this is the answer :
I'm glad you are considering Firebase for your project. However, in
accordance with current U.S. policies, it is not possible to use
Firebase from within certain countries. For more information about
these restrictions, please refer to the U.S. Department of the
Treasury website. The current list is of blocked countries is listed
here. If you have end-users located within China, it's quite difficult
to access Firebase there since the use of Firebase requires Google
Play Services, which most of the devices in China don't have. We
understand that access to our products has been problematic from
within mainland China. We believe it may have been caused by
networking conditions in China, rather than Google's own services.
Since access to services is determined by the respective country's
government and they don't report to Google, the Transparency Report is
the most authoritative it can be.
I just tested and I am able to access my realtime database hosted on the Singapore region in China mainland. No need to modify anything. Whatever works overseas, works in China. Tested in Beijing.
Facing the same problem, if you are in china, install Astrill VPN and change from openweb to StealthVPN, connect to a server like USA for china one and login to firebase. It will work successfully.
Related
I'm integrating with Stripe Connect, and, for tax purposes, only want to support Connected Accounts for people in the US.
I wasn't able to find anything about this in the documentation. Is there a mechanism for this?
I'm using Firebase, so an alternative pattern I've considered is gating Google accounts US IPs, but that seems like a very error-prone process.
You have mostly answered your own question but I'll just add this here to help others.
Since you are programmatically creating the accounts, my approach would be to notify your users that you are only able to support US based entities up front, then hard code the country code that you pointed out in this doc.
Additional information about the country parameter can be found in the API reference doc:
The country in which the account holder resides, or in which the business is legally established. This should be an ISO 3166-1 alpha-2 country code. For example, if you are in the United States and the business for which you’re creating an account is legally represented in Canada, you would use CA as the country for the account being created. Available countries include Stripe’s global markets as well as countries where cross-border payouts are supported.
I am looking for "authentication as a service" (fully managed, Google or any other 3rd party) that provides authentication for a web-service on Google Cloud Platform with (user) data stored on servers located in the European Union.
Currently, we use Firebase Authentication with Google as Identity Provider for authentication. After the cancelation of the US-privacy-shield last summer, we formally have to search for something else, as Firebase Authentication is currently an US service only (https://firebase.google.com/support/privacy).
Please only technical advise, as we have discussed the lets-wait-and-see option in depth already.
I am aware that you are looking for technical advise only for another Europe based authentication service, but it maybe worth mentioning that The Privacy Shield frameworks provided a mechanism to comply with data protection requirements when transferring EEA, Swiss, or UK personal data to the United States and onwards. In light of the recent European Court of Justice ruling on data transfers, Firebase has made updates to their terms to add the relevant Standard Contractual Clauses as adopted by the European Commission, which, as per the ruling, can continue to be a valid legal mechanism to transfer data under the GDPR.
I have a Dockerized API service destined to run using Cloud Run. The service is backed by Firestore. It's a startup project aimed at English speaking customers most likely US and UK.
In the follow article (https://cloud.google.com/solutions/best-practices-compute-engine-region-selection) it says "For a global user base, deploy in a region in the US".
Hosting the API Service and Firestore in the same region seems to make sense. In the article it says "Estimate 1 ms of round-trip latency for every 100 km traveled". Based on that, I would pick the East side of the US because that's nearer on the map to the UK. I assume the undersea cables terminate at the coast. However, maybe the UK is linked directly to another part of the US. What particular region within the US that would be most suitable and how do you arrive at this? (does it even matter?)
We are defining our privacy policy and customers (specially in the EU) are concerned where their data is located.
Is this still the right answer or did anything change since 2014?
http://grokbase.com/t/gg/firebase-talk/14axy4z42p/firebase-where-is-my-data-stored
At the Google DevFest in Amsterdam, I heard from Frank van Puffelen who presented Firebase to us that at that time (10/10/2015) they had a datacentre in the US and were planning to open one in Europe.
I'd like to give you more details but that's all I know.
I'm also hoping they will open a datacentre in the EU, since there are fresh laws about where our data collected from EU citizens can be stored and that the Safe Harbour legislation will become irrelevant from what I understand (correct me if I'm wrong).
According to the official FAQ, there are certain services that are US-Only.
For example, these are US-Only:
Firebase Realtime Database
Cloud Firestore for Firebase
The rest of the services are claimed Global, and can be hosted in any Google data center, or even a data center run by a selected external party. E.g.:
Cloud Storage for Firebase
Cloud Functions for Firebase
The FAQ also mentions, that Firestore will soon become available Globally:
Note: Though currently US-only, Cloud Firestore will soon be available at all Google Cloud Platform locations.
According to the Google guide Set a project location, you can either choose for a multi-regional location or a regional location. Multi-regional locations offer better replication over multiple regions and better write latency, but are only available in the US (as of writing). Regional locations keep your data within the region, but that means that if that region experiences e.g. a power outage, your service will become unavailable. However, for regional locations, a data center in Frankfurt, Germany is available (again, as of writing).
Side-Note: Cloud Firestore and Cloud Storage will be within the specified region, but Cloud Functions will always be in us-central1 (as of writing).
I am about to submit an app to the Apple AppStore built in Swift that uses Crashlytics to capture crash information. As users of Crashlytics know, some information about usage, duration, crashes, etc. is captured and stored on the Crashlytics servers. My application does not ask for, store or attempt to capture any user data.
My question is about the privacy policy for my application. Since I don't capture any user data, I want to state that in my privacy policy but I'm not sure that's factual since I am using Crashlytics. Any feedback on people that have used Crashlytics in their app and have an actual privacy policy?
Thanks
--Vinny
Quick answer: yes, you need that privacy policy. There are ways to get it done fast, too.
Longer answer:
Third parties (here Crashlytics)
When dealing with a third party service like this, often a quick look into their legal documents will help (for Crashlytics in this case as described in your question).
(...) At all times during the term of this Agreement, Developer shall
maintain a privacy policy (a) that is readily accessible to users from
its website or within its online service (as applicable), (b) that
fully and accurately discloses to its users what information is
collected about its users and (c) that states that such information is
disclosed to and processed by third party providers like Crashlytics
in the manner contemplated by the Services, including, without
limitation, disclosure of the use of technology to track users’
activity and otherwise collect information from users. (...)
And
Developer shall at all times comply with all applicable laws, rules
and regulations relating to data collection, privacy and security,
including, without limitation, the Children’s Online Privacy
Protection Act (“COPPA”). Crashlytics may, at its sole discretion from
time to time during the Term of this Agreement, audit Developer Data
to verify compliance.
Crashlytics is actually being unusually vocal about this topic.
The App Store
At the time of writing (and since iOS8) Apple requires privacy policies for 5 categories:
Kids Category, HomeKit, HealthKit, Apple Pay, and Keyboard Extentions. Also they require privacy policies for user registrations (more). I can't tell if any of the above for your app is true. Apple still says in their App Store Review Guidelines that you need to be compliant with all applicable laws. This brings us to the third and most important reason.
Privacy related regulations
All of the above is just there because of global privacy regulations, these companies would most likely not care otherwise. As soon as you work with User data you are mostly under an obligation to disclose these facts. It's personal data like names, addresses or the tracking of user behaviour. It's been written at length why analytics services need privacy policies. All of it is more important as soon as you share data and use third party services for it. Mostly the disclosure or some kind of consent is the condition for it's compliant usage.
If you are interested in reading more about the matter in the context of mobile apps I'd suggest any of these documents:
ICO UK
Ireland
USA/California
Canada
Australia
Hope this helps.
(For proper disclosure: I do some work for iubenda, a tool that helps creating privacy policies for apps and websites)
Vinny, I think it's not mandatory (I've seen apps using Crashlytics wihtout a privacy policy), but it's recommended to have transparency in the communications with your users.
Crashlytics already has a privacy policy so you can just use that policy and add a statement informing that you are not collecting any sensitive information from the user, such as email or phone number.