The Google Audit

As I’m sure you remember perfectly, in 2012 (!) I did something silly (no really): I scripted a teensy thing that would check what was playing on the stereo, and then search Youtube for a video that matched that as best it could (based on artist name, track title and the length of the track), and then just play the video (without sound).

To use as the background for the tiny USB monitor in the hallway that displays the weather forecast.

YES I KNOW.

It’s stupid, it’s frivolous, and it consumes Youtube resources without Google earning any of them sweet, sweet ad dollars, so I was expecting it to be shut down, or I’d just grow tired of it, or…

I mean, it’s… all kinds of stupid? Right? I agree completely. No argument there.

Over the years, there’s been some restrictions: Rate limiting on the API, and rate limiting for the website itself, and I had to fill out some forms about what I’m using it for, and… But basically, it’s been doing its stupid little thing.

Cut to August 2019:

Dear YouTube API Developer,

We are currently conducting a mandatory compliance review of your YouTube Data API Project. The review is to assess your compliance to our YouTube API Services Developer Policies (link) and to learn about how our service is being used.

At your convenience in the next seven (7) business days, please complete and submit the following information :

1 A fully functional demo account, including a username and password with which we may access your API Client. The demo account you provide will be used only for compliance inspection and the credentials will not be shared.

2 A fully completed Youtube API Audit Form

3 Screenshots of how your API Client and its users access and use the YouTube API Services

4 Documents relating to your implementation, access and use of YouTube API Services

I got the lovely email above, and I assumed that this was a very clumsy phishing attack. I mean… a demo account? With a password? Could it be more obvious?

So I ignored it, and then got further emails, and after the third “third and final notice” (I think?) I looked closer at the emails and confirmed that the address was really from @youtube.com, without any Unicode homographs, and it’s DKIM signed, and…

IT”S A REAL EMAIL FROM GOOGLE! I couldn’t believe it.

But I finally answered, and got a response from:

Which was also real! And not a phishing attack. It asked:

Regarding project key usage:

The given alphanumeric text [1 only] cannot be deciphered. Please provide us with a list of valid project keys associated with your API Client.

In order to check the project key for your API Client please login to Google API Console. After logging in go to IAM & admin -> settings -> project key.

OK, so I did that, and:

So there’s no project key? I wondered why they couldn’t just, like, look up this stuff themselves. And particularly since there’s no “project key” (whatever that is)… They should know already? Is this phishing after all? Are all those characters in @google.com really ASCII? They are.

After a few attempts at making it understood that I’m not running a web site; there’s no login; there’s no users: There’s just a stupid script running on my hallway computer, they asked to see a screencast of how it works.

Meanwhile, in the middle of all this, they stopped my access to the API, so I had to substitute a hard-coded video to play:


So… I guess… I’ll just wait…

Misunderstand me correctly: I’m not complaining or anything. I’m just… bemused. I mean, it’s just a stupid, fun little thing, and if Google says “er, perhaps don’t do that with the API?” then that’s fine. It’s their API. And I don’t envy those poor people working on the “dispute resolution” team. They probably have a script they’re running through to see whether the next Cambridge Analytica is doing something nefarious with the Youtube data (or at least have a way of saying, during the next Senate hearings, that they are doing something about that), and dealing with pissant hobbyists just using their APIs for fun is… probably not that fun?

It’s just… There’s a sort of disconnect. Whoever came up with this audit thing obviously didn’t have an option for “4c) Not using the API for anything that can even be audited because it’s just stupid”, which I think is probably 70% of the use cases. Because people do stupid shit.

So I’m amused. Bemused?

Am I Bemildred? I think I may be Bemildred. (He’s the one on the right.)

Meanwhile, I can’t have the background of the monitor all blank and stuff. So I’ve substituted it with this wonderfully glitched broken torrent download:

Uses less bandwidth, too.

Leave a Reply