A Flaw In Google Assistant And Calendars

2016-12-27

I had considered a clickbaity title for this, such as “How To Successfully Spam Google Assistant Users, 100% Guaranteed!” but let’s keep this civil. What I will say is there’s a defect in Google’s services involving many of their services working together to make it really easy for spammers to annoy the shit out of anyone using Google’s new Assistant based services, and possibly their older service usable by Google search (i.e., Google Now). It’s so easy to exploit and so difficult for the target to deal with, spammers should be creaming themselves over it. It’s that ideal a situation for spammers.

So now that I’m done with the sensationalism, what is this flaw?

For a while now, Google has had to deal with calendar invite spam in Gmail. Their spam system, for the most part, deals with this appropriately. The spam invite gets shuffled to the spam folder and the event doesn’t get added to your Google Calendar. This is where it used to stop. There’s nothing more to do, right? The user never sees the spam and never sees the event. Out of sight, out of mind.

What this system does not do is remove you as an invitee of the event. So while the spam has been dealt with and the event is not on your calendar, you are still invited.

Have you noticed that there are times when you use Google Search while logged in to your Google account that it will show you this neat card with information above your search results? The system that generates this card is the same as Google Now and Google Assistant. The only difference between Now and Assistant is Assistant uses a conversational AI component to make the system more humanly interactive. The point of this is you can talk to Google Search like you can with Google Assistant, just without the conversational reply. Just give it “What’s on my calendar for tomorrow?” and it will show you a card showing any events listed on your calendar.

This system accesses your calendar data differently than Google Calendar. I would expect that it should only report to you what is reported via Google Calendar, but it does a bit more.

On an invite, there’s a field in the invite on the backend called attendees[].responseStatus, which has 4 possible values. There’s another field called status. Spam invites appear to automatically get a status of “cancelled” but there is no change to attendees[].responseStatus. I’ve seen 2 possible values that this gets set to once the invite is sent, either tentative or needsAction. Unfortunately, I can’t get the value on the event I’m having issues with so I can’t tell what it’s set to.

Gmail deletes old items in your spam folder and in your deleted folder. This is where the magic for spammers happens. Most people don’t pay attention to their spam folders. For me, I never knew I had the first spam invite until I bought a Google Home and asked it to tell me about my day. When this was discovered, it was too late, the spam invite had been purged from my spam folder and I could no longer interact with it. The event gets reported by Google Assistant, doesn’t show up in my calendar, and I no longer have the invite. Now you see why this is the ideal situation for spammers.

I know this is not simply an issue with Assistant setting showDeleted to true. Just before Christmas, I got another spam invite from a different Gmail account, but at the same physical address indicating it came from the same spammer. I found out about it when my Google Home reported a new item that sounded like spam. Thankfully, I was able to locate the spam invite. I clicked “no” which set the responseStatus to declined and Google Assistant stopped reporting it. Before I clicked no, though, I checked my Google Calendar to see if it appeared there, and it did not. However, when I clicked no, it appeared in my calendar with a strikethrough, indicating I declined it. I deleted it from there.

However, the event is still there, just hidden. Using the API, I can toggle showDeleted to true and find the event. Like the first spam invite, it shows as cancelled. Like the first spam invite, I can’t get the responseStatus. These two events look the same through the API, but one is reported by Assistant and the other is not.
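An added example (not code from the original post) of the audit described above: given an Events.list response fetched with showDeleted set to true, it lists cancelled events that the calendar owner has not verifiably declined, including the case where the API does not expose attendees at all. The sample response, its IDs and addresses, and the function names are constructed for illustration.

```python
import json

# Constructed sample shaped like a Calendar API v3 Events.list response
# requested with showDeleted=true. IDs and addresses are made up.
SAMPLE = json.loads("""
{"items": [
  {"id": "evt-team-sync", "status": "confirmed", "summary": "Team sync",
   "attendees": [{"email": "me@example.com", "self": true,
                  "responseStatus": "accepted"}]},
  {"id": "evt-spam-1", "status": "cancelled",
   "organizer": {"email": "sender1@example.net"},
   "recurrence": ["RRULE:FREQ=DAILY"]},
  {"id": "evt-spam-2", "status": "cancelled",
   "organizer": {"email": "sender2@example.net"},
   "recurrence": ["RRULE:FREQ=DAILY"],
   "attendees": [{"email": "me@example.com", "self": true,
                  "responseStatus": "needsAction"}]},
  {"id": "evt-declined", "status": "cancelled",
   "attendees": [{"email": "me@example.com", "self": true,
                  "responseStatus": "declined"}]}
]}
""")

def my_response(event):
    """Return the calendar owner's responseStatus, or None if not exposed."""
    for attendee in event.get("attendees", []):
        if attendee.get("self"):
            return attendee.get("responseStatus")
    return None

def audit_hidden_invites(events):
    """List cancelled events the owner has not verifiably declined."""
    findings = []
    for event in events:
        if event.get("status") != "cancelled":
            continue  # visible events are not the problem described here
        response = my_response(event)
        if response == "declined":
            continue  # the one state the post saw Assistant stop reporting
        findings.append({
            "id": event["id"],
            "organizer": event.get("organizer", {}).get("email", "unknown"),
            "response": response or "not exposed",
            "recurring": bool(event.get("recurrence")),
        })
    return findings

if __name__ == "__main__":
    for finding in audit_hidden_invites(SAMPLE["items"]):
        print(finding)
```
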

Now, a tech-savvy person, such as a programmer, might ask the question: “Can’t you just use the API to decline the invite?” According to the documentation, you can “patch” an event with a responseStatus. The API returns a response indicating success, but I get no change in Assistant’s visibility of the event.

What about taking an existing “no” link and modifying it for the spam event? I tried this as well. Again, I get an indication of success, but it does not change Assistant’s visibility of the event. “You are no longer invited to this event.”

So all I can do at this point is hope Google fixes it. Except that they don’t seem to care. @madebygoogle reached out to me on Twitter back on November 17 and we had a back and forth about the issue until December 1, at which point they insisted I go to the Google forums. I got a post entered on December 7. Supposedly there are Google engineers that do look at these forums, but the forums are user supported. So far no Google engineers have taken interest in this issue.

As mentioned, this is an ideal situation for spammers. You might think “Well, once the event passes it’s done and never seen again, right?” and you’d be wrong. This particular spammer I’m dealing with does this neat trick called recurrence. One event recurs daily. Both of the spams I got from him were set up this way.

Google is super proud of their new Assistant, their new Pixel devices, and their new Google Home. However, left unfixed, the integration of these new things with Calendar means, at best, an unusable feature, and at worst, the best way to spam a captive audience.

Am I the only one with this issue? Actually, I’m not. Spam invites are not new. People have reported mystery events on their calendars for some time now. It appears Google has made some efforts to minimize the impact of these spam invites, but Assistant is a new thing doing things in new ways. I just wish someone at Google would take this seriously. Using Assistant with my calendar is becoming useless. Assistant was one of the primary reasons I wanted a Pixel phone, and I will never consider it as long as this is an issue.

My fear is that this has to become a widespread issue before Google will address it. Until then, this is a spammer’s wet dream.