Google announced today that it is shutting down Google+, its consumer social network, months after the company’s engineers found an API bug that might have exposed private profile data for as many as 500,000 Google+ users.
Google+ launched in 2011 as a place to share updates, photos and videos either publicly or with “circles,” the categorized groups into which a user sorted friends. The network was quickly overshadowed by competitors like Facebook and Twitter, which already had far larger user bases.
In a bombshell report this morning, the Wall Street Journal alleged that Google’s Privacy and Data Protection Office, an internal committee of Google executives that includes Chief Executive Sundar Pichai, was briefed on a plan not to report the vulnerability to users out of concern that disclosure might “draw … scrutiny” and “cause reputational damage.”
“[It could result] in [Google] coming into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal,” a memo obtained by the Wall Street Journal reads. “[It] almost guarantees Sundar will testify before Congress.”
Company lawyers advised that Google wasn’t legally required to disclose the incident to the public. (The European Union’s General Data Protection Regulation, which took effect in May, requires companies to notify regulators of a breach within 72 hours of becoming aware of it, but because the bug was uncovered in March, before the regulation applied, it wasn’t subject to that provision.)
And the group decided that, because Google couldn’t pinpoint which developers might have obtained data, publicly disclosing the bug wouldn’t provide any “actionable benefit” to end users.
In a blog post, Google says it uncovered the vulnerability in March 2018 as part of Project Strobe, a 100-person team charged with conducting a sweeping review of third-party developer tools that permit access to Google account and Android device data.
According to the Mountain View company, a Google+ People API let users grant third-party apps access to their own profile data and to the public profile data of their friends; because of the bug, those apps could also read friends’ profile fields, including name, email address, occupation and gender, that hadn’t been marked public. (Google notes that the bug did not expose other data posted to or connected with Google+ or any other Google service, such as posts, messages, Google account data, G Suite content or phone numbers.)
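To make the bug class concrete, here is a small added illustration in Python. It is not Google’s code and does not reproduce the real Google+ People API; the type names, endpoint names, sample users and fields are all constructed for the example. It models a profile whose fields each carry a visibility setting, an endpoint that wrongly hands a third-party app the acting user’s full view of a friend’s profile (including fields the friend shared only with their circles), and the corrected endpoint that limits friends’ profiles to fields marked public:

```python
# Added illustration (not Google's code): a profile-visibility check in which a
# third-party app acting for a user wrongly inherits that user's view of friends'
# profiles. Visibility, Profile, people_get_* and the sample users/fields are all
# constructed for this example.
from dataclasses import dataclass
from enum import Enum


class Visibility(Enum):
    PUBLIC = "public"      # anyone can see the field
    CIRCLES = "circles"    # only people the owner has placed in a circle
    PRIVATE = "private"    # only the owner


@dataclass
class Profile:
    user_id: str
    fields: dict           # field name -> (value, Visibility)
    circles: set           # user_ids the owner has placed in a circle


# Constructed sample data: alice is in bob's circles, but not in carol's.
PROFILES = {
    "alice": Profile("alice", {"name": ("Alice Example", Visibility.PUBLIC),
                               "email": ("alice@example.test", Visibility.PRIVATE)},
                     circles={"bob", "carol"}),
    "bob": Profile("bob", {"name": ("Bob Example", Visibility.PUBLIC),
                           "email": ("bob@example.test", Visibility.CIRCLES),
                           "occupation": ("Engineer", Visibility.CIRCLES),
                           "gender": ("male", Visibility.PRIVATE)},
                   circles={"alice"}),
    "carol": Profile("carol", {"name": ("Carol Example", Visibility.PUBLIC),
                               "email": ("carol@example.test", Visibility.CIRCLES)},
                     circles=set()),
}


def fields_visible_to_user(profile, viewer_id):
    """What a signed-in person sees in the first-party UI: public fields, plus
    circle-shared fields if the viewer is in one of the owner's circles, plus
    everything on their own profile."""
    out = {}
    for name, (value, vis) in profile.fields.items():
        if (viewer_id == profile.user_id
                or vis is Visibility.PUBLIC
                or (vis is Visibility.CIRCLES and viewer_id in profile.circles)):
            out[name] = value
    return out


def people_get_buggy(profiles, acting_user, target_id):
    """Bug: the API hands the app the acting user's full view of the target,
    so fields a friend shared only with their circles reach the third party."""
    return fields_visible_to_user(profiles[target_id], acting_user)


def people_get_fixed(profiles, acting_user, target_id):
    """Fix: an app may read the acting user's own profile in full, but for
    anyone else it gets only fields the owner explicitly marked public."""
    profile = profiles[target_id]
    if target_id == acting_user:
        return {n: v for n, (v, _) in profile.fields.items()}
    return {n: v for n, (v, vis) in profile.fields.items()
            if vis is Visibility.PUBLIC}


def leaked_fields(profiles, acting_user, target_id):
    """Field names the buggy endpoint exposes to the app beyond the fixed one."""
    buggy = people_get_buggy(profiles, acting_user, target_id)
    fixed = people_get_fixed(profiles, acting_user, target_id)
    return sorted(set(buggy) - set(fixed))


if __name__ == "__main__":
    # An app acting for alice asks for bob's profile.
    print("buggy:", people_get_buggy(PROFILES, "alice", "bob"))
    print("fixed:", people_get_fixed(PROFILES, "alice", "bob"))
    print("leaked:", leaked_fields(PROFILES, "alice", "bob"))
```

The design point is that an app acting on a user’s behalf should not simply inherit every permission that user holds in the first-party UI: data a friend chose to share with a person is not data that person’s apps were granted, and the authorization check has to distinguish the two.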
The bug went unnoticed from 2015 until March 2018, when internal investigators found it and implemented a fix, according to documents reviewed by the Wall Street Journal.
As many as 500,000 Google+ accounts were affected, Google says, and as many as 438 applications might have used the API.
Google maintains that it found no evidence that any developer was aware of the bug or abused it, or that any profile data was misused. It acknowledged, though, that it cannot know for sure: it has no “audit rights” over third-party developers, and it retains only a limited set of API activity logs. In practice that means the investigation could establish which apps had the ability to read the data, but not which of them actually did.
“Every year, we send millions of notifications to users about privacy and security bugs and issues. Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice,” Google wrote.
“Our Privacy & Data Protection Office reviewed this issue, looking at the type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response. None of these thresholds were met in this instance.”
Google+ for consumers will formally shut down in August 2019, following a 10-month wind-down period. (Google says the service has “low user engagement” and that 90 percent of Google+ user sessions last less than five seconds.) In the interim, Google says it will add features “purpose-built” for businesses.
As part of Project Strobe, Google today also announced finer-grained permission prompts for Google account access, so that users can grant or deny each requested permission individually. It is also adopting a stricter access policy for the consumer Gmail API: from now on, only apps that “directly enhance” email functionality, such as email clients, backup services and productivity services, will be authorized to request access to email data.
Finally, Google says it will limit which Android apps can request Call Log and SMS permissions, and will no longer make contact interaction data available through the Android Contacts API.
The revelations come two weeks after Facebook disclosed that attackers had exploited a vulnerability in its “View As” feature to steal access tokens for nearly 50 million accounts, and months after data on as many as 87 million Facebook users was improperly obtained by Cambridge Analytica, a political consultancy.