Google+ to shut down following bug that exposed 500K profiles
Google yesterday announced that it will shut down the consumer version of Google+ following the discovery of a bug that it opted to keep secret.
In a blog post, the search giant framed the decision as one that makes sense given that very few people actively use Google+—“90 percent of Google+ user sessions are less than five seconds,” writes Ben Smith, a Google Fellow and VP of Engineering—and it doesn’t warrant the work required to keep tabs on developers.
But as the Wall Street Journal reports, the move comes after Google discovered a bug in March that left private user information open to developers, but declined to alert users for fear of regulatory scrutiny.
“A memo reviewed by the Journal prepared by Google’s legal and policy staff and shared with senior executives warned that disclosing the incident would likely trigger ‘immediate regulatory interest’ and invite comparisons to Facebook’s leak of user information to data firm Cambridge Analytica,” the Journal says.
Google CEO Sundar Pichai reportedly knew about the plan to forgo notification.
In the blog post, Smith says Google discovered the bug in March as part of Project Strobe—“a root-and-branch review of third-party developer access to Google account and Android device data and of our philosophy around apps’ data access.”
The bug, according to Google, meant that third-party apps had access to “profile fields that were shared with the user, but not marked as public,” like name, email address, occupation, gender, and age. Google+ posts, messages, Google account data, phone numbers, or G Suite content were not accessible.
“We found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any Profile data was misused,” Smith says.
The bug, which Google patched in March, affected about 500,000 Google+ users. Was yours one of those accounts? Sorry, there’s no way to tell.
“We made Google+ with privacy in mind and therefore keep this API’s log data for only two weeks,” according to Smith. “That means we cannot confirm which users were impacted by this bug.”
According to Smith, the vulnerability didn’t rise to the level of requiring a notification. “Every year, we send millions of notifications to users about privacy and security bugs and issues. Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice,” he says.
It remains to be seen if regulators agree. Uber kept a 2016 data breach secret, and that just resulted in a $148 million fine.
The Google+ shutdown, meanwhile, will occur over the next 10 months, so get your fill before August 2019. If you use the service for work, though, Google+ is not going anywhere.
“Our review showed that Google+ is better suited as an enterprise product where co-workers can engage in internal discussions on a secure corporate social network,” Smith says. “Enterprise customers can set common access rules, and use central controls, for their entire organization. We’ve decided to focus on our enterprise efforts and will be launching new features purpose-built for businesses. We will share more information in the coming days.”
As part of the announcement, Google also promised to give users “more fine-grained control over what account data they choose to share with each app.” If an app wants access to a Calendar and Drive documents, for example, you can opt to share one but not the other.
Google will also “limit the apps that may seek permission to access your consumer Gmail data,” while Google Play will limit which apps can ask for a user’s phone (including call logs) and SMS data.