In not quite the dignified end we would have expected for Google’s long-ailing social network, Google+ is finally being closed down following a software breach that left hundreds of thousands of users’ private data exposed.
Up to 500K users were allegedly affected by a software bug in the Google+ API, which meant data that people had believed to be private was made accessible to third parties.
According to an internal memo at Google published by the Wall Street Journal, the search giant had been aware of the issue in March but did not disclose it because of the “immediate regulatory interest” it would attract. It was revealed the vulnerability had been present since 2015.
The bug’s discovery was, of course, during the same period in which Facebook was embroiled in the thick of the Cambridge Analytica scandal. Google would have undoubtedly been pulled into that melee.
In a statement, however, Google said that, at the time, a critical review of the issue resulted in a decision not to inform the public.
"Our Privacy and Data Protection Office reviewed this issue, looking at the type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response.
"None of these thresholds were met here."
According to Google, the privately-submitted data that was made accessible was limited to “static, optional Google+ profile fields” including name, email address, occupation, gender, and age. The company said that data posted or connected to Google+, messages, account data, phone numbers, and G Suite content were not at risk.
Google estimates that up to 500K accounts could have been affected by the bug, but as it only stores the API’s log data for two weeks, it was unable to identify individual accounts affected. Despite the breach, the company said it found “no evidence” that any developer was aware of the bug or that it had been exploited.
Because the issue was fixed in March 2018, ahead of the implementation of GDPR (General Data Protection Regulation) in May, Google, unlike Facebook, won’t be subject to the large fines of up to 4% of turnover, even though it did not make news of the breach public.
As noted by Forbes, it’s worth pointing out that the number of accounts potentially compromised is dwarfed by Facebook’s 50M figure. Google+’s lack of popularity and subsequent lack of users worked in its favour here – Google says 90% of user sessions were less than five seconds.
The search engine has now made the decision to “sunset” Google+ for consumers, but keep it available for use for businesses – it claims enterprise customers are still seeing “great value” from the platform – following the implementation of tighter security controls and policies across its APIs in the coming months.
That wind-down will take 10 months, it says, during which time Google will provide consumers with additional information, including ways they can download and migrate their data.
In addition, the company plans to roll out much more granular controls for users to allow (or deny) the use of their personal data by third-party apps when logging in using Google’s wider palette of services. Apps would have to show each requested permission, one at a time, each in its own dialogue box. Google says that if a developer requests access to both calendar entries and Drive documents, for example, you will be able to choose to share one but not the other.