Google exposed user data, chose not to tell public – WSJ

Google is to shut down its Google+ social network after the data of 500,000 users was leaked and nobody was told. 

The tech giant has also revealed that 438 third-party apps may have had access to this data due to a ‘bug’ – in a case being compared to the Cambridge Analytica scandal that engulfed Facebook in March.

Google revealed the data breach in a statement about shutting down Google+ for consumers, seven years after its launch, citing the incident as part of the cause.

A report claims Google exposed the private data of hundreds of thousands of users of its Google+ social network and opted not to disclose the issue due to fears of regulatory scrutiny

The personal information of 500,000 people using the site between 2015 and March 2018 was compromised, according to the Wall Street Journal. 

But managers at the company chose not to go public with the bug because they worried that it would invite scrutiny from regulators, particularly in the wake of Facebook’s recent security bungle.

Shortly after the report was published, Google announced that it would be shutting Google+. 

In the announcement, Google also unveiled a raft of new security features for Android, Gmail and other Google platforms that it has introduced as a result of the bug.

Google said it discovered the bug as part of an internal audit called Project Strobe, which was initiated earlier this year.

‘The review did highlight the significant challenges in creating and maintaining a successful Google+ that meets consumers’ expectations,’ Ben Smith, Google’s vice president of engineering, wrote in a blog post.  

‘Given these challenges and the very low usage of the consumer version of Google+, we decided to sunset the consumer version of Google+.’    

News of the bug sent shares of Google’s parent company, Alphabet, down as much as 2.2 percent to $1,142.43 (£872.93) in New York yesterday afternoon. 

What security features did Google announce in the wake of the Google+ bug?

A software bug in Google+ meant that the personal information of ‘hundreds of thousands’ of users was exposed. The issue reportedly affected users on the site between 2015 and March 2018.

The bug allowed app developers to access information like names, email addresses, occupation, gender and more.

Google announced it would be shutting down the Google+ social network permanently, partly as a result of the bug. 

It also announced other security features. 

Now, users will be given greater control over what account data they choose to share with each app. 

Apps will be required to inform users what data they will have access to. Users have to provide ‘explicit permission’ in order for them to gain access to it. 

Google is also limiting apps’ ability to gain access to users’ call log and SMS data on Android devices. 

The firm is also ending access to contact interaction data on Android devices. 

Only an app users select as their default application for calls or texts will be able to request access to this data. 

Additionally, Google is limiting which apps can seek permission to users’ consumer Gmail data. 

Only email clients, email backup services and productivity services will be able to access this data. 

What’s more, Google says these apps will have to agree to new rules around handling Gmail data and will be subject to ‘security assessments.’  

As a result of the breach, 496,951 users’ names, email addresses, birth dates, gender, profile photos, occupation, places they lived and relationship status were potentially exposed. 

‘It does not include any other data you may have posted or connected to Google+ or any other service, like Google+ posts, messages, Google account data, phone numbers or G Suite content,’ Smith explained.

The bug was a flaw in an application programming interface (API) Google created to help app developers access profile and contact information for users who sign up for the service, including information shared with Google+.

The firm found that this API allowed app developers to access the information of Google+ users’ friends, even if that data was marked as private by the user. 
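The flaw described above, as an added illustration that is not Google's code: a toy profile API in which a buggy connections endpoint returns every field of a user's friends, beside a version that enforces each friend's own per-field visibility setting, plus a check that lists what the buggy version leaks. The Profile structure, the three visibility levels and the sample users are constructed for this example.

```python
from dataclasses import dataclass, field

# Per-field visibility levels a profile owner can choose (constructed for the example).
PUBLIC, FRIENDS, PRIVATE = "public", "friends", "private"


@dataclass
class Profile:
    user_id: str
    fields: dict                      # field name -> value (name, email, occupation, ...)
    visibility: dict                  # field name -> PUBLIC | FRIENDS | PRIVATE
    friends: set = field(default_factory=set)


def visible_to(profile: Profile, viewer_id: str) -> dict:
    """Return only the fields of `profile` that `viewer_id` is entitled to see."""
    out = {}
    for name, value in profile.fields.items():
        level = profile.visibility.get(name, PRIVATE)   # unknown fields default to private
        if level == PUBLIC:
            out[name] = value
        elif level == FRIENDS and viewer_id in profile.friends:
            out[name] = value
        elif profile.user_id == viewer_id:              # owners always see their own data
            out[name] = value
    return out


def list_connections_buggy(directory: dict, caller_id: str) -> dict:
    """Buggy endpoint: hands an app acting for `caller_id` every field of each friend,
    ignoring the friends' own visibility settings (the class of flaw described above)."""
    me = directory[caller_id]
    return {fid: dict(directory[fid].fields) for fid in me.friends}


def list_connections_fixed(directory: dict, caller_id: str) -> dict:
    """Fixed endpoint: filters each friend's profile through that friend's settings."""
    me = directory[caller_id]
    return {fid: visible_to(directory[fid], caller_id) for fid in me.friends}


def leaked_fields(directory: dict, caller_id: str) -> dict:
    """Regression check: fields the buggy endpoint returns that the fixed one withholds."""
    buggy = list_connections_buggy(directory, caller_id)
    fixed = list_connections_fixed(directory, caller_id)
    return {fid: sorted(set(buggy[fid]) - set(fixed[fid])) for fid in buggy}


# Constructed sample directory: Alice keeps her birth date private even from friends.
DIRECTORY = {
    "alice": Profile("alice",
                     {"name": "Alice", "email": "alice@example.com", "occupation": "nurse", "birth_date": "1990-01-01"},
                     {"name": PUBLIC, "email": FRIENDS, "occupation": FRIENDS, "birth_date": PRIVATE},
                     friends={"bob"}),
    "bob": Profile("bob", {"name": "Bob"}, {"name": PUBLIC}, friends={"alice"}),
}
```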

As many as 438 applications had access to the unauthorized Google+ data, according to the Journal.  

Google said it hasn’t yet found any evidence that the data obtained as a result of the bug was misused. 

‘We found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any profile data was misused,’ Smith said.  

Although the bug was discovered many months ago, Google didn’t disclose it right away. 

Google Chief Executive Officer Sundar Pichai was briefed on the plan not to notify users after an internal committee had reached that decision, according to WSJ. 

A memo, prepared by Google’s legal and policy staff and shared with senior executives, warned that disclosing the incident would likely trigger ‘immediate regulatory interest’ and invite comparisons to Facebook’s leak of user information to data firm Cambridge Analytica, the report said. 

Executives feared it would lead to ‘us coming into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal,’ an internal memo read. 

Google said yesterday that, after reviewing the type of data involved, whether it could identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take to protect themselves, none of the thresholds it requires for disclosing a breach were met.

Security and privacy experts and financial analysts questioned the decision.

‘Users have the right to be notified if their information could have been compromised,’ said Jacob Lehmann, managing director at legal firm Friedman CyZen. 

What is Google+?

Google+ launched in 2011 as the advertising giant grew more concerned about competition from Facebook, which could pinpoint ads to users based on data they had shared about their friends, likes and online activity.

Google+ copied Facebook with status updates and news feeds and let people organize their groups of friends into what it calls ‘circles.’

But Google+ and the company’s other experiments with social media struggled to win over users because of complicated features and privacy mishaps.

Facebook introduced a feature that allowed users to connect their accounts with their profiles on dating, music and other apps.

Google followed suit, letting outside developers access some Google+ data with users’ permission. 

The bug disclosed yesterday, introduced in a software update, exposed private data including name, email address, occupation, gender and age, Google said. It could not definitively say how many users were affected because, it said, it keeps only two weeks of such records.

Google+ will remain an internal networking option for organizations that buy Google’s G Suite, a bundle of apps for creating documents, spreadsheets and presentations.

Google’s plan to withdraw the free version of Google+, scheduled for August 2019, could help strengthen its case to US policymakers and regulators that it is different from Facebook, which has faced political heat over allegations that data belonging to 87 million of its users was improperly shared with political consultancy Cambridge Analytica.

‘This is a direct result of the scrutiny that Facebook dealt with regarding the Cambridge Analytica scandal,’ said Jacob Lehmann, managing director at legal firm Friedman CyZen.

A Google spokesman said: ‘Every year, we send millions of notifications to users about privacy and security bugs and issues. 

‘Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice.

‘Our Privacy and Data Protection Office reviewed this issue, looking at the type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response. None of these thresholds were met here.

‘The review did highlight the significant challenges in creating and maintaining a successful Google+ that meets consumers’ expectations. Given these challenges and the very low usage of the consumer version of Google+, we decided to sunset the consumer version of Google+.’

Google admitted in the blog post disclosing the bug that usage of Google+ has dropped off in recent years. 

The consumer version was found to have low usage and engagement, with 90 percent of Google+ user sessions lasting fewer than five seconds, according to the firm. 

‘This review crystallized what we’ve known for a while: that while our engineering teams have put a lot of effort and dedication into building Google+ over the years, it has not achieved broad consumer or developer adoption, and has seen limited user interaction with apps,’ Smith said. 

Google will continue to operate Google+ as an enterprise product for companies.

It plans to shut down Google+ for consumers over the course of the next 10 months, with the platform officially retiring in August 2019.

The announcement comes as public scrutiny has intensified around Silicon Valley tech giants’ management of user data, among other issues. 

Google has thus far been able to defer much of the criticism to Facebook and Twitter, but the Google+ bug may thrust it further into the spotlight. 

Several policies Google introduced yesterday are designed to curb the data accessible to developers offering mobile apps on the Google Play store or add-on apps for sending and organizing Gmail messages.

Play Store apps will no longer be allowed to access text message and call logs unless they are the default calling or texting app on a user’s device or have an exception from Google.

Gmail add-ons available to consumers starting next year will be barred from selling user data and be subject to a third-party security assessment that will cost them about $15,000 (£11,460) to $75,000 (£57,320), Google said.

Such moves could strengthen Google by making it harder for competing services to grow off its data, said Chris Messina, a designer who worked on Google+ before leaving in 2013. 

‘In 2011, you wanted casual, scrappy developers creating apps, and now it is going to require a professional class that is serious. The walls are going up.’

Read more at DailyMail.co.uk