Google Plus was a disastrous adventure, though it still has a few hundred thousand users around the world. About 90% of those users spend less than 5 seconds per session on the service, but we are not talking about its business failure. On Monday, The Wall Street Journal reported that the Google Plus user data of more than 500,000 people was exposed to third-party developers. Worse, the company's management deliberately chose not to disclose the data breach to the public.
How a bug exposed Google Plus user data
According to internal documents reviewed by the WSJ, Google decided not to make it public for fear that it could attract regulators’ attention. Well, now the regulators have all their attention on it. The company confirmed it only after the WSJ reported on the issue. The bug has kept the Google Plus user data exposed since at least 2015, though it was discovered only earlier this year.
Google said in a blog post Monday that a bug exposed the Google Plus data of 500,000 people. The bug in the developer platform of Google Plus left private details such as email address, name, profile photo, gender, age, and occupation exposed to hundreds of third-party developers. The search engine giant claimed it found no evidence of the data being improperly accessed or misused.
As many as 438 third-party apps may have used the API (application programming interface) that gave them access to the data. The company discovered the security lapse back in March and patched it the same month. The bug was found during a comprehensive review of how the company shares Google and Android device data with developers. The company will now make it easier for users to control what data they want to share with apps.
Why didn’t Google disclose it?
Google did not disclose the Google Plus user data leak upon discovering it because it feared the incident could damage its reputation and trigger regulatory scrutiny. People familiar with the matter and documents reviewed by the WSJ suggested that Google’s legal and policy staff as well as the top leadership feared it could cause a potential privacy scandal similar to Facebook’s Cambridge Analytica scandal. One of the memos said sharing the incident publicly would attract “immediate regulatory interest.”
Google’s version of why it didn’t disclose the data breach is entirely different from what its internal memos said. The company said in its blog post that it didn’t disclose the Google Plus user data breach because it could not find evidence of misuse, could not accurately identify the affected users and could not determine the course of action it wanted users and developers to take.
Google’s VP of engineering Ben Smith wrote, “Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice.” However, legal and security experts warned that the lack of transparency could invite further trouble for Google.
Former federal prosecutor Joseph Moreno told Business Insider that not disclosing the incident soon after Google discovered it was a big mistake. When you face such an issue, the “worst thing is to downplay it or stall or pretend that it didn’t happen.” The Google Plus user data breach could give regulators one more reason to enforce increased regulatory oversight, similar to what the European Union did earlier this year.
Putting an end to Google Plus
Google has decided to shut down Google Plus for consumers over the next ten months. However, the company will continue to run the enterprise version used by its G Suite business customers. The consumer version has seen ridiculously low usage, and 90% of user sessions last less than five seconds. The company will allow users to download and migrate their data to another service before shutting down Google Plus.
To enhance user privacy, Google will allow people to grant individual permissions to their data. For instance, if a third-party app requests access to your data, Google will present you with each permission one at a time. You can choose to deny any individual request.
The company will also limit third-party app access to Gmail. When someone grants access to their Gmail, they do so with certain use cases in mind. Google will now limit Gmail data access to apps that are “directly enhancing email functionality.” These include email productivity services, email clients, and email backup services.
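The two failure modes the article describes, a developer API that hands profile fields to an app without honoring what the owner shared or what the app was actually granted, and a consent screen that is not granular, are modeled below as an added illustration. This is constructed example code, not Google's code and not from the original article; the scope names, the per-field audience values, the sample profile and the `granular_consent` helper are assumptions, while the list of exposed fields (name, photo, email, gender, age, occupation) follows the article.

```python
# Constructed illustration of a profile API handing data to third-party apps.
# Hypothetical code, not Google's.  Field names follow the article; scope names,
# audience values and the sample profile are invented for the example.
from dataclasses import dataclass

PUBLIC, FRIENDS, PRIVATE = "public", "friends", "private"

# Which permission (scope) an app must hold to read each profile field.
# Scope names are hypothetical.
FIELD_SCOPE = {
    "name": "profile.basic",
    "photo": "profile.basic",
    "email": "profile.email",
    "gender": "profile.demographics",
    "age": "profile.demographics",
    "occupation": "profile.demographics",
}


@dataclass(frozen=True)
class Profile:
    owner: str
    fields: dict          # field name -> value
    audience: dict        # field name -> PUBLIC / FRIENDS / PRIVATE
    friends: frozenset    # user ids the owner has added as friends


@dataclass(frozen=True)
class AppToken:
    app_id: str
    acting_user: str      # the user who authorized this app
    scopes: frozenset     # permissions that user actually granted


def get_profile_buggy(profile: Profile, token: AppToken) -> dict:
    """Defective handler: any app holding a token gets every field, ignoring
    both the owner's audience settings and the scopes on the token."""
    return dict(profile.fields)


def field_visible_to(profile: Profile, name: str, viewer: str) -> bool:
    """Apply the owner's per-field audience setting to a given viewer."""
    audience = profile.audience.get(name, PRIVATE)   # unknown field: closed
    if viewer == profile.owner:
        return True
    if audience == PUBLIC:
        return True
    if audience == FRIENDS:
        return viewer in profile.friends
    return False


def get_profile_hardened(profile: Profile, token: AppToken) -> dict:
    """Return only fields that (a) the acting user could see in the UI and
    (b) the app was granted a scope for.  Both checks must pass per field."""
    out = {}
    for name, value in profile.fields.items():
        required = FIELD_SCOPE.get(name)
        if required is None or required not in token.scopes:
            continue
        if not field_visible_to(profile, name, token.acting_user):
            continue
        out[name] = value
    return out


def granular_consent(requested: list, decisions: dict) -> frozenset:
    """Model of a one-permission-at-a-time consent screen: a requested scope is
    granted only on an explicit approval; anything unmentioned counts as denied."""
    return frozenset(s for s in requested if decisions.get(s) is True)


def overexposed_fields(profile: Profile, token: AppToken) -> set:
    """Fields the buggy handler hands out beyond what the hardened one allows."""
    return set(get_profile_buggy(profile, token)) - set(get_profile_hardened(profile, token))


# Constructed sample profile: some fields public, some friends-only, some private.
ALICE = Profile(
    owner="alice",
    fields={"name": "Alice", "photo": "alice.jpg", "email": "alice@example.invalid",
            "gender": "F", "age": 34, "occupation": "engineer"},
    audience={"name": PUBLIC, "photo": PUBLIC, "email": FRIENDS,
              "gender": PRIVATE, "age": PRIVATE, "occupation": FRIENDS},
    friends=frozenset({"bob"}),
)

if __name__ == "__main__":
    requested = ["profile.basic", "profile.email", "profile.demographics"]
    granted = granular_consent(requested, {"profile.basic": True,
                                           "profile.email": True,
                                           "profile.demographics": False})
    token = AppToken("app-123", "bob", granted)
    print("buggy   :", get_profile_buggy(ALICE, token))
    print("hardened:", get_profile_hardened(ALICE, token))
    print("leaked  :", sorted(overexposed_fields(ALICE, token)))
```

The point of the hardened handler is that two independent gates are applied per field: the owner's audience setting decides whether the acting user could have seen the value at all, and the token's scopes decide whether this particular app was granted it. Defaulting an unknown audience to private keeps a newly added field closed until someone opts it open, which is the behaviour a review like the one the article mentions would want to confirm.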
Until the Google Plus user data breach came into the spotlight, the search engine giant had avoided the privacy scandals that haunted Facebook, which has become the uncrowned king of user data leaks. Facebook revealed a massive data leak only a few weeks ago. Twitter has also disclosed a bug in its developer platform.