Google+, Google’s eponymous social network, is shutting down following the discovery of an exploit that could’ve allowed malicious developers parties to collect the data of hundreds of millions of users, according to the Wall Street Journal.
In a bombshell report this morning, the publication contends that Google’s Privacy and Data Protection Office, an internal committee of Google executives which includes Google chief executive Sundar Pichai, were briefed on a plan not to report the Google+ vulnerability to users out of concern that it might “draw … scrutiny” and “cause reputational damage.”
“[It could result] in [Google] coming into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal,” a memo obtained by the Wall Street Journal reads. “[It] almost guarantees Sundar will testify before Congress.”
Company lawyers advised that Google wasn’t legally required to disclose the incident to the public. (The European Union’s General Data Protection Regulation mandates that firms to notify regulators of breaches within 72 hours, but because the exploit was uncovered in March — two months before GDPR went into effect — it wasn’t subject to that provision.) And the group decided that, because Google couldn’t pinpoint which developers might have obtained data, publicly disclosing it wouldn’t give any “actional benefit” to end users.
In a blog post, Google says it uncovered the vulnerability in March 2018 as part of Project Strobe, a 100-person team charged with conducting a sweeping review of third-party developer tools that permit access to Google account and Android device data.
According to the Mountain View company, a Google+ People API that enabled users to grant access to their and friends’ profile data inadvertently permitted third-party apps to scrape profile fields — including name, email address, occupation, and gender — that hadn’t been marked public. (Google notes that it doesn’t include data posted or connected to Google+ or any other service, such as messages, Google account data, G Suite content, or phone numbers.)
The exploit remained undiscovered between 2015 and March 2018, when internal investigators implemented a fix, according to documents reviewed by the Wall Street Journal.
As many as 500,000 Google+ accounts were infected, and as many as 438 applications might have used the API. Google maintains that it didn’t uncover evidence developers were aware of or abused the security flaw, or that profile data was misused. However, it acknowledged that it has no way of knowing for sure because it doesn’t have “audit rights” over its developers and because it keeps a limited set of activity logs.
“Every year, we send millions of notifications to users about privacy and security bugs and issues. Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice,” Google wrote. “Our Privacy & Data Protection Office reviewed this issue, looking at the type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response. None of these thresholds were met in this instance.”
Google+ will formally shut down in August 2019, following a 10-month wind-down period. (Google says it currently has “low user engagement” and that 90 percent of Google+ user sessions last less than five seconds.) In the interim months, it’ll see new features “purpose-built” for businesses.
As part of Project Strobe, Google today announced it’s rolling out a streamlined permissions management view for Google account access prompts. It’s also implementing a stricter API access policy for the consumer Gmail API to limit apps that might seek permission to access email data; from now on, only apps that “directly enhance” functionality, such as email clients, backup services, and productivity services, will be able to gain authorization. Moreover, Google says it’ll limit Android apps’ ability to receive call log and SMS permissions on Android devices, and that it’ll no longer make contact interaction data available via the Android Contacts API.
The revelations come two weeks after news that more than 50 million Facebook accounts were taken over by hackers who exploited a vulnerability in the social network’s “view as” tool, and months after the data of 87 million Facebook users were improperly accessed by Cambridge Analytica, a political consultancy.