Google is in the hot seat for not disclosing a bug in its Google Plus social network that exposed thousands of users.
In a sweeping set of data privacy measures, Google is to shut down all consumer functionality for Google Plus, the final nail in the coffin for the social network.
In what is Google’s Cambridge Analytica moment, the internet giant is under fire for not disclosing a security bug that allowed third-party developers to access Google Plus user profile data since 2015.
Google discovered the bug and patched it in March but chose not to disclose the situation to the world.
What was the nature of the bug?
When a user gave permission to an app to access their public profile data, it allowed those developers to access the user’s non-public profile fields as well as those of their friends.
How many profiles were affected?
It is understood that 496,951 users’ names, email addresses, birth dates, genders, profile photos, places lived, occupations and relationship statuses were potentially exposed.
Google said it has no evidence that the data was misused by the 438 third-party apps that could have had access.
What did Google say about its review?
Google said that at the beginning of this year, it started an effort called Project Strobe, a root-and-branch review of third-party developer access to Google account and Android device data.
It said that the review “crystallised” what it knew for some time: that consumers were no longer engaging with Google Plus and that 90pc of Google Plus user sessions were for less than five seconds.
But worse was to come: a bug was discovered that gave third-party apps access to non-public profile fields. “We discovered and immediately patched this bug in March 2018. We believe it occurred after launch as a result of the API’s interaction with a subsequent Google Plus code change.
“We made Google Plus with privacy in mind and therefore keep this API’s log data for only two weeks. That means we cannot confirm which users were impacted by this bug. However, we ran a detailed analysis over the two weeks prior to patching the bug, and from that we found no evidence that any developer was aware of this bug or abusing the API, and we found no evidence that any profile data was misused.”
So, it’s goodbye Google Plus?
For consumers, pretty much. Over the next 10 months, Google Plus will be wound down, with completion slated for August next year. However, Google said that it is still being used as a communications tool within many enterprises.
Google will focus on its enterprise efforts and will launch new features for businesses. This suggests that Google may be preparing to enter the enterprise fray for communications tools against players such as Slack, Microsoft Teams and Facebook Workplace, or against project management players such as Asana and Wrike.
Why didn’t Google disclose the bug at the time?
A memo revealed by The Wall Street Journal that was prepared by Google’s legal and policy staff and shared with senior executives warned that disclosing the incident would trigger “immediate regulatory interest” and invite comparisons to Facebook’s Cambridge Analytica data scandal.
Indeed, the timing was very close to the Cambridge Analytica affair that was raging at the time. That incident centred on how a political consultancy and university academics were able to use a quiz app to obtain information on about 87m people. This in turn could have been used to influence events such as Donald Trump’s US presidential election and the UK Leave vote in 2016. The incident wiped billions of dollars off Facebook’s share value and no doubt Google didn’t want to be tarred with the same brush.
Google, on the other hand, had given assurances that it was less susceptible to what had befallen Facebook and wanted to avoid the same scrutiny.
The company hasn’t helped itself in recent months after trying to avoid testifying before Congress in recent hearings about overseas tampering with US data. CEO Sundar Pichai has since agreed to testify before Congress in the coming weeks.
What about Android and the Google Play App Store?
Good point, and no one knows for sure just yet. With around 80pc of smartphones in the world running Android, the attention will no doubt shift to the relationship Google has with third-party app developers via the Google Play App Store.
Google makes data available to outside developers through more than 130 different programs via APIs, and these normally require a user’s permission before any information is accessed. However, the implication is that bad actors could pose as a legitimate app to gain access to users’ data.
Unlike Apple, which takes a strict walled-garden approach to its App Store and its devices, Google follows a more open source route, enabling hundreds of manufacturers to produce smartphones, tablets and other devices. Google Play is less strict on content than Apple is, which is a concern in this situation. While Samsung, Huawei, Sony, LG and others are best known for their Android phones, there are more than 4,000 different devices in the world today from hundreds of manufacturers running the operating system.
The next big question is: how far do the vulnerabilities extend?
What’s Google doing next?
It is embarking on a slew of changes, including stopping most third-party developers from accessing Android phone SMS data, call logs and some contact information.
Gmail will restrict the building of add-ons to a small number of developers.
As well as winding down Google Plus as a consumer tool, Google will change its Account Permissions system for giving third-party apps access to your data in such a way that users will have to confirm each type of access individually rather than all at once.
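The flaw described earlier (consent to an app seeing a user’s public profile also exposed non-public fields, and friends’ non-public fields) and the per-type consent change described here come down to the same engineering point: the API must filter what it returns by the scopes the user actually granted, not by whether some grant exists. The following is an added illustration written for this article, not Google’s code; the scope names, field groups and audit record are assumptions chosen to show the pattern.

```python
from dataclasses import dataclass, field

# Constructed scope names: each scope unlocks one group of non-public fields, so a
# user approves each type of access individually rather than all at once.
SCOPE_FIELDS = {
    "profile.public": set(),                  # grants nothing beyond the user's public fields
    "profile.contact": {"email"},
    "profile.personal": {"birth_date", "gender", "relationship_status"},
    "profile.history": {"places_lived", "occupation"},
}


@dataclass
class Profile:
    user_id: str
    fields: dict                              # field name -> value
    public: set                               # field names this user has chosen to make public
    friend_ids: list = field(default_factory=list)


@dataclass
class Grant:
    app_id: str
    user_id: str                              # the user who consented to this app
    scopes: set                               # the scopes that user approved


# Per-request record of which fields were served to which app for which user; kept
# so that an investigation can later establish who was actually exposed.
AUDIT_LOG = []


def vulnerable_get_profile(grant, profile):
    """'Before' behaviour: any consent at all returns the whole profile record."""
    return dict(profile.fields)


def allowed_fields(grant, profile):
    """Public fields plus only the non-public groups the user explicitly granted."""
    allowed = set(profile.public)
    for scope in grant.scopes:
        allowed |= SCOPE_FIELDS.get(scope, set())
    return allowed


def get_profile(grant, profile):
    """'After' behaviour: the grant must be for this user, and output is scope-filtered."""
    if grant.user_id != profile.user_id:
        raise PermissionError("grant does not cover this user")
    allowed = allowed_fields(grant, profile)
    served = {k: v for k, v in profile.fields.items() if k in allowed}
    AUDIT_LOG.append((grant.app_id, profile.user_id, sorted(served)))
    return served


def get_friend_profiles(grant, profile, directory):
    """Friends never consented to this app, so only each friend's own public fields are served."""
    if grant.user_id != profile.user_id:
        raise PermissionError("grant does not cover this user")
    result = {}
    for fid in profile.friend_ids:
        friend = directory[fid]
        result[fid] = {k: v for k, v in friend.fields.items() if k in friend.public}
        AUDIT_LOG.append((grant.app_id, fid, sorted(result[fid])))
    return result


if __name__ == "__main__":
    # Constructed sample data.
    alice = Profile("alice", {"name": "Alice", "email": "alice@example.test",
                              "birth_date": "1990-01-01"}, {"name"}, ["bob"])
    bob = Profile("bob", {"name": "Bob", "email": "bob@example.test"}, {"name"})
    grant = Grant("app-1", "alice", {"profile.public"})
    print("before:", vulnerable_get_profile(grant, alice))
    print("after: ", get_profile(grant, alice))
    print("friends:", get_friend_profiles(grant, alice, {"bob": bob}))
    print("audit:", AUDIT_LOG)
```

Two checks carry the weight here: the grant is tied to the specific user whose profile is being read, and a friend’s fields pass through the friend’s own visibility setting rather than the requesting user’s grant. The audit record is the defender’s side of the two-week log retention mentioned above: without a per-request record of which fields went to which app, an operator cannot later say who was affected.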
Could Google be hit with a massive GDPR fine?
This is unlikely because the security hole was discovered in March before GDPR became law in Europe in May. As such, Google parent company Alphabet could be spared a fine of 4pc of its $110bn turnover, which would amount to around $4.4bn.
However, that won’t spare the company from the potential of class-action lawsuits from angry consumers, nor will it spare it the probing eye of regulators and politicians who are clamouring for better regulation of internet giants.
All in all, it is a tawdry end for Google’s foray into social networking that began in 2011 with a social network that was far from popular.