Google shuttering Google+ following disclosure of privacy-breaching bug

Mountain View made the announcement shortly after a ‘Wall Street Journal’ article alleged that executives chose not to disclose the bug sooner

Google app icon

Mountain View search giant Google has announced plans to shutter its Google+ social networking platform.

Google made the announcement shortly following a Wall Street Journal report that the company failed to disclose a bug that gave apps access to profile information that wasn’t necessarily marked as public.

According to an October 8th, 2018 media release attributed to Google fellow and vice president of engineering Ben Smith, Google undertook a review, dubbed ‘Project Strobe,’ of third-party developer access to Google account and Android device data.

The Project Strobe team studied Google’s “privacy controls, platforms where users were not engaging with our APIs because of concerns around data privacy, areas where developers may have been granted overly broad access and other areas in which our policies should be tightened.”

“We discovered and immediately patched this bug in March 2018” — Ben Smith, Google

Google claims that its Project Strobe review revealed that Google+ not only failed to achieve “broad consumer or developer adoption,” but that a bug within one of Google+’s People APIs gave apps and developers access to certain Google+ profile data, including user’s names, email addresses, occupations, genders and ages.

Smith reassured that data like Google+ posts, messages, Google account data, phone numbers and G Suite content was not accessible through the bug.

“We discovered and immediately patched this bug in March 2018,” wrote Smith, in Google’s October 8th media release.

“We believe it occurred after launch as a result of the API’s interaction with a subsequent Google+ code change.”

“…the profile of up to 500,000 Google+ accounts were potentially affected” — Ben Smith

It’s important to note that Smith’s media release fails to address or even acknowledge an October 8th, 2018 Wall Street Journal investigation that claimed developers had access to specific Google+ profile data between 2015 and March 2018.

According to the Wall Street Journal, Google’s legal and policy staff warned senior Mountain View executives that disclosing the bug would invite “immediate regulatory interest” as well as comparisons to Menlo Park social networking giant Facebook’s Cambridge Analytica privacy scandal.

Google CEO Sundar Pichai was also reportedly briefed on the plan not to notify users after an internal committee had already reached that decision, according to “people briefed on the incident and documents” who spoke with the Wall Street Journal.

Google claims that due to the fact that Google+ API log data only kept for two weeks, the company is unable to confirm how many users were affected by the bug.

“Over the coming months, we will provide consumers with additional information…” — Ben Smith

According to Smith, Google chose not to disclose the bug because it failed to meet the company’s thresholds for providing notice to users.

“Our privacy [and] data protection office reviewed this issue, looking at the type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response,” said Smith.

“None of these thresholds were met in this instance.”

Smith also said that the company ran an analysis “over the two weeks prior to patching the bug, and from that analysis, the profiles of up to 500,000 Google+ accounts were potentially affected.”

“Our analysis showed that up to 438 applications may have used this API,” explained Smith.

Additionally, Smith wrote that Google found no evidence that any developers were aware of the bug.

Google also found no evidence that any profile data was misused as a result of the bug.

“We’ve decided to focus on our enterprise efforts…” — Ben Smith

Google plans on sunsetting the consumer version of Google+ within the next 10 months, with plans to complete this process by the end of August 2019.

“Over the coming months, we will provide consumers with additional information, including ways they can download and migrate their data,” wrote Smith.

As a result of the shifting focus away from Google+’s consumer-facing product, the company plans on redistributing its efforts towards maintaining the social network as an enterprise product.

“Enterprise customers can set common access rules, and use central controls, for their entire organization,” said Smith.

“We’ve decided to focus on our enterprise efforts and will be launching new features purpose-built for businesses.”

“…up to 438 applications may have used this API” — Ben Smith

Smith used the October 8th media release as an opportunity to announce plans to launch “more granular Google account permissions that will show in individual [dialogue] boxes”; plans to limit the types of apps and use cases that can ask to access Gmail; as well as plans to limit apps’ ability to “receive Call Log and SMS permissions on Android devices, and are no longer making contact interaction data available via the Android Contacts API.”

According to a spokesperson for the Office of the Privacy Commissioner of Canada (OPC), Google has informed the Office about the incident.

The OPC will be following up with Google for more information.

Google’s discovery of a privacy-breaching bug comes in the wake of news that Sundar Pichai plans on testifying before the U.S. Congress regarding his company’s privacy environment within the coming weeks.

MobileSyrup has reached out to the Office of the Privacy Commissioner of Canada (OPC) for comment. This story will be updated with a response.

Source: Google; Wall Street Journal

Update 08/10/2018 7:46pm ET: Story updated with additional reporting.

Update 09/10/2018 5:41pm ET: Story updated with information from the OPC.