Google+ shutting down in wake of allegations of weak user data security
Google has confirmed it will be closing down the social network Google+ in August next year as part of a data protection initiative called Project Strobe, but a report alleges the initiative itself was prompted by Google wanting to avoid regulatory scrutiny over the exposure of the private data of hundreds of thousands of users.

Project Strobe, launched at the start of 2018, is described by Google Fellow and Vice President of Engineering Ben Smith as "a root-and-branch review of third-party developer access to Google account and Android device data" and of the company's philosophy surrounding apps' data access. This included the operation of privacy controls, platforms with low API engagement due to data privacy concerns, areas where developers may have been "granted overly broad access," and other areas.
The first "Action" under Project Strobe is starting the process of shutting down Google+. According to the blog post, while Google had put effort into building out the social network over the years, it "has not achieved broad consumer or developer adoption, and has seen limited user interaction with apps."
It is claimed the consumer version of Google+ currently has very low usage and engagement, with 90 percent of user sessions said to last less than five seconds. Google will be winding down Google+ over the next ten months, with a full closure in August 2019.
Google also admits to a bug in the Google+ APIs that gave apps granted access to a user's profile data full access to it, including profile fields that were not marked as public. The data is said to be limited to just static, optional profile fields, including names, email addresses, occupation, gender, and age, but it doesn't include any data posted or connected to Google+, like account data, phone numbers, G Suite content, or even Google+ posts and messages.
Google notes it found and patched the bug in March 2018, but because it retains API log data for only two weeks, it is unable to confirm which users were impacted by the bug. Analysis over the two-week period before patching suggests up to 500,000 Google+ accounts were potentially affected, but while up to 438 applications may have used the API, there is apparently no evidence that any developer was aware of the bug or abused the API, or that any profile data was misused.
According to the report from the Wall Street Journal, the bug may have started in 2015, meaning the data could have been exposed for a period of three years.
An internal memo from Google's legal and policy staff, cited in the report, advised senior executives against disclosing the incident publicly, as doing so would most likely draw "immediate regulatory interest" and be directly compared with Facebook's Cambridge Analytica scandal. Following an internal committee decision to not notify users of the issue, Google chief executive Sundar Pichai was apparently informed of the selected course of action.
While noting there is no evidence of outside developers misusing the data, the memo also acknowledges Google has no way of knowing for sure that the data wasn't misused. Report sources note internal lawyers advised the company wasn't legally required to disclose the incident, and the lack of knowledge of what data developers saw also meant there was no "actionable benefit to the end users" in notifying them of the bug.
The revelation of exposed user data arrives shortly after Alphabet/Google, Amazon, Twitter, AT&T, Charter Communications, and Apple representatives testified to the Senate Committee on Commerce, Science, and Transportation on the matter of privacy. During the hearing, Apple vice president of software technology Guy "Bud" Tribble signaled Apple's support for federal privacy legislation to help ensure users know their data isn't being misused.
The Project Strobe announcement also reveals Google intends to provide users with more fine-grained control over what account data they wish to share with each app. Rather than requesting all permissions on a single screen, apps will have to show each requested permission one at a time, with responses required for each individual permission type.
There will also be an update to the User Data Policy for the consumer Gmail API to limit the apps that may seek permission to access consumer Gmail data, with only apps that directly enhance email functionality able to access the data. The same apps, which include clients, backup services, and productivity services, will also have to agree to new rules on handling Gmail data, and will be subject to security assessments.
The last action on the list is to limit apps' ability to receive Call Log and SMS permissions on Android devices, as well as Google no longer making contact interaction data available via the Android Contacts API.

Comments
Thanks for this.
Anyway, Google+ was lame beyond belief, too.
I switched to Runbox out of Norway back in 2014 when I wised up about Google's services and how they monetize user data.
Your transition to another provider can be very gradual, if you want. You don't need to give up Gmail entirely while you onboard another email provider. When you're ready to make the switch — if this involved changed email addresses — just put an auto-response on your Gmail account that you can be reached at a new address now.
I don’t love the idea of a company gathering as much info about me as they can. I haven’t used Facebook in over 10 years (and when I did it was limited) and I avoid Google services as well (never had a GMail account either) though I’m sure they have both built some sort of profile on me.
But I have never heard what real negative effects there could be for having that data stolen by a third party. Have there been any actual instances of wrong-doing as a direct result of any of these data leaks?
Maybe a few that wanted to comment on YouTube back when Google tried to make it a requirement. That didn’t last long.
https://9to5google.com/2018/10/08/how-to-download-google-plus-data/
If you want to purge any or all personal user data Google may have now it's also pretty easy.
https://support.google.com/accounts/answer/7660719?hl=en
Wow.
Just … wow.
So they expose user data and then decide to keep quiet about it to save face and hide from the law.
And in one fell swoop they manage to sink to the same level of scumminess as Facebook … or perhaps lower if that’s possible.
Bad Google and I hope they get at minimum a cursory investigation by the FTC to confirm that no user profile info was actually leaked as Google would like to claim.
As for the other privacy-forward changes...
EXCELLENT.
So after suspending my account because I wasn't using my real name, but my online sobriquet, and getting into disputes with many, much more important persons than I over similar things, they're now saying that they compromised all that intimate data they insisted on.
I'd have given up, when they locked my account, except I had friends who were convinced it was the next big thing, and better than Facebook, so I needed to stay in touch with them. Also, being Google, it also affected my YouTube, Gmail, and other accounts I was already operating under that name.
Quoting: "...it didn’t include phone numbers, email messages, timeline posts, direct messages or any other type of communication data"
Still plenty bad enough and a really bad way of handling the discovery. All it accomplished is seeding more distrust in how transparent Google really is when these issues crop up, and they almost assuredly will again.
EDIT: More evidence of the sorry state of Google+:
There were only about 400 developers who showed any interest in the platform, and fewer than 500K users of Google+ in total. On the plus side not many developers there so few had a chance to see those user profiles if they were aware they could.
Stupid and sneaky way of handling things in any event.
/s