Google+ shutting down in wake of allegations of weak user data security

Posted in General Discussion, edited October 8
Google has confirmed it will close down the social network Google+ in August next year as part of a data protection initiative called Project Strobe, but a report alleges the initiative itself was prompted by Google wanting to avoid regulatory scrutiny over its exposure of the private data of hundreds of thousands of users.




Launched at the start of 2018, Project Strobe is described by Google Fellow and Vice President of Engineering Ben Smith as "a root-and-branch review of third-party developer access to Google account and Android device data" and of the company's philosophy surrounding apps' data access. The review covered the operation of privacy controls, platforms with low API engagement due to data privacy concerns, areas where developers may have been "granted overly broad access," and other areas.

The first "Action" under Project Strobe is starting the process of shutting down Google+. According to the blog post, while Google had put effort into building out the social network over the years, it "has not achieved broad consumer or developer adoption, and has seen limited user interaction with apps."

It is claimed the consumer version of Google+ currently has very low usage and engagement, with 90 percent of user sessions said to last less than five seconds. Google will be winding down Google+ over the next ten months, with a full closure in August 2019.

Google also admits to a bug in the Google+ APIs that gave apps granted access to a user's profile data full access to it, including profile fields that were not marked as public. The exposed data is said to be limited to static, optional profile fields, including names, email addresses, occupation, gender, and age; it does not include any data posted or connected to Google+, such as account data, phone numbers, G Suite content, or even Google+ posts and messages.

Google notes it found and patched the bug in March 2018, but due to only retaining API log data for two weeks, it is unable to confirm which users were impacted by the bug. Analysis over the two-week period before patching suggests up to 500,000 Google+ accounts were potentially affected, but while up to 438 applications may have used the API, there is apparently no evidence any developer was aware of the bug, abused the API, or that any profile data was misused.

According to the report from the Wall Street Journal, the bug may have started in 2015, meaning the data could have been exposed for a period of three years.

An internal memo from Google's legal and policy staff, provided to the report, advised senior executives against disclosing the incident publicly, as it would most likely draw "immediate regulatory interest" and would be directly compared with Facebook's Cambridge Analytica scandal. Following an internal committee decision not to notify users of the issue, Google chief executive Sundar Pichai was apparently informed of the selected course of action.

While noting there is no evidence of outside developers misusing the data, the memo also acknowledges Google has no way of knowing for sure that the data wasn't misused. Report sources note internal lawyers advised the company wasn't legally required to disclose the incident, and the lack of knowledge of what data developers saw also meant there was no "actionable benefit to the end users" in notifying them of the bug.

The revelation of exposed user data arrives shortly after Alphabet/Google, Amazon, Twitter, AT&T, Charter Communications, and Apple representatives testified to the Senate Committee on Commerce, Science, and Transportation on the matter of privacy. During the hearing, Apple vice president of software technology Guy "Bud" Tribble signaled Apple's support for federal privacy legislation to help ensure users know their data isn't being misused.

The Project Strobe announcement also reveals Google intends to provide users with more fine-grained control over what account data they wish to share with each app. Rather than requesting all permissions on a single screen, apps will have to show each requested permission one at a time, with a response required for each individual permission type.

There will also be an update to the User Data Policy for the consumer Gmail API to limit the apps that may seek permission to access consumer Gmail data, with only apps that directly enhance email functionality able to access the data. The same apps, which include clients, backup services, and productivity services, will also have to agree to new rules on handling Gmail data, and will be subject to security assessments.

The last action on the list is to limit apps' ability to receive Call Log and SMS permissions on Android devices, as well as Google no longer making contact interaction data available via the Android Contacts API.

Comments

  • Reply 1 of 43
    CADrmr Posts: 2 unconfirmed, member
    Thanks -- so necessary to know!  And how much they have betrayed their users, their so-called codes and promises, starting with: Don't Be Evil. They exemplify it MORE every day. I need to get rid of all their products, especially email -- but how?

    Thanks for this.

    Anyway, Google+ was lame beyond belief, too.
  • Reply 2 of 43
    sflocal Posts: 4,243 member
    Was anyone really using Google+ anyway?
  • Reply 3 of 43
    After Google+ is shut down, the company should purge its servers of all user data. Users, whether knowingly or not, traded their personal data to Google in exchange for services that it rendered. Now that Google has backed out of its commitment to provide services, it should disgorge all of the personal data that it collected and exposed to hackers. We should also consider the lesson of this experience before handing personal data over to future Google ventures, Facebook and other data accumulators. The services they promise have a limited value over a limited duration, whereas their use of our personal data is limited neither by application nor duration.
    edited October 8
  • Reply 4 of 43
    What's Google+? Did they hand out free CDs like AOL?
  • Reply 5 of 43
    After Google+ is shut down, the company should purge its servers of all user data. Users, whether knowingly or not, traded their personal data to Google in exchange for services that it rendered. Now that Google has backed out of its commitment to provide services, it should disgorge all of the personal data that it collected and exposed to hackers. We should also consider the lesson of this experience before handing personal data over to future Google ventures, Facebook and other data accumulators. The services they promise have a limited value over a limited duration, whereas their use of our personal data is limited neither by application nor duration.
    They don’t care as since they failed at becoming the new Facebook they decided to become Microsoft of the 90’s. Since the tech heads love them and hate Apple they have been able to push the chrome browser that is a WebKit fork that has been made Proprietary by installing an always running background server and then the extensions that only work with chrome on a computer. So, companies like LinkedIn are pushing chrome for more features which is crazy for a web based company in the age of mobility.
  • Reply 6 of 43
    Rayz2016 Posts: 4,201 member
    sflocal said:
    Was anyone really using Google+ anyway?
    No one I know. 


  • Reply 7 of 43
    Blunt Posts: 209 member
    I remember a clown in the Netherlands who said that Google+ would be bigger than Facebook in no time. This guy calls himself a tech expert.
  • Reply 8 of 43
    coolfactor Posts: 1,283 member
    CADrmr said:
    Thanks -- so necessary to know!  And how much they have betrayed their users, their so-called codes and promises, starting with: Don't Be Evil. They exemplify it MORE every day. I need to get rid of all their products, especially email -- but how?

    Thanks for this.

    Anyway, Google+ was lame beyond belief, too.

    I switched to Runbox out of Norway back in 2014 when I wised up about Google's services and how they monetize user data.

    Your transition to another provider can be very gradual, if you want. You don't need to give up Gmail entirely while you onboard another email provider. When you're ready to make the switch — if this involved changed email addresses — just put an auto-response on your Gmail account that you can be reached at a new address now.

  • Reply 9 of 43
    lmac Posts: 154 member
    Well that's going to disappoint the dozens of users on this platform.
  • Reply 10 of 43
    After Google+ is shut down, the company should purge its servers of all user data. Users, whether knowingly or not, traded their personal data to Google in exchange for services that it rendered. Now that Google has backed out of its commitment to provide services, it should disgorge all of the personal data that it collected and exposed to hackers. We should also consider the lesson of this experience before handing personal data over to future Google ventures, Facebook and other data accumulators. The services they promise have a limited value over a limited duration, whereas their use of our personal data is limited neither by application nor duration.
    While I agree with you I also wonder...after all the years of Facebook and Google collecting user data and then finding about these potentially huge leaks of said data what is the risk to the user?

    I don’t love the idea of a company gathering as much info about me as they can. I haven’t used Facebook in over 10 years (and when I did it was limited) and I avoid Google services as well (never had a GMail account either) though I’m sure they have both built some sort of profile on me. 

    But I have never heard what real negative effects there could be for having that data stolen by a third party. Have there been any actual instances of wrong-doing as a direct result of any of these data leaks?
  • Reply 11 of 43
    sflocal said:
    Was anyone really using Google+ anyway?

    Maybe a few that wanted to comment on YouTube back when Google tried to make it a requirement. That didn’t last long.
  • Reply 12 of 43
    gatorguy Posts: 19,275 member
    After Google+ is shut down, the company should purge its servers of all user data. Users, whether knowingly or not, traded their personal data to Google in exchange for services that it rendered. Now that Google has backed out of its commitment to provide services, it should disgorge all of the personal data that it collected and exposed to hackers. We should also consider the lesson of this experience before handing personal data over to future Google ventures, Facebook and other data accumulators. The services they promise have a limited value over a limited duration, whereas their use of our personal data is limited neither by application nor duration.
    As far as I know any associated Google+ user data will be purged once the service shuts down. You have between now and next summer to download anything you want to keep and/or move to some other provider. 
    https://9to5google.com/2018/10/08/how-to-download-google-plus-data/

    If you want to purge any or all personal user data Google may have now it's also pretty easy. 
    https://support.google.com/accounts/answer/7660719?hl=en


  • Reply 13 of 43
    Rayz2016 Posts: 4,201 member
    An internal memo from Google's legal and policy staff provided to the report advised senior executives away from disclosing the incident publicly, due to it most likely drawing "immediate regulatory interest," and would be directly compared with Facebook's Cambridge Analytica scandal. 

    Wow.

    Just … wow. 

    So they expose user data and then decide to keep quiet about it to save face and hide from the law. 

    And in one fell swoop they manage to sink to the same level of scumminess as Facebook … or perhaps lower if that’s possible.
  • Reply 14 of 43
    gatorguy Posts: 19,275 member
    Rayz2016 said:
    An internal memo from Google's legal and policy staff provided to the report advised senior executives away from disclosing the incident publicly, due to it most likely drawing "immediate regulatory interest," and would be directly compared with Facebook's Cambridge Analytica scandal. 

    Wow.

    Just … wow. 

    So they expose user data and then decide to keep quiet about it to save face and hide from the law. 

    And in one fell swoop they manage to sink to the same level of scumminess as Facebook … or perhaps lower if that’s possible.


    Agreed, it was a crappy and morally wrong way to handle it. With any luck no developers realized they could access names, email addresses, dates of birth, public profile picture, and relationship status even if the user hadn't agreed to share it with them.  Hardly anyone was using Google+ fortunately. It was time for it to die even without this. 

    Bad Google and I hope they get at minimum a cursory investigation by the FTC to confirm that no user profile info was actually leaked as Google would like to claim. 

    As for the other privacy-forward changes...
    EXCELLENT.
  • Reply 15 of 43
    anome Posts: 1,118 member

    So after suspending my account because I wasn't using my real name, but my online sobriquet, and getting into disputes with many, much more important persons than I over similar things, they're now saying that they compromised all that intimate data they insisted on.

    I'd have given up, when they locked my account, except I had friends who were convinced it was the next big thing, and better than Facebook, so I needed to stay in touch with them. Also, being Google, it also affected my YouTube, Gmail, and other accounts I was already operating under that name.

  • Reply 16 of 43
    gatorguy Posts: 19,275 member
    anome said:

    So after suspending my account because I wasn't using my real name, but my online sobriquet, and getting into disputes with many, much more important persons than I over similar things, they're now saying that they compromised all that intimate data they insisted on.

    I'd have given up, when they locked my account, except I had friends who were convinced it was the next big thing, and better than Facebook, so I needed to stay in touch with them. Also, being Google, it also affected my YouTube, Gmail, and other accounts I was already operating under that name.

    According to the WSJ and Google no Google account data, or messages or posts or other info beyond the basic Google+ user profile was exposed to developers.
    Quoting:  "...it didn’t include phone numbers, email messages, timeline posts, direct messages or any other type of communication data"

    Still plenty bad enough and a really bad way of handling the discovery. All it accomplished is seeding more distrust in how transparent Google really is when these issues crop up, and they almost assuredly will again. 

    EDIT: More evidence of the sorry state of Google+:
    There were only about 400 developers who showed any interest in the platform, and fewer than 500K users of Google+ in total. On the plus side not many developers there so few had a chance to see those user profiles if they were aware they could.

    Stupid and sneaky way of handling things in any event.  
    edited October 8
  • Reply 17 of 43
    StrangeDays Posts: 5,605 member
    gatorguy said:
    Rayz2016 said:
    An internal memo from Google's legal and policy staff provided to the report advised senior executives away from disclosing the incident publicly, due to it most likely drawing "immediate regulatory interest," and would be directly compared with Facebook's Cambridge Analytica scandal. 

    Wow.

    Just … wow. 

    So they expose user data and then decide to keep quiet about it to save face and hide from the law. 

    And in one fell swoop they manage to sink to the same level of scumminess as Facebook … or perhaps lower if that’s possible.


    Agreed, it was a crappy and morally wrong way to handle it. With any luck no developers realized they could access names, email addresses, dates of birth, public profile picture, and relationship status even if the user hadn't agreed to share it with them.  Hardly anyone was using Google+ fortunately. It was time for it to die even without this. 

    Bad Google and I hope they get at minimum a cursory investigation by the FTC to confirm that no user profile info was actually leaked as Google would like to claim. 

    As for the other privacy-forward changes...
    EXCELLENT.
    Yes, it's almost like privacy is a value-holding feature, huh?
  • Reply 18 of 43
    gatorguy Posts: 19,275 member
    gatorguy said:
    Rayz2016 said:
    An internal memo from Google's legal and policy staff provided to the report advised senior executives away from disclosing the incident publicly, due to it most likely drawing "immediate regulatory interest," and would be directly compared with Facebook's Cambridge Analytica scandal. 

    Wow.

    Just … wow. 

    So they expose user data and then decide to keep quiet about it to save face and hide from the law. 

    And in one fell swoop they manage to sink to the same level of scumminess as Facebook … or perhaps lower if that’s possible.


    Agreed, it was a crappy and morally wrong way to handle it. With any luck no developers realized they could access names, email addresses, dates of birth, public profile picture, and relationship status even if the user hadn't agreed to share it with them.  Hardly anyone was using Google+ fortunately. It was time for it to die even without this. 

    Bad Google and I hope they get at minimum a cursory investigation by the FTC to confirm that no user profile info was actually leaked as Google would like to claim. 

    As for the other privacy-forward changes...
    EXCELLENT.
    Yes, it's almost like privacy is a value-holding feature, huh?
    In a way yes. 
  • Reply 19 of 43
    dewme Posts: 1,686 member
    With Google+, you are the product, so effectively you're being laid off by Google because they no longer need you. I wonder if those affected will get some sort of severance package?
  • Reply 20 of 43
    gatorguy Posts: 19,275 member
    dewme said:
    With Google+, you are the product, so effectively you're being laid off by Google because they no longer need you. I wonder if those affected will get some sort of severance package?
    They can probably find something else for the three employees to do. 

    /s