Google+ is shutting down after failure to disclose data breach

Google is shutting down Google+ for consumers after a Wall Street Journal report revealed it covered up a data leak affecting 500,000 user accounts.

In March, Google discovered that a bug in the API for Google+ had been allowing third-party app developers access to the data not only of users who had granted permission, but of their friends too. Global news media have been quick to point out the leak’s striking similarity to Facebook’s Cambridge Analytica data breach.

Witnessing Facebook and Mark Zuckerberg undergo the fallout of the Cambridge Analytica debacle, Google chose not to disclose its own leak, The Wall Street Journal (WSJ) reported yesterday.

For Google, the disclosure would likely result “in us coming into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal,” company policy and legal officials wrote in an internal memo obtained by WSJ.

The knowledge, according to the memo, would invite “immediate regulatory interest” and “almost guarantees [Google CEO Sundar Pichai] will testify before Congress.”

Google announced the Google+ shutdown in a blog post soon after the WSJ article was published.

The leak potentially affected 500,000 accounts, and up to 438 different third-party applications may have had access to private information, admits the blog post by Google vice president of engineering Ben Smith.

“We found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any profile data was misused,” writes Smith.

Google+ keeps the affected API’s data log for two weeks only, which means it now cannot confirm which users were impacted. It can confirm that the data was limited to static, optional Google+ profile fields including name, email address, occupation, gender and age.

“Whenever user data may have been affected,” says Smith in defence of the company’s decision not to disclose the leak, “we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice.

“Our Privacy and Data Protection Office reviewed the issue, looking at the type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse and whether there were any actions a developer or user could take in response. None of these thresholds were met in this instance.”

The search giant’s attempt at a social platform has failed to gain popularity with consumers since launching in 2011. In fact, Smith’s blog post mentions that 90% of Google+ user sessions are less than five seconds in duration.

“The review crystallised what we’ve known for a while,” he says, “that while our engineering teams have put a lot of effort and dedication into building Google+ over the years, it has not achieved broad consumer or developer adoption and has seen limited user interaction with apps.”

While it’s unlikely the leaked data was used maliciously – if at all – and the shutting down of a failing platform may not impact Google’s product, the ethical implications raise questions about the company’s transparency.

“Its failed Facebook knock-off from seven years ago could drag down the search giant and see it endure increasing calls for regulation, as well as testimony before Congress,” writes Josh Constine in TechCrunch.

Google+ will wind down over a 10-month period.


Image credit: rvlsoft via 123RF

Ben Ice
BY Ben Ice ON 9 October 2018