According to a WSJ report, Google’s social media service, Google+, exposed the private profile data of almost 500,000 users for the past three years; however, the company opted not to tell anyone about it, fearing both reputational damage and new regulation.
Undisclosed User Data Exposure
Google learned in March that a software vulnerability that has existed in its Google+ service since 2015 could have allowed malicious third-party app developers to access users’ private profile information.
The company discovered the issue just as the Facebook-Cambridge Analytica privacy scandal was still fresh in everyone’s minds. At the time, multiple governments were scrutinizing Facebook over its data practices, and, according to WSJ's report, this seems to be the reason why Google failed to disclose its security issue to the public.
A memo by Google’s legal and policy team to the company’s senior executives and obtained by WSJ said that disclosing the incident would trigger “immediate regulatory interest” and invite comparison to Facebook’s scandal. After an internal committee had already reached the decision not to disclose the privacy and security issue to the public, Google’s CEO, Sundar Pichai, was also notified.
Google told WSJ that it decided not to disclose the issue based on several factors, including whether the company could accurately identify the impacted users, whether there was any evidence of misuse, and whether there was any action the users could have taken. The company said that “none of those thresholds were met.” The internal memo from the legal and policy staff said that the company had no evidence of any attack exploiting this vulnerability, but there was also no way to know for sure.
The exposed private profile data included full names, email addresses, birth dates, gender, profile photos, places lived, occupation and relationship status.
According to WSJ’s report, the Google+ privacy issue was due to an API that allowed third-party developers to collect users’ friends’ data, even if that data was set to non-public. When a user granted a developer permission to access their profile, any of the data related to that profile could be collected by the developer. This is very similar to how Cambridge Analytica was able to collect data on millions of users. Although it is unable to tell whether or not apps misused user data, Google said that up to 438 applications had access to unauthorized Google+ data.
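The authorization flaw described above, modelled as an added example that is not Google's code: one user's consent releases every field of their connections' profiles regardless of audience setting, next to a policy that releases only public fields or fields the connection personally shared with the app. The profile store, user names, field audiences and scope strings are constructed for illustration.

```python
# Added example (not Google's code): a simplified model of an API that serves a user's
# connections, in a flawed form that ignores each field's audience setting and in a
# hardened form. All names, fields, scope strings and data are constructed.

PUBLIC, CONNECTIONS, PRIVATE = "public", "connections", "private"

# Constructed profile store: each field carries the audience its owner chose for it.
PROFILES = {
    "alice": {
        "connections": {"bob"},
        "fields": {
            "name": ("Alice Example", PUBLIC),
            "email": ("alice@example.test", PRIVATE),
            "birthday": ("1990-01-01", CONNECTIONS),
        },
    },
    "bob": {"connections": {"alice"}, "fields": {"name": ("Bob Example", PUBLIC)}},
}

def connections_vulnerable(granting_user):
    """Flawed: one user's consent releases every field of every connection,
    including fields those connections marked non-public."""
    return {
        peer: {k: v for k, (v, _aud) in PROFILES[peer]["fields"].items()}
        for peer in PROFILES[granting_user]["connections"]
    }

def connections_hardened(granting_user, app_grants):
    """Hardened: a connection's field reaches the app only if it is public, or if that
    connection personally authorized the app with a scope covering the field.
    app_grants maps user -> set of scope strings (assumed format 'profile.<field>')."""
    out = {}
    for peer in PROFILES[granting_user]["connections"]:
        peer_scopes = app_grants.get(peer, set())
        out[peer] = {
            k: v
            for k, (v, aud) in PROFILES[peer]["fields"].items()
            if aud == PUBLIC or f"profile.{k}" in peer_scopes
        }
    return out

def audit_overshare(granting_user, app_grants):
    """Detection aid: lists the (owner, field) pairs the flawed path releases
    beyond what the hardened policy allows."""
    loose = connections_vulnerable(granting_user)
    strict = connections_hardened(granting_user, app_grants)
    return sorted((peer, f) for peer in loose for f in loose[peer] if f not in strict[peer])
```

Running `audit_overshare("bob", {"bob": {"profile.email"}})` shows that Bob's consent would have leaked Alice's private email and connections-only birthday, which the hardened policy withholds because Alice never authorized the app.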
Google+ Shuts Down
Considering that Google+ has been considered a bit of a ghost town for years already, it’s not too surprising to see it shut down. However, it’s still interesting to see that the company is making this decision now, after the privacy issue became public.
The company told WSJ that shutting down Google+ is part of a recent effort to limit third-party developers’ access to its users’ data, including Gmail add-on developers and Android app developers.
Google said that only Gmail add-on developers that pass security audits will be allowed to continue accessing users' Gmail accounts, while “most” third-party Android developers will no longer receive access to users’ SMS messages, call logs and some additional forms of contact data on Android devices. Previous reports have found that some third-party Gmail add-on developers were reading users’ emails, supposedly to improve their algorithms.
Google CEO to Testify In Congress
Google’s lawyers advised the company’s executives, including its CEO, to avoid public disclosure of this privacy issue because the company was “not legally required” to do so. Unlike the EU, where data breach notices are mandatory within three days of the event under laws such as the recently passed GDPR, the U.S. doesn’t yet have federal laws regulating data breach notices.
Google also feared that disclosing the Google+ privacy issue would mean that CEO Sundar Pichai would have to testify in Congress, just as Mark Zuckerberg did. In fact, some senators did call for Google’s CEO to appear in a data privacy hearing earlier this spring. Pichai has refused to testify multiple times since then, but he recently agreed to testify in the U.S. House in the coming weeks.