Google exposed the private details of almost 500,000 Google+ users and then opted not to report the lapse, in part out of concern disclosure would trigger regulatory scrutiny and reputational damage, The Wall Street Journal reported Monday, citing people briefed on the matter and documents that discussed it. Shortly after the article was published, Google said it would close the Google+ social networking service to consumers.
The exposure was the result of a flaw in programming interfaces Google made available to developers of applications that interacted with users Google+ profiles, Google officials said in a post published after the WSJ report. From 2015 to March 2018, the APIs made it possible for developers to view profile information not marked as public, including full names, email addresses, birth dates, gender, profile photos, places lived, occupation, and relationship status. Data exposed didnt include Google+ posts, messages, Google account data, phone numbers, or G Suite content. Some of the users affected included paying G Suite users.
Google Chief Executive Sundar Pichai knew of the glitch and the decision not to publicly disclose it, the WSJ reported. Based on a two-week test designed to measure the impact of the API bugs before they were fixed, Google analysts believe that data for 496,951 users was improperly exposed. According to the report:
The episode involving Google+, which hasnt been previously reported, shows the company's concerted efforts to avoid public scrutiny of how it handles user information, particularly at a time when regulators and consumer privacy groups are leading a charge to hold tech giants accountable for the vast power they wield over the personal data of billions of people.
The snafu threatens to give Google a black eye on privacy after public assurances that it was less susceptible to data gaffes like those that have befallen Facebook. It may also complicate Googles attempts to stave off unfavorable regulation in Washington. Mr. Pichai recently agreed to testify before Congress in the coming weeks.
In a statement, Google officials said there were other reasons for withholding public disclosure of the data exposure. In the emailed statement, a Google spokesman wrote:
Every year, we send millions of notifications to users about privacy and security bugs and issues. Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice.
Our Privacy & Data Protection Office reviewed this issue, looking at the type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response. None of these thresholds [was] met in this instance.
The review did highlight the significant challenges in creating and maintaining a successful Google+ that meets consumers expectations. Given these challenges and the very low usage of the consumer version of Google+, we decided to sunset the consumer version of Google+.
Googles post said the API failures came to light through a review dubbed Project Strobe. It analyzed third-party developers access to Google account and Android device data to measure whether permissions were overly broad. One of the four findings was that Google+ faced “significant challenges” in meeting users privacy expectations. As a result (and because of the relatively low engagement shown by Google+ users in the seven years since the service was introduced), Google plans to retire it to consumers. Over the next 10 months, it will be gradually phased out. Google will continue to make Google+ available to enterprise users.
The Google post said analysts found no evidence the API bugs were actively exploited by developers. But the post also said that, to ensure privacy, the company destroys most Google+ logs after two weeks. According to the WSJ, an internal memo acknowledged there was no way to know. People who have used Google+ during the time the bugs were active should assume any exposed data is publicly available.