A Wall Street Journal report said the bug exposing data of hundreds of thousands of users had been around since 2015. When it was finally discovered in March 2018, Google decided not to disclose it in order to avoid possible regulatory scrutiny. It did, however, patch the software hole.
The API bug allowed developers “to retrieve the data of some users who never intended to share it publicly,” according to WSJ’s sources. “Because of a bug in the API, developers could collect the profile data of their users’ friends even if that data was explicitly marked nonpublic in Google’s privacy settings.”
The full range of exposed profile data, according to an unnamed WSJ source, included “full names, email addresses, birth dates, gender, profile photos, places lived, occupation and relationship status.”
Ben Smith, Google’s vice president of engineering, explained that because Google kept the API’s log data for only two weeks, it could not confirm exactly which users were impacted; 438 apps may have used the buggy API. The company’s analysis found no evidence of profile data being misused.
Google determined that it didn’t have to report the issue to users even though it goes “beyond” its legal requirement when deciding whether or not to notify users about their data being affected:
“Our Privacy & Data Protection Office reviewed this issue, looking at the type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response. None of these thresholds were met in this instance.”
Yet after reviewing an internal document created by Google’s legal team, the WSJ said Google was worried that disclosing the issue would trigger “immediate regulatory interest.” Google was worried that going public about the incident in March could result in “us coming into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal.”
Google’s Project Strobe was born after discovering the Google Plus incident. It will give users more control over the data they share with apps, starting with “more granular Google Account permissions.” When an app wants to access your Google account, “you must grant it explicit permission.” Google is limiting apps that want access to Gmail, SMS, Contacts or Phone permissions. More changes are coming somewhere down the road.
Google Plus ran out of steam
As for how you feel about the coming end of Google Plus and the bug that could have leaked personal information, you might not be overly concerned. Afterall, who still uses Google Plus? Google admitted, “The consumer version of Google Plus currently has low usage and engagement: 90 percent of Google Plus user sessions are less than five seconds.”
While you might not use Google Plus, the company certainly tried hard to force you to use it. Back in 2011 after Google Plus was launched, Google tried to pull a Facebook and require real names; this round of nymwars resulted in some people who were using pseudonyms on their profiles being banned or having their accounts suspended. Three years later, Google finally changed its tune and removed the restriction on so users could use any name. The nymwar makes a mockery of Google’s claim on Monday of: “We made Google Plus with privacy in mind.”
For over two years, you could not create a Gmail or other Google account without creating a Google Plus profile. From January 2012 until September 2014, Google did not give users any option to opt out of Google Plus. Relaxing the mandatory Google Plus creation led some to speculate that Google might be ready to admit Google Plus was a failed social media platform.
And now, four years later, Google is ready to admit it. Google Plus RIP: June 2011 – August 2019. Yeppers, it will not sunset for another 10 months, giving people a chance to download and migrate their data.