Google+ is finally closing its doors following a report that forced Google to disclose a data breach that might have affected hundreds of thousands of users.
The possibly exposed data included users’ names, email addresses, birth dates, profile photos, and genders, though not any information related to personal communication or phone numbers. Google says that it found no evidence that any developer misused profile data, though it cannot confirm which users were impacted.
Though Google allows developers to collect Google+ profile information when granted access by users, a bug gave developers access to the profile data of friends of those users as well, regardless of whether those friends had chosen to share that information publicly. Google said in a blog post that nearly 500,000 users may have been impacted, but because the company keeps the log data from this specific API for only two weeks at a time, it can’t fully confirm who was truly impacted and who was not. The company noted that information like Google+ posts, messages and G Suite content weren’t included in the breach.
The company became aware of the security breach in the spring, but didn’t make an announcement until Oct. 8.
Chief Executive Sundar Pichai was briefed on the plan not to notify users after an internal committee had reached that decision, the people said.
The planned closure of Google+ is part of a broader review of privacy practices by Google that has determined the company needs tighter controls on several major products, the people said. In an announcement Monday, the company is expected to say it is curtailing the access it gives outside developers to user data on Android smartphones and Gmail, the people said.
Waiting to disclose the breach to users was a move designed to avoid damage to its image—and increased rules by government agencies.
Google did not initially disclose the Google+ security breach when it first discovered it this spring because it feared regulation and reputational damage, according to a Wall Street Journal report citing documents and people briefed on the incident. The Journal reports that the data of hundreds of thousands of profiles were possibly affected.
The Wall Street Journal reported:
The episode involving Google+, which hasn’t been previously reported, shows the company’s concerted efforts to avoid public scrutiny of how it handles user information, particularly at a time when regulators and consumer privacy groups are leading a charge to hold tech giants accountable for the vast power they wield over the personal data of billions of people.
In its blog post, Google wrote:
At the beginning of this year, we started an effort called Project Strobe—a root-and-branch review of third-party developer access to Google account and Android device data and of our philosophy around apps’ data access. This project looked at the operation of our privacy controls, platforms where users were not engaging with our APIs because of concerns around data privacy, areas where developers may have been granted overly broad access, and other areas in which our policies should be tightened.
Google couched the breach and response with the following sentence: “There are significant challenges in creating and maintaining a successful Google+ product that meets consumers’ expectations.”
The company then outlined steps its taking to protect users’ data and give people more control over content privacy, including limiting and/or increasing data rules for apps accessing Gmail, along with texts, contacts and the phone app on Android devices. Google is also showing individual dialog boxes which will ask for permissions to access data and/or other apps individually.
When explaining that it’s shutting down its failed social media platform, Google admitted that 90 percent of Google+ users’ sessions are less than five seconds—far less than the time spent on competitors such as Snapchat, Instagram, LinkedIn, Twitter and Facebook.
However, Google’s delay in notifying users of the data breach still might damage its reputation.
The Journal reported:
The snafu threatens to give Google a black eye on privacy after public assurances that it was less susceptible to data gaffes like those that have befallen Facebook. It may also complicate Google’s attempts to stave off unfavorable regulation in Washington. Mr. Pichai recently agreed to testify before Congress in the coming weeks.
CNBC also reported that after the news surfaced, company shares fell more than 2 percent.
What do you think of the company’s response, PR Daily readers? (image via)