Google is to shut down its Google+ social network after the data of 500,000 users was leaked and nobody was told, The Daily Mail reports.
The tech giant has also revealed that 438 third-party apps may have had access to this data due to a “bug”, in a case being compared to the Cambridge Analytica scandal that engulfed Facebook in March. Google revealed the data breach in a statement about shutting down Google+ for consumers, seven years after its launch, citing the incident as part of the cause.
The personal information of 500,000 people using the site between 2015 and March 2018 was compromised, according to the Wall Street Journal. But managers at the company chose not to go public with the bug because they worried that it would invite scrutiny from regulators, particularly in the wake of Facebook's recent security bungle. Shortly after the report was published, Google announced that it would be shutting Google+.
In the announcement, Google also unveiled a raft of new security features for Android, Gmail and other Google platforms that it has introduced as a result of the bug. Google said it discovered the bug as part of an internal audit called Project Strobe, which was initiated earlier this year.
“The review did highlight the significant challenges in creating and maintaining a successful Google+ that meets consumers' expectations,” Ben Smith, Google's vice president of engineering, wrote in a blog post. “Given these challenges and the very low usage of the consumer version of Google+, we decided to sunset the consumer version of Google+.”
News of the bug sent shares of Google's parent company, Alphabet, down as much as 2.2 percent to $1,142.43 (£872.93) in New York yesterday afternoon. As a result of the breach, 496,951 users' names, email addresses, birth dates, gender, profile photos, occupation, places they lived and relationship status were potentially exposed.
“It does not include any other data you may have posted or connected to Google+ or any other service, like Google+ posts, messages, Google account data, phone numbers or G Suite content,” Smith explained.
The bug was a part of a flaw in an application programming interface (API) Google created to help app developers access profile and contact information for users who sign up for the service, including information shared with Google+.
The firm found that this API allowed app developers to access the information of Google+ users' friends, even if that data was marked as private by the user. As many as 438 applications had access to the unauthorized Google+ data, according to the Journal. Google said it hasn't yet found any evidence that the data obtained as a result of the bug was misused.
“We found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any profile data was misused,” Smith said.
Although the bug was discovered many months ago, Google didn't disclose it right away. Google Chief Executive Officer Sundar Pichai was briefed on the plan not to notify users after an internal committee had reached that decision, according to WSJ.
A memo, prepared by Google's legal and policy staff and shared with senior executives, warned that disclosing the incident would likely trigger “immediate regulatory interest” and invite comparisons to Facebook's leak of user information to data firm Cambridge Analytica, the report said.
Executives feared it would lead to “us coming into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal,” an internal memo read.
Google said yesterday that none of the thresholds it requires to disclose a breach were met after reviewing the type of data involved, whether it could identify the users to inform, establish any evidence of misuse, and whether there were any actions a developer or user could take to protect themselves. Security and privacy experts and financial analysts questioned the decision.
“Users have the right to be notified if their information could have been compromised,” said Jacob Lehmann, managing director at legal firm Friedman CyZen. “This is a direct result of the scrutiny that Facebook dealt with regarding the Cambridge Analytica scandal.”
Google admitted in the blog post disclosing the bug that usage of Google+ has dropped off in recent years.
The consumer version was found to have low usage and engagement, with 90 percent of Google+ user sessions lasting fewer than five seconds, according to the firm.
“This review crystallized what we've known for a while: that while our engineering teams have put a lot of effort and dedication into building Google+ over the years, it has not achieved broad consumer or developer adoption, and has seen limited user interaction with apps,” Smith said.
Google will continue to operate Google+ as an enterprise product for companies. It plans to shut down Google+ for consumers over the course of the next 10 months, with the platform officially retiring in August 2019. The announcement comes as public scrutiny has intensified around Silicon Valley tech giants' management of user data, among other issues. Google has thus far been able to defer much of the criticism to Facebook and Twitter, but the Google+ bug may thrust it further into the spotlight.
Several policies Google introduced yesterday are designed to curb the data accessible to developers offering mobile apps on the Google Play store or add-on apps for sending and organizing Gmail messages. Play Store apps will no longer be allowed to access text message and call logs unless they are the default calling or texting app on a user's device or have an exception from Google. Gmail add-ons available to consumers starting next year will be barred from selling user data and be subject to a third-party security assessment that will cost them about $15,000 (£11,460) to $75,000 (£57,320), Google said. Such moves could strengthen Google by making it harder for competing services to grow off its data, said Chris Messina, a designer who worked on Google+ before leaving in 2013.