Google said it will shut down the consumer version of its Google+ social network and tweak its data sharing rules after admitting that a bug the search giant found last March exposed personal identifying information on roughly 500,000 users.
The company conceded that it knew the security vulnerability handed nearly 450 third-party application developers access to the privately-marked names, email addresses, jobs, genders and ages of the affected users, but despite making an immediate patch, elected to keep it quiet. Google said it declined to disclose the flaw at the time because it didn’t know the extent of the damage. So far, officials said, there’s no evidence that any developers exercised the exposed personal data.
Google+ Data Exposure: Silence, Regulatory Concerns?
However, a new Wall Street Journal report suggested Google’s reticence may be tied to ulterior motives -- the search giant may have feared the security lapse would trigger a regulatory investigation by the Federal Trade Commission (FTC). In declining to speak on the Google incident, FTC Chairman Joseph Simons told The Hill, “When we see a significant breach that puts consumers’ private data at risk, you can be assured that we will be looking into it."
Google’s regulatory woes could extend beyond the U.S. Because the data exposure occurred before the General Data Protection Regulation (GDPR) went into effect in late May, Google is subject to examination by European Union member data authorities. Ireland’s data privacy regulator has already indicated he is looking into the breach, Reuters reported. “The Data Protection Commission was not aware of this issue and we now need to better understand the details of the breach, including the nature, impact and risk to individuals and we will be seeking information on these issues from Google,” the regulator reportedly said.
Stateside, the Attorneys General of Connecticut and New York said they are investigating further.
Google+ Data Exposure: What Went Wrong?
An audit of Google’s Project Strobe third party data access policies uncovered the flaw, said Ben Smith, Google’s vice president of engineering, in a blog post.
“At the beginning of this year, we started an effort called Project Strobe -- a root-and-branch review of third-party developer access to Google account and Android device data and of our philosophy around apps’ data access. As part of our Project Strobe audit, we discovered a bug in one of the Google+ People APIs,” Smith wrote. “Our Privacy & Data Protection Office reviewed this issue, looking at the type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response. None of these thresholds were met in this instance,” he said.
In the incident's wake, the search giant laid out three changes to its data access and sharing policies.
- Consumers will get more “fine-grained control” over what account data they choose to share with each app. Apps will have to show each requested permission one at a time in a separate dialog box.
- Only apps directly enhancing email functionality -- such as email clients, email backup services and productivity services -- will be authorized to access Gmail data. The apps will need to agree to new rules on handling Gmail data and will be subject to security assessments.
- Google Play will limit which apps are allowed to ask for permission to access a user’s phone and SMS data. Only the default app for making calls or text messages will be able to make these requests.
“In the coming months, we’ll roll out additional controls and update policies across more of our APIs,” Smith wrote. “As we do so, we’ll work with our developer partners to give them appropriate time to adjust and update their apps and services.”