Privacy Breach Prompts Early Shut Down of Google+

Source: WSJ - Douglas MacMillan | Published on December 11, 2018

Google to purge billions of files

After discovering a software bug that exposed the private profile information of 52 million users to outside app developers, Google said it would close the consumer version of its Google+ social network. This is the second time this year the company has acknowledged exposing private user data.

The Alphabet Inc. unit announced on Monday it introduced the bug during a software update on Nov. 6 and fixed the issue less than a week later. Google’s investigators didn’t find any evidence developers misused data, the company said in a blog post.

The announcement is likely to turn up the pressure on Chief Executive Sundar Pichai when he testifies today before Congress, with privacy issues expected to be high on the agenda. The software problem may also raise flags with regulators in Europe, whose General Data Protection Regulation requires companies to notify regulators of breaches within 72 hours, under threat of a maximum fine of 2% of world-wide revenue.

The Wall Street Journal reported in October that Google exposed the private data of hundreds of thousands of users of the Google+ social network and then opted not to disclose the issue this past spring, in part because of fears that doing so would draw regulatory scrutiny.

That issue gave outside developers the ability to view private profile information, including full names, email addresses, birth dates, gender, profile photos, places lived, occupation and relationship status. Google said that bug existed since 2015.

With the latest failure, Google introduced a new bug that exposed the same types of data to outside developers, the company said on Monday. This bug potentially affected many more people than the previous bug; the company discovered it within a week and informed the public within three weeks.

On Monday, after revealing the second bug, Google said it would end consumer functionality of Google+ by April, moving up the August timetable announced after the Journal reported the first bug. Google also said Monday it would close a collection of Google+ developer tools within 90 days.

“We understand that our ability to build reliable products that protect your data drives user trust,” said David Thacker, a Google vice president for product management, in a blog post announcing the changes. “We will never stop our work to build privacy protections that work for everyone.”

Google makes user data available to outside developers through more than 130 different public channels known as application programming interfaces, or APIs. These tools usually require a user’s permission to access any information, but they can be misused by unscrupulous actors posing as app developers to gain access to sensitive personal data.

Both of the bugs affecting users of the Google+ site this year were found on the same API, which was created to help app developers access an array of profile and contact information about the people who sign up to use their apps, as well as the people they are connected to on Google+. When a user grants a developer permission, any of the data they entered into a Google+ profile can be collected by the developer.

The announcement of a new privacy problem comes weeks after Google said it plans to clamp down on the data it provides outside developers through APIs. The company said in October it will stop letting most outside developers gain access to SMS messaging data, call log data and some forms of contact data on Android phones, and Gmail will only permit a small number of developers to continue building add-ons for the email service, the company said.

With the latest bug, Google said it didn’t find evidence user data were misused, which may exempt it from U.S. and European laws requiring timely disclosure of data breaches to users. The company’s ability to audit problems like these is limited, however, because it only retains records of user activity form two weeks.

Google’s disclosure increases the likelihood that privacy will be a featured topic for Mr. Pichai’s congressional appearance Tuesday .

Google angered lawmakers on both sides of the aisle in September, when the company failed to send top leaders to appear at a Senate hearing which featured Facebook Inc.’s operating chief and Twitter Inc.’s CEO. Google’s absence was noted by an empty chair with a placard bearing the company’s name.

Later that month, Mr. Pichai traveled to Washington to meet with House Republican leaders as well as President Trump’s top economic adviser, Larry Kudlow. House Majority Leader Kevin McCarthy (R., Calif.) praised Mr. Pichai for his visit, and the White House described Mr. Kudlow’s talks as positive and productive.

Mr. McCarthy has been critical of Google’s decision not to disclose the first Google+ privacy flaw.