Alongside Facebook’s Cambridge Analytica incident, Google suffered a blow of its own. In March, a bug was found in the Google+ API that allowed third-party apps to access the data of users who had granted permission to their profiles, and also the data of their friends. Evidently, Google did not disclose the bug or the subsequent data leak amid growing concerns about data privacy across the globe and the scrutiny that Facebook was facing. Some reports also suggest that the leak was kept quiet for fear of drawing regulatory scrutiny and reputational damage.
Disclosure of the Incident
After the bug was disclosed online, however, Google published a blog post under its Project Strobe to publicly announce the bug, its modus operandi and the ultimate shutdown of Google+. Project Strobe is Google’s data protection initiative, set up early this year. After the disclosure by the Wall Street Journal, Google had to make its notification about the bug public, provoking quite an uproar from its customers as well as the tech community. Google was not technically bound by any law to disclose the breach to its users under the constraints and parameters that apply in California, where the company is headquartered. In the blog, Ben Smith, Google Fellow and Vice President of Engineering, defended this stance by writing:
“Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice.”
Admittedly, the bug gave third-party apps access to the data of a user’s friends, but only to those profile fields that had been shared with the user and were not public. It follows that messages, phone numbers, GSuite data, etc. were not affected. Because logs are not retained for more than two weeks, Google could not determine exactly which users were affected by the bug. The blog does, however, estimate that about 500,000 users were affected.
Google has claimed that there is “no evidence” of developers being aware of the bug and exploiting it. Given the growing demand for privacy, the burden of maintaining Google+, and its very low usage and average user time, the blog announced that the consumer version of the product would be shut down over a period of 10 months. According to Google’s blog, 90% of user sessions on Google+ lasted less than 5 seconds.
So, what next?
This announcement does not affect enterprise users, however. Google recognised through its review that Google+ is actually better suited as an enterprise solution, because it sees more of its enterprise customers using Google+ to engage with teams and facilitate conversations. To smooth the process for end users who are not enterprise customers, Google has also promised a transparent process over the next couple of months. Users will be given the option to download their data for migration from Google+, which is now due to be shut down by August 2019. Google+ had definitely been on a downward slope over the last couple of years, but it is safe to say that the data leak crippled any efforts to revive it. More now than ever, this proves that security is going to drive companies, their products and profits.