The company also didn’t tell users about the exposure.
This story originally appeared on Engadget
Google exposed private data from hundreds of thousands of Google+ users and then chose not to inform those affected by the issue. The Wall Street Journal reported that sources close to the matter claim the decision to keep the exposure under wraps was made amid fears of regulatory scrutiny. Google said it discovered and immediately fixed the issue in March of this year.
According to the Wall Street Journal’s sources as well as documents reviewed by the publication, a software vulnerability gave outside developers access to private Google+ user data between 2015 and 2018. And an internal memo noted that while there wasn’t any evidence of misuse on behalf of developers, there wasn’t a way to know for sure whether any misuse took place. Google said that it also found no evidence that any of the developers behind the 438 applications that used the API in question were aware of the bug. Exposed data included names, email addresses, birth dates, gender, profile photos, places lived, occupation and relationship status.
Though Google allows developers to collect Google+ profile information when granted access by users, a bug gave developers access to the profile data of friends of those users as well, regardless of whether those friends had chosen to share that information publicly. Google said in a blog post that nearly 500,000 users may have been impacted, but because the company keeps the log data from this specific API for only two weeks at a time, it can’t fully confirm who was truly impacted and who was not. The company noted that information like Google+ posts, messages and G Suite content weren’t included in the exposure.
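The authorization flaw described above, as an added illustration (not code from Google or the original article): a user grants an app access to their own profile, and the API also hands over their friends' profile fields. The vulnerable version treats the user's grant as authority over the friends' data; the hardened version returns only what each friend chose to make public and records which friends' data was served. All users, fields and the `USERS` directory are constructed for this example.

```python
"""Constructed model of a friends-of-the-granting-user profile lookup.
Visibility levels mirror the per-field sharing choices a profile owner makes."""

PUBLIC, FRIENDS_ONLY, PRIVATE = "public", "friends", "private"

# Constructed directory: user -> profile fields, the owner's per-field visibility, friend set
USERS = {
    "alice": {
        "fields": {"name": "Alice", "email": "alice@example.test", "birthday": "1990-01-01"},
        "visibility": {"name": PUBLIC, "email": FRIENDS_ONLY, "birthday": PRIVATE},
        "friends": {"bob"},
    },
    "bob": {
        "fields": {"name": "Bob", "email": "bob@example.test", "occupation": "nurse"},
        "visibility": {"name": PUBLIC, "email": PRIVATE, "occupation": FRIENDS_ONLY},
        "friends": {"alice"},
    },
}

# Constructed audit trail: which app received which friend fields on whose behalf.
# Retaining this longer than the API logs lets the operator later answer "who was affected".
AUDIT_LOG = []


def friends_profiles_vulnerable(granting_user: str) -> dict:
    """Bug pattern: the grant made by `granting_user` is applied to the friends'
    profiles too, so every field of every friend is returned, whatever the
    friend's own sharing setting for that field was."""
    return {f: dict(USERS[f]["fields"]) for f in USERS[granting_user]["friends"]}


def public_fields(owner: str) -> dict:
    """Only fields whose owner marked them public are shareable with a third party."""
    return {k: v for k, v in USERS[owner]["fields"].items()
            if USERS[owner]["visibility"].get(k, PRIVATE) == PUBLIC}


def friends_profiles_fixed(granting_user: str, app_id: str = "example-app") -> dict:
    """Hardened: a friend's field is released only if that friend made it public,
    independent of the granting user's consent, and each release is logged."""
    out = {}
    for friend in USERS[granting_user]["friends"]:
        out[friend] = public_fields(friend)
        AUDIT_LOG.append({"app": app_id, "on_behalf_of": granting_user,
                          "friend": friend, "fields": sorted(out[friend])})
    return out
```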
“Our Privacy and Data Protection Office reviewed this issue, looking at the type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse and whether there were any actions a developer or user could take in response. None of these thresholds were met in this instance,” said Google. The Wall Street Journal reports that CEO Sundar Pichai was notified of the plan to not disclose the data exposure and a document obtained by the publication warned that if it was indeed disclosed, it could result in “us coming into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal.”
In light of this issue, Google will be shutting down the consumer version of Google+ and will do so over the course of 10 months in order to allow users to transition out of the service. The company aims to complete that process by August of next year. Additionally, Google is giving users more control over the data they share with apps, will limit the apps that can receive permission to access Gmail data and will limit apps' ability to access call logs and SMS on Android.
While Pichai declined to appear at a Senate Intelligence Committee hearing that touched on election meddling and security, he will testify before the House Judiciary Committee next month and discuss bias, privacy and Google’s rumored work in China.