Google announced this week it will shutter Google+, a service it launched in 2011 to compete with Facebook, after discovering a bug in one of the social network’s APIs that exposed user data.
Per reports, Google failed to disclose the bug to the public, fearing the news would trigger "immediate regulatory interest" and invite unfavorable comparisons to Facebook in the wake of its own data privacy scandal involving Cambridge Analytica.
The Wall Street Journal got ahold of a memo on the issue prepared by Google’s legal and policy staff and broke the news Monday.
Google tucked the news into a blog post trumpeting Project Strobe, a group it claims it launched earlier this year to review third party developer access to Google and Android device data.
The company said it uncovered the bug as part of an audit of Google+. The flaw could have given third-party developers access to profile fields that users had not necessarily marked as public. Data such as a user's name, email address, occupation, gender, and age could have been accessed, along with other profile properties, according to Ben Smith, Google's Vice President of Engineering.
Google patched the issue in March, but it may have lingered for years; The Wall Street Journal suggests the glitch was present as far back as 2015. Google, for its part, said the bug may have been introduced by a code change in Google+ but didn't supply a timeline. The company has figures around the incident, but they're not concrete: up to 500,000 accounts may have been affected, but it's unclear which users may have had their data exposed.
The company didn't name any of the applications involved but said that, based on its analysis, 438 applications may have used the API. While these applications may have called the API, Google said its review found no evidence that the data was misused.
Google's Privacy and Data Protection Office saw no actionable benefit to informing the public of the issue, the WSJ said, chiefly because it wasn't certain which developer had obtained which data. Deciding whether or not to notify users of a data breach is also complicated by the fact that each U.S. state has its own breach-notification laws, which can become confusing when a company's affected users are spread across multiple states.
Smith acknowledged in the blog that there are inherent difficulties when it comes to giving users fine-grained privacy controls. That coupled with Google+'s low usage rate prompted the company to begin sunsetting the product; Google says it will be gone by next September.
As the WSJ hints, if this news had come out earlier this spring it almost certainly would have caused an uproar, especially in March, around the time the Cambridge Analytica story came to light. Facebook has had a brutal year on the privacy front, first with Cambridge Analytica and then with last week's breach affecting 50 million users. It's no surprise Google didn't want to piggyback on that rash of bad news.
It's unclear whether Google will suffer any setbacks, at least in the near future, because of its delayed disclosure. The company is unlikely to be penalized under the EU's General Data Protection Regulation (GDPR), since the incident was discovered and patched back in March, before the regulation took effect. Meanwhile, the stock of Google's parent company, Alphabet, was down only 1 percent on Monday. It's more likely that Google's lack of transparency will come back to bite the company further down the road: with both the public and governments newly focused on data privacy, Google's risk will be compounded the next time it releases a product that processes user data.
"This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users," Senator Mark Warner (D-Va.), a Democrat on the U.S. Senate Select Committee on Intelligence, told the press on Monday. "In the last year, we've seen Google try to evade scrutiny—both for its business practices and its treatment of user data ... This seriously questions whether the FTC enforcement model is up to the task of consumer protection when it comes to major social media platforms."