Google Concealed Data Breach Over Fear Of Repercussions; Shuts Down Google+ Service

Google opted in the Spring not to disclose that the data of hundreds of thousands of Google+ users had been exposed because the company says they found no evidence of misuse, reports the Wall Street Journal. The Silicon Valley giant feared both regulatory scrutiny and regulatory damage, according to documents reviewed by the Journal and people briefed on the incident. 

In response to being busted, Google parent Alphabet is set to announce broad privacy measures which include permanently shutting down all consumer functionality of Google+, a move which "effectively puts the final nail in the coffin of a product that was launched in 2011 to challenge Facebook, and is widely seen as one of Google's biggest failures." 

Shares in Alphabet fell as much as 2.1% following the Journal's report: 

The software glitch gave outside developers access to private Google+ profile data between 2015 and March 2018, after Google internal investigators found the problem and fixed it. According to a memo prepared by Google's legal and policy staff and reviewed by the Journal, senior executives worried that disclosing the incident would probably trigger "immediate regulatory interest," while inviting comparisons to Facebook's massive data harvesting scandal. 

Chief Executive Sundar Pichai was briefed on the plan not to notify users after an internal committee had reached that decision, the people said.

The planned closure of Google+ is part of a broader review of privacy practices by Google that has determined the company needs tighter controls on several major products, the people said. In an announcement Monday, the company is expected to say it is curtailing the access it gives outside developers to user data on Android smartphones and Gmail, the people said.

...

The document shows Google officials knew that disclosure could have serious ramifications. Revealing the incident would likely result “in us coming into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal,” the memo said. It “almost guarantees Sundar will testify before Congress.” -WSJ

The breach promises to give Google an embarrassing black eye right after it  promised that it was less susceptible to data breaches like those which have affected Facebook. The news may also complicate Google's attempts to avoid unfavorable regulation in Washington. 

Pichai has agreed to testify in front of Congress in the coming weeks. 

"Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice," said a Google spokesman in a statement. 

The decision not to disclose the vulnerability was based on "whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response," said the spokesman. "None of these thresholds were met here."

Meanwhile, Google admits that while they have no evidence that the user data loophole was abused, they have no way of knowing for sure

The internal memo from legal and policy staff says the company has no evidence that any outside developers misused the data but acknowledges it has no way of knowing for sure. The profile data that was exposed included full names, email addresses, birth dates, gender, profile photos, places lived, occupation and relationship status; it didn’t include phone numbers, email messages, timeline posts, direct messages or any other type of communication data, one of the people said.

Google makes user data available to outside developers through more than 130 different public channels known as application programming interfaces, or APIs. These tools usually require a user’s permission to access any information, but they can be misused by unscrupulous actors posing as app developers to gain access to sensitive personal data. -WSJ

Google's recently formed task force, code named Project Strobe, has conducted a companywide audit of Google's APIs, according to people briefed on the process. The team consists of over 100 engineers, project managers and lawyers, according to the Journal. Google will reportedly clamp down on the data it provides outside developers via APIs - while stopping most outside developers from being able to access to SMS messaging data, call log data and various forms of contact data found on Android phones. Gmail, for example, will only permit a fraction of developers to continue building add-ons for the email service. 

Google faced pressure to rein in developer access to Gmail earlier this year, after a Wall Street Journal examination found that developers commonly use free email apps to hook users into giving up access to their inboxes without clearly stating what data they collect. In some cases, employees at these app companies have read people’s actual emails to improve their software algorithms.

The coming changes are evidence of a larger rethinking of data privacy at Google, which has in the past placed relatively few restrictions on how external apps access users’ data, provided those users give permission. Restricting access to APIs will hurt some developers who have been helping Google build a universe of useful apps. -WSJ

The Google+ problem was discovered in March of this year by the Project Strobe team - and allowed developers to retrieve the data of users who never intended to share it publicly, according to the memo and two people briefed on the matter. Thanks to a bug in the API code, profile data of users and their friends could be harvested, even if the data was specifically marked nonpublic in Google's privacy settings. 

In late march, Google ran tests for two weeks to determine the bug's impact - finding that it affected 496,951 users who could have shared private profile data with a friend, and then had that data accessed by an outside developer. Some of the exposed users included paying users of G suite - Google's array of productivity tools which includes Docs and Drive. 

Because the company kept a limited set of activity logs, it was unable to determine which users were affected and what types of data may potentially have been improperly collected, the two people briefed on the matter said. The bug existed since 2015, and it is unclear whether a larger number of users may have been affected over that time. -WSJ

Up to 438 apps were able to access the data, however Google says that after a full audit - none of the developers looked suspicious or had previous privacy complaints against them. That said, the admit to having a limited ability to know if any of them took advantage of the breach.