Google said Monday it was shutting down Google+, the social network it had launched in 2011 in an unsuccessful bid to rival Facebook. More importantly, Google acknowledged it had failed to disclose a software bug that had potentially exposed the profile data of up to 500,000 accounts to third-party developers.
Google’s statement, issued through a blog post, came after the Wall Street Journal, quoting from an internal memo, reported that Google had discovered the bug in a Google+ application programming interface (API) in March this year (though it had existed since 2015), but had decided not to make it public because disclosure would “trigger immediate regulatory interest” and invite comparisons with Facebook and the Cambridge Analytica scandal.
Google+ data leak: What happened?
A review of the APIs associated with Google+, carried out under an internal effort called Project Strobe, found a bug in one of the Google+ People APIs. Through these APIs, a user can grant a Google+ app access to their own profile data and to the public profile information of their friends. Because of the bug, apps were also given profile fields that friends had shared with that user but had not marked as public. So data that was supposed to be limited to friends and circles was available to some app developers.
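The bug class described above, illustrated as an added example that is not Google’s code and not a reconstruction of the actual Google+ People API. It assumes a hypothetical data model with per-field visibility (public, friends, private) and shows the two checks side by side: a buggy handler that reuses the consenting user’s own visibility when serving the user’s friends to a third-party app, and a corrected handler that gives the app only public fields of anyone other than the consenting user.

```python
"""Field-level authorization for a profile API (hypothetical model, added
illustration). A third-party app acting for user A may read A's own profile
fields, but only the PUBLIC fields of A's friends. The bug pattern is to
apply A's (human) visibility to the friend's profile instead of the app's
narrower entitlement."""

from dataclasses import dataclass, field
from typing import Dict, Set

PUBLIC = "public"
FRIENDS = "friends"
PRIVATE = "private"


@dataclass
class Profile:
    user_id: str
    fields: Dict[str, str]          # field name -> value
    visibility: Dict[str, str]      # field name -> PUBLIC / FRIENDS / PRIVATE
    friends: Set[str] = field(default_factory=set)


# Constructed sample data for the example (not real accounts).
PROFILES = {
    "alice": Profile(
        "alice",
        {"name": "Alice", "email": "alice@example.com", "occupation": "Engineer"},
        {"name": PUBLIC, "email": FRIENDS, "occupation": FRIENDS},
        {"bob"},
    ),
    "bob": Profile(
        "bob",
        {"name": "Bob", "email": "bob@example.com", "age": "34"},
        {"name": PUBLIC, "email": FRIENDS, "age": PRIVATE},
        {"alice"},
    ),
}


def visible_to_user(profile: Profile, viewer_id: str) -> Dict[str, str]:
    """What a human viewer may see on the site: everything on their own
    profile, PUBLIC and FRIENDS fields of a friend, PUBLIC fields of others."""
    if viewer_id == profile.user_id:
        allowed = {PUBLIC, FRIENDS, PRIVATE}
    elif viewer_id in profile.friends:
        allowed = {PUBLIC, FRIENDS}
    else:
        allowed = {PUBLIC}
    return {k: v for k, v in profile.fields.items() if profile.visibility[k] in allowed}


def people_api_buggy(app_user_id: str, target_id: str) -> Dict[str, str]:
    """Bug pattern: the API hands the app whatever the consenting user could
    see, so friends-only fields of the target leak to the developer."""
    return visible_to_user(PROFILES[target_id], app_user_id)


def people_api_fixed(app_user_id: str, target_id: str) -> Dict[str, str]:
    """Corrected check: the app gets the consenting user's own fields, and for
    anyone else only fields explicitly marked PUBLIC, regardless of friendship."""
    profile = PROFILES[target_id]
    if target_id == app_user_id:
        return visible_to_user(profile, app_user_id)
    return {k: v for k, v in profile.fields.items() if profile.visibility[k] == PUBLIC}


if __name__ == "__main__":
    # Alice has authorised an app; the app asks for her friend Bob's profile.
    print("buggy:", people_api_buggy("alice", "bob"))   # leaks Bob's friends-only email
    print("fixed:", people_api_fixed("alice", "bob"))   # only Bob's public name
```

The check that matters is the one in people_api_fixed: the requester’s entitlement (a third-party app) is evaluated separately from the human user’s, rather than inherited from it. Note also that in neither version does a private field (Bob’s age) reach the app; the leak is specifically the friends-only tier, which matches the page’s description of data “limited to friends and circles”.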
While Google insists 90% of Google+ user sessions last less than five seconds, the problem is that many people with a Gmail or Google account were given a Google+ profile automatically when they signed up, something they may not even remember.
Google says the exposed data was limited to static, optional Profile fields such as name, email address, occupation, gender and age. It insists that other data users posted to Google+, or to any other Google service, was not exposed, and that Google+ posts, messages, Google account data, phone numbers and G Suite content remain secure.
How many users are impacted?
Google has said that it only keeps the log data for this particular API for two weeks, which means it cannot confirm which user accounts were affected by the bug. It has, however, estimated that up to 500,000 Google+ accounts could have been affected. While up to 438 applications may have used this API, Google has said in the post that there is no “evidence that any developer was aware of this bug, or abusing the API”, and that it has found “no evidence that any Profile data was misused”. But since Google is not sure which accounts were impacted, and has not named the apps that used this API, users cannot even guess whether they were affected.
So why is Google+ shutting down?
Google has determined it is no longer possible to maintain the social network while meeting consumer needs and expectations. “Given these challenges and the very low usage of the consumer version of Google+, we decided to sunset the consumer version of Google+,” it has said. Google+ will be wound down over a 10-month period, to be completed by August 2019. Consumers will be given more information on how they can download and migrate their data. The enterprise version remains.
What about the data shared with apps?
Google has said it will launch more “granular” account permissions, presented in individual dialog boxes. Currently, when you give an app permission to access your Google account, all requested permissions are shown on a single screen and granted together. In future, you will have greater control over what data you choose to share: third-party “apps will have to show you each requested permission, one at a time, within its own dialog box”. So if an app wants access to, say, your calendar and your Drive documents, you can decide to share one and not the other.
Has someone been reading your Gmail?
The WSJ reported this July that Google allowed third-party app developers to read private messages in Gmail, ostensibly so they could offer users better products and services; in some cases the developers’ employees, not just software, read the messages. Google had promised in 2017 that it would stop scanning Gmail content to personalise ads, and the report that outside developers could still read mail was seen as a major breach of privacy.
Google has now said it will update the “User Data Policy” for the consumer Gmail API, and will limit the apps that seek permission to access consumer Gmail data. All app developers and their companies will have to agree to the new rules. “Apps that can improve email functionality — such as email clients, email backup services and productivity services (e.g., CRM and mail merge services) — will be authorised to access this data,” says the blog post.
What about the issue of apps accessing call logs and SMS?
Many Android apps request access to SMS, call logs and contacts, even when they do not need them for their basic functioning. (Apple is stricter; iOS does not let third-party apps read the call log.) Google has now said it will limit the apps that can receive call log and SMS permissions, and will no longer make “contact interaction data” available via the Android Contacts API. Google Play will start limiting the apps that are allowed to hold these permissions, but it is not clear how soon this will be implemented.
How can the account be secured now?
Google is not sure which accounts were affected. But you can still go to your Google account settings, open your Google+ profile, and delete it. Google has warned that “some data will be kept, and some data will be deleted or converted,” and that “you may lose access to some services and functionality.”