Google has confirmed that it is shutting down Google+, a social network that was launched to rival Facebook but failed to make an impact. However, the big news is not that Google+ is finally shutting down, which seemed inevitable, but that Google kept quiet about a data leak that potentially exposed up to 500,000 accounts.
According to a Wall Street Journal report, Google found the software bug in its API in March 2018, though it had existed since 2015. The company decided against reporting the incident because doing so would “trigger immediate regulatory interest”, the report adds. WSJ quoted from an internal memo; Google’s legal and policy staff reviewed the issue and took the decision not to disclose it. CEO Sundar Pichai was kept in the loop on this decision.
The report says Google was worried that making this issue public would lead to comparisons with Facebook and the Cambridge Analytica scandal.
Google finally put out a blog post highlighting the issue, but its move is likely to invite more criticism and scrutiny, especially since the company has admitted it does not even know which accounts were impacted.
An internal security team – called Project Strobe – at Google discovered the issue with Google+ and other privacy problems on products like Gmail and Android. Project Strobe carried out what Google calls a “root-and-branch review of third-party developer access to Google account and Android device data.”
It also looked at areas where developers may have been granted overly broad access, which has been a problem on Android for quite some time. So what has happened in Google’s data leak? Here’s everything we know so far.
Google+ data leak: What happened?
The big takeaway for now is that Google+ is shutting down, but only the consumer version. An enterprise version will continue to exist. A review of APIs associated with Google+ revealed serious security flaws, and one bug in particular granted app developers access to user profile fields that were not marked as public.
Essentially, data that was supposed to be limited to friends and circles could also be accessed by some app developers. Users can grant Google+ apps access to their own Profile data and to information from the public profiles of their friends; the bug meant that friends’ non-public fields came along as well. The software bug was found in one of the Google+ People APIs.
While Google insists that 90 per cent of Google+ user sessions last less than five seconds, the problem is that everyone with a Gmail or Google account automatically has a G+ account. Many users might not even remember that they have one.
Google claims the exposed data is limited to Profile fields such as name, email address, occupation, gender and age. It insists that other data users posted to Google+, or to any other service, was not leaked. The company has said that Google+ posts, messages, Google account data, phone numbers and G Suite content were not affected.
The company admits it found the bug in March 2018, and says it found no evidence of misuse of the data by app developers.
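As an added illustration, not Google’s code and not the real People API, the following Python models the class of bug described above. The profile schema, field names and visibility labels are assumptions, and the sample profile is constructed. It contrasts an API response that reuses the granting user’s own view of a friend’s profile (which hands the app fields the friend limited to circles) with the intended public-fields-only response, and includes an audit helper that lists which fields leak.

```python
# Added illustrative model of a profile-visibility bug of the kind described
# in the article. Not Google's code: the schema, field names and visibility
# labels are assumptions used only to show the bug class and its fix.
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Visibility(Enum):
    PUBLIC = "public"    # anyone, including third-party apps
    CIRCLES = "circles"  # only people the owner has added to a circle
    PRIVATE = "private"  # only the owner


@dataclass
class ProfileField:
    value: str
    visibility: Visibility


@dataclass
class Profile:
    user_id: str
    fields: dict[str, ProfileField]
    circles: set[str] = field(default_factory=set)  # ids the owner has circled


def fields_visible_to_user(profile: Profile, viewer_id: str) -> dict[str, str]:
    """What a logged-in person may see of another user's profile in the UI."""
    out: dict[str, str] = {}
    for name, f in profile.fields.items():
        if viewer_id == profile.user_id:
            out[name] = f.value
        elif f.visibility is Visibility.PUBLIC:
            out[name] = f.value
        elif f.visibility is Visibility.CIRCLES and viewer_id in profile.circles:
            out[name] = f.value
    return out


def api_friend_profile_vulnerable(profile: Profile, granting_user_id: str) -> dict[str, str]:
    """Buggy behaviour: the API answers a third-party app with the granting
    user's own view of the friend, so fields the friend limited to circles
    are handed to the app along with the public ones."""
    return fields_visible_to_user(profile, granting_user_id)


def api_friend_profile_fixed(profile: Profile, granting_user_id: str) -> dict[str, str]:
    """Intended behaviour: for friends' profiles an app is only authorised to
    read fields marked public, whoever the granting user is."""
    return {name: f.value for name, f in profile.fields.items()
            if f.visibility is Visibility.PUBLIC}


def leaked_fields(profile: Profile, granting_user_id: str) -> set[str]:
    """Audit helper: field names the app received under the bug that it
    should not have, i.e. the difference between the two responses."""
    got = api_friend_profile_vulnerable(profile, granting_user_id)
    allowed = api_friend_profile_fixed(profile, granting_user_id)
    return set(got) - set(allowed)


# Constructed sample: a friend who shares name and occupation publicly,
# email and gender with circles only, and keeps age private.
FRIEND = Profile(
    user_id="friend",
    fields={
        "name": ProfileField("A. Friend", Visibility.PUBLIC),
        "occupation": ProfileField("Engineer", Visibility.PUBLIC),
        "email": ProfileField("friend@example.com", Visibility.CIRCLES),
        "gender": ProfileField("female", Visibility.CIRCLES),
        "age": ProfileField("34", Visibility.PRIVATE),
    },
    circles={"alice"},  # alice is in the friend's circles; bob is not
)

if __name__ == "__main__":
    print("app acting for alice got:", api_friend_profile_vulnerable(FRIEND, "alice"))
    print("it should have got:      ", api_friend_profile_fixed(FRIEND, "alice"))
    print("leaked fields:           ", leaked_fields(FRIEND, "alice"))
```

The point of the audit helper is the one Google could not answer: the bug is invisible in the API response itself, so the only way to know what a given app received is to replay its requests against both the old and the corrected visibility rules, and that needs request logs that in Google’s case were kept for only two weeks.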
Google data leak: How many users are impacted?
Google admits that it kept the log data for this particular API for only two weeks, which means it cannot confirm which user accounts were affected by this bug. The company’s own estimate is that up to 500,000 Google+ accounts were potentially affected.
Up to 438 applications may have used this API. Google also insists there is no “evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any Profile data was misused,” according to the blog.
The company says its “Privacy & Data Protection Office” has also reviewed the problem and found no evidence of misuse. Once again, since Google is not even sure which accounts were affected, users may never know whether their account was among them.
Google has also not named the apps that used this API, which would have given users a clearer view of the whole situation.
So why is Google+ shutting down?
Google says its review highlighted major challenges in maintaining the social network, and that because of low usage it has decided to end the consumer version of the site.
Google will wind down the consumer version of Google+ over a 10-month period, to be completed by August 2019. Consumers will be given more information on how they can download and migrate their data. Google+ also has an enterprise version, which the company says is better suited to its plans.
“We’ve decided to focus on our enterprise efforts and will be launching new features purpose-built for businesses,” notes the blog post.
Google data leak: What about data shared with apps?
Google is addressing the issue by launching more “granular” account permissions, each shown in its own dialog box. So when you give an app access to your Google Account data in the future, you will have more control over which data you choose to share.
In the current flow, when you give an app permission to access your Google account, all requested permissions are shown on a single screen and granted together.
In the future, third-party “apps will have to show you each requested permission, one at a time, within its own dialog box,” notes the blog.
The user will then have control over which ones they do not wish to share. So if an app wants access to both your calendar and your Drive documents, you can decide to grant one and refuse the other. Each permission will have to be separately approved by the user.
Google data leak: What about Gmail and third-party app access?
In July this year it was reported that Google may have let third-party app developers read private messages in Gmail. The Wall Street Journal had said that third-party app developers were allowed to go through Gmail messages under the guise of offering users better products and services.
Some of these app companies relied on machines to sift through the messages, while others had employees reading users’ emails. The practice continued despite Google’s 2017 promise that it would stop scanning users’ messages itself, and was seen as a major privacy breach.
Now Google has said it will limit the types of use case permitted for apps that a user has granted access to Gmail. The “User Data Policy” for the consumer Gmail API will be updated to restrict which apps may seek permission to access consumer Gmail data. All app developers and their companies will have to agree to the new rules on handling Gmail data.
“Apps that can improve email functionality—such as email clients, email backup services and productivity services (e.g., CRM and mail merge services)—will be authorised to access this data,” notes the blog post.
Google data leak: Limiting apps from Call Log, SMS on Android
Google is finally addressing the issue of Android apps accessing Call Log and SMS data. Google’s findings showed that even when users grant these kinds of permissions, they have particular uses in mind for each app.
One of the problems on Android has been that almost every app wants access to SMS, call logs and contacts, even when it does not need them for its basic functionality. Apple takes a much stricter approach on iOS, where apps cannot demand access to Call Log data with such ease.
The company is now limiting which apps can obtain Call Log and SMS permissions on Android devices. It will also remove “contact interaction data”, which was earlier available via the Android Contacts API. Google Play will start limiting which apps are allowed to request these permissions.
What is not clear is how soon this will be implemented.
“Only an app that you’ve selected as your default app for making calls or text messages will be able to make these requests,” notes the blog, though some apps, such as voicemail and backup apps, will be exceptions to this rule.
Earlier, the Android Contacts API also exposed interaction data, such as the most recently contacted people in a messaging app. Going forward this information will be removed from the API.
Again, the blog says this will take place within the next few months, but no specific timeline has been set. Google is promising “additional controls and updated policies across more APIs.”
Google Plus issue: What can I do to secure my account?
Google is not sure which accounts were affected in this Google+ fiasco. However, users can go to their Google account settings, open their Google+ profile and delete it. In the Google+ profile, you will see the Settings option on the left-hand side, just below the Notifications tab.
Open the settings for Google+ and keep scrolling down. At the bottom you will see an option to delete your Google+ profile. Click on that, and Google will ask you to sign in to your account once again on a separate page. You will then get the option to delete the Google+ profile.
Google’s page notes, “Some data will be kept, and some data will be deleted or converted. You may lose access to some services and functionality.” For those who do not remember, Google had linked G+ to YouTube accounts, so keep in mind this will have some impact there.
The page notes, “Your YouTube channel will be kept, along with your videos and playlists. You will continue to have access to YouTube. Some YouTube-related content will be kept, while other content will be deleted.”
Google’s page notes, “For content created after November, 2015, the content created on YouTube will be kept, while content created on Google+ will be deleted.”
The page further adds:
Any post you created on Google+ about one of your own videos will be deleted from Google+. If it is also visible on YouTube, it will continue to appear on YouTube.
Any comment you created on YouTube in response to a video, which is also visible on Google+ as a Google+ post, will still exist on YouTube but will be deleted from Google+.
Any comment you created on Google+ that is now only visible on YouTube, in relation to a post someone else made about a YouTube video, will still exist on YouTube.
Any +1 that you added on Google+ that is now only visible on YouTube as a like, in relation to a post someone else made about a YouTube video, will still exist on YouTube.
Any other posts, replies, comments or +1s relating to a YouTube video that you created originally on either Google+ or YouTube but which only now appear on Google+ will be deleted.
Note that deleting your public profile will not affect the status of your Google Account. Your Gmail, Google Docs and Google Drive data will remain untouched.