Google Exposed User Data, Feared Impact Of Public Disclosure
Google exposed the private data of hundreds of thousands of users of the Google+ social network, though it didn’t find evidence of misuse.
The company opted not to disclose the issue this past spring, in part because of fears doing so would draw regulatory scrutiny.
Google opted not to disclose to users its discovery of a bug that gave outside developers access to private data. It found no evidence of misuse.
Google exposed the private data of hundreds of thousands of users of the Google+ social network and then opted not to disclose the issue this past spring, in part because of fears that doing so would draw regulatory scrutiny and cause reputational damage, according to people briefed on the incident and documents reviewed by The Wall Street Journal.
As part of its response to the incident, the Alphabet Inc. unit announced a sweeping set of data privacy measures that include permanently shutting down all consumer functionality of Google+.
Monday’s move effectively puts the final nail in the coffin of a product that was launched in 2011 to challenge Facebook Inc. and is widely seen as one of Google’s biggest failures.
A software glitch in the social site gave outside developers potential access to private Google+ profile data between 2015 and March 2018, when internal investigators discovered and fixed the issue, according to the documents and people briefed on the incident. A memo reviewed by the Journal prepared by Google’s legal and policy staff and shared with senior executives warned that disclosing the incident would likely trigger “immediate regulatory interest” and invite comparisons to Facebook’s leak of user information to data firm Cambridge Analytica.
Chief Executive Sundar Pichai was briefed on the plan not to notify users after an internal committee had reached that decision, the people said.
The closure of Google+ is part of a broader review of privacy practices by Google that has determined the company needs tighter controls on several major products, the people said. In its announcement Monday, the company said it is curtailing the access it gives outside developers to user data on Android smartphones and Gmail.
The episode involving Google+, which hasn’t been previously reported, shows the company’s concerted efforts to avoid public scrutiny of how it handles user information, particularly at a time when regulators and consumer privacy groups are leading a charge to hold tech giants accountable for the vast power they wield over the personal data of billions of people.
The snafu threatens to give Google a black eye on privacy after public assurances that it was less susceptible to data gaffes like those that have befallen Facebook. It may also complicate Google’s attempts to stave off unfavorable regulation in Washington. Mr. Pichai recently agreed to testify before Congress in the coming weeks.
“Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice,” a Google spokesman said in a statement.
In weighing whether to disclose the incident, the company considered “whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response,” he said. “None of these thresholds were met here.”
The internal memo from legal and policy staff says the company has no evidence that any outside developers misused the data but acknowledges it has no way of knowing for sure. The profile data that was exposed included full names, email addresses, birth dates, gender, profile photos, places lived, occupation and relationship status; it didn’t include phone numbers, email messages, timeline posts, direct messages or any other type of communication data, one of the people said.
Google makes user data available to outside developers through more than 130 different public channels known as application programming interfaces, or APIs. These tools usually require a user’s permission to access any information, but they can be misused by unscrupulous actors posing as app developers to gain access to sensitive personal data.
A privacy task force formed inside Google, code named Project Strobe, has in recent months conducted a companywide audit of the company’s APIs, according to the people briefed on the process. The group is made up of more than 100 engineers, product managers and lawyers, the people said.
In a blog post on Monday, Google said it plans to clamp down on the data it provides outside developers through APIs. The company will stop letting most outside developers gain access to SMS messaging data, call log data and some forms of contact data on Android phones, and Gmail will only permit a small number of developers to continue building add-ons for the email service, the company said.
Google faced pressure to rein in developer access to Gmail earlier this year, after a Wall Street Journal examination found that developers commonly use free email apps to hook users into giving up access to their inboxes without clearly stating what data they collect. In some cases, employees at these app companies have read people’s actual emails to improve their software algorithms.
The coming changes are evidence of a larger rethinking of data privacy at Google, which has in the past placed relatively few restrictions on how external apps access users’ data, provided those users give permission. Restricting access to APIs will hurt some developers who have been helping Google build a universe of useful apps.
The Google+ data problem, discovered as part of the Strobe audit, was the result of a flaw in an API Google created to help app developers access an array of profile and contact information about the people who sign up to use their apps, as well as the people they are connected to on Google+. When a user grants a developer permission, any of the data they entered into a Google+ profile can be collected by the developer.
In March of this year, Google discovered that Google+ also permitted developers to retrieve the data of some users who never intended to share it publicly, according to the memo and two people briefed on the matter.
Because of a bug in the API, developers could collect the profile data of their users’ friends even if that data was explicitly marked nonpublic in Google’s privacy settings, the people said.
During a two-week period in late March, Google ran tests to determine the impact of the bug, one of the people said. It found 496,951 users who had shared private profile data with a friend could have had that data accessed by an outside developer, the person said. Some of the individuals whose data was exposed to potential misuse included paying users of G Suite, a set of productivity tools including Google Docs and Drive, the person said. G Suite customers include businesses, schools and governments.
Because the company kept a limited set of activity logs, it was unable to determine which users were affected and what types of data may potentially have been improperly collected, the two people briefed on the matter said.
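The access-control defect the article describes (a developer's grant from one user being honoured for that user's connections' nonpublic profile fields) and the logging gap it mentions, shown as an added illustration that is not Google's code. The visibility model, the user names and the field names are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List

PUBLIC, FRIENDS, PRIVATE = "public", "friends", "private"


@dataclass
class Profile:
    user_id: str
    fields: Dict[str, str]          # profile values, e.g. {"name": "Bob"}
    visibility: Dict[str, str]      # per-field audience: public/friends/private
    friends: List[str] = field(default_factory=list)


# Constructed sample directory (hypothetical users, not real data).
DIRECTORY: Dict[str, Profile] = {
    "alice": Profile("alice", {"name": "Alice"}, {"name": PUBLIC}, ["bob", "carol"]),
    "bob": Profile(
        "bob",
        {"name": "Bob", "email": "bob@example.com", "birthday": "1990-04-02"},
        {"name": PUBLIC, "email": FRIENDS, "birthday": PRIVATE},
        ["alice"],
    ),
    "carol": Profile(
        "carol",
        {"name": "Carol", "occupation": "Nurse", "relationship": "Married"},
        {"name": PUBLIC, "occupation": PUBLIC, "relationship": PRIVATE},
        ["alice"],
    ),
}


def connections_vulnerable(consenting_user: str) -> Dict[str, Dict[str, str]]:
    """Defect pattern: one user's consent is treated as covering the full
    profiles of everyone they are connected to; the connections' own
    visibility settings are never consulted."""
    me = DIRECTORY[consenting_user]
    return {fid: dict(DIRECTORY[fid].fields) for fid in me.friends}


def connections_hardened(consenting_user: str, app_id: str,
                         audit_log: List[dict]) -> Dict[str, Dict[str, str]]:
    """Hardened form: an app acting for `consenting_user` only receives
    fields that the *connection* marked public; friends-only and private
    fields are withheld because the connection never consented to the app.
    Every release is written to an audit log so the affected users and
    fields can be reconstructed later (the gap described in the article)."""
    me = DIRECTORY[consenting_user]
    out: Dict[str, Dict[str, str]] = {}
    for fid in me.friends:
        friend = DIRECTORY[fid]
        released = {k: v for k, v in friend.fields.items()
                    if friend.visibility.get(k, PRIVATE) == PUBLIC}
        out[fid] = released
        audit_log.append({"app": app_id, "on_behalf_of": consenting_user,
                          "subject": fid, "fields": sorted(released)})
    return out


if __name__ == "__main__":
    log: List[dict] = []
    print("vulnerable:", connections_vulnerable("alice"))
    print("hardened:  ", connections_hardened("alice", "app-123", log))
    print("audit:", log)
```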
The bug existed since 2015, and it is unclear whether a larger number of users may have been affected over that time.
Google believes up to 438 applications had access to the unauthorized Google+ data, the people said. Strobe investigators, after testing some of the apps and checking to see if any of the developers had previous complaints against them, determined none of the developers looked suspicious, the people said.
The company’s ability to determine what was done with the data was limited because the company doesn’t have “audit rights” over its developers, the memo said. The company didn’t call or visit with any of the developers, the people said.
The question of whether to notify users went before Google’s Privacy and Data Protection Office, a council of top product executives who oversee key decisions relating to privacy, the people said.
Internal lawyers advised that Google wasn’t legally required to disclose the incident to the public, the people said. Because the company didn’t know which developers may have had what data, the group also didn’t believe notifying users would give any actionable benefit to the end users, the people said.
The memo from legal and policy staff wasn’t a factor in the decision, said a person familiar with the process, but reflected internal disagreements over how to handle the matter.
The document shows Google officials knew that disclosure could have serious ramifications.
Revealing the incident would likely result “in us coming into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal,” the memo said. It “almost guarantees Sundar will testify before Congress.”
A range of factors go into determining whether a company must notify users of a potential data breach. There is no federal breach notification law in the U.S., so companies must navigate a patchwork of state laws with differing standards, said Al Saikali, a lawyer with Shook, Hardy & Bacon LLP. He isn’t affiliated with any of the parties.
While many companies wouldn’t notify users if a name and birth date were accessed, some firms would, Mr. Saikali said. Some firms notify users even when it is unclear that the data in question was accessed, he said. “Fifty percent of the cases I work on are judgment calls,” he said. “Only about half the time do you get conclusive evidence that says that this bad guy did access information.”
Europe’s General Data Protection Regulation, which went into effect in May of this year, requires companies to notify regulators of breaches within 72 hours, under threat of a maximum fine of 2% of world-wide revenue. The information potentially leaked via Google’s API would constitute personal information under GDPR, but because the problem was discovered in March, it wouldn’t have been covered under the European regulation, Mr. Saikali said.
Google could also face class-action lawsuits over its decision not to disclose the incident, Mr. Saikali said. “The story here that the plaintiffs will tell is that Google knew something here and hid it. That by itself is enough to make the lawyers salivate,” he said.
In its contracts with paid users of G Suite apps, Google tells customers it will notify them about any incidents involving their data “promptly and without undue delay” and will “promptly take reasonable steps to minimize harm.” That requirement may not apply to Google+ profile data, however, even if it belonged to a G Suite customer.
RIP Google+. We Hardly Knew Ye.
End of Google+ for consumers formalizes the failure of Google’s efforts to compete in social media.
Few tears were shed Monday over the death of Google+, the search giant’s oft-derided effort at challenging Facebook Inc. in social media.
It is easy to forget now that there was a time when Google+ represented an exclusive club, with millions of internet users clamoring to get in. At its ballyhooed launch in 2011, Google doled out private invitations, leaving the masses eager to gain access—a strategy that worked to great success with the company’s rollout of Gmail.
But then Google, now a unit of Alphabet Inc., found that socializing online was harder than it looked.
Seven years and hundreds of millions of dollars of investment later, Google has decided to abandon the effort, saying on Monday that it will kill off Google+ for consumers. Earlier in the day, The Wall Street Journal reported that Google had exposed the private data of nearly 500,000 users of Google+ and in the spring opted against informing users.
“It was dead on arrival,” said Youssef Squali, lead internet analyst at SunTrust Robinson Humphrey. When Google launched Google+, Mr. Squali said, Facebook was already dominating the space.
“Google was trying to be more powerful than the Pope.”
The move to shut down Google+ formalizes Google’s failure to build a social network with staying power and highlights the challenge for other players to compete with Facebook, the world’s most successful social platform. It is clear in hindsight, though, that the opportunity was there.
Facebook rolled out Messenger in 2011. It bought Instagram in 2012 and WhatsApp in 2014, adding to its lineup of apps as Google+ languished.
“With these business models, it’s really winner takes all,” Mr. Squali said. “Unless you’re trying to focus on a totally different niche, it’s almost impossible to displace the incumbent.”
Facebook now owns four of the top social-media apps, a degree of dominance that has helped to insulate the company from competitive challenges as it faces repeated questions over its data-handling practices.
And even in the shadow of Facebook, other companies have managed to build social networks that attract more devoted users.
Snap Inc. launched Snapchat in 2011, the same year as Google+, and now counts 188 million people who use its app daily. Twitter, which was launched in 2006, says it has 335 million people who use its service monthly.
For the social-media industry, Google’s failure is particularly notable because Google had advantages other social-media aspirants can only dream of: colossal pockets and billions of people who use its other products daily.
This spurred Facebook to take seriously the threat posed by Google. When Google+ was launched, Facebook Chief Executive Mark Zuckerberg declared “lockdown,” meaning employees should devote their full attention to the threat while it remained, according to “Chaos Monkeys,” a book by Antonio García Martínez, a former product manager for Facebook.
Google attempted to differentiate Google+ with an emphasis on so-called circles of different friend groups. But users found this organization confusing. To help juice its growth, Google temporarily required users to sign up to Google+ to perform functions on other services, such as uploading videos and posting comments on YouTube, but eventually dropped the requirement after users complained.
By 2012, Google+ was already falling short of expectations. In that year, data from comScore showed users weren’t staying on Google+. Other companies that built integrations with Google+, such as Zynga Inc. and Intel Corp., said they were disappointed by the level of activity on Google’s social network.
While the company boasted more than 300 million members of Google+ in 2013, a high percentage of what Google counted as “active users” were just people who clicked into the site by accident from another Google page, a person familiar with the matter said.
One bright spot is that many companies still use Google+ for their employees to communicate.
Google said Monday that it plans to launch social features specifically built for businesses.
Senate Letter Criticizes Google For Failure To Disclose Data Vulnerability
Commerce committee chair Thune notes Google kept silent even amid congressional testimony on the issue.
Top lawmakers sent a stinging letter to Google on Thursday over its handling of a data vulnerability that affected hundreds of thousands of users of its Google+ social media service.
Senate Commerce Committee Chairman John Thune (R., S.D.), in a letter delivered on Thursday, joined two subcommittee chairmen in saying they found it “troubling” that Google failed to disclose the vulnerability after it was discovered.
“At the same time that Facebook was learning the important lesson that tech firms must be forthright with the public about privacy issues, Google apparently elected to withhold information about a relevant vulnerability for fear of public scrutiny,” the lawmakers wrote.
The letter said its authors were “especially disappointed” that Google’s chief privacy officer testified before the Commerce Committee just a few weeks ago “and did not take the opportunity to provide information regarding this very relevant issue to the committee.”
The Wall Street Journal reported earlier this week that Google exposed the private data of hundreds of thousands of users of its Google+ social network. The company, a unit of Alphabet Inc., chose not to disclose the issue earlier this year, in part because of worries that news of the incident would bring on regulatory scrutiny and reputational damage, according to interviews and documents.
The letter—signed by Sens. Jerry Moran (R., Kan.) and Roger Wicker (R., Miss.), in addition to Mr. Thune—added: “Google must be more forthcoming with the public and lawmakers if the company is to maintain or regain the trust of the users of its services.” The letter requests written answers to a series of questions including whether Google disclosed the matter to federal regulators and whether it has had any similar incidents that it hasn’t yet disclosed.
The letter illustrates how Google’s troubles on Capitol Hill are mounting in the wake of the Google+ revelations. At a Senate hearing on privacy issues Wednesday, Sen. Thune said it is increasingly clear from the Google+ incident, as well as from Facebook Inc.’s earlier Cambridge Analytica scandal, that industry self-regulation is no longer sufficient to protect users’ privacy, and that a “national standard for privacy rules of the road” will be needed.
The Federal Trade Commission is probing an incident in which data of up to 50 million Facebook users was transferred to Cambridge Analytica, a data firm that worked for President Trump during the 2016 campaign.
Google didn’t immediately respond to a request for comment on Thursday.
As part of its response to the Google+ incident, Google on Monday announced a broad set of data-privacy measures that include permanently shutting down all consumer functionality of Google+. The company also said it is curtailing the access it gives outside developers to user data from smartphones that run on its Android operating system and its Gmail service.
“Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice,” a Google spokesman said at the time.
At Wednesday’s hearing, Democrats joined Republicans in their criticism of Google, including the news that it had effectively sought to keep its problems quiet to avoid the same scrutiny Facebook received.
Sen. Richard Blumenthal (D., Conn.) said he would send a letter to the Federal Trade Commission urging an investigation of the Google+ incident. “I think this kind of deliberate concealment is absolutely intolerable,” he said.
Congressional legislation could beef up data-privacy protections for consumers, while handing much of the work of writing detailed rules to a strengthened FTC. The FTC currently lacks much rule-making authority when it comes to online data privacy and has limited ability to impose fines for violations. Congress also could push companies to do more to prevent data breaches.
Google to Accelerate Closure of Google+ Social Network After Finding New Software Bug
Newly discovered bug exposed data of 52 million users; move comes day before Google CEO is to testify before Congress for the first time.
Google said it would close the consumer version of its Google+ social network earlier than planned after discovering a new software bug that exposed the private profile information of 52 million users to outside app developers.
The Alphabet Inc. unit said it introduced the bug during a software update on Nov. 6 and fixed the issue less than a week later. Google’s investigators didn’t find any evidence developers misused data, the company said in a blog post.
The announcement is likely to turn up the pressure on Chief Executive Sundar Pichai when he testifies on Tuesday before Congress, with privacy issues expected to be high on the agenda. The software problem may also raise flags with regulators in Europe, whose General Data Protection Regulation requires companies to notify regulators of breaches within 72 hours, under threat of a maximum fine of 2% of world-wide revenue.
The Wall Street Journal reported in October that Google exposed the private data of hundreds of thousands of users of the Google+ social network and then opted not to disclose the issue this past spring, in part because of fears that doing so would draw regulatory scrutiny.
Soon thereafter, Google said it would end consumer functionality of Google+ by August 2019. On Monday, it said it would speed up that timetable to April.
It said it would also close a collection of related developer tools within 90 days.