After months of hiding a relative pipsqueak of a data breach that happened through a Google+ API, Google on Monday ‘fessed up, said it was shuttering its Facebook-wannabe-but-never-gonna-happen social media platform, and was looking at a potential class action lawsuit that got filed within hours of the breach disclosure.
Google said in its blog post that at the beginning of this year, it began a review – dubbed Project Strobe – of third-party developer access to its data and thus came to a conclusion that everybody already knew: close to nobody likes Google+ and just about nobody uses it:
The consumer version of Google+ currently has low usage and engagement: 90 percent of Google+ user sessions are less than five seconds.
OK, so… Action No. 1: shut down Google+ for consumers. Project Strobe had showed that Google+ APIs, and the associated consumer controls, were both tough to develop and a bear to maintain, Google said.
Oh, and by the way, there was a bug in the Google+ People API that affected half a million accounts… a bug that it discovered in March, immediately fixed, and only mentioned on Monday.
Google said it doesn’t know which users were affected by the bug, but it does know that the number was about 500,000 Google+ profiles. The bug meant that third parties could have gotten access to a long list of data types not meant to be seen by anybody but account owners themselves, including name, email address, occupation, gender and age, among others.
For the full list of data types handled by the People API, check Google’s developer site. Google says that up to 438 apps may have used that API.
The bug itself isn’t that big a deal. Google found it and closed it, and it only affected 500,000 people, which is nothing compared with the recent Facebook breach in either the number of people or the data leaked.
The bug allowed G+ apps to access the sort of personally identifying information (PII) that would be useful for social engineering but, again, nothing compared with what Facebook let Cambridge Analytica get at or the 2017 Equifax breach, which affected an initial 145.5 million Americans, 15.2 Brits, some 100,000 Canadians, plus a subsequent round of 2.4 million Americans.
What makes the Google+ leak newsworthy isn’t its size or the nature of the data involved. In fact, Google says it hasn’t found evidence that any developer was even aware of the bug or that any of them had abused the API, and it hasn’t found that any Profile data was misused.
What is noteworthy is the fact that we haven’t heard about the leak until now, and that it’s led to the closure of G+.
According to the Wall Street Journal, back in March, when Google first discovered the bug, it chose not to disclose it out of fear of regulatory scrutiny and a tarnished reputation.
The WSJ quoted an internal Google memo that said that coming clean about the data breach would draw “immediate regulatory interest” and would invite comparisons to Facebook’s leaking of user data to Cambridge Analytica.
Google insiders told the WSJ that shuttering Google+ is just part of a broader review of privacy practices that’s led the company to the conclusion that it needs tighter controls on several major products.
One aspect of that tighter control will be curtailment of the access it gives outside developers to user data on Android smartphones and Gmail, Google says. The company is updating its User Data Policy for the consumer Gmail API to limit the apps that may seek permission to access consumer Gmail data, for one thing. The only apps that will be authorized to get at the data will be those that directly enhance email functionality – such as email clients, email backup services and productivity services such as customer relationship management (CRM) and mail-merge services. Even those apps are going to have to agree to new rules on handling Gmail data and will be subjected to security assessments. Developers can get the details here.
Google’s also setting new limits on which apps can access phone and SMS data, including call logs. Only an app that you’ve selected as your default app for making calls or text messages will be able to make these requests, with exceptions made for apps such as those for voicemail and backup.
Google is also planning to remove API access to Android Contacts interaction data within the next few months.
Was it a coverup?
Some are accusing Google of a coverup because the discovery of the bug occurred around the time of the Cambridge Analytica breach.
The WSJ report does point to this being something that Google agreed to keep quiet, and that the Cambridge Analytica fiasco helped push Google toward that decision. Whether the lack of disclosure was, in fact, illegal could well come out if the breach comes under scrutiny in a proposed class action lawsuit filed in federal court in San Francisco on Monday.
From the civil complaint:
Worse, after discovery of this vulnerability in the Google+ platform, Defendants kept silent for at least seven months, making a calculated decision not to inform users that their Personal Information was compromised, further compromising the privacy of consumers‘ information and exposing them to risk of identity theft or worse.
Two Google+ users, Matt Matic and Zak Harris, are alleging violations of California’s Unfair Competition Law, negligence, and invasion of privacy, among other claims.
Coverup? Well, what we do know is that Google, through Project Zero, is all for the ruthless exposure of bugs, much to the (repeated) dismay of companies such as Microsoft. Through Project Zero, Google privately discloses bugs, which sets off a 90-days-to-fix deadline, after which it publicly discloses flaws, regardless of whether they’ve been fixed or not.
Is Google using a double standard for itself in this case? Did it avoid disclosure in order to avoid embarrassment and comparison to Facebook, as insiders have reportedly said?
We’ll let the potential court proceedings shed more light on the “coverup” charge, but it’s worth noting that some security researchers don’t think this Google+ API thing even merits the term “breach.” Here’s Thomas H. Ptacek:
Look, I am just not having this.— Thomas Ptacek (@tqbf) October 8, 2018
Vulnerabilities you discover internally — rather than in a security incident where they were discovered, or reported unbidden by a third party — ARE NOT BREACHES.
Words mean things.
And as far as closing down consumer Google+ goes, when Google says that…
Finding 2: People want fine-grained controls over the data they share with apps.
… we can read that as Google saying: It’s not worth the effort of tightening up G+, because it’s hard and nobody is using G+.