Google chose not to go public about bug that exposed Google Plus users’ data

Graham Cluley

The big news today is not that Google has decided to shut down Google Plus for consumers.

The big news, as the Wall Street Journal reports, is that after the personal data of hundreds of thousands of Google Plus users had been left exposed for years, Google chose not to go public about the incident, fearful of the repercussions as Facebook was facing its own Cambridge Analytica moment.

Fortunately, things could have been worse. The data exposed included names, email addresses, dates of birth, gender, profile photographs, places lived, relationship status, and occupation. What it did not include were messages and phone numbers. Still, in 2018, no-one wants an online service to leak any of the data that they consider personal and private.

No-one, not even Google, knows for sure how many Google Plus users had their personal data exposed to third-party app developers due to a bug in its API which was present from 2015 until March this year.

But in a blog post seemingly published in an attempt to take some of the sting out of the Wall Street Journal report, Google revealed that – despite approximately 500,000 Google Plus profiles potentially having been affected in just the two weeks prior to patching the bug, and 438 separate third-party applications having had access to the unauthorised Google Plus data – it has not seen any evidence that any profile data was misused.

Of course, as we all know, an absence of evidence is not evidence of absence. If the profile data had been misused, it is very possible that Google would simply have no knowledge of the fact.

What it was very aware of, however, if a memo referred to in the WSJ report is to be believed, is the potential damage that could be done by details of the privacy breach becoming public – both in terms of its reputation, and of the future growth of Google Plus:

Internal lawyers advised that Google wasn’t legally required to disclose the incident to the public, the people said. Because the company didn’t know what developers may have what data, the group also didn’t believe notifying users would give any actionable benefit to the end users, the people said.

The memo from legal and policy staff wasn’t a factor in the decision, said a person familiar with the process, but reflected internal disagreements over how to handle the matter.

The document shows Google officials knew that disclosure could have serious ramifications. Revealing the incident would likely result “in us coming into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal,” the memo said. It “almost guarantees Sundar will testify before Congress.”

Google says that it will be winding down Google Plus over the next 10 months, and plans to complete the process by the end of August 2019. From the sound of things, their intention is to try to still get some value out of their Google Plus investment by offering it as an internal communications tool for the workplace – rather than for the great unwashed public.

But the really big news today is not that Google is finally shutting down Google Plus (who cares?). The big story is that Google knew months ago that user data had been exposed and chose to keep the fact quiet. Did no-one tell them that cover-ups are always worse than coming clean?

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

2 Replies to “Google chose not to go public about bug that exposed Google Plus users’ data”

  1. Given that Google actively looks for bugs in their competitors' software, and chooses to publish them if said competitor doesn't fix them quickly enough for Google's liking, that's pretty shocking behaviour. Good thing no one used Google+….

  2. Must have asked Uber how best to handle this? Thankfully, there are whistle-blowers inside the "Let's Be Evil" Corp. Thank God Mr. Robot returns soon to combat "Evil Corp"!
