Google chose not to go public about bug that exposed Google Plus users’ data

Goodbye Google Plus, no-one ever liked you.


The big news today is not that Google has decided to shut down Google Plus for consumers.

The big news, as the Wall Street Journal reports, is that after the personal data of hundreds of thousands of Google Plus users had been left exposed for years, Google chose not to go public about the incident, fearful of the repercussions as Facebook was facing its own Cambridge Analytica moment.

Fortunately, things could have been worse. The data exposed included names, email addresses, dates of birth, gender, profile photographs, places lived, relationship status, and occupation. What it did not include were messages and phone numbers. Still, in 2018, no-one wants an online service to leak any of the data that they consider personal and private.

No-one, not even Google, knows for sure how many Google Plus users had their personal data exposed to third-party app developers due to a bug in its API which was present from 2015 until March this year.

But in a blog post seemingly published in an attempt to take some of the sting out of the Wall Street Journal report, Google revealed that - despite approximately 500,000 Google Plus profiles having been potentially affected in just the two weeks prior to the bug being patched, and 438 separate third-party applications having had access to the unauthorized Google Plus data - it has not seen any evidence that any profile data was misused.

Of course, as we all know, an absence of evidence is not evidence of absence. If the profile data had been misused, it is very possible that Google would simply have no knowledge of the fact.

What it was very aware of, however, if a memo referred to in the WSJ report is to be believed, is the potential damage that could be done by details of the privacy breach becoming public - both in terms of its reputation, and of the future growth of Google Plus:

Internal lawyers advised that Google wasn’t legally required to disclose the incident to the public, the people said. Because the company didn’t know what developers may have what data, the group also didn’t believe notifying users would give any actionable benefit to the end users, the people said.

The memo from legal and policy staff wasn’t a factor in the decision, said a person familiar with the process, but reflected internal disagreements over how to handle the matter.

The document shows Google officials knew that disclosure could have serious ramifications. Revealing the incident would likely result “in us coming into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal,” the memo said. It “almost guarantees Sundar will testify before Congress.”

Google says that it will be winding down Google Plus over the next 10 months, and plans to complete the process by the end of August 2019. From the sound of things, their intention is to try to still get some value out of their Google Plus investment by offering it as an internal communications tool for the workplace - rather than for the great unwashed public.

But the really big news today is not that Google is finally shutting down Google Plus (who cares?). The big story is that Google knew months ago that user data had been exposed and chose to keep the fact quiet. Did no-one tell them that cover-ups are always worse than coming clean?


2 Responses

  1. cruachan

    October 8, 2018 at 10:03 pm #

    Given that Google actively looks for bugs in their competitors' software, and chooses to publish them if said competitor doesn't fix them quickly enough for Google's liking, that's pretty shocking behaviour. Good thing no one used Google+…

  2. David L

    October 9, 2018 at 4:20 am #

    Must have asked Uber how best to handle this? Thankfully, there are whistle-blowers inside the "Let's Be Evil" Corp. Thank God Mr. Robot returns soon to combat "Evil Corp"!
