Yesterday, Google reported a bug discovery in one of the Google+ People APIs, which exposed users’ Google+ profile information such as name, email address, occupation, gender, and age. As per Google’s analysis, the profiles of up to 500,000 Google+ accounts were potentially affected.
According to the Wall Street Journal report, “Google opted not to disclose the issue this past spring, in part because of fears that doing so would draw regulatory scrutiny and cause reputational damage.”
Google discovered this bug as part of its Project Strobe, which began in early 2018. Strobe was started with the aim of analyzing third-party developer access across Google’s various services and Android. The company says it patched this bug immediately in March 2018, after learning of its existence.
The bug provided outside developers potential access to private Google+ profile data between 2015 and March 2018, say the internal investigators who discovered and fixed it. Using the API, users can grant Google+ apps access to their own profile data and to the public profile information of their friends. With the bug, however, the apps also had access to profile fields even when that data was marked private rather than public.
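As an added illustration (not Google’s code, and not the real Google+ People API), here is a constructed model of the class of bug described above: a serializer that honours the app’s scope but ignores per-field visibility, beside a hardened version that filters a friend’s profile down to its public fields, plus a regression check a defender could keep in a test suite. The profile names, fields and visibility values are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Set


@dataclass
class Profile:
    user_id: str
    fields: Dict[str, str]      # field name -> value
    visibility: Dict[str, str]  # field name -> "public" or "private"


# Constructed sample data: alice grants the app access to her profile;
# bob is a friend of alice and never granted this app anything.
ALICE = Profile("alice",
                {"name": "Alice", "email": "alice@example.com", "age": "34"},
                {"name": "public", "email": "private", "age": "private"})
BOB = Profile("bob",
              {"name": "Bob", "email": "bob@example.com", "occupation": "nurse"},
              {"name": "public", "email": "private", "occupation": "private"})


def people_get_buggy(profile: Profile, granted_by: str) -> Dict[str, str]:
    """Bug pattern: the scope check already passed upstream, but field-level
    visibility is never consulted, so a friend's private fields come back too.
    `granted_by` is accepted but ignored, which is exactly the defect."""
    return dict(profile.fields)


def people_get_fixed(profile: Profile, granted_by: str) -> Dict[str, str]:
    """Hardened: the consenting user sees their own profile in full; any other
    profile reachable through the friend list is filtered to public fields."""
    if profile.user_id == granted_by:
        return dict(profile.fields)
    return {k: v for k, v in profile.fields.items()
            if profile.visibility.get(k) == "public"}


def leaked_private_fields(profile: Profile, response: Dict[str, str]) -> Set[str]:
    """Regression check: which non-public fields of `profile` appear in a
    response handed to a caller other than the profile owner?"""
    return {k for k in response if profile.visibility.get(k) != "public"}
```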
Why were users kept in the dark?
Users should be informed quickly of any security breach that exposes their data. However, as per the Wall Street Journal report, “A memo reviewed by the Journal prepared by Google’s legal and policy staff and shared with senior executives warned that disclosing the incident would likely trigger ‘immediate regulatory interest’ and invite comparisons to Facebook’s leak of user information to data firm Cambridge Analytica.”
In response to the allegations raised against Google, Ben Smith, Vice President of Engineering at Google, wrote in a recent blog post, “Every year, we send millions of notifications to users about privacy and security bugs and issues. Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice.”
He also said that Google’s Privacy & Data Protection Office reviewed the issue, “looking at the type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response. None of these thresholds were met in this instance.”
Ben said that Google found no evidence that any developer was aware of this bug or abusing the API. He also assured that no profile data was misused.
Will this delayed bug discovery announcement subject Google to GDPR?
The European GDPR (General Data Protection Regulation), which came into force on 25 May 2018, requires companies to notify regulators of breaches within 72 hours; companies that fail to do so face a maximum fine of 2% of worldwide revenue.
Al Saikali, a lawyer with Shook, Hardy & Bacon LLP, said, “The information potentially leaked via Google’s API would constitute personal information under GDPR, but because the problem was discovered in March, it wouldn’t have been covered under the European regulation.”
He further added, “Google could also face class-action lawsuits over its decision not to disclose the incident. The story here that the plaintiffs will tell is that Google knew something here and hid it. That by itself is enough to make the lawyers salivate.”
The Aftermath: Google plans to discontinue Google+ for consumers
Ben’s post mentions that over the years, Google+ has not achieved broad consumer or developer adoption, and has seen limited user interaction with apps. The consumer version of Google+ currently has low usage and engagement: 90 percent of Google+ user sessions are less than five seconds long.
One of the priorities of Project Strobe was to closely review all the APIs associated with Google+, and it was during this review that the bug was discovered.
Ben mentions, “The review did highlight the significant challenges in creating and maintaining a successful Google+ that meets consumers’ expectations.”
Given these challenges and the very low usage of the consumer version of Google+, Google has decided to discontinue the consumer version of Google+.
This shutdown will take place over the course of the next 10 months and will conclude in August next year. However, Google plans to keep Google+ available as an enterprise product for companies. Ben states, “We’ve decided to focus on our enterprise efforts and will be launching new features purpose-built for businesses. We will share more information in the coming days.”
Other findings of Project Strobe and the actions taken
Project Strobe is a ‘root and branch’ review of third-party developer access to Google account and Android device data, and of Google’s philosophy around apps’ data access. The key finding of this project was the discovery of an exploitable bug that had been present in a core API of Google+ for three years.
The other key findings and the actions taken include:
Users need fine-grained control over the data shared with apps
For this finding, Google plans to launch more granular Google Account permissions that will show up in individual dialog boxes. Instead of presenting all requested permissions on a single screen, apps will have to show the user each requested permission, one at a time, in its own dialog box. Read more about this on the Google Developer Blog.
[Image: sample of the new one-permission-per-dialog flow. Source: Google blog]
Apps should be granted access to users’ Gmail only for certain use cases
For this, Google plans to limit the types of use cases that are permitted. The company is updating its User Data Policy for the consumer Gmail API to limit the apps that may seek permission to access consumers’ Gmail data.
Only apps that directly enhance email functionality, such as email clients, email backup services and productivity services (e.g., CRM and mail merge services), will be authorized to access this data. These apps will also need to agree to new rules for handling Gmail data and will be subject to security assessments. To know more about this action, read the Gmail Developer Blog.
SMS, Contacts and Phone permissions should be granted to Android apps only for certain use cases
As an action on this finding, Google will limit apps’ ability to receive call log and SMS permissions on Android devices.
Additionally, the Android Contacts API also provides basic interaction data (for example, a messaging app could show you your most recent contacts). Google plans to remove access to contact interaction data from the Android Contacts API within the next few months.
To read more about Project Strobe and the closing down of Google+ in detail, see Ben Smith’s post on the Google blog.