Google+ shutting down in wake of allegations of weak user data security

Project Strobe is described by Google Fellow and Vice President of Engineering Ben Smith as "a root-and-branch review of third-party developer access to Google account and Android device data," and the company's philosophy surrounding apps' data access, launched at the start of 2018. This included the operation of privacy controls, platforms with low API engagement due to data privacy concerns, areas where developers may have been "granted overly broad access," and other areas.

The first "Action" under Project Strobe is starting the process of shutting down Google+. According to the blog post, while Google had put effort into building out the social network over the years, it "has not achieved broad consumer or developer adoption, and has seen limited user interaction with apps."

It is claimed the consumer version of Google+ currently has very low usage and engagement, with 90 percent of user sessions said to last less than five seconds. Google will be winding down Google+ over the next ten months, with a full closure in August 2019.

Google also admits to a bug in the Google+ APIs, that allowed apps granted access to a user's profile data full access, including to profile fields that were not marked as public. The data is said to be limited to just static, optional profile fields, including names, email addresses, occupation, gender, and age, but it doesn't include any data posted or connected to Google+, like account data, phone numbers, G Suite content, and even Google+ posts and messages.

Google notes it found and patched the bug in March 2018, but due to only retaining API log data for two weeks, it is unable to confirm which users were impacted by the bug. Analysis over the two-week period before patching suggests up to 500,000 Google+ accounts were potentially affected, but while up to 438 applications may have used the API, there is apparently no evidence any developer was aware of the bug, abused the API, or that any profile data was misused.

According to the report from the Wall Street Journal, the bug may have started in 2015, meaning the data could have been exposed for a period of three years.

An internal memo from Google's legal and policy staff provided to the report advised senior executives away from disclosing the incident publicly, due to it most likely drawing "immediate regulatory interest," and would be directly compared with Facebook's Cambridge Analytica scandal. Following an internal committee decision to not notify users on the issue, Google chief executive Sundar Pichai was apparently informed of the selected course of action.

While noting there is no evidence of outside developers misusing the data, the memo also acknowledges it has no way of knowing for sure if the data wasn't misused. Report sources note internal lawyers advised the company wasn't legally required to disclose the incident, and the lack of knowledge of what data developers saw also meant there was no "actionable benefit to the end users" in notifying them of the bug.

The revelation of exposed user data arrives shortly after Alphabet/Google, Amazon, Twitter, AT&T, Charter Communications, and Apple representatives testified to the Senate Committee on Commerce, Science, and Transportation on the matter of privacy. During the hearing, Apple vice president of software technology Guy "Bud" Tribble signaled Apple's support for federal privacy legislation to help ensure users know their data isn't being misused.

The Project Strobe announcement also reveals Google intends to provide users with more fine-grained control over what account data they wish to share with each app. Rather than requesting on a single screen, apps will have to show each requested permission one at a time, with responses required for each individual permission type.

There will also be an update to the User Data Policy for the consumer Gmail API to limit the apps that may seek permission to access consumer Gmail data, with only apps that directly enhance email functionality able to access the data. The same apps, which includes clients, backup services, and productivity services, will also have to agree to new rules on handling Gmail data, and will be subject to security assessments.

The last action of the list is to limit app's ability to receive Call Log and SMS permissions on Android devices, as well as Google no longer making contact interaction data available via the Android Contacts API.