Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Google+ shutting down in wake of allegations of weak user data security

Last updated

Google has confirmed it will be closing down the social network Google+ in August next year as part of a data protection initiative called Project Strobe, but a report alleges the initiative itself was caused through Google wanting to avoid regulatory scrutiny from exposing the private data of hundreds of thousands of users.

Project Strobe is described by Google Fellow and Vice President of Engineering Ben Smith as "a root-and-branch review of third-party developer access to Google account and Android device data," and the company's philosophy surrounding apps' data access, launched at the start of 2018. This included the operation of privacy controls, platforms with low API engagement due to data privacy concerns, areas where developers may have been "granted overly broad access," and other areas.

The first "Action" under Project Strobe is starting the process of shutting down Google+. According to the blog post, while Google had put effort into building out the social network over the years, it "has not achieved broad consumer or developer adoption, and has seen limited user interaction with apps."

It is claimed the consumer version of Google+ currently has very low usage and engagement, with 90 percent of user sessions said to last less than five seconds. Google will be winding down Google+ over the next ten months, with a full closure in August 2019.

Google also admits to a bug in the Google+ APIs, that allowed apps granted access to a user's profile data full access, including to profile fields that were not marked as public. The data is said to be limited to just static, optional profile fields, including names, email addresses, occupation, gender, and age, but it doesn't include any data posted or connected to Google+, like account data, phone numbers, G Suite content, and even Google+ posts and messages.

Google notes it found and patched the bug in March 2018, but due to only retaining API log data for two weeks, it is unable to confirm which users were impacted by the bug. Analysis over the two-week period before patching suggests up to 500,000 Google+ accounts were potentially affected, but while up to 438 applications may have used the API, there is apparently no evidence any developer was aware of the bug, abused the API, or that any profile data was misused.

According to the report from the Wall Street Journal, the bug may have started in 2015, meaning the data could have been exposed for a period of three years.

An internal memo from Google's legal and policy staff provided to the report advised senior executives away from disclosing the incident publicly, due to it most likely drawing "immediate regulatory interest," and would be directly compared with Facebook's Cambridge Analytica scandal. Following an internal committee decision to not notify users on the issue, Google chief executive Sundar Pichai was apparently informed of the selected course of action.

While noting there is no evidence of outside developers misusing the data, the memo also acknowledges it has no way of knowing for sure if the data wasn't misused. Report sources note internal lawyers advised the company wasn't legally required to disclose the incident, and the lack of knowledge of what data developers saw also meant there was no "actionable benefit to the end users" in notifying them of the bug.

The revelation of exposed user data arrives shortly after Alphabet/Google, Amazon, Twitter, AT&T, Charter Communications, and Apple representatives testified to the Senate Committee on Commerce, Science, and Transportation on the matter of privacy. During the hearing, Apple vice president of software technology Guy "Bud" Tribble signaled Apple's support for federal privacy legislation to help ensure users know their data isn't being misused.

The Project Strobe announcement also reveals Google intends to provide users with more fine-grained control over what account data they wish to share with each app. Rather than requesting on a single screen, apps will have to show each requested permission one at a time, with responses required for each individual permission type.

There will also be an update to the User Data Policy for the consumer Gmail API to limit the apps that may seek permission to access consumer Gmail data, with only apps that directly enhance email functionality able to access the data. The same apps, which includes clients, backup services, and productivity services, will also have to agree to new rules on handling Gmail data, and will be subject to security assessments.

The last action of the list is to limit app's ability to receive Call Log and SMS permissions on Android devices, as well as Google no longer making contact interaction data available via the Android Contacts API.



43 Comments

CADrmr 7 Years · 2 comments

Thanks -- so necessary to know!  And how much they have betrayed their users, their so-called codes and promises, starting with: Don't Be Evil. They exemplify it MORE every day. I need to get rid of all their products, especially email -- but how?

Thanks for this.

Anyway, Google+ was lame beyond belief, too.

sflocal 16 Years · 6138 comments

Was anyone really using Google+ anyway?

stantheman 11 Years · 332 comments

After Google+ is shut down, the company should purge its servers of all user data. Users, whether knowingly or not, traded their personal data to Google in exchange for services that it rendered. Now that Google has backed out of its commitment to provide services, it should disgorge all of the personal data that it collected and exposed to hackers. We should also consider the lesson of this experience before handing personal data over to future Google ventures, Facebook and other data accumulators. The services they promise have a limited value over a limited duration, whereas their use of our personal data is limited neither by application nor duration.

lordjohnwhorfin 18 Years · 871 comments

What's Google+? Did they hand out free CDs like AOL?

genovelle 16 Years · 1481 comments

After Google+ is shut down, the company should purge its servers of all user data. Users, whether knowingly or not, traded their personal data to Google in exchange for services that it rendered. Now that Google has backed out of its commitment to provide services, it should disgorge all of the personal data that it collected and exposed to hackers. We should also consider the lesson of this experience before handing personal data over to future Google ventures, Facebook and other data accumulators. The services they promise have a limited value over a limited duration, whereas their use of our personal data is limited neither by application nor duration.

They don’t care as since they failed at becoming the new Facebook the decided to become Microsoft of the 90’s. Since the tech heads love them and hate Apple they have been able to push the chrome browser that is a WebKit fork that has been made Proprietary by installing an always running background server and then the extensions that only work with chrome on a computer. So, companies like LinkedIn are pushing chrome for more features which is crazy for a web based company in the age of mobility.