Google announced on Monday that it is shuttering its Google+ social network, following revelations in a Wall Street Journal report that the company did not disclose a recently discovered bug that had exposed data from up to 500,000 Google+ users since 2015. In the same breath, the company introduced new tools to give users more control over the data they share with apps and services that connect to Google products.
The dissonance epitomizes the broader tension data behemoths like Google and Facebook have lately grappled with over how to reconcile their competing priorities of safeguarding user trust and turning a healthy profit.
“Hiding data exposures is harmful to users—trying to keep the cat in the bag is not a sustainable strategy,” says Lukasz Olejnik, a security and privacy researcher and member of the W3C Technical Architecture Group. In this case, Google purposefully kept it quiet for months, with no apparent plans to let anyone ever know.
The vulnerability in Google+, which the company discovered and remediated in March, specifically related to one of the service’s programming interfaces that let third-party developers access user profile data. Google says the bug exposed data such as user names, email addresses, occupations, genders and ages, but the company found no evidence that anyone exploited it to steal user data, or that the data was misused in any of the 438 applications that might have used the API while the bug was live. The flaw was found and investigated internally, rather than reported by an outside researcher, and Google opted not to disclose it until the Wall Street Journal report effectively forced it to.
“Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice,” Ben Smith, Google’s vice president of engineering wrote on Monday. “Our Privacy & Data Protection Office reviewed this issue, looking at the type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response. None of these thresholds were met in this instance.”
The company says that the Google+ discovery spurred its focus on expanding user privacy protections, though. That initiative, called Project Strobe, gives users more control over their account data and over which information gets shared with third-party apps. It also extends more protections and controls to apps that interact with Gmail and to Android apps. In particular, Google will now limit the degree to which mobile apps can access an Android user’s Call Log and SMS permissions. The company is also ending developers’ ability to pull “contact interaction” data from the Android Contacts API, which gave them access not only to who you called, but for how long.
Google further announced on Monday that all third-party applications—including mobile apps—that access sensitive Gmail APIs will need to submit to a thorough review as part of the expanded protections. “To keep user data safe, we are requiring apps to demonstrate a minimum level of capability in handling data securely and deleting user data upon user request.” Google will employ an independent auditing firm to complete the reviews, and will charge developers $15,000 to $75,000 or more to have them done.
Google had apparently worked on these protective steps for months, independent of the Google+ vulnerability, but news of the undisclosed data exposure painted a complicated picture on Monday of Google’s commitment to transparency.
“I think the new announcements could be positive steps,” says Marc Rotenberg, president of the Electronic Privacy Information Center. “But I think we’re past the point where Google should get to decide if Google has done enough to address a problem. A company deciding on its own whether or not it thinks it should notify is never the right answer, because there’s no incentive to take the criticism and the stock hit.”
The Regulation Equation
Many analysts agree with Google’s internal assessment that the company wasn’t legally obligated to disclose the incident. But Rotenberg points out that after a series of incidents over the years—including one related to Google+ progenitor Google Buzz—the Federal Trade Commission could take up the incident in the context of the company’s larger track record. “The purpose of data breach notification is to alert users about the possibility of a risk, but also make it possible for public officials to track the practices of companies that may be more or less prone to breaches,” Rotenberg says. “Establishing independent accountability is crucial.”
The episode also brings renewed urgency to conversations about regulating companies to disclose not just data breaches, but exposed data as well. That could have the unintended consequence of discouraging companies from doing aggressive internal system testing and vulnerability analysis to catch exposures proactively, though. Given the high profile of the Google+ incident, it may become a test case for how Google and other companies act in similar situations in the future.
“I’m sure Google weighed the possible risks and benefits to legal liability, policy goals, reputation, user trust. And I think their people will be watching closely to see how this incident plays out for the press, public, and policymakers,” says Tiffany Li, a resident fellow at Yale Law School’s Information Society Project and former in-house counsel for the coding education startup General Assembly. “That will influence how they decide to act the next time this happens, which it will, because no system is ever 100 percent secure.”
For users, the news that Google withheld information about a privacy lapse likely overshadowed the company’s efforts to appear proactive about data protection. And it underscores the tensions Google navigates every day. “Privacy should be considered a problem of technology and technology policy, rather than as an isolated legal puzzle,” Olejnik says. “All this is now intertwined.”