- Users can grant access to their Profile data, and the public Profile information of their friends, to Google+ apps, via the API.
- The bug meant that apps also had access to Profile fields that were shared with the user, but not marked as public.
- This data is limited to static, optional Google+ Profile fields including name, email address, occupation, gender and age. It does not include any other data you may have posted or connected to Google+ or any other service, like Google+ posts, messages, Google account data, phone numbers or G Suite content.
- We discovered and immediately patched this bug in March 2018. We believe it occurred after launch as a result of the API’s interaction with a subsequent Google+ code change.
- We made Google+ with privacy in mind and therefore keep this API’s log data for only two weeks. That means we cannot confirm which users were impacted by this bug. However, we ran a detailed analysis over the two weeks prior to patching the bug, and from that analysis, the Profiles of up to 500,000 Google+ accounts were potentially affected. Our analysis showed that up to 438 applications may have used this API.
- We found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any Profile data was misused.
In a turn of events that was impressively foretold by WordStream founder Larry Kim way back in 2015, Google is putting its long-beleaguered social media platform, Google Plus, out to pasture. While, according to the official announcement, Google dedicated quite a bit of time and resources over the years to making Google Plus a valuable platform for consumers, a data breach that occurred back in March seems to be the final straw. Google Plus was like an ugly stepchild that broke the family vase. It wasn’t all that popular anyway, and this latest indiscretion gave Google overwhelming incentive to disown it.
Let’s talk a little bit more about the data breach that occurred, and some overarching ramifications of the announcement.
What Was Google Plus?
Google’s fourth attempt at building a social network, Google Plus followed the likes of Google Buzz, Google Friend Connect, and Orkut. Growth of the platform’s user base seemed promising—it enjoyed 395 million active accounts as of 2016. But also as of 2016, 91% of those accounts were empty. Today, 90 percent of Google Plus user sessions last less than five seconds. Why the huge discrepancy between number of accounts and amount of usage? For years, Google Plus integrated with apps like Photos, Hangouts, and YouTube. You had to have a Google Plus account to use and interact with these apps.
This meant that the majority of users on Google Plus were only on Google Plus to use these other apps. Facebook legitimately saw Google Plus as a threat in its early stages, but unlike Facebook, Google Plus was not a platform people set up accounts to actually use. For comparison’s sake—having a Facebook account makes it easier to sign into Spotify, and actually, quite a few other services, but that’s not why most people have Facebook accounts.
The breaking out over time of products and services from the Google Plus umbrella—Gmail, Photos, Streams, YouTube—ultimately rendered the platform a ghost town. But because nobody wants to publicly disown a child, no matter how problematic and unproductive it has been, Google clung onto Google Plus for longer than was probably necessary.
Then the data breach happened.
Why Is Google Plus Going Away?
This data breach was nothing on the scale of Cambridge Analytica—which accessed the private information of more than 50 million Facebook users—but it wasn’t nothing, either. Google launched Project Strobe, a data regulation effort spearheaded by Skrillex and LCD Soundsystem (not really) at the beginning of the year. According to the announcement, Project Strobe was launched independently, prior to the data breach, and therefore the data breach was something it was actively looking for, not something it accidentally stumbled upon.
The purpose of Project Strobe was to review third-party developer access across Google’s vast network of apps and services—the idea being that the more complex that ecosystem becomes, the more difficult it is for Google to regulate data privacy and security. With regard to Google Plus, here’s what it found (quoting directly from the blog post):
TL;DR: Google discovered a glitch in its system that allowed third-party apps to access some of the private information of up to 500,000 people. It fixed the glitch immediately. While it knows how many people could have had their information used for nefarious reasons, it doesn’t know how many actually did; and moreover, has found little reason to believe any actually did.
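The mechanism in Google's quoted findings is an authorization mix-up: the API handed apps the set of Profile fields that the authorizing user could see (which includes friends-only fields of their friends) instead of the set the field owner had marked public. The following is an added illustration of that failure mode and its fix, written for this article; it is not Google's code, the data model and account names are constructed, and the field names are the ones the announcement lists.

```python
"""Added example (not Google's code): the difference between "what the
authorizing user can see" and "what the field owner made public", the
gap that let third-party apps over-read Profile data.
"""
from dataclasses import dataclass
from typing import Dict, Set


@dataclass
class ProfileField:
    value: str
    visibility: str  # "public" | "friends" | "private"


@dataclass
class Profile:
    fields: Dict[str, ProfileField]
    friends: Set[str]


# Constructed sample data; not real accounts.
PROFILES: Dict[str, Profile] = {
    "alice": Profile(
        fields={
            "name": ProfileField("Alice Example", "public"),
            "email": ProfileField("alice@example.invalid", "friends"),
            "occupation": ProfileField("Analyst", "public"),
            "age": ProfileField("34", "private"),
        },
        friends={"bob"},
    ),
    "bob": Profile(
        fields={
            "name": ProfileField("Bob Example", "public"),
            "email": ProfileField("bob@example.invalid", "friends"),
            "gender": ProfileField("male", "friends"),
        },
        friends={"alice"},
    ),
}


def visible_to_viewer(owner: str, viewer: str) -> Dict[str, str]:
    """Fields `viewer` may see when browsing `owner`'s profile themselves:
    public fields, plus friends-only fields when the two are friends.
    This is the *user's* view and is correct for the UI."""
    profile = PROFILES[owner]
    return {
        name: f.value
        for name, f in profile.fields.items()
        if f.visibility == "public"
        or (f.visibility == "friends" and viewer in profile.friends)
    }


def friends_profiles_buggy(app_user: str) -> Dict[str, Dict[str, str]]:
    """Failure mode: the API reuses the user's own view when serving an
    app, so friends-only fields of the user's friends leak to the app."""
    return {
        fid: visible_to_viewer(fid, app_user)
        for fid in PROFILES[app_user].friends
    }


def friends_profiles_fixed(app_user: str) -> Dict[str, Dict[str, str]]:
    """Fix: an app acting for `app_user` gets only fields the *owner*
    marked public, regardless of the friendship between the two users."""
    return {
        fid: {
            name: f.value
            for name, f in PROFILES[fid].fields.items()
            if f.visibility == "public"
        }
        for fid in PROFILES[app_user].friends
    }


def leaked_fields(app_user: str) -> Dict[str, Set[str]]:
    """Regression check: per friend, the non-public field names the buggy
    path exposes to an app authorized by `app_user`. Empty means no leak."""
    buggy = friends_profiles_buggy(app_user)
    fixed = friends_profiles_fixed(app_user)
    leaks = {fid: set(buggy[fid]) - set(fixed.get(fid, {})) for fid in buggy}
    return {fid: names for fid, names in leaks.items() if names}


if __name__ == "__main__":
    for user in PROFILES:
        print(user, "->", leaked_fields(user))
```

Run as a script it reports, for each sample account, which friends-only fields an app would have over-read under the buggy path; `leaked_fields` is the kind of check a defender would keep as a regression test so that a later change to the visibility logic (the announcement attributes the bug to a subsequent code change) cannot silently reintroduce the over-read.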
“Data breach” is a big-time trigger word in the media right now, but it looks like, all things considered, this one was pretty harmless. Still: Google Plus is no more.
What Else Did Project Strobe Uncover?
It truly gets better every time you say it: Project Strobe produced four findings altogether, only one of which was “jettison Google Plus.” The other three, in order:
People want fine-grained controls over the data they share with apps.
Google’s solution here is to, indeed, give users more granular control over which information they choose to share with third-party apps. In the past, if an application wanted access to, say, your Calendar and your Drive, Google would only ask if you consented to share both sets of data. Now, it will ask if you consent to share each set, one at a time:
When users grant apps access to their Gmail, they do so with certain use cases in mind.
Google is updating its User Data Policy for the consumer Gmail API. Now, when you grant third-party access to your Gmail account, only apps that directly augment email functionality will be authorized to access your data. They’ll also need to accept Google’s new security standards, and subject themselves to regular security reviews.
When users grant SMS, Contacts and Phone permissions to Android apps, they do so with certain use cases in mind.
Same as the changes above, but for Android—only apps that you’ve personally selected as your default apps for making calls and sending texts will be able to access your data (should you consent to share it).
Across the board, then, Google is improving security and ramping up transparency (two major themes this year) by cracking down on third-party data access.
Final Thoughts on Project Strobe
Google still maintains that Google Plus has been a useful platform for enterprises—that the companies that have seen the most success with it use it essentially as an insulated, secure network where co-workers can engage in discussions and otherwise corporate-regulated interactions. If you’re one of these companies, don’t despair—Google is implementing a 10-month “wind-down” period that will allow users to safely migrate data off the network, and will also be releasing information in the coming days on soon-to-be-released features that will mitigate this long-in-the-works, much-portended demise.