MOUNTAIN VIEW, CA — A bug in Google+ could’ve exposed private data of up to 500,000 users, according to the Silicon Valley tech giant, and now Google is shutting down the failed product for consumers. Google announced Monday that it had conducted a “root-and-branch” review of third-party developer access at the beginning of this year. The bug was found in one of the Google+ People APIs, the company said in a statement.
Users can grant access to their profile data — as well as the public profile information of their friends — to Google+ apps via the API. But the bug meant apps could also access profile data that was shared with the user but hadn’t been marked public. The data is limited to static, optional Google+ profile fields, such as name, email address, job, gender and age.
“It does not include any other data you may have posted or connected to Google+ or any other service, like Google+ posts, messages, Google account data, phone numbers or G Suite content,” the statement said.
Google said it uncovered the bug and patched it in March. The company believes it happened after launch as a result of the API’s interaction with a subsequent Google+ code change.
Furthermore, the company, based in Mountain View, California, said it doesn’t know exactly how many users were affected by the bug because it only retains the API’s data log for two weeks. A subsequent analysis showed that up to half a million Google+ accounts were potentially affected, Google said, and 438 applications could have used the API.
But Google stressed there was no evidence that any developer knew of the bug or was abusing the API. The company also found no evidence that any profile data was misused.
“Every year, we send millions of notifications to users about privacy and security bugs and issues. Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice,” wrote Ben Smith, Google fellow and vice president of engineering.
Furthermore, the review found that Google+ — a product meant to compete directly with Facebook — simply gobbles up too many resources to justify its continuation. As such, Google has decided to sunset the product, with a wind-down scheduled over 10 months.
“This review crystallized what we’ve known for a while: that while our engineering teams have put a lot of effort and dedication into building Google+ over the years, it has not achieved broad consumer or developer adoption, and has seen limited user interaction with apps,” wrote Smith. He stressed that the consumer version of Google+ has low usage and engagement — 90 percent of user sessions last less than five seconds.
However, the company is keeping an enterprise version for businesses. Enterprise customers have found “great value” in using Google+ within their companies, Google said, and the review showed it’s better suited as an enterprise product where colleagues can talk internally on a secure corporate social network.
These customers will be able to establish common access rules and use central controls for the entire organization.
“We’ve decided to focus on our enterprise efforts and will be launching new features purpose-built for businesses,” the company said. Google will unveil more details in the coming days.
The Wall Street Journal reported that Google waited to disclose the breach out of concerns it would attract the attention of regulators and could result in comparisons to Facebook’s leak of user data to Cambridge Analytica.
Google+ launched in 2011 and highlighted its focus on privacy. It included tools that allowed users to decide what content they wanted to share with their contacts, according to Variety. The review showed that people want “fine-grained controls” over the data they share with apps, Google said. As such, the company plans to give Google Accounts more granular permissions that will show in individual dialogue boxes.
“Instead of seeing all requested permissions in a single screen, apps will have to show you each requested permission, one at a time, within its own dialog box,” Google said. For example, if a developer requests access to both calendar entries and Drive documents, users could choose one but not the other.