The product designed by Google to take on Facebook appears to have suffered from a similar flaw in the way it allowed developers to access user data.
According to a report from the WSJ, a software glitch in Google’s social networking platform – Google+ – gave developers access to private user data between 2015 and 2018. On the surface this looks similar to the Cambridge Analytica scandal that caused Facebook so much trouble earlier this year.
In this case Google identified the glitch internally and, having resolved it, concluded the security vulnerability hadn’t been exploited. Because of this Google didn’t see any need to disclose it and that’s one of the most contentious aspects of this story, especially since it’s alleged that Google was reluctant to do so for fear of reputational damage and regulatory scrutiny.
In a blog post Google VP of Engineering Ben Smith revealed they started Project Strobe at the start of this year, which seems to have been designed, at least in part, to look into this glitch. Somewhat side-stepping the issue Smith found ‘There are significant challenges in creating and maintaining a successful Google+ product that meets consumers’ expectations.’ And as a result they’re shutting it down.
This is a tad disingenuous since Google+ looked dead in the water soon after its 2011 launch and it seems likely that Google only kept it going to avoid the embarrassment of openly admitting it’s rubbish at social networking. The post did eventually get to the specifics of the glitch, stating the following:
- Users can grant access to their Profile data, and the public Profile information of their friends, to Google+ apps, via the API.
- The bug meant that apps also had access to Profile fields that were shared with the user, but not marked as public.
- This data is limited to static, optional Google+ Profile fields including name, email address, occupation, gender and age. (See the full list on our developer site.) It does not include any other data you may have posted or connected to Google+ or any other service, like Google+ posts, messages, Google account data, phone numbers or G Suite content.
- We discovered and immediately patched this bug in March 2018. We believe it occurred after launch as a result of the API’s interaction with a subsequent Google+ code change.
- We made Google+ with privacy in mind and therefore keep this API’s log data for only two weeks. That means we cannot confirm which users were impacted by this bug. However, we ran a detailed analysis over the two weeks prior to patching the bug, and from that analysis, the Profiles of up to 500,000 Google+ accounts were potentially affected. Our analysis showed that up to 438 applications may have used this API.
- We found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any Profile data was misused.
The last bullet is critical and Google seems to be counting on that for mitigation, to pre-empt the kind of outcry and subsequent regulatory torture faced by Facebook. As you can see from the tweet below, this position seems to be receiving some sympathy and it looks like some people actually still use it. At time of writing we have seen no reports of further adverse consequences for Google.
This WSJ article on the Google+ bug is factually incorrect in many ways.
1. You do not have to disclose a flaw that no one used!
2. No one used it, no one found it, so why is this an article?
3. Stop fear-mongering! https://t.co/s3EpED7UGC
— Ryan Satterfield (@I_am_ryan_S) October 8, 2018