Google is about to have its Cambridge Analytica moment. A security bug allowed third-party developers to access Google+ user profile data since 2015 until Google discovered and patched it in March, but decided not to inform the world. When a user gave permission to an app to access their public profile data, the bug also let those developers pull their and their friends’ non-public profile fields. 496,951 users’ full names, email addresses, birth dates, gender, profile photos, places lived, occupation and relationship status were potentially exposed, though Google says it has no evidence the data was misused by the 438 apps that could have had access.
The company decided against informing the public because it would lead to “us coming into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal” according to an internal memo. Now Google+, which was already a ghost town largely abandoned or never inhabited by users, has become a massive liability for the company.
The news comes from a damning Wall Street Journal report that said Google is expected to announce a slew of privacy reforms today in response to the breach. Google made that announcement about the findings of its Project Strobe security audit minutes after the WSJ report was published. The changes include stopping most third-party developers from accessing Android phone SMS data, call logs, and some contact info. Gmail will restrict building add-ons to a small number of developers. Google+ will cease all its consumer services while winding down over the next 10-months with an opportunity for users to export their data while Google refocuses on making G+ an enterprise product.
Google will also change its Account Permissions system for giving third-party apps access to your data such that you have to confirm each type of access individually rather than all at once. Gmail Add-Ons will be limited to those “directly enhancing email functionality”, including email clients, backup, CRM, mail merge, and productivity tools.
90 percent of Google+ sessions were less than 5 seconds
Embarrasingly, Google’s admits that “This review crystallized what we’ve known for a while: that while our engineering teams have put a lot of effort and dedication into building Google+ over the years, it has not achieved broad consumer or developer adoption, and has seen limited user interaction with apps. The consumer version of Google+ currently has low usage and engagement: 90 percent of Google+ user sessions are less than five seconds.” For more on G+’s demise, read our 2014 take on the beginning of the end.
Since the bug and subsequent security hole started in 2015 and was discovered in March before Europe’s GDPR went into effect in May, Google will likely be spared a 2 percent of global annual revenue fine for failing to disclose the issue within 72 hours. The company could still face class-action lawsuits and public backlash. On the bright side, G+ posts and messages, Google account data and phone numbers, and G Suite enterprise content wasn’t exposed.
Given it’s unclear whether the G+ user data was scraped or if it will be employed for a nefarious purpose, the news of the bug itself might have eventually blow over, similar to how I wrote Facebook’s recent 50 million user privacy breach may be forgotten if no evil use is found. But because Google tried to cover up the problem because it didn’t meet some threshold of severity, the company looks much worse. That casts doubt on whether Google is being transparent on tons of other controversial questions about its practices.
The fiasco could thrust Google into the same churning sea of scrutiny currently drowning Facebook, just as the company feared. Google has managed to float above much of the criticism leveled at Facebook and Twitter, in part by claiming it’s not really a social network. But now its failed Facebook knock-off from seven years ago could drag down the search giant and see it endure increasingly calls for testimony before congress and regulation.