A software glitch caused Google to expose the personal-profile data of hundreds of thousands of Google+ users, and managers there chose not to go public with the information, according to a report Monday in The Wall Street Journal.
In the wake of the publishing of The Journal's story, Google announced in a blog post late Monday morning that it had closed down the social networking service for consumers.
According to the newspaper, the glitch enabled outside developers to access the data between 2015 and March 2018. The glitch was fixed, and Google concluded that nothing nefarious was done with the information. Google+ was the company's response to Facebook. The service, however, never mustered much of a following or seriously challenged the top player in social networking.
The Journal reporters wrote that they reviewed a memo prepared by Google lawyers and policy experts who had warned that disclosing the glitch would cause "immediate regulatory interest" and "cause reputational damage."
They also said it would trigger comparisons with Facebook's scandal involving Cambridge Analytica. Google CEO Sundar Pichai was briefed on the plan after the decision not to inform the public was made, according to The Journal's sources, who were described as people briefed on the incident.
Google didn't disclose security lapse
A security lapse of this kind is exactly the kind of news Google didn't need right now, but the fact that leaders decided not to disclose is likely only to exacerbate the situation.
US lawmakers are concerned that the big tech companies have come under scrutiny for a variety of reasons in recent years. One of the questions being asked in the nation's capital is what Facebook, Google, Twitter, and the like are doing with their users' private information.
In addition, Google has been strongly criticized in recent weeks about building a search engine that would censor information as part of a possible entry into China. US President Donald Trump has also accused Google of rigging search results to make his administration look bad and to silence voices on the political right.
In Google's blog post, while the company did not directly address The Journal's story, it said it had undertaken an effort, called Project Strobe, that would review "third-party developer access to Google account and Android device data."
'We discovered a bug'
The company acknowledged that as part of the Project Strobe audit, "we discovered a bug in one of the Google+ People APIs." Google confirmed that the bug provided third parties with access to user information. The company said however, that the information that was accessible consisted of a user's name, email address, occupation, gender and age.
"We found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any profile data was misused," Google said in the blog post.
As for why Google didn't disclose the security lapse to the public, the company said it decided that the situation did not rise to that level.
"Our Privacy & Data Protection Office reviewed this issue," Google wrote in the post, "looking at the type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response. None of these thresholds were met in this instance."