Google has revealed that the Google+ People APIs had a bug which potentially gave third-party developers unauthorized access to some users’ personal data—between 2015 and March 2018. While Google stresses that only the data from fields such as name, email address, occupation, gender and age were potentially revealed, it goes on to stress that no third-party developer actually discovered this vulnerability. “We found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any Profile data was misused,” says Ben Smith, Google Fellow and Vice President of Engineering, in an official statement. At the same time, the company also states that “Our analysis showed that up to 438 applications may have used this API”.
What does this mean?
As it turns out, an internal security review called Project Strobe discovered this bug in March this year, around the same time that Facebook was facing intense scrutiny over the revelation that the data of millions of users had been compromised to Cambridge Analytica, without user consent. The Google+ bug is believed to have impacted as many as 5,00,000 user accounts. However, Google decided against reporting this at the time, potentially for fear of additional regulatory scrutiny.
What can you do for now?
While Google is slowly deleting Google+ accounts as it proceeds with the plans to shut down the social media network, you may perhaps want to speed up the process a bit. For this, you need to head to your Gmail account, and click on your profile picture in the top right corner. If you see the text “Google+ Profile” in the pop-down, then it means your account is linked to Google+ as well. Now, click on that same text, which will take you to your Google+ page. Here, in the menu bar on the left of the screen, click on Settings. This will open a page with a lot of options. Scroll down to the bottom of the Settings page, and you will see the option “Delete your Google+ Profile”.
The next page will give you some additional information on how deleting the Google+ profile may or may not impact other Google services you may be using. Here, you can confirm by ticking the checkboxes at the bottom of the page and clicking on “Delete”.
So, why didn’t Google tell us about this earlier?
The bigger problem is, Google probably still wouldn’t have told us, if it wasn’t for a Wall Street Journal report that revealed this security issue that compromised the data of Google+ users. “Given these challenges and the very low usage of the consumer version of Google+, we decided to sunset the consumer version of Google+,” says Google. It should actually be read as something along the lines of how low usage probably meant Google didn’t want to be bothered about spending its energies on this and hoped to brush it under the carpet. And keep it there.
What still remains unanswered—what else is Google not telling us?
Not a good time for this revelation—well, there never really is a good time for such news—but this comes just after Google Chief Privacy Officer Keith Enright appeared before the US Senate to talk about the privacy practices that the company deploys. Does not portray a trustworthy picture this, does it? It is expected that Google CEO Sundar Pichai will be appearing for a Senate hearing sometime in November, and there surely will be a lot of tough questions heading his way.
This has not been a good year for many Silicon Valley-based big-tech companies. Facebook just revealed last week that a data breach compromised the data of 50 million accounts, in addition to the Cambridge Analytica scandal earlier in the year. It is also believed that the US is preparing an Executive Order which will push federal antitrust as well as law enforcement agencies to investigate the business practices of the big tech companies, in an effort to ‘regulate’ them.