In March, Google discovered that a vulnerability in its ailing social network, Google+, could have exposed 500,000 users’ data. At the time, executives took the decision not to disclose the bug. They feared, the Wall Street Journal reports, it would trigger “immediate regulatory interest”.
On Monday, Google revealed it would be shutting the consumer version of the social network, and defended its decision not to disclose the vulnerability earlier. In a blog post, the company’s engineering chief Ben Smith said an internal investigation found no evidence third-party developers were aware of the bug or had used it.
“Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice,” Smith continued. “Our Privacy & Data Protection Office reviewed this issue, looking at the type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response. None of these thresholds were met in this instance.”
But the investigation also revealed just how few people were using Google+ and the “significant challenges in creating and maintaining” the site in a way that “meets consumers’ expectations”, said Smith. Some 90 per cent of user sessions last less than five seconds, the review revealed.
In light of the investigation, Google has decided to shut the consumer version of Google+ and focus on how businesses use the network instead. It is also rolling out a range of new tools to control how much data Google users hand over to apps.
How did the bug work?
A bug in one of Google+’s programming interfaces meant developers could have gathered data, including names, email addresses, occupations and ages, from the friends of users who had signed up to their apps. Google said it found no evidence the developers behind any of the 438 applications which used the API had discovered or exploited the glitch.
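The exposure described above comes down to an authorisation check applied at the wrong boundary: what a signed-in user may see of their friends is not the same as what an app acting on that user's behalf should receive. The following is an added illustration of that distinction, written for this page with constructed profiles and names; it is not Google's code and the field and audience names are assumptions, not the real API.

```python
from dataclasses import dataclass, field

# Constructed audience levels for this example (not Google+'s real settings).
PUBLIC, FRIENDS, PRIVATE = "public", "friends", "private"


@dataclass
class Profile:
    name: str
    fields: dict                  # field name -> value
    audience: dict                # field name -> PUBLIC / FRIENDS / PRIVATE
    friends: set = field(default_factory=set)


def visible_to_user(profile, viewer):
    """Fields a signed-in person `viewer` may see when viewing `profile` directly."""
    out = {}
    for key, value in profile.fields.items():
        aud = profile.audience.get(key, PRIVATE)
        if viewer == profile.name or aud == PUBLIC or (aud == FRIENDS and viewer in profile.friends):
            out[key] = value
    return out


def friends_data_flawed(profiles, app_user):
    """The failure mode the article describes: an app authorised by `app_user`
    receives everything `app_user` could see of their friends, including
    fields those friends shared with friends only, such as email and age."""
    return {f: visible_to_user(profiles[f], app_user) for f in profiles[app_user].friends}


def friends_data_hardened(profiles, app_user):
    """Corrected: a third-party app acting for `app_user` only receives fields
    that each friend chose to make PUBLIC, regardless of the friendship."""
    result = {}
    for f in profiles[app_user].friends:
        friend = profiles[f]
        result[f] = {k: v for k, v in friend.fields.items()
                     if friend.audience.get(k, PRIVATE) == PUBLIC}
    return result


def build_sample():
    """Constructed sample: Alice shares her email with friends only, age with nobody."""
    alice = Profile("alice", {"name": "Alice", "email": "alice@example.test", "age": 34},
                    {"name": PUBLIC, "email": FRIENDS, "age": PRIVATE}, {"bob"})
    bob = Profile("bob", {"name": "Bob"}, {"name": PUBLIC}, {"alice"})
    return {"alice": alice, "bob": bob}
```

Running `friends_data_flawed(build_sample(), "bob")` hands an app acting for Bob Alice's friends-only email address, while the hardened version returns only her public name.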
What steps is Google taking to secure users’ privacy?
The US tech giant is launching what it calls “fine-grained controls” for people to manage the data they share with apps. “Instead of seeing all requested permissions in a single screen, apps will have to show you each requested permission, one at a time, within its own dialog box,” said Smith. “For example, if a developer requests access to both calendar entries and Drive documents, you will be able to choose to share one but not the other.”
The company has also unveiled plans to update the user data policy for the consumer Gmail API. Under the new rules, only apps enhancing email functionality, such as email clients, will have access to the data.
Finally, the company is stopping all Android apps, other than the one chosen by the user as the default for making calls or sending texts, from accessing call logs and gaining SMS permissions.
Developers have 90 days from Monday 8 October to update their apps in line with the new rules.