NEWS 9 October 2018

Google+ to close for consumers following data leak

US – Google is shutting down the consumer version of its social media platform Google+ following a data breach affecting up to 500,000 accounts.

A bug in a Google+ API meant third-party apps had access to users' profile information that had not been marked as public, including name, email address, occupation, gender and age.

The data did not include Google+ messages, posts, account data, phone numbers or G Suite content, according to the tech company.

Google discovered the bug in March this year as part of a review of APIs associated with Google+, but did not disclose the bug at the time. The company claimed it was unable to “accurately identify” the users involved or find evidence that the bug had led to any data being misused.

Ben Smith, the company’s vice-president of engineering, said in a blog post: “Every year, we send millions of notifications to users about privacy and security bugs and issues. Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice.”

The thresholds for disclosure were not met, he added.

According to a report in the Wall Street Journal, which originally reported the leak, Google did not disclose the issue as it feared regulatory scrutiny. 

An analysis conducted in the two weeks prior to patching the bug showed that the profiles of up to 500,000 Google+ accounts were potentially affected, and that up to 438 applications may have used the API.

The company said the review highlighted the “significant challenges” involved in maintaining Google+, which has low usage and engagement, and as such it had subsequently decided to close the platform to consumers.

Google+ will be wound down over the next 10 months, and is expected to close fully by the end of August 2019. Organisations will still be able to use Google+ as an enterprise product for internal employee discussions.

In other privacy updates announced in the blog, the company said it is introducing more granular Google Account permissions when apps request data access. Instead of all permission requests appearing on one screen, users will need to approve each requested permission individually, on a number of screens.

Additionally, only apps that “directly enhance email functionality” will be able to seek permission from consumers to access their Gmail data.