(By Douglas MacMillan and Robert McMillan, Wall Street Journal) – Google exposed the private data of hundreds of thousands of users of the Google+ social network and then opted not to disclose the issue this past spring, in part because of fears that doing so would draw regulatory scrutiny and damage [the company’s reputation], according to people briefed on the incident and documents reviewed by The Wall Street Journal.
As part of its response to the incident, the Alphabet Inc. Google unit on Monday announced a sweeping set of data privacy measures that include permanently shutting down all consumer functionality of Google+. The move effectively puts the final nail in the coffin of a product that was launched in 2011 to challenge Facebook Inc. and is widely seen as one of Google’s biggest failures.
A software glitch in the social site gave outside developers potential access to private Google+ profile data between 2015 and March 2018, when internal investigators discovered and fixed the issue, according to the documents and people briefed on the incident. A memo reviewed by the Journal prepared by Google’s legal and policy staff and shared with senior executives warned that disclosing the incident would likely trigger “immediate regulatory interest” and invite comparisons to Facebook’s leak of user information to data firm Cambridge Analytica.
Chief Executive Sundar Pichai was briefed on the plan not to notify users after an internal committee had reached that decision, the people said. …
The episode involving Google+, which hasn’t been previously reported, shows the company’s concerted efforts to avoid public scrutiny of how it handles user information, particularly at a time when regulators and consumer privacy groups are leading a charge to hold tech giants accountable for the vast power they wield over the personal data of billions of people.
The snafu threatens to give Google a black eye on privacy after public assurances that it was less susceptible to data gaffes like those that have befallen Facebook. It may also complicate Google’s attempts to stave off unfavorable regulation in Washington. Mr. Pichai recently agreed to testify before Congress in the coming weeks.
“Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice,” a Google spokesman said in a statement.
In weighing whether to disclose the incident, the company considered “whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response,” he said. “None of these thresholds were met here.”
The internal memo from legal and policy staff says the company has no evidence that any outside developers misused the data but acknowledges it has no way of knowing for sure. The profile data that was exposed included full names, email addresses, birth dates, gender, profile photos, places lived, occupation and relationship status; it didn’t include phone numbers, email messages, timeline posts, direct messages or any other type of communication data, one of the people said.
Google makes user data available to outside developers through more than 130 different public channels known as application programming interfaces, or APIs. These tools usually require a user’s permission to access any information, but they can be misused by unscrupulous actors posing as app developers to gain access to sensitive personal data. …
Google faced pressure to rein in developer access to Gmail earlier this year, after a Wall Street Journal examination found that developers commonly use free email apps to hook users into giving up access to their inboxes without clearly stating what data they collect. In some cases, employees at these app companies have read people’s actual emails to improve their software algorithms. …
The Google+ data problem, discovered as part of the Strobe audit [Strobe is a privacy task force formed inside Google, code named Project Strobe], was the result of a flaw in an API Google created to help app developers access an array of profile and contact information about the people who sign up to use their apps, as well as the people they are connected to on Google+. When a user grants a developer permission, any of the data they entered into a Google+ profile can be collected by the developer.
In March of this year, Google discovered that Google+ also permitted developers to retrieve the data of some users who never intended to share it publicly, according to the memo and two people briefed on the matter. Because of a bug in the API, developers could collect the profile data of their users’ friends even if that data was explicitly marked nonpublic in Google’s privacy settings, the people said.
During a two-week period in late March, Google ran tests to determine the impact of the bug, one of the people said. It found 496,951 users who had shared private profile data with a friend could have had that data accessed by an outside developer, the person said. Some of the individuals whose data was exposed to potential misuse included paying users of G Suite, a set of productivity tools including Google Docs and Drive, the person said. G Suite customers include businesses, schools and governments.
Because the company kept a limited set of activity logs, it was unable to determine which users were affected and what types of data may potentially have been improperly collected, the two people briefed on the matter said. The bug existed since 2015, and it is unclear whether a larger number of users may have been affected over that time.
Google believes up to 438 applications had access to the unauthorized Google+ data, the people said. Strobe investigators, after testing some of the apps and checking to see if any of the developers had previous complaints against them, determined none of the developers looked suspicious, the people said. The company’s ability to determine what was done with the data was limited because the company doesn’t have “audit rights” over its developers, the memo said. The company didn’t call or visit with any of the developers, the people said.
The question of whether to notify users went before Google’s Privacy and Data Protection Office, a council of top product executives who oversee key decisions relating to privacy, the people said.
Internal lawyers advised that Google wasn’t legally required to disclose the incident to the public, the people said. Because the company didn’t know what developers may have what data, the group also didn’t believe notifying users would give any actionable benefit to the end users, the people said.
The memo from legal and policy staff wasn’t a factor in the decision, said a person familiar with the process, but reflected internal disagreements over how to handle the matter.
The document shows Google officials felt that disclosure could have serious ramifications. Revealing the incident would likely result “in us coming into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal,” the memo said. It “almost guarantees [Google CEO Sundar Pichai] will testify before Congress.” …
—Newley Purnell contributed to this article.
Reprinted here for educational purposes only. May not be reproduced on other websites without permission from The Wall Street Journal. Appeared in the October 9, 2018, print edition as ‘Google Hid Data Breach for Months.’ [Excerpted here. Read the article in its entirety at wsj.com.]
A history of Google’s privacy controversies (from the WSJ article):
2004: Gmail - Gmail scanned messages and sold ads related to their content, a practice that privacy groups said was a violation of user trust. Google responded that other email providers were already using computers to scan email to protect against spam and hackers, and that showing ads helped offset the cost of its free service. In 2014, Google stopped scanning inboxes of student, business and government users and last year said it was halting all Gmail scanning for ads.
2010: Buzz - Debut of Google Buzz was fumbled when the social site publicly displayed the contact lists of its users, leading to a probe by the Federal Trade Commission. Google settled with the FTC in 2011 and agreed to undergo 20 years of privacy audits by the agency. At the time of the settlement, Google said in a blog post that the Buzz launch “fell short of our usual standards for transparency and user control.”
2010: Street View - Google said its Street View camera cars collected private data through wireless networks while driving by people’s homes. Google stopped collecting Street View images in some countries as a result.
2013: Glass - Google Glass, a wearable computer headset with the ability to record video, was seen by some as a privacy intrusion when people began wearing them into private spaces like bathrooms. Google stopped selling the device to consumers and retooled it for professionals.
2013: Prism - Leaks revealed Google was part of a program called Prism, which allowed the U.S. National Security Agency to collect data on internet users. Google denied it ever gave the government direct access to its servers.
2018: YouTube - Privacy groups complained YouTube violated a federal law protecting children’s privacy by collecting data from users under 13. The company said users under 13 aren’t permitted to use YouTube. Google and the FTC have said they will evaluate the complaint.
2018: Android - The Associated Press found that Google collects location data of Android users even after their “location history” is turned off, a policy called misleading by privacy groups and lawmakers. Google told the AP that its descriptions of its location tools are clear.
2018: Google+ - A software bug gave outside developers access to the private user profile data of a half-million Google+ users, and executives decided not to inform the public, partly out of fear of regulatory scrutiny. Google officials said the incident didn’t rise to the threshold of alerting users, and found no evidence any of the data were accessed.