Google+ to close down after failing to disclose security bug

By Heather Parry

09 October 2018

On Monday this week, Google announced the closure of its social network Google+, which was originally intended to rival Facebook.

The company announced the “sunsetting” of the service in a blog post, admitting that it had never reached users in any meaningful way:

… while our engineering teams have put a lot of effort and dedication into building Google+ over the years, it has not achieved broad consumer or developer adoption, and has seen limited user interaction with apps. The consumer version of Google+ currently has low usage and engagement: 90 percent of Google+ user sessions are less than five seconds.

However, the public’s steadfast refusal to embrace Google+ isn’t the only reason for its demise.

A Wall Street Journal report this week revealed that “Google exposed the private data of hundreds of thousands of users of the Google+ social network and then opted not to disclose the issue this past spring, in part because of fears that doing so would draw regulatory scrutiny and cause reputational damage.”

The bug in question allowed third-party developers to access data from Google+ users’ profiles, including their names, email addresses, birth dates, gender, profile photos, places lived, occupation and relationship status. 438 apps could have potentially had access to the above information from almost 500,000 Google+ users. The bug made user data vulnerable from 2015 until March 2018, when Google found the issue and patched it immediately.

However, Google failed to disclose the vulnerability, and its reasons for doing so, according to the Wall Street Journal, were to stop the company “coming into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal”. This quote is reportedly taken from an internal company memo.

The report then went on to say that Google would announce a number of privacy reforms in reaction to the bug. Google announced these reforms minutes after the WSJ report was published. It also made clear that it had “no evidence” that any of the vulnerable data was misused.

Google has already come under scrutiny for allowing third-party apps to access information from Gmail accounts, though it has not faced even close to the same level of criticism that Facebook has in the wake of the Cambridge Analytica scandal.

The company appears to be taking steps to improve its data privacy practices before that scrutiny hits. In its blog post, it outlined some of these changes:

Going forward, consumers will get more fine-grained control over what account data they choose to share with each app. Instead of seeing all requested permissions in a single screen, apps will have to show you each requested permission, one at a time, within its own dialog box.

We are updating our User Data Policy for the consumer Gmail API to limit the apps that may seek permission to access your consumer Gmail data. Only apps directly enhancing email functionality—such as email clients, email backup services and productivity services (e.g., CRM and mail merge services)—will be authorized to access this data. Moreover, these apps will need to agree to new rules on handling Gmail data and will be subject to security assessments.

Will these changes be enough to keep consumers on their side?

There’s one thing for certain: failing to disclose security bugs will not help consumers to maintain any level of trust in the company.
