Just over a week after news emerged that a Facebook security breach had left at least 50 million accounts exposed, internet giant Google disclosed a major security lapse of its own. It said a software bug had exposed private information of up to 5,00,000 users of its social networking platform Google+. This included details such as names and email addresses, as well as birth dates and gender.
A report in the Wall Street Journal, citing Google’s internal documents, said the company had discovered the defect in March but decided to keep it private, fearing that disclosure would invite regulatory action and damage its reputation.
Here is a primer on what we know about the security defect, why Google’s decision not to disclose it matters more than the bug itself, and why Alphabet, Google’s parent company, decided to shut down Google+.
What do we know?
The Wall Street Journal report that Google had exposed user data and then chosen not to disclose the matter was published on Monday, October 8, 2018. Soon after the report appeared, the company acknowledged the defect in a blog post. It said its review had found significant challenges in maintaining Google+ given how little it was used, and that it would wind down the consumer version of the social networking service.
The defect that led to the exposure of private data was in the Google+ Application Programming Interface. APIs, as they are known, are a defined set of calls through which third-party programs request data from an application or website. Google found the bug while conducting an internal review, called Project Strobe, that examined how much Google account data third-party applications and developers should be allowed to access. Users could grant a Google+ app access to their own profile and to the public profile information of their friends. The bug meant that such an app could also read profile fields that a user’s friends had shared with that user but had not marked as public. The data potentially exposed dated from March 2015 to March 2018, when the bug was fixed, and included usernames, email addresses, birth dates, gender, profile photos, places lived, occupation and relationship status, according to the WSJ report.
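The following is an added illustration of the class of bug described above, a profile API that returns more of a friend’s data than the friend agreed to share with third parties. It is a constructed model, not Google’s code, and the profile fields, visibility levels, function names and sample users are all assumptions made for the example; the point is the difference between “what the authorising user can see” and “what the friend has made public”, and the audit helper that diffs the two.

```python
"""Illustrative model of an over-broad profile API (constructed example,
not Google's code). Each profile field carries a visibility level set by
its owner. A user who authorises a third-party app shares their own
profile; for that user's *friends*, the app should only ever receive
fields the friends marked public, because the friends never consented to
sharing with the app."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

PUBLIC, FRIENDS, PRIVATE = "public", "friends", "private"


@dataclass
class Profile:
    user_id: str
    # field name -> (value, visibility level chosen by the owner)
    fields: Dict[str, Tuple[str, str]] = field(default_factory=dict)
    friends: Set[str] = field(default_factory=set)

    def visible_to(self, viewer_id: str) -> Dict[str, str]:
        """Fields the owner has chosen to show a specific human viewer."""
        out: Dict[str, str] = {}
        for name, (value, vis) in self.fields.items():
            if viewer_id == self.user_id or vis == PUBLIC:
                out[name] = value
            elif vis == FRIENDS and viewer_id in self.friends:
                out[name] = value
        return out

    def public_fields(self) -> Dict[str, str]:
        """Fields the owner has made visible to everyone."""
        return {n: v for n, (v, vis) in self.fields.items() if vis == PUBLIC}


def friends_profiles_buggy(directory: Dict[str, Profile], user: str) -> Dict[str, Dict[str, str]]:
    """Buggy: the app is treated as if it were the authorising user, so it
    receives every field the user's friends shared with that user,
    including friends-only fields."""
    me = directory[user]
    return {fid: directory[fid].visible_to(user) for fid in me.friends}


def friends_profiles_fixed(directory: Dict[str, Profile], user: str) -> Dict[str, Dict[str, str]]:
    """Fixed: a third-party app acting for `user` gets only the public
    fields of that user's friends; friends-only data never leaves."""
    me = directory[user]
    return {fid: directory[fid].public_fields() for fid in me.friends}


def leaked_fields(directory: Dict[str, Profile], user: str) -> Dict[str, List[str]]:
    """Audit helper: per friend, the fields the buggy endpoint returns that
    the corrected one does not. Non-empty lists are the exposure."""
    buggy = friends_profiles_buggy(directory, user)
    fixed = friends_profiles_fixed(directory, user)
    return {fid: sorted(set(buggy[fid]) - set(fixed[fid])) for fid in buggy}


def build_directory() -> Dict[str, Profile]:
    """Constructed sample users; none of this is real data."""
    alice = Profile("alice", {"name": ("Alice", PUBLIC)}, friends={"bob"})
    bob = Profile(
        "bob",
        {
            "name": ("Bob", PUBLIC),
            "email": ("bob@example.invalid", FRIENDS),
            "birthday": ("1990-01-01", FRIENDS),
            "relationship": ("single", PRIVATE),
        },
        friends={"alice"},
    )
    return {"alice": alice, "bob": bob}


if __name__ == "__main__":
    d = build_directory()
    print("buggy API, app authorised by alice:", friends_profiles_buggy(d, "alice"))
    print("fixed API, app authorised by alice:", friends_profiles_fixed(d, "alice"))
    print("fields leaked by the bug:", leaked_fields(d, "alice"))
```

Note that Bob’s private field stays hidden even in the buggy version; the leak is confined to data he deliberately shared with friends, which is why an authorisation bug of this kind looks like normal, consented access in the API logs and is hard to spot without comparing what a consumer app received against what the data owner actually made public.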
On whether the data was misused, Ben Smith, Google’s vice president of engineering, said in a blog post that the company had not found any “evidence” that developers were aware of the bug, and that no user data was “misused.” The post added an important caveat: Google keeps the log data for this API for only two weeks, so it could not confirm which users were actually affected. Its figure of up to 5,00,000 potentially affected accounts came from an analysis of the two weeks before the fix, during which up to 438 applications may have used the API.
Was there a breach of trust?
In its report, the Wall Street Journal cited an internal document in which Google officials acknowledged the security defect internally but chose not to disclose it to the public. This decision drew more attention than the data exposure itself, since it was seen as a breach of users’ trust. The criticism was sharpened by the fact that the company’s home state of California had, in June, a few months after the Cambridge Analytica data harvesting scandal hit Facebook, passed a new consumer privacy law mandating greater “transparency in data practices”, although that law was not due to take effect until 2020.
The WSJ report suggests that Google chose not to make a public declaration of the data vulnerability, fearing a backlash in the form of additional regulatory scrutiny. The company was also concerned about Google’s Chief Executive Officer Sundar Pichai being summoned to the US Congress to be questioned about the incident.
The WSJ report said that Google’s internal memo acknowledged that revealing the information would result “in us coming into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal”. The memo added that the glitch “almost guarantees Sundar will testify before Congress.”
Many have questioned Google’s decision not to go public about the glitch.
“You get out in front of these things,” said Joseph Moreno, a former federal prosecutor who now oversees cybersecurity cases at the international law firm Cadwalader, Wickersham & Taft, Business Insider reported. He added that the worst thing in this situation would have been for Google to downplay the breach or pretend that it did not happen.
The incident also caught the attention of international regulators. On Tuesday, Ireland’s data protection regulator said it would ask Google for more information on the security lapse, according to Reuters. The data protection commissioner in Hamburg, Germany, has also opened an inquiry to gather more information on the bug.
Does the breach have an impact on India?
According to a report by analytics company ComScore, India has the largest user-base in Google+ after the United States.
“Google+ has a high user base in India, so it is almost certain the bug exposed private information of Indian users,” said Arun Mohan Sukumar, head of the Observer Research Foundation’s Cyber Security and Internet Governance Initiative. “The breach is notable for its scale, although the information exposed by itself may not be valuable.”
“We are very troubled by the reports about the reasons that Google chose not to report the incident to users,” said Raman Jit Singh Chima, Policy Director at Access Now, an international non-profit advocacy group. “Avoiding regulatory scrutiny or questions from policymakers is not a legitimate reason for web firms to deny users information about vulnerabilities and potential privacy breaches.”
Attempts to get a response on the bug from the Ministry of Electronics and Information Technology were unsuccessful. As of Wednesday, Indian authorities had not announced any inquiry into the matter. Previous incidents, such as the Cambridge Analytica case, did prompt inquiries that are still ongoing.
Why did Alphabet decide to shut Google+?
Google+ was launched about seven years ago. It had a good start, with almost 111 million active users, but was unable to hold their interest for long, losing out to other social media applications like Facebook and Twitter. A study by a Google+ user found that only 9% of the two billion profiles on the platform had ever publicly posted content, according to the Daily Dot, a digital media company.
“It has not achieved broad consumer or developer adoption, and has seen limited user interaction with apps,” Google’s Ben Smith said in his blog post. The company said the consumer version of Google+ would be wound down over ten months, with the shutdown slated for completion by the end of August 2019.