Google is closing Google+ to consumers after an investigation into third-party access to account data through its APIs revealed a serious privacy bug. Google kept the bug under wraps for months.
The discontinuation of Google+ for consumers follows the outcome of Project Strobe, a review that Google started early this year of how third-party developers access Google account and Android device data through Google's APIs. “Our review shows that our Google+ APIs, and associated consumer management, are difficult to develop and maintain,” Google said.
The company found a bug in the Google+ People API. A user can grant a third-party app access to their own profile data and to the public profile information of their friends; because of the bug, an app could also read profile fields of those friends that the friends had shared with the user but had not made public. The affected fields were static, optional profile data such as name, email address, occupation, gender and relationship status.
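The failure mode described above is an authorization check applied at the wrong boundary: the server decides which of a friend's fields to release based on what the requesting user may see, when it should be based on what the app acting for that user was granted (public data only). The following Python model is an added illustration of that bug class and its fix; it is not Google's code, the People API internals are not published, and the `Profile` class, the `PROFILES` sample data and all function names are constructed for this example.

```python
"""Constructed model of a "friend's profile" endpoint that leaks non-public fields.

Not Google's code.  It shows the class of bug: the server filters a friend's
profile fields by what the *requesting user* may see in the UI (friends-only
data), instead of by what a *third-party app* acting for that user may
receive (public data only).
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

PUBLIC = "public"      # visible to anyone
FRIENDS = "friends"    # shared with the owner's friends only
PRIVATE = "private"    # visible only to the owner


@dataclass
class Profile:
    user_id: str
    friends: Set[str]
    # field name -> (value, audience the owner chose for that field)
    fields: Dict[str, Tuple[str, str]]


# Constructed sample data: "bob" is friends with "alice" and has marked
# several fields as friends-only or private.
PROFILES: Dict[str, Profile] = {
    "bob": Profile(
        user_id="bob",
        friends={"alice"},
        fields={
            "name": ("Bob Example", PUBLIC),
            "occupation": ("Engineer", FRIENDS),
            "email": ("bob@example.invalid", FRIENDS),
            "relationship": ("in a relationship", PRIVATE),
        },
    ),
}


def _audience_allows(audience: str, viewer_is_friend: bool, viewer_is_owner: bool) -> bool:
    """UI visibility rule: who may see a field with the given audience setting."""
    if audience == PUBLIC:
        return True
    if audience == FRIENDS:
        return viewer_is_friend or viewer_is_owner
    return viewer_is_owner


def friend_fields_vulnerable(acting_user: str, target_id: str) -> Dict[str, str]:
    """Buggy endpoint: an app holding acting_user's consent asks for target's profile.

    Only the UI rule is applied.  Because acting_user is a friend of target,
    friends-only fields are handed to the app, although the app was only ever
    granted friends' *public* data.
    """
    target = PROFILES[target_id]
    is_friend = acting_user in target.friends
    return {
        name: value
        for name, (value, audience) in target.fields.items()
        if _audience_allows(audience, is_friend, acting_user == target_id)
    }


def friend_fields_fixed(acting_user: str, target_id: str) -> Dict[str, str]:
    """Hardened endpoint: data about a *third party* released to an app is capped
    at public, whatever the relationship between acting_user and target.
    The owner's own fields are still returned in full when acting_user == target.
    """
    target = PROFILES[target_id]
    if acting_user == target_id:
        return {name: value for name, (value, _) in target.fields.items()}
    return {
        name: value
        for name, (value, audience) in target.fields.items()
        if audience == PUBLIC
    }


def leaked_fields(acting_user: str, target_id: str) -> List[str]:
    """Field names the buggy endpoint releases beyond what the fixed one allows."""
    buggy = friend_fields_vulnerable(acting_user, target_id)
    fixed = friend_fields_fixed(acting_user, target_id)
    return sorted(set(buggy) - set(fixed))


if __name__ == "__main__":
    # With the constructed data, the buggy endpoint leaks "email" and
    # "occupation" about bob to any app acting for his friend alice.
    print("buggy :", friend_fields_vulnerable("alice", "bob"))
    print("fixed :", friend_fields_fixed("alice", "bob"))
    print("leaked:", leaked_fields("alice", "bob"))
```

The point of the fixed version is that the cap is applied per relationship between the data subject and the app, not derived from the viewer's UI permissions. A non-friend gets the same result from both versions, which is why the bug is easy to miss in testing unless the test accounts are actually friends with each other and have non-public fields set.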
Google says it found the bug in March 2018 and patched it immediately. Its analysis showed that the profiles of up to 500,000 Google+ users may have been affected and that up to 438 applications may have used the affected API. At the same time, Google acknowledges that it keeps the API's logs for only two weeks, so it cannot determine which users were actually affected; the figures above come from that two-week window, and the absence of evidence of misuse in it says nothing about the months before.
The company’s Privacy & Data Protection Office was notified of the bug but concluded that it did not need to be disclosed, partly because Google found no evidence that any developer was aware of the bug or that any profile data had been misused. According to The Wall Street Journal, however, Google also feared reputational damage and regulatory scrutiny. The Cambridge Analytica affair, in which the data of more than 50 million Facebook users was obtained through Facebook's API, also played a role.
Google will wind down the consumer version of Google+ over the next ten months. The network will continue as an enterprise product, the company says, acknowledging that consumer and developer use has been very low.
Project Strobe has also led Google to give users finer-grained control over the data they share with apps, with a separate consent dialog for each permission. In addition, Google is limiting which apps may request access to consumer Gmail data: only apps that directly enhance email functionality will be eligible. On Android, Google is restricting which apps may request access to call logs and SMS, and contact interaction data can no longer be read through the Android Contacts API.