Concerned that it would draw the ire of regulators and that its reputation would take a hit, Google hid a glitch that exposed the personal data of hundreds of thousands of users on Google+, which the company has now shuttered.
Between 2015 and March 2015, profile data was accessible to third-party developers, but while Google fixed the glitch it decided not to notify users, according to documents obtained by the Wall Street Journal as well as unnamed sources cited in the Journal’s report.
One internal memo said the situation would draw “immediate regulatory interest” as well as comparisons to Facebook’s debacle with Cambridge Analytica, the report said.
Google discovered the bug in one of its Google+ People APIs as part of a review called Project Strobe, “a root-and-branch review of third-party developer access to Google account and Android device data and of our philosophy around apps’ data access,” the company said in a blog post.
“We believe [the bug] occurred after launch as a result of the API’s interaction with a subsequent Google+ code change,” Google said. “We made Google+ with privacy in mind and therefore keep this API’s log data for only two weeks. That means we cannot confirm which users were impacted by this bug. However, we ran a detailed analysis over the two weeks prior to patching the bug, and from that analysis, the Profiles of up to 500,000 Google+ accounts were potentially affected. Our analysis showed that up to 438 applications may have used this API.”
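The scoping problem Google describes above, as an added illustration that is not code from Google or from the original article: with a fixed log-retention window, an access-log analysis can only give an upper bound on the profiles and apps touched during that window, and says nothing about earlier activity. The log format, timestamps, app and user identifiers, and retention and patch dates below are all constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample API access log (not real Google+ data). Each line:
# timestamp  app_id  profile_id  fields_returned
# The first two lines predate the retention window and stand for records the
# log store has already deleted; they are present only to show what is lost.
SAMPLE_LOG = """\
2018-02-10T10:00:00 app-17 user-001 name,email
2018-02-18T12:00:00 app-55 user-009 name,email,age
2018-02-25T11:30:00 app-17 user-002 name,email,age
2018-03-01T09:15:00 app-42 user-001 name,email
2018-03-03T14:00:00 app-42 user-003 name
2018-03-06T08:45:00 app-99 user-004 name,email
"""

# Assumed incident timeline (hypothetical values chosen for this example).
PATCH_TIME = datetime(2018, 3, 7)
RETENTION = timedelta(days=14)
BUG_INTRODUCED = datetime(2015, 1, 1)  # bug far older than the retention window


def retained_events(log_text, patch_time, retention):
    """Return only the events a store with this retention still holds at patch time."""
    window_start = patch_time - retention
    events = []
    for line in log_text.splitlines():
        ts, app, profile, fields = line.split()
        when = datetime.fromisoformat(ts)
        if window_start <= when <= patch_time:
            events.append((when, app, profile, fields.split(",")))
    return events


def scope_exposure(log_text, patch_time, retention, bug_introduced):
    """Scope an exposure bug from retained logs only.

    Profile and app lists are an upper bound for the retained window: every
    access is counted as 'potentially affected' because the log cannot show
    whether the caller was entitled to the fields it received. 'complete' is
    False when the bug predates the window, i.e. earlier accesses can neither
    be counted nor ruled out.
    """
    events = retained_events(log_text, patch_time, retention)
    return {
        "potentially_affected_profiles": sorted({e[2] for e in events}),
        "apps_using_api": sorted({e[1] for e in events}),
        "window_start": patch_time - retention,
        "complete": bug_introduced >= patch_time - retention,
    }
```

Run `scope_exposure(SAMPLE_LOG, PATCH_TIME, RETENTION, BUG_INTRODUCED)`: it reports four potentially affected profiles and three apps, while `app-55` and `user-009` never appear because their records fell outside the window, and `complete` is False.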
Google said it “found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any Profile data was misused.”
The company will “wind down” Google+ for consumers over the next ten months and will further tighten its privacy and data protection efforts.
“In my view, Google is basically pleading ignorance in order to shield itself from legal ramifications,” said Comparitech privacy advocate Paul Bischoff. “It has conveniently left out some crucial figures in its response that would give us a more clear picture of the scope of this incident.” Bischoff pointed out that “Google says 438 applications had unauthorized access to Google+ profile data, but it doesn’t say how many of its users used those apps.” And, he said, “while Google says it performed a cursory investigation and found nothing suspicious, it also notes that it didn’t actually contact or audit any of the developers of those apps.”
But “as popular and high-profile as Google is, and due to the fact that this vulnerability existed for the better part of three years, it would be reasonable to assume the number of occurrences in which Google+ data was obtained and misused is non-zero,” said Bischoff. “Although there’s no federal breach notification law in the U.S., every state now has its own breach notification law. However, these laws only apply when it’s clear that data was obtained by an unauthorized third party. By turning a blind eye as to whether this occurred and only acknowledging that a vulnerability existed, Google can plead ignorance.”
Google’s delay in revealing the potential data disclosure drew scrutiny.
“Unlike the recent Facebook breach, this disclosure timeline is incomprehensibly long and will likely provoke a lot of questions from regulatory authorities,” said High-Tech Bridge CEO Ilia Kolochenko. “Inability to assess and quantify the users impacted does not exempt from disclosure.”
While “a security vulnerability per se does not automatically trigger the disclosure duty…it seems that Google has some reasonable doubts that the flaw could have been exploited,” Kolochenko said, “further clarification from Google and technical details of the incident would certainly be helpful to restore confidence and trust among its users currently abandoned in darkness.”
He noted, “technically speaking, this is one more colorful example that bug bounty is no silver bullet even with the highest payouts by Google.”