Alphabet’s Google will shut down the consumer version of its failed social network Google+ and tighten its data sharing policies after announcing yesterday that private profile data of at least 500,000 users may have been exposed to hundreds of external developers.
Google is about to have its Cambridge Analytica moment. A security bug allowed third-party developers to access Google+ user profile data since 2015 until Google discovered and patched it in March, but decided not to inform the world. When a user gave permission to an app to access their public profile data, the bug also let those developers pull their and their friends’ non-public profile fields. Indeed, 496,951 users’ full names, email addresses, birth dates, gender, profile photos, places lived, occupation and relationship status were potentially exposed, though Google says it has no evidence the data was misused by the 438 apps that could have had access.
The company decided against informing the public because it would lead to “us coming into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal,” according to an internal memo. Now Google+, which was already a ghost town largely abandoned or never inhabited by users, has become a massive liability for the company.
The Wall Street Journal reported earlier that Google opted not to disclose the security issue due to fears of regulatory scrutiny, citing unnamed sources and a memo prepared by Google’s legal and policy staff for senior executives.
Google feared disclosure would invite comparison to Facebook’s leak of user information to data firm Cambridge Analytica, the Journal reported, adding that Chief Executive Sundar Pichai had been briefed on the issue. Google declined to comment beyond its blog post.
Google said on Monday none of the thresholds it requires to disclose a breach were met after reviewing the type of data involved, whether it could identify the users to inform, establish any evidence of misuse, and whether there were any actions a developer or user could take to protect themselves.
Given it’s unclear whether the G+ user data was scraped or if it will be employed for a nefarious purpose, the news of the bug itself might have eventually blown over, similar to how I wrote Facebook’s recent 50 million user privacy breach may be forgotten if no evil use is found. But because Google tried to cover up the problem because it didn’t meet some threshold of severity, the company looks much worse. That casts doubt on whether Google is being transparent on tons of other controversial questions about its practices.
The fiasco could thrust Google into the same churning sea of scrutiny currently drowning Facebook, just as the company feared. Google has managed to float above much of the criticism leveled at Facebook and Twitter, in part by claiming it’s not really a social network. But now its failed Facebook knock-off from seven years ago could drag down the search giant and see it endure increasing calls for regulation, as well as testimony before Congress.