Google to Kill Google Plus Due to Possible Data Breach

Senior editor, security and privacy
Updated

Google will shut down its Google Plus social-networking service after an internal audit conducted in March 2018 found that more than 400 third-party applications may have improperly gathered the personal information of nearly 500,000 users, Google said in a blog post today (Oct. 8).

Credit: Twin Design/ShutterstockCredit: Twin Design/ShutterstockThe user data included full names, dates of birth, email addresses, cities or areas of residence, genders, marital status, occupational titles, places and dates of employment, profile photos and profile-page background photos. (A full list of the data types can be seen here.) The apps were not at fault — instead, a poorly configured application programming interface (API) let them read more user information than they should have seen.

“Our analysis showed that up to 438 applications may have used this API,” wrote Google vice president of engineering Ben Smith in the Google blog post. “We found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any profile data was misused.”

If you’re a Google Plus user — and many people don’t realize that they are, because Google signed them up automatically — you can probably rest easy. Most of the data affected matches what’s already on your Facebook and LinkedIn profiles, although we recommend keeping your date of birth private if you can. 

MORE:  What to Do After a Data Breach

Google chose not to reveal the possible data leak right away because it feared regulation and damage to its reputation, The Wall Street Journal reported today. The leak was found in the same month that Facebook’s Cambridge Analytica scandal came to light, and two months before the European Union’s GDPR regulations tightened the rules regarding possible leaks of user data.

How personal data could have leaked

Personal data could have been leaked only under certain circumstances. If you’re a Google Plus user, you can use your “About Me” page to fine-tune your own privacy settings, deciding whether each piece of personal information is kept to yourself, or is visible to your “circles” of friends, to friends of friends in “extended circles,” to the public at large or to customized groups of people.

As a result, different people can see different amounts of information about you. The problem arises when someone who can see a lot about you installs a third-party Google Plus app, which by default sees who the other Google Plus users in your friend’s Circles are.

That’s normal. But the faulty API went further — it let the third-party apps see everything about you that that user could see. That wasn’t supposed to happen.  

Say only your close friends, or “Circles,” could see your date of birth. One of your friends installs a third-party app. You don’t use this app, and in fact you’ve never even heard of it. But because someone in your Circles has installed it, it can see your date of birth, and many other piece of data you’ve chosen to keep close to the vest.

“Like the Facebook Cambridge Analytica scandal, this Google Plus data leak was not legally a ‘breach,’” wrote privacy expert and Yale Law School fellow Tiffany C. Li on Twitter. But, she added, “both incidents also highlight the privacy risks of APIs and third-party app permissions.”

This problem doesn’t happen any more because Google closed the loophole. But the company decided that it was a good enough reason to finally put Google Plus, one of the company’s biggest failures, out of its misery.

“While our engineering teams have put a lot of effort and dedication into building Google+ over the years, it has not achieved broad consumer or developer adoption, and has seen limited user interaction with apps,” Smith wrote in the Google blog post. “The consumer version of Google+ currently has low usage and engagement: 90 percent of Google+ user sessions are less than five seconds.”

Google Plus will still exist as an internal networking platform for enterprises that use Google’s G Suite of business applications. But the consumer version will be wound down over more of the next year, finally ending in August 2019.

Smith said that Google was also boosting user privacy by giving Google account users more fine-grained control over what kind of personal data third-party apps access, implementing new rules about what kind of apps can access Gmail data, and limiting which Android apps can see text-message data, call logs and contact lists.