Google’s Vice President of Engineering Ben Smith on Monday revealed that the company will shut down the consumer version of its social network Google+ because data from up to 500,000 users may have been exposed to external developers by a bug that was present for more than two years in its systems.
The company discovered in March 2018 that a bug was giving third-party developers’ apps access to Profile fields that were shared with the user, but not marked as public. This included private information like names, email addresses and occupations in some user profiles, Smith said.
From the company’s security analysis, the Profiles of up to 500,000 Google+ accounts were potentially affected, and up to 438 applications may have used this API.
According to Smith, Google’s Privacy & Data Protection Office reviewed the issue, looking at the type of data involved, to determine if they could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response. None of these thresholds were met in this instance, meaning they can’t confirm which users were impacted.
The company decided the best action in this case is to retire the consumer version of the unpopular Google+, which the company said had “low usage.”
According to The Wall Street Journal, which first reported the news, Google “opted not to disclose the issue this past spring, in part because of fears that doing so would draw regulatory scrutiny and cause reputational damage.”
The company reportedly did not want the type of scrutiny Facebook was getting following the Cambridge Analytica scandal.
Google is also making some changes following the discovery of the incident, including stopping most third-party developers from accessing Android phone SMS data, call logs, and some contact information.
The platform will also change its Account Permissions system for giving third-party apps access to user data such that users have to confirm each type of access individually rather than all at once.
The attempt to cover up the security incident casts the company in an even less favorable light than the one it is already under, following dissatisfaction with its data collection practices and market practices.
The planned shutdown will take place over the course of the next 10 months, and will be concluded in August 2019.