Google admits to potential Google+ data leak after getting caught

By Jared Newman

October 08, 2018

Google is shutting down its Google+ social network for consumers after discovering–and, for seven months, not disclosing–a bug that could have exposed private data for up to 500,000 users since 2015. The search giant says this data is limited to static profile fields such as name, email address, age, gender, and occupation, and does not include any Google+ posts or Google account data.

Although Google discovered and patched the potential data leak in March 2018, the company initially opted not to publicize it. The Wall Street Journal’s Douglas MacMillan and Robert McMillan report that Google was worried about public perception and regulatory scrutiny, and that Google wanted to avoid comparisons with Facebook, which at the time was dealing with its own data privacy scandal. (Google claims that it kept the bug secret because it found no evidence of misuse, couldn’t identify affected users, and couldn’t provide users or developers with any course of action.)

Shortly after the WSJ’s story broke, Google announced a set of sweeping security changes:

    Google+ will shut down for consumers at the end of next August, giving users time to download or transfer their data. An enterprise version for internal company discussions will live on.

    Users who connect third-party apps with Google will get more granular control over what data gets shared. These changes will roll out over “the next few months.”

    To crack down on potential misuse of data, Google will only allow third-party Gmail apps that directly involve email functionality, such as email clients, backup services, mail-merge services, and expense tracking. Apps also won’t be allowed to sell the data for marketing or ad targeting, and any human review of email data will be “strictly limited.” (An earlier WSJ piece described how some Gmail apps were allowing employees to read users’ emails and sell the data to marketers.) The changes apply to new Gmail apps immediately, and to existing ones early next year.

    Google will limit Android apps’ ability to access SMS data, call logs, and contacts. Third-party SMS apps will still be allowed, but they can only access this data if the user sets the app as their default for text messaging.

Google says it began reviewing developer access at the start of this year, so these new policies might have arrived even without the WSJ’s reporting. Now they just come off as damage control.