It seems that 2018 will forever be known as the year of the “data breach”.
Although Facebook appears to be most affected, multiple research results also show that the apps we use give away personal data without our knowledge and that many location sharing and tracking apps are knee deep in security vulnerabilities.
Recently the spotlight moved on to Google.
Do you use Google+?
It appears that Google tracks our location via its search and Maps services even if we explicitly tell it not to. In response to this, Google is shutting down Google+. This was expected, and let’s face it, is no great loss - no one uses Google+. But it seems the company is shutting down its failing social network not because of its lack of popularity but because a massive security flaw in the Google+ API was uncovered.
Massive security flaw in Google+
This discovery was made back in March and was fixed shortly after it was detected by engineers at Google, but the problem lies in the fact that the company decided not to share its findings with the public. Instead, the story was published just a couple of days ago thanks to the WSJ.
Google did respond via a blog post detailing this flaw. However, would Google have been so forthcoming had the Wall Street Journal not exposed it?
An internal memo obtained by the WSJ talks about “immediate regulatory interest” (the discovery came at the same time as the infamous Cambridge Analytica scandal), and that public revelation could result “in us coming into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal.”
This security flaw was active between 2015 and March 2018; that’s three years. Three years of allowing third-party apps (about 430 apps) access to the private data of Google+ users - such as name, email address, occupation, gender, and age - even if users had marked the data as private.
More than 500,000 accounts were directly affected by this bug, but so too were all of the friends of those affected users, meaning that the number is far larger than ever anticipated.
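To illustrate the class of flaw described above (a profile API that hands a third-party app fields the owner did not make visible to the requester), here is an added example that is not Google’s code and does not reflect the real Google+ API; the Profile structure, field names, visibility levels and sample users are assumptions. The flawed reader ignores per-field visibility; the hardened reader enforces it with default deny.

```python
from dataclasses import dataclass, field

PUBLIC, FRIENDS, PRIVATE = "public", "friends", "private"


@dataclass
class Profile:
    user_id: str
    fields: dict                      # field name -> value
    visibility: dict                  # field name -> PUBLIC / FRIENDS / PRIVATE
    friends: set = field(default_factory=set)


def profile_view_vulnerable(profile: Profile, viewer_id: str) -> dict:
    """Flawed version: an app acting for any viewer receives every field;
    the per-field visibility the owner chose is never consulted."""
    return dict(profile.fields)


def profile_view_fixed(profile: Profile, viewer_id: str) -> dict:
    """Hardened version: release a field only if the owner made it visible
    to the viewer on whose behalf the app is calling. Fields with no
    visibility entry are treated as private (default deny)."""
    if viewer_id == profile.user_id:          # owner sees their own data
        return dict(profile.fields)
    allowed = {}
    for name, value in profile.fields.items():
        vis = profile.visibility.get(name, PRIVATE)
        if vis == PUBLIC or (vis == FRIENDS and viewer_id in profile.friends):
            allowed[name] = value
    return allowed


# Constructed sample profile (hypothetical data): the owner shares her name
# publicly, her occupation with friends only, and keeps email and age private.
ALICE = Profile(
    user_id="alice",
    fields={"name": "Alice", "email": "alice@example.com",
            "occupation": "analyst", "age": 34},
    visibility={"name": PUBLIC, "email": PRIVATE,
                "occupation": FRIENDS, "age": PRIVATE},
    friends={"bob"},
)

if __name__ == "__main__":
    for fn in (profile_view_vulnerable, profile_view_fixed):
        print(fn.__name__, "as stranger:", sorted(fn(ALICE, "mallory")))
        print(fn.__name__, "as friend:  ", sorted(fn(ALICE, "bob")))
```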
According to Google’s blog post, the company “found no evidence that any developer was aware of this bug, or abusing the API,” and also “found no evidence that any Profile data was misused.”
The problem now is that Google cannot know for sure whether any account data was misused. The company only keeps API logs for two weeks, meaning that if an app developer accessed the private data of affected Google+ users fifteen days before Google discovered this bug, that access can no longer be traced.
There simply is no record.
Final curtain on Google+ is falling in August 2019
Regardless, the disclosure of this bug has led to Google shutting down Google+ for individual consumers. Users will have ten months to transition, with the final curtain on Google+ falling at the end of August 2019.
The network will stay open to enterprise customers “who are finding great value in using Google+ within their companies,” according to Google. In response to the revelation of the API bug, and the Google+ shutdown announcement, the company has introduced new privacy features.
Gmail-related apps will have limited access to user data from now on and “Only apps directly enhancing email functionality — such as email clients, email backup services and productivity services (e.g., CRM and mail merge services) — will be authorized to access this data.”
Further, app developers with access to user data will be required to agree to the updated guidelines regarding the handling of said user data and also undergo security assessments prior to accessing it.
Are there consequences for Google?
Google tried to sweep these findings under the carpet and failed. Now, multiple attorneys general (including the Massachusetts and California attorney general’s offices) have expressed concerns regarding these data breaches and will monitor the situation.
So, despite Google’s claims that the company didn’t have to disclose these findings because no data was actually compromised, regulators could still launch an investigation.
Take Germany’s data protection commissioner, Johannes Caspar, for example, who announced that his agency had already started its investigation. It seems Google is facing a two-pronged attack.
Neither US nor EU privacy regulators are happy, and both seem to have the company clearly in their sights. Coming on the tail of a $5 billion EU antitrust fine and allegations of bias from US politicians, are we witnessing the downfall of a company that has quite simply become too powerful to survive?