Google is shutting down its consumer-facing Google+ social network, in the wake of a major data breach that the search giant did not reveal to the public.
Google exposed the private data of hundreds of thousands of users of the Google+ social network and then opted not to disclose the issue this past spring, in part because of fears that doing so would draw regulatory scrutiny and cause reputational damage, according to people briefed on the incident and documents reviewed by The Wall Street Journal.
A Google+ software bug allowed third-party developers to access Google+ user profile data from 2015 to March 2018, when internal investigators discovered the glitch and fixed it.
A bug was found in a Google+ API designed to let app developers access profile and contact information about the people who used their apps. Google+ was also allowing developers to access the data of profiles set to “private.”
During a two-week period in late March, Google ran tests to determine the impact of the bug, one of the people said. It found that 496,951 users who had shared private profile data with a friend could have had that data accessed by an outside developer, the person said. Some of the individuals whose data was exposed to potential misuse were paying users of G Suite, a set of productivity tools including Google Docs and Drive, the person said. G Suite customers include businesses, schools and governments.
The security flaw was not disclosed to Google+ users on the advice of Google’s legal staff, who in an internal memo advised against disclosure because it would invite “immediate regulatory interest” and comparisons to the Facebook Cambridge Analytica scandal.
Exposed user data included names, email addresses, birth dates, gender, profile photos, places lived, occupation, and relationship status. Developers did not have access to phone numbers, emails, timeline posts, or direct messages.
Google announced on Monday that it is shutting down Google+ for consumers and is introducing new privacy measures.
The review did highlight the significant challenges in creating and maintaining a successful Google+ that meets consumers’ expectations. Given these challenges and the very low usage of the consumer version of Google+, we decided to sunset the consumer version of Google+.
To give people a full opportunity to transition, we will implement this wind-down over a 10-month period, slated for completion by the end of next August. Over the coming months, we will provide consumers with additional information, including ways they can download and migrate their data.
The search giant says it had put together a task force dubbed Project Strobe at the beginning of the year to review the company’s APIs.
Google says the enterprise version of Google+ will continue to be available.
At the same time, we have many enterprise customers who are finding great value in using Google+ within their companies. Our review showed that Google+ is better suited as an enterprise product where co-workers can engage in internal discussions on a secure corporate social network. Enterprise customers can set common access rules, and use central controls, for their entire organization. We’ve decided to focus on our enterprise efforts and will be launching new features purpose-built for businesses. We will share more information in the coming days.
Google will also be introducing several new privacy improvements. Google is going to limit the number of apps that have access to consumer Gmail data, and will offer more granular controls for granting third-party apps access to Google account data.
For more information, visit the Project Strobe blog post.