Google said on Monday that it would shut down the consumer arm of Google Plus, the company’s long-struggling answer to Facebook’s giant social network, after it discovered a security vulnerability that exposed the private data of up to 500,000 users, and the true figure may be even higher.
Google did not tell its users about the security issue when it was found in March because it did not appear that anyone had gained access to user information, and the company’s “Privacy & Data Protection Office” decided it was not legally required to report it, the search giant said.
The decision to stay quiet, which raised eyebrows in the cybersecurity community, comes against the backdrop of relatively new rules in California and Europe that govern when a company must disclose a security episode. Is this a case of a giant ignoring the rules?
Around 438 apps made by many different developers and companies may have had access to the exposed data through application programming interfaces (APIs). Those outside developers could have seen the user names, email addresses, occupations, genders and ages of the people using the apps, and the same information about their friends and contacts.
Google said it had found no evidence that outside developers were aware of the security flaw and no indication that any user profiles were touched. The flaw was fixed in an update made in March but has only recently been disclosed.
“The type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response were checked. None of these thresholds were met in this instance.”
- Ben Smith, a Google vice president for engineering
The disclosure made on Monday could receive additional scrutiny because of a memo to senior executives reportedly prepared by Google’s policy and legal teams that warned of embarrassment for the company — similar to what happened to Facebook this year — if it went public with the vulnerability.
The memo, according to The Wall Street Journal, warned that disclosing the problem would invite regulatory scrutiny and that Sundar Pichai, Google’s chief executive, would most likely be called to testify in front of Congress.
Facebook In A Similar Incident
This echoes a recent incident at another giant corporation. Earlier this year, Facebook acknowledged that Cambridge Analytica, a firm that performed work for the Trump campaign, had improperly gained access to the personal information of up to 87 million Facebook users. Mark Zuckerberg, Facebook’s chief executive, spent two days testifying in congressional hearings about that and other issues.
In May, Europe adopted the new General Data Protection Regulation, which requires companies to notify regulators of a potential leak of personal information within 72 hours. Google’s security issue occurred in March, before the new rules went into effect, but the company had known about it since that time.
Steven Andrés, a professor who lectures about management information systems at San Diego State University, said there was no obvious legal requirement for Google to disclose the vulnerability. But he added that it was troubling — though unsurprising — to see that the company was discussing how reporting the vulnerability might look to regulators.
There is no federal law requiring companies to disclose a security vulnerability. Companies must wade through a patchwork of state laws with different standards.
Arvind Narayanan, a computer science professor at Princeton University who is often critical of tech companies for lax privacy practices, said on Twitter that it was common for companies to fix a problem before it is exploited. “That happens thousands of times every year. Requiring disclosure of all of these would be totally counterproductive,” Mr. Narayanan wrote.
Sundar Pichai – Chief Executive Officer of Google
In private meetings with lawmakers last month, Mr. Pichai promised to testify before the end of the year at a hearing about whether tech companies are filtering conservative voices in their products.
He is also expected to be asked whether Google plans to re-enter the Chinese market with a censored search engine. The vulnerability discovered in March, and the company’s discussions about how regulators might react, are also likely to come up in his testimony.
Just last month, Google was criticised for not sending Mr. Pichai to a hearing attended by top executives from Facebook and Twitter.
When Google’s engineers discovered the vulnerability, they concluded that the work required to maintain Google Plus was not worth the effort, considering the meagre use of the product, the company said.
Google said it planned to turn off the consumer version of Google Plus in August 2019, though a version built for corporate customers will still exist.