Google said Monday it would close Google Plus, the company’s floundering answer to Facebook, after it discovered a security vulnerability that exposed the private data of up to 500,000 users of the service.
Daisuke Wakabayashi of The New York Times had the news:
When the company’s technical staff discovered the bug in March, they decided against disclosing the issue to users because they hadn’t found anyone that had been affected, the company said in a blog post on Monday.
That decision could run afoul of relatively new rules in California and Europe governing when a company must disclose a security incident. In the blog post, Google said its “Privacy & Data Protection Office” decided the company was not required to report the security issue.
Google looked at the “type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response. None of these thresholds were met in this instance,” wrote Ben Smith, a Google vice president of engineering.
Up to 438 applications may have had access to the vulnerability, but Google said it had found no evidence that outside developers were aware of the security flaw and no indication that any user profiles were misused.
Edward C. Baig of USA Today reported that Google Plus will close over the next 10 months:
In the blog, Smith wrote that Google discovered the bug as part of an effort it began earlier in the year called Project Strobe – “a root-and-branch review of third-party developer access to Google account and Android device data.”
The project examined privacy controls as well as “areas where developers may have been granted overly broad access and other areas in which our policies should be tightened.”
Besides shuttering Google+, the company said it was launching more granular Google Account permissions for consumers. “When an app prompts you for access to your Google account data, we always require that you see what data it has asked for, and you must grant it explicit permission,” the blog stated. For example, if a developer seeks access to both your Google Calendar entries and Google Drive documents, you will be able to choose to share one but not the other, Google says.
Among other privacy measures being implemented, Google is going to limit which Android apps are allowed to ask for permission to access text and call log data on your phone, with only an app that you’ve selected as your default app for making calls or text messages able to make such requests.
Michael Liedtke of the Associated Press reported that Congress might enact tighter restrictions as a result of this latest breach:
The desire to peer into people’s lives is one of the reasons that Google launched Plus in 2011. It was supposed to be a challenger to Facebook’s social network, which now has more than 2 billion users. But Plus flopped and quickly turned into a digital ghost town, prompting Google to start de-emphasizing it several years ago.
But the company kept it open long enough to cause an embarrassing privacy gaffe that could give Congress an excuse to enact tighter controls on data collection.
“Every data mishap strengthens the bipartisan case for Congress to take action on data protection,” said Jonathan Mayer, an assistant professor at Princeton University who formerly worked in the Federal Communications Commission’s enforcement bureau.
Europe began to impose tougher online privacy regulations in May. Those rules also include disclosure requirements for data breaches. Those rules don’t apply to the Plus problem because Google discovered it before they took effect.