Data protection commissioner was unaware of Google+ breach

Private profile data of 500,000 users may have been exposed to external developers

Google said on Monday it would shut down the consumer version of Google+ and tighten its data-sharing policies after a “bug” potentially exposed user data. Photograph: iStock

The data protection regulator Helen Dixon said on Tuesday that she was not aware of the data breach that led to Google’s decision to shut down the consumer version of its failed social network Google+.

She said she would seek more information from Google regarding the security issue that may have exposed the data of at least 500,000 users to hundreds of external developers.

Google said on Monday it would shut down the consumer version of Google+ and tighten its data-sharing policies after a “bug” potentially exposed user data that included name, email address, occupation, gender and age. The issue was discovered and patched in March as part of a review of how Google shares data with other applications. No developer exploited the vulnerability or misused data, the company’s review found.

“The Data Protection Commission was not aware of this issue and we now need to better understand the details of the breach, including the nature, impact and risk to individuals and we will be seeking information on these issues from Google,” the regulator said. The commissioner is the relevant data protection authority for Google in Europe.

The Wall Street Journal reported that Google opted not to disclose the security issue due to fears of regulatory scrutiny, citing unnamed sources and a memo prepared by Google's legal and policy staff for senior executives.

Google feared disclosure would invite comparison to Facebook's leak of user information to data firm Cambridge Analytica, the Journal reported, adding that chief executive Sundar Pichai had been briefed on the issue. Google declined to comment beyond its blog post.

Google said on Monday that none of the thresholds it requires to disclose a breach were met after reviewing the type of data involved, whether it could identify the users to inform, whether it could establish any evidence of misuse, and whether there were any actions a developer or user could take to protect themselves.

Security and privacy experts and financial analysts questioned the decision.

"Users have the right to be notified if their information could have been compromised," said Jacob Lehmann, managing director at legal firm Friedman CyZen. "This is a direct result of the scrutiny that Facebook dealt with regarding the Cambridge Analytica scandal."

Facebook challenger

Google+ launched in 2011 as the advertising giant grew more concerned about competition from Facebook, which could pinpoint ads to users based on data they had shared about their friends, likes and online activity.

Google+ copied Facebook with status updates and news feeds and let people organise their groups of friends into what it calls “circles”.

But Google+ and the company’s other experiments with social media struggled to win over users because of complicated features and privacy mishaps.

Facebook introduced a feature that allowed users to connect their accounts with their profiles on dating, music and other apps.

Google followed suit, letting outside developers access some Google+ data with users’ permission. The bug disclosed on Monday, introduced in a software update, exposed private data including name, email address, occupation, gender and age, Google said. It could not definitely say how many users were affected because it said it keeps only two weeks of such records.

Google+ will remain an internal networking option for organisations that buy Google’s G Suite, a bundle of apps for creating documents, spreadsheets and presentations.

Google’s plan to withdraw the free version of Google+, scheduled for August, could help strengthen its case to US policymakers and regulators that it is different from Facebook, which has faced political heat over allegations that data belonging to 87 million of its users was improperly shared with political consultancy Cambridge Analytica.

Google refused to send Mr Pichai to a Senate Intelligence Committee hearing on September 5th, where Facebook’s chief operating officer and Twitter’s chief executive testified. An empty chair was left for Google after the committee rejected Google’s top lawyer as a witness.

Several policies Google introduced on Monday are designed to curb the data accessible to developers offering mobile apps on the Google Play store or add-on apps for sending and organising Gmail messages.

Play Store apps will no longer be allowed to access text message and call logs unless they are the default calling or texting app on a user’s device or have an exception from Google.

Gmail

Gmail add-ons available to consumers starting next year will be barred from selling user data and be subject to a third-party security assessment that will cost them about $15,000 to $75,000, Google said.

Such moves could strengthen Google by making it harder for competing services to grow off its data, said Chris Messina, a designer who worked on Google+ before leaving in 2013. "In 2011, you wanted casual, scrappy developers creating apps, and now it is going to require a professional class that is serious. The walls are going up." – Reuters