By Mary Wang. January 22, 2019.
Google+ had 300 million monthly users in 2013. A few months into 2019, it won’t even exist anymore.
In December 2018, Google CEO Sundar Pichai appeared at the Capitol for a House Judiciary Committee hearing titled “Transparency & Accountability: Examining Google and its Data Collection, Use, and Filtering Practices.” There were many topics the hearing could have covered, including the vast amounts of data Google collects; whether conservative websites are being buried in search results; and a censored search engine, Dragonfly, which the company may be deploying in China.
Unfortunately, much of the time was spent on debate between partisan representatives, specifically over whether Google search displayed political bias. According to Issie Lapowsky, a senior writer for WIRED, a magazine discussing emerging technologies, “The rhetorical tennis match left precious little time for committee members to explore in any detail the urgent questions…[including] its recent security breaches.” In the time that remained, committee members only briefly covered the recent security breaches involving Google+, the online social network service Google offers.
Following the highly publicized security breach at Facebook involving Cambridge Analytica, the first Google+ security breach was made public in October 2018 through a Wall Street Journal investigation. The investigation found that senior Google executives, including Pichai, knew of a software issue earlier that year that allowed developers to gain access to private Google+ profiles and related data, but they chose not to inform users or the public. Profile data left exposed under this flaw included the “name, email address, occupation, gender and age” of Google+ users.
Even though the bug was patched in March, it was not until after the Wall Street Journal article was released that the company was publicly pushed towards better accountability. At that time, Alphabet Inc. (Google’s parent company) announced further data privacy measures, including a permanent end to consumer use of Google+.
The deadline for shutting down Google+ was moved up four months following another security breach publicized in December. Due to a bug in the “People:get” API (application programming interface) in a November software update, developers could again request profile data from private profiles. Once found, it was fixed within a week. In January, impacted users like myself likely received an email from the Google Apps Team, sent as a mandatory service announcement, detailing what happened and which specific third-party apps or fields may have been affected for each user.
The email states that there were two main issues:
- “If you granted an app permission to view your profile information, such as name, email address, occupation, the app inadvertently was able to request and view more profile fields than you granted the app permission to view.” Translation: apps could view additional personal data without user permission.
- “If a person with whom you had shared profile information granted an app permission to view your public profile fields, that app was able to request and view your public profile fields, as intended, but inadvertently was also able to request and view any profile fields you had shared with that person, including profile fields that you had shared with that person but not shared publicly.” Translation: apps could view personal data that a user had shared with another user, even privately, without that user’s permission.
These incidents are alarming. Users were reassured that the vulnerabilities did not impact financial data or other data typically used for identity theft (although that remains to be seen), but even more alarming was what followed: a cover-up of the incident, delayed action on the data privacy changes, and little government response.
Google’s House hearing in December was titled “Transparency & Accountability.” Hopefully the next time a similar incident occurs, there will actually be transparency and accountability pushed by Congressional representatives.
Mary Wang is a first-year majoring in computer science and a member of the Duke Cyber Team.