Google+ Shutdown Following Data Security Flaw

Google is to shut down the consumer side of its social network Google+, following a breach which potentially exposed the private data of 'hundreds of thousands' of users between 2015 and March this year.

The Wall Street Journal quotes sources 'briefed on the incident' who say the company decided not to disclose the issue in the Spring, fearing regulatory scrutiny and damage to its reputation. Google parent Alphabet Inc is planning a raft of privacy changes, including limiting outside developers' access to user data on Android smartphones and Gmail.

Google+ was launched as long ago as 2011 as a challenger to Facebook but has never achieved a fraction of the latter's footprint. The security flaw was fixed in March 2018 when it was discovered, sources say, and lawyers advised Alphabet that with no evidence of misuse having been made and no clear advantage to users in knowing about the breach, notification at this point was not a legal requirement. In a statement, a Google spokesman said: 'Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice... [including] whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response. None of these thresholds were met here'. Specifically, on its blog today the company confirmed: 'We found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any Profile data was misused'.

However, the company formed a privacy task force, Project Strobe, consisting of more than 100 engineers, product managers and lawyers, to audit all its procedures. As a result, it will stop allowing the majority of 3rd party developers access to SMS messaging data, call log data and some Android phone contact data; while only a select band of developers will continue to create add-ons for gmail.

Google says as many as 438 applications had access to the unauthorized Google+ data, but checks on the ratings and reputations of the developers concerned had not revealed previous complaints or specific reasons for concern.

While GDPR requires companies to notify regulators of breaches within 72 hours, would classify the data risked here as personal and can fine those in breach up to two percent of global revenue, it only came into force in May and the problem was discovered and rectified in March, so it is not thought to be relevant here.

More information can be found in the WSJ's report at www.wsj.com/articles/google-exposed-user-data-feared-repercussions-of-disclosing-to-public-1539017194 , and Google's review of Project Strobe is here: www.blog.google/technology/safety-security/project-strobe .

Google+ will be wound down over the next ten months, with the aim of switching off the consumer side by the end of August 2019. The platform will be continued, and beefed up, as an enterprise product.