Updated 01.08.2019

October 8, 2018, will be remembered as a day that didn’t change the social media landscape at all – Google announced their decision to pull the plug on the machine that supports the consumer version of Google+. Don’t know what that is? Just google it, or read on.

In a statement released that same day on Google’s blog, Ben Smith, Google Fellow and Vice President of Engineering, admits that they have been unable to create and maintain a successful Google+ service. Its APIs have been labeled “challenging to develop and maintain.” The statement also mentions the Google+ security bug that potentially exposed the private data of thousands of users, with the shutdown of Google+ being only the cherry on top of this unpalatable cake.

Google+ API bug explained

The Google+ API bug allowed apps to access user data that was normally visible only to the user’s contacts, as if that data had been marked “Public.” This personal data includes the user’s name, email, address, occupation, gender, and age.

How the Google+ API bug worked in real life


Let’s say someone named Mark joins Google+ in 2011. He fills his profile with personal info, such as his birth date, job title, a list of places where he lived, and so on. In 2012, he changes his relationship status to ‘Married’ and invites his lovely wife Priscilla to join his ever-growing circle of friends on this still new social network. Mark makes certain parts of his profile private, allowing only his wife to see them.

Time goes by, and one day in 2015 Priscilla signs up for an app using her Google+ credentials, thus also permitting the app to access her profile information. Here’s where Google+ falters: due to the bug, app developers can now also access Mark’s private profile data, which he shared only with his wife. It will take three years for this issue to surface and maybe even more to learn just how much information has leaked to third parties.
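The scenario above, as an added toy model (not Google’s code): a delegated app token is answered with the grantor’s own viewing rights, so the app sees fields a friend shared only with that person. User names, visibility labels and function names are constructed for illustration; the hardened form beside it shows the check a practitioner would expect.

```python
"""Toy model of the Google+ API over-sharing described above.

Added example, not Google's code. The user names, the visibility labels and
the function names are constructed for illustration.
"""
from dataclasses import dataclass, field

PUBLIC, CIRCLES = "public", "circles"   # constructed visibility levels


@dataclass
class Profile:
    user_id: str
    circles: set = field(default_factory=set)   # people allowed to see CIRCLES fields
    fields: dict = field(default_factory=dict)  # field name -> (value, visibility)

    def visible_to(self, viewer_id):
        """What a person browsing the site may see. viewer_id=None means an
        anonymous or non-contact viewer, who gets public fields only."""
        return {name: value for name, (value, vis) in self.fields.items()
                if vis == PUBLIC or (vis == CIRCLES and viewer_id in self.circles)}


# Constructed sample data: Mark shares his restricted fields with Priscilla only.
DIRECTORY = {
    "mark": Profile("mark", circles={"priscilla"}, fields={
        "name": ("Mark", PUBLIC),
        "birthday": ("1980-01-01", CIRCLES),
        "places_lived": (["Example Town", "Sample City"], CIRCLES),
    }),
    "priscilla": Profile("priscilla", fields={"name": ("Priscilla", PUBLIC)}),
}


def people_list_buggy(directory, grantor_id, friend_id):
    """The defect: a third-party app calling on behalf of `grantor_id` is
    answered with the grantor's *own* viewing rights, so the app receives
    fields the friend shared only with that person."""
    return directory[friend_id].visible_to(grantor_id)


def people_list_fixed(directory, grantor_id, friend_id):
    """Hardened form: a delegated token is not the user. The grantor's
    identity only proves the token is valid; the friend's circle-restricted
    fields stay with the human they were shared with, and the app gets
    nothing beyond what the friend made public."""
    if grantor_id not in directory:
        raise PermissionError("unknown grantor")
    return directory[friend_id].visible_to(None)


if __name__ == "__main__":
    # An app Priscilla authorised asks for Mark's profile.
    print("buggy:", people_list_buggy(DIRECTORY, "priscilla", "mark"))
    print("fixed:", people_list_fixed(DIRECTORY, "priscilla", "mark"))
```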

What kind of information could have leaked from Google+?

All fields are optional in Google+, meaning the number of users that could have been affected might be around 500,000. On the other hand, Google didn’t miss a chance to play this down even more and gave the full list of leak-sensitive info not in the statement but on their website for developers. The fields listed, if filled in, add up to a full biography – enough to send a fake CV and get an interview.

The list includes important personal details Google failed to emphasize, such as:

  • Date of birth
  • The ‘About me’ section (short bio)
  • A list of current or past organizations with which this person is associated (with start and leave dates)
  • A list of places where this person has lived.

Reading through this list, we find out that not only personal data but also Google+ Pages data could have been compromised. Popular Google+ Pages that Google thought might be at risk of being impersonated (such as the official pages of local businesses) had the option to get verified. In this case, a third party who has seen the private data of a verified page can assume that the information is valid. This shows that the most vulnerable group of users were the enterprise users who had this crucial info added, while most consumer version users had probably stopped updating their profiles seven years ago.

What is the effect of this Google+ API bug?


The Google blog clearly states that the possible number of affected users may be up to 500,000, while some tech news outlets, like zdnet.com, tried to blow this up, giving the figure of “more than 500,000”. Following them, reuters.com said “at least 500,000”. The Wall Street Journal was the first to report (even before Google published their blog post), and the number they give is 496,951. At the same time, it is impossible to know the real stats because, as per the Google statement, the logs of data accessed via the API have been kept for only two weeks.

According to Google, 90% of Google+ user sessions last less than five seconds. That’s a polite way of saying that it hasn’t been performing well. The other 10% are usually miscellaneous enterprises that somehow decided to use this service as a communication tool between co-workers.

The company states that the bug was found and patched in March 2018, leading Google to believe that no data had been misused, even though they’ve identified 438 apps that could’ve accessed this information via the API.

The funny thing is that the statement continues to talk about Google+ for enterprises, which have been successfully using it as “a secure corporate social network.” Now it’s up to them to decide if they will continue using Google+ after this news.

New privacy and security measures by Google

As if to redeem themselves, Google has released information about stricter Google Account permissions. This privacy-oriented update means you have to accept or deny each permission to access your personal info, such as your Calendar or Contacts, one at a time. Currently, users see all requests listed on one screen, which more often leads the user to select “Allow all,” even though some of the requests are purely optional.

Other, more impactful news has been hidden between the sheets of this security “scandal.” It is the decision to limit developer access to Android and Gmail device data. This will be done by implementing changes to the API, banning the option to receive call log and SMS permissions on Android. What is more, contact interaction will no longer be possible via the Android contacts API, which also provided fundamental interaction data, for example, whom you messaged last.

Why did Google keep this news quiet for more than six months?


The question that remains unanswered so far is why Google would speak up about this bug only after six months. Well, this information was first made public by the Wall Street Journal (WSJ). This source claims that the bug may be even worse, and may have been leaking user data since 2015. Google developers found it by accident and covered it up instead of going public, for fear of botching their ongoing preparation for the EU GDPR deadline. Google has yet to give its reason for waiting so long. According to the WSJ, the decision to keep silent was made to avoid comparison to Facebook’s Cambridge Analytica scandal.

This scandal shows us all that user privacy is not above business interests, and that the users are the last to know – hearing it from the media first and then waiting for an official statement. It is especially painful after Google’s public assurances that they would take better care of user data. Their spokesperson has said that there is no way to determine which users might’ve been harmed or whether they’ve sustained any damage, even though there’s also no way to be sure no damage has been done. Our job here is to state the obvious – Google has unilaterally decided that its users are not interested in knowing about this bug. After all, Google even has the actual number of apps which might have accessed private information. But who’s going to undertake a massive investigation to check all these companies (some of which are most likely closed) to discover clear evidence of misuse? Apparently, it won’t be Google, which has no auditing rights over those app developers.

Internal lawyers determined that Alphabet Inc’s Google didn’t have to disclose the incident. This was followed by a decision not to inform the users because the information Google had would not have any actionable benefit to the users. There was also a belief that their CEO Sundar Pichai would probably have been forced to testify before Congress. And had this incident been found three months later, when the European GDPR kicked in, Google would have been required to notify users within three days and pay a fine of 2% of total revenue. Close call, eh, Google?

After three months, Google finally addresses the issue to its users

After the initial decision to keep silent about the bug, Google sent an email with an official statement and instructions to its users on January 3, 2019. That is almost three months after the initial report about the issue. If you haven’t received this email, it means that your data probably hasn’t been compromised. If you did, just follow the instructions to make sure you’ve done everything you can to protect your privacy. In any case, here are some tips from us on how to remove your personal data from Google.

Even though such an email looks tragicomic, it serves as a reminder to everyone that blindly trusting the tech giants is not the best idea. After all, compromised personal data can be collected and sold to third parties, which will find a way to make use of it. We wouldn’t be surprised if some of Google+’s data had helped the hackers behind possibly the largest data leak in German history.

Seven years of Google+


A child of Vic Gundotra and Bradley Horowitz, Google+ was born in 2011 but showed weak signs of life from the start. Some might even call it a lack of will to live.

In 2012, its monthly usage time was as long as a mainstream radio song, while Facebook users would spend a full workday, skipping lunch. In 2013, the engagement more than doubled, ‘skyrocketing’ to 7 minutes of a user’s attention span, with engagement data from Facebook too obscene to put on a PG-rated website like VPNpro.com.

Despite numerous methods used to try bringing Google+ back to life (one of which was adding every Gmail user to the Google+ list), the child never stood on its feet. Gradually it became less of a social network and more like your personal account profile.

2013 was marked by one of the biggest failures of its creators – they decided to allow posting YouTube comments from your Google+ profile only, which at the time required your real first name and surname. This restriction was lifted the following year. In addition, there was no way to reply to old, pre-Google+ comments.

In 2015, the situation got better for YouTube, with the comments no longer requiring a Google+ profile. But it got worse for Google+, as it continued disintegrating, launching Google Photos and Google Hangouts as two standalone products for photos and communication, no longer requiring a profile on this quasi-social pseudo-network.

What will happen to Google and Google+ now?


For better or for worse, Google+’s death throes, accompanied by a subdued wailing, were set to continue until August 2019. During the period of this middle-ground between Life and Death, users were to be offered to back up their data, most of which was probably last modified well before Barack Obama was re-elected.

But the process accelerated after the December 10 news about a second bug. This one affected 52.5 million users whose profiles could be read by developers even if set as private. This window of opportunity opened in November and closed after six days, making users’ names, email addresses, occupations and ages visible; it’s hard to determine the actual effect it might have had.

Following the announcement, the shutdown date was brought forward to April 2019. Access to all APIs will be closed in less than 90 days.

When it comes to politics, a one-party government is not the favored type. Killing off Google+ officially means serious attempts to establish an opposition to Facebook have failed. And with Facebook owning 4 out of 5 most popular social media apps, it’s hard to think we will see a challenger anytime soon. Even a synthesis of Snapchat and Twitter could not possibly fill these shoes that only Google could have, with its immense advantage of already having billions of users. The best case scenario is that it stays solid in the B2B segment, providing a means of communication for businesses who use Gmail on a daily basis and want to expand their options with Google+’s functionality. And with it comes the hope of being informed about future privacy issues – even potential ones.

The US government hasn’t missed this scandal. On Tuesday, two US states said they are already investigating this case. EU data protection authorities will have no jurisdiction, as the issue originated before GDPR took effect. Therefore, chances are we’re closing the book on Google+ but turning another page in Google’s well-documented story of privacy issues.
