Google+ killed off following revelation of undisclosed security bug
The internet giant has announced that it will be shutting down Google Plus (stylised as Google+), following a Wall Street Journal report revealing that the company covered up a security breach which potentially exposed the data of half a million users.
Google+ is the company’s most recent attempt at building a social network, having been launched in 2011 as a competitor to Facebook.
The social network was integrated with YouTube and other Google services. Unlike Facebook, Google+ allowed users to post content to separate groups, allowing them to silo off personal content from professional contacts. Although the social network attracted an initial bout of interest, user engagement has been consistently low since then.
Now, the company has announced that Google+ will be shut down for consumers by August 2019, allowing users the opportunity to download their data before the service permanently goes offline. The company states that it made the decision following a security review and due to low user engagement (with 90 per cent of user sessions lasting less than five seconds).
The announcement was made following the publication of a report in The Wall Street Journal which revealed that a software error could have exposed the data of 500,000 users through access to Google+ APIs. The flaw could have allowed up to 438 third-party developers to access personal information belonging to Google+ users, including age, gender and email address.
This vulnerability had been found and patched in March 2018 during a security review focused on third-party developer access to Google data. However, Google did not disclose the vulnerability.
According to a Google blog post written by Ben Smith, VP for Engineering at Google, the company decided not to disclose the vulnerability after reviewing the data at risk, finding no evidence that any third party had gained access to the user information and concluding that it would be difficult to identify the affected users.
According to the anonymous sources speaking to The Wall Street Journal, a memo had been circulated among senior Google staff warning that disclosing the vulnerability could cause trouble for the company. Consequences could include embarrassment, a requirement for CEO Sundar Pichai to testify before Congress (he had previously declined to testify about foreign manipulation via internet services) and the possibility of new regulations.
Although in most parts of the world companies are not legally required to tell customers about a security issue once it has been identified and patched, doing so is widely considered responsible practice. The General Data Protection Regulation – introduced across the EU in May – does require companies to notify regulators of security vulnerabilities within 72 hours.
According to Etienne Greeff, co-founder and CTO of SecureData, the incident is a “textbook example of the unintended consequences of regulation”, in which businesses hide vulnerabilities in order to avoid public embarrassment.
“Google didn’t come clean on the compromise, because they were worried about regulatory consequences. While the tech giant went beyond its legal requirement in determining whether to provide notice, it appears that regulation like GDPR is not enough of a deterrent for companies to take the safety of customer data seriously. And so this type of event keeps on happening,” she said.
“Currently, business seems to care far more about covering its own back than the compromise of customer data. It’s a fine line to walk.”