
Google’s arrogance on display: burying the lede about its Google+ vulnerability and shutdown

Google announced it would shut down its social network Google+ yesterday after revealing that it had given outside developers access to private data. At least that’s how the media is describing it. Google’s own statement just buries the news amid a whole bunch of other announcements, like a radioactive pellet in a big bag of trash.

Here’s the lede (and I do mean lede, not lead) from the story about Google+ in the Wall Street Journal, titled “Google Exposed User Data, Feared Repercussions of Disclosing to Public”:

Google exposed the private data of hundreds of thousands of users of the Google+ social network and then opted not to disclose the issue this past spring, in part because of fears that doing so would draw regulatory scrutiny and cause reputational damage, according to people briefed on the incident and documents reviewed by The Wall Street Journal.

As part of its response to the incident, the Alphabet Inc. unit on Monday announced a sweeping set of data privacy measures that include permanently shutting down all consumer functionality of Google+. The move effectively puts the final nail in the coffin of a product that was launched in 2011 to challenge Facebook Inc. and is widely seen as one of Google’s biggest failures.

But Google execs must live in an alternate universe where exposing user data is no big deal. Here’s the statement on their site. I know this is confusing, but yes, this is the right title and the right post — the only one in which they announce the problem.

Project Strobe: Protecting your data, improving our third-party APIs, and sunsetting consumer Google+

Ben Smith, Google Fellow and Vice President of Engineering

Many third-party apps, services and websites build on top of our various services to improve everyone’s phones, working life, and online experience. We strongly support this active ecosystem. But increasingly, its success depends on users knowing that their data is secure, and on developers having clear rules of the road.

Over the years we’ve continually strengthened our controls and policies in response to regular internal reviews, user feedback and evolving expectations about data privacy and security.

At the beginning of this year, we started an effort called Project Strobe—a root-and-branch review of third-party developer access to Google account and Android device data and of our philosophy around apps’ data access. This project looked at the operation of our privacy controls, platforms where users were not engaging with our APIs because of concerns around data privacy, areas where developers may have been granted overly broad access, and other areas in which our policies should be tightened.

We’re announcing the first four findings and actions from this review today.

Finding 1: There are significant challenges in creating and maintaining a successful Google+ product that meets consumers’ expectations.

Action 1: We are shutting down Google+ for consumers.

Over the years we’ve received feedback that people want to better understand how to control the data they choose to share with apps on Google+. So as part of Project Strobe, one of our first priorities was to closely review all the APIs associated with Google+.

This review crystallized what we’ve known for a while: that while our engineering teams have put a lot of effort and dedication into building Google+ over the years, it has not achieved broad consumer or developer adoption, and has seen limited user interaction with apps. The consumer version of Google+ currently has low usage and engagement: 90 percent of Google+ user sessions are less than five seconds.

Our review showed that our Google+ APIs, and the associated controls for consumers, are challenging to develop and maintain. Underlining this, as part of our Project Strobe audit, we discovered a bug in one of the Google+ People APIs:

  • Users can grant access to their Profile data, and the public Profile information of their friends, to Google+ apps, via the API.
  • The bug meant that apps also had access to Profile fields that were shared with the user, but not marked as public.
  • This data is limited to static, optional Google+ Profile fields including name, email address, occupation, gender and age. (See the full list on our developer site.) It does not include any other data you may have posted or connected to Google+ or any other service, like Google+ posts, messages, Google account data, phone numbers or G Suite content.
  • We discovered and immediately patched this bug in March 2018. We believe it occurred after launch as a result of the API’s interaction with a subsequent Google+ code change.
  • We made Google+ with privacy in mind and therefore keep this API’s log data for only two weeks. That means we cannot confirm which users were impacted by this bug. However, we ran a detailed analysis over the two weeks prior to patching the bug, and from that analysis, the Profiles of up to 500,000 Google+ accounts were potentially affected. Our analysis showed that up to 438 applications may have used this API.
  • We found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any Profile data was misused.

Every year, we send millions of notifications to users about privacy and security bugs and issues. Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice.

Our Privacy & Data Protection Office reviewed this issue, looking at the type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response. None of these thresholds were met in this instance.

The review did highlight the significant challenges in creating and maintaining a successful Google+ that meets consumers’ expectations. Given these challenges and the very low usage of the consumer version of Google+, we decided to sunset the consumer version of Google+.

To give people a full opportunity to transition, we will implement this wind-down over a 10-month period, slated for completion by the end of next August. Over the coming months, we will provide consumers with additional information, including ways they can download and migrate their data.

At the same time, we have many enterprise customers who are finding great value in using Google+ within their companies. Our review showed that Google+ is better suited as an enterprise product where co-workers can engage in internal discussions on a secure corporate social network. Enterprise customers can set common access rules, and use central controls, for their entire organization. We’ve decided to focus on our enterprise efforts and will be launching new features purpose-built for businesses. We will share more information in the coming days.

(This post continues with three other points that have nothing to do with the security vulnerability.)

This not only buries the lede, but pretends it’s no big deal

You have nothing to worry about. Here’s how I know. If you did, Google would have made a bigger deal about this, rather than burying the lede about Google+ privacy flaws. Instead, here’s how Google signals that, unlike the Wall Street Journal and every other news organization, it considers shutting down its social network after identifying a security flaw to be no big deal:

  • The news item is buried on its company news page, well below “A tribute to teachers” and “Ignite innovation with workplace rituals.”
  • The title mentions Google+ last, and purports to be about “protecting your data” and “Project Strobe,” which nobody outside of security geeks cares about.
  • The byline is from the VP of Engineering, rather than Google CEO Sundar Pichai.
  • The lede is “Many third-party apps, services and websites build on top of our various services to improve everyone’s phones, working life, and online experience. We strongly support this active ecosystem. But increasingly, its success depends on users knowing that their data is secure, and on developers having clear rules of the road.” As opposed to, say “We gave developers access to your data.”
  • There is no apology anywhere in the post. Instead, we learn why no apology was needed. “Our Privacy & Data Protection Office reviewed this issue, looking at the type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response. None of these thresholds were met in this instance.”
  • Despite the fact that Google learned of the problem in March, this is the first public statement about it.
  • We do learn that 500,000 profiles “were affected” and 438 applications had access to the data.
  • The only items in bold are intended to defend Google, by noting that only certain types of data were exposed, and there is no evidence of a breach (as opposed to proof that there was no breach).

It’s all about the attitude

Google’s management has our best interests at heart. That means we’re supposed to trust them.

This entire statement is written with a tone of “We are technologists and we make technology decisions. This is just one of them.” As opposed to, say, “We are the stewards of your data and we made a mistake taking care of that data, and we’re sorry about that.”

Even if this is a small problem, Google should have led with that and described how, not buried this defense of its behavior in the middle of an otherwise unremarkable statement deep in a list of items on its site.

No big deal. Except, of course, that it was a big enough deal that Google is completely shutting down Google+ after identifying the problem.

This is a moment when the arrogance of big tech companies is creating a backlash. Google’s PR staff was asleep at the switch here, and its executive management is behaving cluelessly. This is a big mistake.

The playbook is “trust us,” “deny, deny, deny,” “it’s no big deal,” “we fixed it,” and “everything is fine, move along.”

That’s what we expect from the worst of our politicians. Technology leaders need to do better.


3 Comments

  1. Agree with your analysis.

    “That’s what we expect from the worst of our politicians. Technology leaders need to do better.” – They’re business people, at least at the senior levels where these decisions are made. This is common behavior for Google (especially outside The United States), too. They operate from the premise that they know what’s best (for us and for themselves), and they capitalize on data acquisition (not protection), known and unknown, authorized and unauthorized.

    I remain stunned at the number of private companies (and non-profits) who develop, maintain and store key documentation using Google tools and resources.

  2. Good piece — thank you for posting this, I’ll be sure to pass it along to my networks as well! Most people have no idea the depth and breadth of Google’s control over society!