Google took 7 months to publicly report exposure of 500,000 Google+ users’ data: is now also restricting Gmail APIs after audit of third-party API access
Google said today it was shutting down the consumer version of its Google+ social network – citing a bug that exposed the personal profiles of up to 500,000 users, with the API at fault used by 438 applications – and ramping up security assessments for the consumer Gmail API to limit the apps that can access consumer Gmail data.
A root and branch data privacy audit dubbed “Project Strobe” by the company is resulting in four actions, of which the first is the closure of Google+.
Ben Smith, Google VP of Engineering, said: “This review crystallized what we’ve known for a while: that while our engineering teams have put a lot of effort and dedication into building Google+ over the years, it has not achieved broad consumer or developer adoption, and has seen limited user interaction with apps.”
He added: “The consumer version of Google+ currently has low usage and engagement: 90 percent of Google+ user sessions are less than five seconds.”
Google+ Closed: API Bug Blamed for Data Exposure
Most alarmingly was the news that that the review (of third-party developer access to Google account and Android device data and of Google’s”philosophy around apps’ data access”) had in March this year found a bug in the People API that exposed the “static, optional Google+ Profile fields” including name, date of birth, email address, relationship status, places lived, biography and more of up to half a million people.
Google said it had no evidence that the bug had been abused. It has taken seven months to publicly disclose the issue. Under the European Union’s GDPR, if personal data is breached, a company needs to inform a supervisory authority within 72 hours.
The Wall Street Journal claimed, citing unnamed sources and internal documents, that Google had opted not to disclose the issue with its API after finding the issue in March 2018, owing to concerns over regulatory scrutiny and reputational risk.
Gmail Security Audit
The company also tightened control over API access to Gmail user data, updating its User Data Policy for the consumer Gmail API to limit the apps that can seek permission to access consumer Gmail data and saying it has “clarified that human review of email data must be strictly limited.”
“Only apps directly enhancing email functionality—such as email clients, email backup services and productivity services (e.g., CRM and mail merge services)—will be authorized to access this data. Moreover, these apps will need to agree to new rules on handling Gmail data and will be subject to security assessments,” Smith wrote.
The new policies, focused on Gmail APIs, which will go into effect January 9, 2019.