Google+ has long been the butt of many jokes as a failed social network that refuses to die, but according to a new report from The Wall Street Journal and then an official response from Google itself, it looks like it's been home to a serious security vulnerability for three years that Google chose to not disclose to the public.
Per WSJ, a "software glitch" allowed user data to be potentially exposed to unwanted eyes from 2015 all the way through March 2018 when Google learned about it.
A memo reviewed by the Journal prepared by Google's legal and policy staff and shared with senior executives warned that disclosing the incident would likely trigger "immediate regulatory interest" and invite comparisons to Facebook's leak of user information to data firm Cambridge Analytica. Chief Executive Sundar Pichai was briefed on the plan not to notify users after an internal committee had reached that decision, the people said.
In other words, Google learned about the three-year-long vulnerability and chose not to say anything out of fear that it'd be bad PR.
As for what info was exposed, it's reported that "full names, email address, birth dates, gender, profile photos, placed lived, occupation, and relationship status" were all up for grabs. Info that was not exposed includes email messages, Google+ timeline posts, direct messages with other users, phone numbers and "any other type of communication data."
Shortly after this report was published, Google released its full response outlining how it plans on covering its butt and keep data safe under an initiative called "Project Strobe." The first move? Shut down Google+ for consumers. Per Google:
This review crystallized what we've known for a while: that while our engineering teams have put a lot of effort and dedication into building Google+ over the years, it has not achieved broad consumer or developer adoption, and has seen limited user interaction with apps. The consumer version of Google+ currently has low usage and engagement: 90 percent of Google+ user sessions are less than five seconds.
To make the closure of the service as seamless as possible, Google says it'll implement a "wind-down" period over the next 10 months with the goal to have everyone off Google+ and officially pull the plug by the end of August 2019. While Google+ will no longer be a consumer product, new features will be coming soon to turn it into an enterprise-focused platform.
Along with this, Google will also force app developers to provide more detailed explanations of what it intends to do with your Google Account if it's requesting access to it. Instead of seeing a single screen asking for permission to use your Google account, you'll now see individual pop-up boxes for each item an app is requesting access to with an explanation of what's being requested.
Lastly, Google says it'll be limiting access to its Gmail APIs and be stricter about what apps in the Play Store can access call logs and SMS permissions on Android devices. This should translate to only your default phone and texting apps having access to your call and SMS data.
Google ended its explanation of Project Strobe with the following:
Our goal is to support a wide range of useful apps, while ensuring that everyone is confident that their data is secure. By giving developers more explicit rules of the road, and helping users control your data, we can ensure that we keep doing just that.
Google just dodged a £4.4 billion lawsuit in the United Kingdom