Google Exposed User Data, Feared Repercussions of Disclosing to Public


From The Wall Street Journal:

Google exposed the private data of hundreds of thousands of users of the Google+ social network and then opted not to disclose the issue this past spring, in part because of fears that doing so would draw regulatory scrutiny and cause reputational damage, according to people briefed on the incident and documents reviewed by The Wall Street Journal.

As part of its response to the incident, the Alphabet Inc. unit plans to announce a sweeping set of data privacy measures that include permanently shutting down all consumer functionality of Google+, the people said. The move effectively puts the final nail in the coffin of a product that was launched in 2011 to challenge Facebook Inc. and is widely seen as one of Google’s biggest failures.

A software glitch in the social site gave outside developers potential access to private Google+ profile data between 2015 and March 2018, when internal investigators discovered and fixed the issue, according to the documents and people briefed on the incident. A memo reviewed by the Journal prepared by Google’s legal and policy staff and shared with senior executives warned that disclosing the incident would likely trigger “immediate regulatory interest” and invite comparisons to Facebook’s leak of user information to data firm Cambridge Analytica.

. . . .

Chief Executive Sundar Pichai was briefed on the plan not to notify users after an internal committee had reached that decision, the people said.

The planned closure of Google+ is part of a broader review of privacy practices by Google that has determined the company needs tighter controls on several major products, the people said.

. . . .

The episode involving Google+, which hasn’t been previously reported, shows the company’s concerted efforts to avoid public scrutiny of how it handles user information, particularly at a time when regulators and consumer privacy groups are leading a charge to hold tech giants accountable for the vast power they wield over the personal data of billions of people.

The snafu threatens to give Google a black eye on privacy after public assurances that it was less susceptible to data gaffes like those that have befallen Facebook. It may also complicate Google’s attempts to stave off unfavorable regulation in Washington. Mr. Pichai recently agreed to testify before Congress in the coming weeks.

“Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice,” a Google spokesman said in a statement.

In weighing whether to disclose the incident, the company considered “whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response,” he said. “None of these thresholds were met here.”

The internal memo from legal and policy staff says the company has no evidence that any outside developers misused the data but acknowledges it has no way of knowing for sure.

. . . .

In the announcement expected on Monday, Google plans to clamp down on the data it provides outside developers through APIs, two people briefed on the matter said. The company will stop letting most outside developers gain access to SMS messaging data, call log data and some forms of contact data on Android phones, and Gmail will only permit a small number of developers to continue building add-ons for the email service, the people said.

Google faced pressure to rein in developer access to Gmail earlier this year, after a Wall Street Journal examination found that developers commonly use free email apps to hook users into giving up access to their inboxes without clearly stating what data they collect. In some cases, employees at these app companies have read people’s actual emails to improve their software algorithms.

. . . .

In March of this year, Google discovered that Google+ also permitted developers to retrieve the data of some users who never intended to share it publicly, according to the memo and two people briefed on the matter. Because of a bug in the API, developers could collect the profile data of their users’ friends even if that data was explicitly marked nonpublic in Google’s privacy settings, the people said.

During a two-week period in late March, Google ran tests to determine the impact of the bug, one of the people said. It found 496,951 users who had shared private profile data with a friend could have had that data accessed by an outside developer, the person said. Some of the individuals whose data was exposed to potential misuse included paying users of G Suite, a set of productivity tools including Google Docs and Drive, the person said. G Suite customers include businesses, schools and governments.

. . . .

The bug existed since 2015, and it is unclear whether a larger number of users may have been affected over that time.

Google believes up to 438 applications had access to the unauthorized Google+ data, the people said. Strobe investigators, after testing some of the apps and checking to see if any of the developers had previous complaints against them, determined none of the developers looked suspicious, the people said. The company’s ability to determine what was done with the data was limited because the company doesn’t have “audit rights” over its developers, the memo said. The company didn’t call or visit with any of the developers, the people said.

The question of whether to notify users went before Google’s Privacy and Data Protection Office, a council of top product executives who oversee key decisions relating to privacy, the people said.

Internal lawyers advised that Google wasn’t legally required to disclose the incident to the public, the people said. Because the company didn’t know what developers may have what data, the group also didn’t believe notifying users would give any actionable benefit to the end users, the people said.

The memo from legal and policy staff wasn’t a factor in the decision, said a person familiar with the process, but reflected internal disagreements over how to handle the matter.

The document shows Google officials knew that disclosure could have serious ramifications. Revealing the incident would likely result “in us coming into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal,” the memo said. It “almost guarantees Sundar will testify before Congress.”

. . . .

Google could also face class action lawsuits over its decision not to disclose the incident, Mr. Saikali said. “The story here that the plaintiffs will tell is that Google knew something here and hid it. That by itself is enough to make the lawyers salivate,” he said.

Link to the rest at The Wall Street Journal

PG notes that Google removed its well-known motto, “Don’t be evil,” from its Code of Conduct earlier this year.

Given all the negative publicity originating in large tech firms in recent months, PG wonders if, as a group, tech startups are more reliable than the established tech giants. He also notes that, when the code underlying a product or service becomes sufficiently complex, it becomes more and more difficult to locate and identify flaws in that code.

31 thoughts on “Google Exposed User Data, Feared Repercussions of Disclosing to Public”

  1. Gotta say a security breach at Google+ is a lot of fuss over nothing. I browsed Google+ not that long ago and it’s a ghost town.

    The cover-up. That’s another story. Just shows how trustworthy google isn’t.

  2. woah.

    “…whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response…”

    so, we don’t know who it affected and we weren’t sure what to do about it. …so we did nothing.

    that meets the legal requirements??

    • “that meets the legal requirements??”

      Well, let’s compare.

      Bookface tracks even non-members all over the place and lies to congress about it, Softmicro’s Ver .10 collects your every keystroke and randomly removes programs/data/settings on updates, most ISPs are sniffing your packets to better serve up ads and throttle anything competing with them …

      All in all this seems par for the course.

      Oh, and this was published just today:

      https://www.blog.google/technology/safety-security/project-strobe/

      “Finding 1: There are significant challenges in creating and maintaining a successful Google+ product that meets consumers’ expectations.

      Action 1: We are shutting down Google+ for consumers.”

      So the problem is solved – right? 😉

      • while I agree collecting my data without permissions is par for the course (unfortunately), if you have a data breach, you have to […should have to…] let the customer base know.

        When does it not give your company a black eye?

        but yet companies do let their customers know when it happens. There are hopefully consequences for withholding this information.

        • When does it not give your company a black eye?

          When it is successfully kept secret.

          And customers? If I don’t pay the provider, I’m not a customer.

      • You pay for your cell phone plan and your internet, and that doesn’t stop them from tracking your information and selling it. You pay for the stuff you buy in Walmart and Home Depot and that doesn’t stop them from tracking your purchases and your movement through the store. You paid an ATM fee when withdrawing money from your bank account in Vegas and that didn’t stop the ATM company from selling your information to the casino.

        (OK, maybe FTJ didn’t do the last. But ATMs were selling transaction histories of customers to the casinos 15 years ago.)

        Paying for the service doesn’t protect the consumer from tracking, from data being sold, and data being compromised.

        • But it stops *Google* from scanning my mail.
          Their betaware has never been enticing enough for their “free” offers to draw me in.
          Most everybody else with access to my data owes me a minimum level of service.

          As for ATMs, I actually don’t use them.
          The credit union has offices right in the cafeteria building. 🙂

  3. Gawd. This comes on the heels of finding out that Chrome scans files on users’ computers for ‘malware’. Without so much as a ‘by your leave’. Given that most people who make it into triple digits have their own anti-virus software, bought and paid for, where does Google get off invading someone’s computer files? So what if they’re looking for malware that might affect the browser?
    More and more, any semblance of choice is being whittled away by tech companies that are too big to fail.

    • Neither Google nor Facebook are too big to fail.

      Facebook is a one trick pony and Google isn’t much better. And both are way too dependent on ads.

      Even Apple relies too much on iPhone. The day could come that they regret backburning the Macs.

      Single product companies are vulnerable to the vagaries of the market so the best run companies try to develop multiple major revenue streams. Getting 80% of your money from one product is not healthy.

      Check this out:

      https://www.zdnet.com/article/google-microsoft-apple-where-does-the-money-come-from/

      • Interesting numbers, especially the ones for Microsoft. I had no idea it had diversified so thoroughly. Not my favourite company but certainly healthier than Google.

        • It’s probably the healthiest of the big tech companies. It doesn’t have as much cash in its stash as Apple, but it’s a plenty big one and its biggest cash flow is coming from the biggest growth area in Tech: cloud computing.

          And its bets on super-premium hardware, things like Hololens and Surface Hub, are opening entirely new revenue streams. The near term is bright and their mid-range future looks both stable and solid.

          With so many people writing them off as old and dying, they have been flying under the radar of the naysayers. Which suits Nadella just fine. He’s a low key kind of leader anyway. They chose wisely with him.

          • Must admit I was rather impressed with the Hololens myself. Would love to own one. -cough- I guess Microsoft has become like IBM, quiet but powerful.

    • where does Google get off invading someone’s computer files?

      When they started Gmail, they made it very clear they read the emails to generate ads. I definitely made an informed choice.

      Same with the Chrome book. I knew how they operated, scanned for virus, did auto-updates, etc. I chose it because I wanted a throw-away machine that I didn’t have to maintain.

      The Acer Chromebook looks like it has been run over by a truck, but keeps going and going, and there have never been a single software problem.

      It’s a choice.

      • It may have been a choice for you, but it certainly wasn’t for me, and I assume, millions of other people like me.

        I didn’t know and would never have touched gmail if I had.

        Now that I do know, I’ve deleted the worst of the offenders. For the rest, I do make a choice, but it’s still an angry one.

        • Were you online a lot in 2004?

          From the WP last year:

          “A brief report in The Washington Post announcing the arrival of Gmail touted the fact that it would come with a whopping 1 gigabyte of free storage, “more than 100 times what some popular rivals offer.” (Gmail now offers 15 GB, and Yahoo offers 1 terabyte.) But the caveat that still creeps many people out to this day was that “to finance the service, Google will display advertising links tied to the topics discussed within the e-mails.”

          From two days after Gmail was introduced:

          https://www.theregister.co.uk/2004/04/03/google_mail_is_evil_privacy/

          “Google’s Gmail privacy policy points out that your email will be retained even after you close your account –

          “The contents of your Gmail account also are stored and maintained on Google servers in order to provide the service. Indeed, residual copies of email may remain on our systems, even after you have deleted them from your mailbox or after the termination of your account.”

          So deleting your messages achieves very little.

          If you run an online search (Bing? 😉 ) for “google gmail 2004 reads emails” you’ll find a continuing stream of articles like this, from 2004 onwards, like clockwork. 2012, 2014, 2017, and the biggest mess this year.

          THIRTY-ONE PRIVACY AND CIVIL LIBERTIES ORGANIZATIONS URGE GOOGLE TO SUSPEND GMAIL

          “San Diego, CA, April 6, 2004 (Updated April 19) — The World Privacy Forum and 30 other privacy and civil liberties organizations have written a letter [inserted below] calling upon Google to suspend its Gmail service until the privacy issues are adequately addressed. The letter also calls upon Google to clarify its written information policies regarding data retention and data sharing among its business units.

          The 31 organizations are voicing their concerns about Google’s plan to scan the text of all incoming messages for the purposes of ad placement, noting that the scanning of confidential email for inserting third party ad content violates the implicit trust of an email service provider. The scanning creates lower expectations of privacy in the email medium and may establish dangerous precedents.

          Other concerns include the unlimited period for data retention that Google’s current policies allow, and the potential for unintended secondary uses of the information Gmail will collect and store. ”

          It has long been a bone of contention that Google just ignored because Ads are their main source of revenue. Their betaware brings in very little profit and Android is mostly a feeder to the ad business. They do make decent enough money in cloud hosting but even there they are also-rans behind Amazon and Microsoft, just hanging with the second tier pack of IBM, ORACLE, Salesforce.com, etc.

          There’s a reason the saying endures that “if you’re not the paying customer, you’re the product.”

          “Tanstaafl!”

          • lol – Yes I was online in 2004 but no, I wasn’t interested in all that ‘stuff’. I had my own website and used the emails associated with that website. I only knew Google as the search engine. When I did, finally, get a Gmail account in tandem with my proper email address, it was mostly just a place where I could direct ‘junk’.

            In short, I knew nothing at all about Google’s reputation. In fact, it was not until just after the Cambridge Analytica debacle that I started looking into the whole privacy issue.

            I guess I have the angry fervour of the newly betrayed.

            Btw, that saying is no longer relevant because we’re now tracked, invaded and used as a product even when we do pay for the product. That is the ultimate insult.

            • I caught on to Google’s schemes early because they started talking about how ad-supported would replace paid software.
              Except their ad-supported software was buggy, incomplete, and worth little. Yet they were raking the money by the boatload. Got me wondering.

              So I did a little research and quickly saw what their game is. I use their stuff as little as possible and nothing important runs through their ecosystem.

              • I tried to get rid of everything Google, including the GPS on my Android phone. Discovered that my fire warning app doesn’t work without the GPS. Duh. Can’t afford an iPhone so I’m stuck with Google on my phone.

                It’s very hard to get out of that ecosystem, which is why I get so angry. Buyer beware doesn’t work when the buyer has no other options. lol And no, living without a phone is not an option. 😉

                • That is what walled garden economics are all about.
                  Once you commit, you’re committed through thick and thin.
                  Locked in.
                  Getting an iPhone would only lock you into a different ecosystem. Same song, different verse.

                  The best you can do is limit your exposure.
                  And hope the owner of your ecosystem isn’t selling you out to other businesses. That is where Google, Twitter, and Facebook are different from Nintendo, Sony, Apple, Amazon, and Microsoft. The latter reserve your data for their own uses so they try to protect it as best they can. To them it is a competitive advantage rather than a product to market.

                  So yes, everybody collects data, but not everybody sells it.

  4. ‘..everybody collects data, but not everybody sells it’.

    I wonder if that’s because Nintendo, Sony, Apple, Amazon and Microsoft all have actual products to sell. The social media giants only have us, and what /we/ produce. No one acknowledges that we are giving them free content every time we log on. Without us, there’s just a lot of silent potential.

    • That is it exactly.

      For all the fuss over Apple and MS collecting data, what they are tracking is how their products are used and how they fail.
      The data goes into making the products better. And both are constantly fighting governments to keep user data secret.

      Amazon, of course, uses the data they collect to offer up stuff we might want and are castigated for keeping it secret.

      There’s no angels out there but not everybody is a devil. Some are just businesses making a buck more or less honestly.

      • I have respect for companies that actually create something. I even have a [very] grudging respect for Microsoft, but the others? Not devils, just leeches.

            • We all wish we could forget them but that’s what they want. It would make their scams easier.
              Sadly they’re not alone.
              Caveat emptor still applies.

              • No, they’re not. 🙁 Like hydra, expose one scam and they grow another, but I’m not sure caveat emptor applies. They come so close to breaking the law that I think I’d give the victims the benefit of the doubt.

                • I suspect it’s more than that. For most goods and services, we would say someone who buys a second time was satisfied the first time.

                  And that would say some folks might just be getting the product they want, and don’t care if we approve. Worse, they might not even care about me.

                  God Bless the free market, for it meets many needs.

  5. @ Terrence OBrien

    ‘..someone who buys a second time was satisfied the first time.’

    That’s not really comparing apples with apples. If I buy a shoe and the heel falls off after the first day, I /know/ what to expect, and I know I’ve been sold a shoddy product.

    Most of the people who get sucked in by these scam artists are so ignorant, they don’t even know the difference between a publisher, a self-publisher and a vanity press. They think it’s ‘normal’ to be charged such huge sums of money ‘to be published’.

    Blaming them for not knowing what we know is neither fair nor realistic. We all had to learn. Some of us were damn lucky to be mentored by those with more experience. For me it was Indies Unlimited. I assume someone helped you along too.

    I don’t think blaming the victim will stop Author Solutions and the other snake oil salesmen from preying on the ignorant.
