Google uses bad news to bury its social media site
Providing a connected social experience while protecting privacy is something of a tightrope walk for social media providers.
In October, Google revealed that they slipped off the rope by putting the privately protected data of 500,000 members of its Google+ user base at risk over a three year period due to an API bug.
As part of the same announcement, the tech giant said it would be winding up the commercial version of its Google+ social network.
What happened and how?
The personal information exposed included users' names, email addresses, occupations, genders and dates of birth.
The issue was due to a bug in a Google People API which, following a Google+ code update, was able to read some optional, static, non-public fields on user profiles.
Due to the erasure of API log data (Google only keeps two weeks' worth for privacy reasons), the exact exposure is impossible to nail down. However, up to 438 applications may have used the API and up to 500,000 accounts could have been accessed.
How the story broke
The story made the headlines on the morning of October 8th with a hard-hitting headline in the Washington Street Journal. The headline bluntly stated, 'Google Exposed User Data. Feared Repercussions of Disclosure to Public.'
In response (according to 'The Verge'), Google immediately made that disclosure with an understandably softer, more positive angle. Their headline read, 'Project Strobe: Protecting your Data; Improving our Third Party APIs and Sunsetting Google+.'
To their credit, Google did identify and deal with the bug themselves and the reason they gave for not telling its users was that it failed to meet any of its three thresholds for user notification. The affected users could not readily be identified, the bug had not been exploited and there were no actions that users or developers could take to solve the issue.
This process, taken on face value, appears to give Google the high ground over Facebook who failed to notice when Cambridge Analytica accessed their users' private data. That breach only came to light following a media investigation and a Cambridge Analytica whistleblower.
However, the Google bug was three years old when they claim they unearthed and removed it so Google were arguably just luckier than Facebook. Had the bug been abused by a rogue third party developer, would Google have come clean about it?
The Wall Street Journal claimed that Google hid their initial discovery due to fears that the regulators would lump them together with Facebook, exposing them to similar legal action and damage to their reputation.
Certainly, the timing of the discovery of the Google+ bug is a point of interest: March 2018, the same month that the Guardian, Observer and New York Times broke the news of the Facebook breach.
The billions of dollars wiped off Facebook's shares in the aftermath of the public outcry make Google's silence even more understandable. Whether it was justifiable is another matter.
What now for Google +
In truth, Google + has often been a running joke among social media users, treated as the poor cousin of Facebook, Twitter and the rest. As a result, this near-disaster looks to have provided the final nail in the G+ coffin.
With fewer than 400 million regular users, 90% of sessions lasting less than five seconds and associated APIs difficult to develop and maintain, the risk v benefit equation seems to have made Google+ unviable. Ironically, the lack of popularity of Google+ rather than effective policing is likely to have saved Google from the same fate as Facebook.
The phase out of Google+ is scheduled to take place over ten months, concluding in August 2019. However, Google will continue to develop the platform as an enterprise product.