Google is going to shut down the consumer version of Google+ over the next 10 months, the company writes in a blog post.
The decision follows the revelation of a previously undisclosed security flaw, remedied in March 2018, that exposed users’ profile data.
In a blog post about the shutdown, Google disclosed the data leak, which it said potentially affected up to 500,000 accounts. Up to 438 different third-party applications may have had access to private information due to the bug, but Google apparently has no way of knowing whether they did because it only maintains logs of API use for two weeks.
“We found no evidence that any developer was aware of this bug or abusing the API, and we found no evidence that any profile data was misused,” Ben Smith, the vice-president of engineering, wrote in the blog post.
Smith defended the decision not to disclose the leak:
“Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice. None of the thresholds for public disclosure was met,” Smith said.
This March, as Facebook was coming under global scrutiny over the harvesting of personal data for Cambridge Analytica, Google discovered a skeleton in its own closet: a bug in the API for Google+ had been allowing third-party app developers to access the data not just of users who had granted permission, but of their friends.
Google says Google+ currently has “low usage and engagement” and that 90 percent of Google+ user sessions last less than five seconds. Still, the company plans to keep the service alive for enterprise customers who use it to facilitate conversation among co-workers. New features will be rolled out for that use case.
In addition, the company announced new privacy adjustments for other Google services. API changes will limit developers’ access to data on Android devices and Gmail. Developers will no longer receive call log and SMS permissions on Android devices, and contact interaction data won’t be available through the Android Contacts API. That same API also provided basic interaction data, like who you last messaged, and that permission is also being revoked.
As for the Gmail changes, the company is updating its User Data Policy for the consumer version of the email service. This will limit apps and the scope of their access to user data.
“Only apps directly enhancing email functionality — such as email clients, email backup services and productivity services will be authorized to access this data,” said Ben Smith, Google fellow and VP of engineering.
Any developer who has this access will have to undergo security assessments and agree to new rules about data handling, like not transferring or selling user data for targeting ads, market research, email campaign tracking, or other unrelated purposes.
There is no federal law that obliges Google to disclose data leaks, but there are laws at a state level. In California, where Google is headquartered, companies are only required to disclose a data leak if it includes both an individual’s name and their Social Security number, ID card or driver’s license number, license plate, medical information or health insurance information.
Google also announced a series of reforms to its privacy policies designed to give users more control over the amount of data they share with third-party app developers.