Google will shut down the consumer version of Google+, the social networking service it launched to compete with Facebook. The shutdown follows a security bug that had allowed third-party developers to access Google+ user profile data since 2015, but that the company detected only in March 2018. It was found that around 400 third-party applications may have gathered information on 500,000 users. The user data included full names, dates of birth, email addresses, cities or areas of residence, genders, marital status, occupational titles, places and dates of employment, profile photos and profile-page background photos. The apps were not at fault; instead, a poorly configured application programming interface (API) let them read more user information than they should have seen.
The Wall Street Journal was the first to report on the bug, and after the report Google announced the findings of its security audit team, known as Project Strobe. The company’s top executives justified covering up the data leak, and the delay in making the information public, by the fear of public and regulatory scrutiny. Google insists there is no “evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any Profile data was misused,” according to the blog post it published.
Europe’s General Data Protection Regulation (GDPR), enacted and applicable from May 2018, makes it mandatory for an organisation to report any breach of personal data within 72 hours. But since the Google+ security hole dates from 2015 and was discovered 2 months before GDPR, Google is likely to be spared a fine of 2% of global annual revenue for failure to disclose. Along with that, the company may face class-action lawsuits and public backlash.
In addition to shutting down Google+, Google has drafted policies to improve security:
- Limit the access it gives developers to user data on Gmail and Android devices. The essential impact of this will be that developers will no longer get call log and SMS permissions on Android devices.
- Instead of showing all required permissions on a single screen, apps will have to request each permission separately, so that users are better informed. This will help users limit the scope of the permissions they grant. For example, if a developer requests access to gallery and calendar entries, the user may give permission for only one request.
By- Tanishka Grover
Student Reporter INBA