Google announced it would shut down its social network Google+ yesterday after revealing that it had given outside developers access to private data. At least that’s how the media is describing it. Google’s own statement just buries the news amid a whole bunch of other announcements, like a radioactive pellet in a big bag of trash.
Here’s the lede (and I do mean lede, not lead) from the story about Google+ in the Wall Street Journal, titled “Google Exposed User Data, Feared Repercussions of Disclosing to Public”:
Google exposed the private data of hundreds of thousands of users of the Google+ social network and then opted not to disclose the issue this past spring, in part because of fears that doing so would draw regulatory scrutiny and cause reputational damage, according to people briefed on the incident and documents reviewed by The Wall Street Journal.
As part of its response to the incident, the Alphabet Inc. unit on Monday announced a sweeping set of data privacy measures that include permanently shutting down all consumer functionality of Google+. The move effectively puts the final nail in the coffin of a product that was launched in 2011 to challenge Facebook Inc. and is widely seen as one of Google’s biggest failures.
But Google execs must live in an alternate universe where exposing user data is no big deal. Here’s the statement on their site. I know this is confusing, but yes, this is the right title and the right post — the only one in which they announce the problem.
Project Strobe: Protecting your data, improving our third-party APIs, and sunsetting consumer Google+
Ben Smith, Google Fellow and Vice President of Engineering
Many third-party apps, services and websites build on top of our various services to improve everyone’s phones, working life, and online experience. We strongly support this active ecosystem. But increasingly, its success depends on users knowing that their data is secure, and on developers having clear rules of the road.
Over the years we’ve continually strengthened our controls and policies in response to regular internal reviews, user feedback and evolving expectations about data privacy and security.
At the beginning of this year, we started an effort called Project Strobe—a root-and-branch review of third-party developer access to Google account and Android device data and of our philosophy around apps’ data access. This project looked at the operation of our privacy controls, platforms where users were not engaging with our APIs because of concerns around data privacy, areas where developers may have been granted overly broad access, and other areas in which our policies should be tightened.
We’re announcing the first four findings and actions from this review today.
Finding 1: There are significant challenges in creating and maintaining a successful Google+ product that meets consumers’ expectations.
Action 1: We are shutting down Google+ for consumers.
Over the years we’ve received feedback that people want to better understand how to control the data they choose to share with apps on Google+. So as part of Project Strobe, one of our first priorities was to closely review all the APIs associated with Google+.
This review crystallized what we’ve known for a while: that while our engineering teams have put a lot of effort and dedication into building Google+ over the years, it has not achieved broad consumer or developer adoption, and has seen limited user interaction with apps. The consumer version of Google+ currently has low usage and engagement: 90 percent of Google+ user sessions are less than five seconds.
Our review showed that our Google+ APIs, and the associated controls for consumers, are challenging to develop and maintain. Underlining this, as part of our Project Strobe audit, we discovered a bug in one of the Google+ People APIs:
- Users can grant access to their Profile data, and the public Profile information of their friends, to Google+ apps, via the API.
- The bug meant that apps also had access to Profile fields that were shared with the user, but not marked as public.
- This data is limited to static, optional Google+ Profile fields including name, email address, occupation, gender and age. (See the full list on our developer site.) It does not include any other data you may have posted or connected to Google+ or any other service, like Google+ posts, messages, Google account data, phone numbers or G Suite content.
- We discovered and immediately patched this bug in March 2018. We believe it occurred after launch as a result of the API’s interaction with a subsequent Google+ code change.
- We made Google+ with privacy in mind and therefore keep this API’s log data for only two weeks. That means we cannot confirm which users were impacted by this bug. However, we ran a detailed analysis over the two weeks prior to patching the bug, and from that analysis, the Profiles of up to 500,000 Google+ accounts were potentially affected. Our analysis showed that up to 438 applications may have used this API.
- We found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any Profile data was misused.
Every year, we send millions of notifications to users about privacy and security bugs and issues. Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice.
Our Privacy & Data Protection Office reviewed this issue, looking at the type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response. None of these thresholds were met in this instance.
The review did highlight the significant challenges in creating and maintaining a successful Google+ that meets consumers’ expectations. Given these challenges and the very low usage of the consumer version of Google+, we decided to sunset the consumer version of Google+.
To give people a full opportunity to transition, we will implement this wind-down over a 10-month period, slated for completion by the end of next August. Over the coming months, we will provide consumers with additional information, including ways they can download and migrate their data.
At the same time, we have many enterprise customers who are finding great value in using Google+ within their companies. Our review showed that Google+ is better suited as an enterprise product where co-workers can engage in internal discussions on a secure corporate social network. Enterprise customers can set common access rules, and use central controls, for their entire organization. We’ve decided to focus on our enterprise efforts and will be launching new features purpose-built for businesses. We will share more information in the coming days.
(This post continues with three other points that have nothing to do with the security vulnerability.)
This not only buries the lede, but pretends it’s no big deal
You have nothing to worry about. Here’s how I know. If you did, Google would have made a bigger deal about this, rather than burying the lede about Google+ privacy flaws. Instead, here’s how Google signals that, unlike the Wall Street Journal and every other news organization, it considers shutting down its social network after identifying a security flaw to be no big deal:
- The news item is buried on its company news page, well below “A tribute to teachers” and “Ignite innovation with workplace rituals.”
- The title mentions Google+ last, and purports to be about “protecting your data” and “Project Strobe,” which no one outside of security geeks cares about.
- The byline is from the VP of Engineering, rather than Google CEO Sundar Pichai.
- The lede is “Many third-party apps, services and websites build on top of our various services to improve everyone’s phones, working life, and online experience. We strongly support this active ecosystem. But increasingly, its success depends on users knowing that their data is secure, and on developers having clear rules of the road.” Versus, say “We gave developers access to your data.”
- There is no apology anywhere in the post. Instead, we learn why no apology was needed. “Our Privacy & Data Protection Office reviewed this issue, looking at the type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response. None of these thresholds were met in this instance.”
- Despite the fact that Google learned of the problem in March, this is the first public statement about it.
- We do learn that 500,000 profiles “were affected” and 438 applications had access to the data.
- The only items in bold are intended to defend Google, by noting that only certain types of data were exposed, and there is no evidence of a breach (as opposed to evidence that there was no breach).
It’s all about the angle
Google’s management has our best interests at heart. That means we’re supposed to trust them.
This complete assertion is written with a tone of “We are technologists and we make technology decisions. This is just one of them.” Versus, say, “We are the stewards of your data and we made a mistake taking care of that data, and we’re sorry about that.”
Even if this is a small problem, Google should have led with that and described how, not buried this defense of its behavior in the middle of an otherwise unremarkable statement deep in a list of items on its site.
No big deal. Except, of course, that it was a big enough deal that Google is completely shutting down Google+ after identifying the problem.
This is a moment when the arrogance of big tech companies is creating a backlash. Google’s PR staff was asleep at the switch here, and its executive management is behaving cluelessly. This is a big mistake.
The playbook is “trust us,” “deny, deny, deny,” “it’s no big deal,” “we fixed it,” and “everything is fine, move along.”
That’s what we expect from the worst of our legislators. Technology leaders need to do better.