After finding a security vulnerability in Google Plus that exposed sensitive personal data of almost 500,000 users, Google announced on Monday that it will shut down Google Plus, which it had started as an answer to Facebook’s giant social network.
Google’s blog post said that the security issue was first discovered in March, but the company’s “Privacy & Data Protection Office” decided that it was not legally bound to report it or share it with its users, since there was no indication that anyone had gained access to user information.
Given the relatively new rules in California and Europe that govern when a company is required to disclose a security episode, Google’s non-disclosure of the security issue after discovering it has raised many eyebrows in the cybersecurity community.
According to Google, up to 483 applications made by other companies rather than by Google might have had access to the security vulnerability through coding links known as application programming interfaces. User names, email addresses, occupation, age and gender details could have been seen by the outside developers, whereas phone numbers, Google Plus posts and data from other Google accounts could not have been accessed by them.
Ben Smith, a vice president for engineering at Google, said in the company’s blog post that after thoroughly investigating aspects such as the type of data involved, whether the users could be accurately identified in order to inform them, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response, they found that none of the thresholds were met in this situation. After no evidence was found that any user profile had been touched or that the outside developers had found out about the security glitch, the security issue was fixed in March in an update.
The Wall Street Journal reported that the company’s policy and legal teams had sent a memo to senior executives warning them against disclosing the security vulnerability, to avert the kind of embarrassment that Facebook had to go through last year in a similar case. The memo added that disclosure would lead to regulatory scrutiny and that Google’s CEO, Sundar Pichai, would be required to testify in front of Congress. However, according to a Google spokesman, Rob Shilkin, the disclosure announcement was moved up from later in the week in light of the Journal’s article. He declined to comment on the memo.
Google’s security issue occurred before Europe began enforcing the new General Data Protection Regulation, which requires companies to give notification within 72 hours of a personal information breach. California’s new privacy laws, which go into effect in 2020, entitle customers to sue for up to $750 each for a data breach and give the state’s attorney general the right to go after companies for intentional violations of privacy.
Eminent professionals in the field recognize that federal law doesn’t require companies to disclose a security vulnerability.
Sundar Pichai, Google’s CEO, has promised lawmakers that he will testify on certain matters before the year ends. He will testify about whether tech companies are filtering conservative voices in their products. He will also be asked whether or not Google plans to re-enter the Chinese market with a censored search engine. The company’s discussion of how regulators would respond to the March issue is also expected to come up in his testimony.
Google was slammed for not sending Mr. Pichai to a hearing last month, given that it was attended by the top executives of giants like Facebook and Twitter.
Google Plus was introduced in 2011 as a competitor to Facebook; however, apart from a few loyalists, its usage was very low. Google has not specified a number, but it said that 90% of its users’ sessions last for not more than 5 seconds. Considering the below-average use of the product, its engineers realized that the maintenance was not worth the effort. According to Google, the consumer version of Google Plus will be turned off by August 2019; however, it will remain available to corporate customers.
Russian disinformation and other such issues have been putting pressure on Facebook and Twitter; Google, however, is relieved of that pressure with Google Plus failing.
In August, 13 Google Plus accounts had to be closed as they were suspected of ties to Iranian influence campaigns, as against Facebook’s 652 accounts.