Google is closing the Google+ social network after an error exposed the private data of hundreds of thousands of users last spring, in an incident which the company never disclosed to those affected.
Google put the “final nail in the coffin” of the Google+ product by shutting down “all consumer functionality,” the Wall Street Journal reported citing an internal memo.
The project launched in 2011 as an alternative to other social networks ended up being a huge failure for the company. The breach happened after a software glitch in the site gave outside developers potential access to private profile data including names, email addresses, birth dates, genders, occupations and more.
The memo viewed by the Journal said that disclosing the incident publicly would possibly trigger “immediate regulatory interest” and do damage to the company’s reputation. Reporting the incident would result “in us coming into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal,” it warned.
The Journal reported that the Google+ breach exposed Google’s “concerted efforts to avoid public scrutiny of how it handles user information” at a time when regulators and the public are trying to do more to hold tech companies to account.
Google goes “beyond legal requirements” and applies “several criteria focused on our users” when deciding whether to provide notice, a spokesperson said in a statement. The company said it had considered whether or not it could accurately identify which users to inform, whether there was any evidence of misuse and whether there were any actions a developer or user could take in response. “None of these thresholds were met here,” the spokesperson said.
The leaked memo says that while there is no evidence that outside developers misused any data, there is still no way to know for sure.
As part of a slew of new security measures, Google is expected to clamp down on the amount of data it provides to outside developers through application programming interfaces (APIs), sources told the Journal.
As part of an audit of APIs, Google also discovered that Google+ had also been permitting developers to obtain data from users who never wanted it to be shared publicly — but a bug in the API meant they could collect data even if it was explicitly marked non-public through Google’s privacy settings.
New European General Data Protection Regulation (GDPR) rules which went into effect in May would have required Google to disclose the information to regulators within 72 hours under threat of penalty, but the Google+ leak was discovered in March, before the GDPR regulations came in and therefore was not covered by the European rules, according to Al Saikali, a lawyer who spoke to the Journal.
Saikali said it was possible that Google could face class action lawsuits over its decision not to disclose the breach. “The story here that the plaintiffs will tell is that Google knew something here and hid it. That by itself is enough to make the lawyers salivate,” he said.