Google Plus is to be shut down after private data of half a million users was exposed

October 9, 2018

The tech firm kept quiet for months about a security flaw that gave third-party apps access to private information on the Google+ social network.

The cover-up: According to a report in the Wall Street Journal, Google discovered a bug in Google+ code in March and promptly fixed it, but decided not to reveal its existence. An internal Google memo cited by the newspaper showed that executives were worried about the damage the news would do to Google’s reputation at a time when Facebook was already under fire for mishandling customer data in the Cambridge Analytica affair.

That fiasco had raised questions about the privacy practices of other big tech firms, including Google. So a group of the company’s executives ruled that the firm should stay quiet about the flaw, and reportedly informed Sundar Pichai, Google’s CEO, of their decision.

The bug: It had been around since 2015 and was found in code that lets third-party app developers access publicly available Google+ profile data about users and their connections, so long as the user gives permission. The glitch meant developers could access private details about people’s friends too, including things like their e-mail addresses, birthdays, profile photos, occupations, and relationship status.

Google+ minus people: In a blog post published after the article ran, Google said it had found no evidence data had been abused, and that it would shut off consumer access to Google+ (a corporate version will presumably continue to run). However, it’s possible that data was abused and Google just doesn’t know about it yet. By the company’s reckoning, up to 438 applications may have been able to access private profile data because of the software bug. Google ran an internal test and found that as many as 496,951 users may have had their data compromised, according to the Wall Street Journal.

The consequences: The cover-up will fuel attempts by privacy activists to get tougher laws in place to force companies to reveal actual and potential data leaks. Because Google discovered the flaw in March, it wasn’t subject to Europe’s new data protection regime, which came into effect in May. It requires companies to inform users of possible data breaches within 72 hours of uncovering them.

The US doesn’t yet have a federal data breach law, and it’s unclear if Google had an obligation to reveal the bug under any state ones. California recently passed a tough new privacy law with some similar requirements to Europe’s framework, and there’s been a big push to get federal legislation passed too. This latest data scandal, along with another recent breach at Facebook, will increase the pressure on US politicians to crack down on cover-ups.
