Now Google+ is about to have its Cambridge Analytica moment, a reference to March 2018, when multiple media outlets broke news of Cambridge Analytica’s business practices. A security bug allowed third-party developers to access Google+ user profile data from 2015 until Google discovered and patched it in March, but the company decided not to inform the world. When a user gave an app permission to access their public profile data, the bug also let the app’s developers pull non-public profile fields belonging to that user and their friends. Indeed, 496,951 users’ full names, email addresses, birth dates, gender, profile photos, places lived, occupation and relationship status were potentially exposed, though Google says it has no evidence the data was misused by the 438 apps that could have had access.
The company decided against informing the public because it would lead to “us coming into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal,” according to an internal memo. Now Google+, which was already a ghost town largely abandoned or never inhabited by users, has become a massive liability for the company.
The news comes from a damning Wall Street Journal report that said Google is expected to announce a slew of privacy reforms today in response to the bug. Google made that announcement about the findings of its Project Strobe security audit minutes after the WSJ report was published. The changes include stopping most third-party developers from accessing Android phone SMS data, call logs and some contact info. Gmail will restrict building add-ons to a small number of developers. Google+ will cease all its consumer services, winding down over the next 10 months and giving users an opportunity to export their data, while Google refocuses on making G+ an enterprise product.
Google also will change its Account Permissions system for giving third-party apps access to your data such that you have to confirm each type of access individually rather than all at once. Gmail Add-Ons will be limited to those “directly enhancing email functionality,” including email clients, backup, CRM, mail merge and productivity tools.
Given it’s unclear whether the G+ user data was scraped or if it will be employed for a nefarious purpose, the news of the bug itself might have eventually blown over, similar to how I wrote that Facebook’s recent 50 million user privacy breach may be forgotten if no evil use is found. But because Google tried to cover up the problem, reasoning that it didn’t meet some threshold of severity, the company looks much worse. That casts doubt on whether Google is being transparent on tons of other controversial questions about its practices.
The fiasco could thrust Google into the same churning sea of scrutiny currently drowning Facebook, just as the company feared. Google has managed to float above much of the criticism leveled at Facebook and Twitter, in part by claiming it’s not really a social network. But now its failed Facebook knock-off from seven years ago could drag down the search giant and see it endure increasing calls for regulation, as well as testimony before Congress.