The Google+ API Bug

Remember the big Facebook scandal of Cambridge Analytica? That was not a good time for the good people of Facebook. And now, just as the scrutiny over Facebook settles, another heavy hitter in the world of tech is being asked to answer questions. You see, it has been discovered that the Google+ API had a bug in it. A bug that has caused a pretty big upset. It is upsetting because this particular bug allowed third-party app developers to access not only the profile data of people who had granted permission, but also profile fields that those people's friends had shared with them without marking them public. Yikes.

Sound familiar? It should. Facebook did much the same thing not so long ago. After Zuckerberg fronted US Congress, the backlash was swift and severe, which led to a great deal of negative press. So it is no surprise that when Google found its own exposure, the company chose not to disclose it. This 'flying under the radar' was scuppered when the Wall Street Journal revealed the problem on Monday 8 October 2018.
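To make the bug described above concrete, here is an added illustration (constructed example, not Google's code or the real People API). It models profile fields with two visibility levels, PUBLIC and CONNECTIONS (shared with friends but not public), and contrasts a buggy endpoint that hands a third-party app the consenting user's full view of their friends with a fixed endpoint that gives the app only the friends' public fields. The users "alice", "bob" and "carol" and the field names are invented for the example.

```python
"""Model of an API leaking friends' non-public profile fields.

Constructed example, not Google's code. A third-party app acting with
Alice's consent should see Alice's own profile and only the PUBLIC fields
of her friends. The buggy endpoint instead reuses Alice's own view of her
friends, so fields they shared with Alice alone leak to the app.
"""
from dataclasses import dataclass, field
from enum import Enum


class Visibility(Enum):
    PUBLIC = "public"
    CONNECTIONS = "connections"  # visible to friends only, not public


@dataclass
class Profile:
    user_id: str
    fields: dict            # field name -> (value, Visibility)
    friends: set = field(default_factory=set)


# Constructed sample data: bob shares email and occupation with friends only.
PROFILES = {
    "alice": Profile("alice", {
        "name": ("Alice", Visibility.PUBLIC),
        "email": ("alice@example.test", Visibility.CONNECTIONS),
    }, friends={"bob"}),
    "bob": Profile("bob", {
        "name": ("Bob", Visibility.PUBLIC),
        "email": ("bob@example.test", Visibility.CONNECTIONS),
        "occupation": ("Nurse", Visibility.CONNECTIONS),
    }, friends={"alice"}),
    "carol": Profile("carol", {
        "name": ("Carol", Visibility.PUBLIC),
    }),  # not friends with anyone
}


def visible_to_user(viewer, target):
    """What a logged-in person sees of target: public fields, plus
    CONNECTIONS fields when viewing themself or a friend."""
    p = PROFILES[target]
    privileged = viewer == target or viewer in p.friends
    return {k: v for k, (v, vis) in p.fields.items()
            if vis is Visibility.PUBLIC or privileged}


def people_get_buggy(app_user, target):
    """Buggy endpoint: the app inherits the consenting user's own view,
    including fields friends shared with that user but not with the world."""
    return visible_to_user(app_user, target)


def people_get_fixed(app_user, target):
    """Fixed endpoint: the app may read the consenting user's full profile,
    but for anyone else only PUBLIC fields, whatever the user can see."""
    p = PROFILES[target]
    if target == app_user:
        return {k: v for k, (v, _) in p.fields.items()}
    return {k: v for k, (v, vis) in p.fields.items()
            if vis is Visibility.PUBLIC}


def leaked_fields(app_user, target):
    """Fields the buggy endpoint returns that the fixed one withholds;
    a non-empty result means non-public data of target leaked to the app."""
    buggy = people_get_buggy(app_user, target)
    fixed = people_get_fixed(app_user, target)
    return sorted(k for k in buggy if k not in fixed)


if __name__ == "__main__":
    # App authorised by alice reads bob's profile through both endpoints.
    print("buggy :", people_get_buggy("alice", "bob"))
    print("fixed :", people_get_fixed("alice", "bob"))
    print("leaked:", leaked_fields("alice", "bob"))
```

The point of the fixed version is that the permission the app holds is narrower than the permission of the person who granted it: an OAuth consent from Alice says nothing about what Bob agreed to share with third parties, so the API must apply the app's own scope rather than Alice's social graph privileges. Note also that an app authorised by Carol, who has no friends, leaks nothing even through the buggy endpoint; the exposure rides on the friendship relation.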


What’s The Consequence of This?

Because of this exposure, it is likely that Google will be subject to the same sort of analysis that Facebook faced. It is pretty likely that Google CEO Sundar Pichai will testify before Congress, with regulatory consequences to follow. Apart from having to face the music, the other big consequence is that Google announced it would shut down consumer access to Google+.

Yep, that's right: Google is shutting down Google+ after the profile data of up to 500,000 users was left exposed. Google found and fixed the bug way back in March (yes, around the same time that the Cambridge Analytica story was reaching a crescendo), and then went into damage control.

But in our opinion the biggest issue wasn't the fact that there was a bug (anyone can make mistakes, although this is less common with a powerhouse like Google) but the fact that the cover-up was so elaborate. The bug was fixed in March, as we said, but Google didn't actually admit to the issue until some seven months later! And this was only done under duress, when the Wall Street Journal got hold of internal memos discussing the bug. Come on, Google, you need to do better than that to encourage confidence among your users.


Confusion About What Went Wrong

When a problem happens at a tech company there is often confusion about who is responsible for what, and how much should be disclosed. After all, legally, Google appears to be in the clear. While the bug was problematic, what happened to Google+ wasn't technically a breach. The EU's General Data Protection Regulation (GDPR) is widely treated as the benchmark for how the law handles breaches, data privacy and protection, and while there was a bug, there was no record of data actually being taken, despite it being available. That absence of a record is weaker than it sounds: Google said its API logs covered only the two weeks before the fix, so it could not tell which accounts had actually been affected, let alone rule out earlier misuse.

As Ben Smith, vice-president of engineering, wrote in his blog post: "We found no evidence that any developer was aware of this bug or abusing the API, and we found no evidence that any profile data was misused." Smith even went on to talk about why Google chose not to disclose the leak, stating that whenever anything like this takes place Google "goes beyond its legal requirements and applies several criteria in determining whether to provide notice."

Clearly, in this instance, those criteria were not met. And while there is no federal law that requires Google to disclose such an exposure, California state law requires disclosure where an individual's name is exposed together with their social security number or similar ID information. The fields exposed here (name, email address, occupation, gender and age) do not fall into that category. So as far as Google's lawyers were concerned, data had been exposed, but not in a way that triggered a duty to disclose.


So, What Does this Mean for Our Relationship With Our Tech Providers?

The contract between tech companies and their users feels fragile, stretched as it was by the Cambridge Analytica/Facebook saga. And while users are happy to forgive a genuine apology, the issue here seems to be the lack of trust. After all, it's not only the fact that data has potentially been compromised; it's the deeper confusion about what companies owe us, and how much control we really have.

This leak is clear evidence that global tech companies need more regulation and more oversight. The bottom line is that it falls to us, the users, to keep the data and information we share to a minimum if we are concerned, and to assume that any data we do hand over could be exposed in some way simply because it is there to be used.

Want to know more about how we keep your information secure? Call us! We would love to go through our methods with you.