Google+ is finally shutting down on a particularly sour note.
Sources have told the Wall Street Journal that Google’s social network had a major vulnerability that allowed app developers to collect private data — name, date of birth, gender, relationship status, job title and employer as well as profile pictures — of users who are related to those who signed up for the app.
The vulnerability worked like this: one user would be able to share those intimate details with friends of their choosing on the network. When those friends signed into apps using Google+, app developers would ask for permission to get profile information and be granted it. Somehow, the intimate data of the first user would be included in the profile data collected.
Google found and patched the hole this March, and an engineering team had briefed CEO Sundar Pichai on the issue along with its proposed intention to not disclose the vulnerability for fear of government investigation and loss of public trust.
Google, replying to requests for comment, defended its decision not to disclose. From the Journal:
“Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice,” a Google spokesman said in a statement.
In weighing whether to disclose the incident, the company considered “whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response,” he said. “None of these thresholds were met here.”
Google claims there was no evidence of misuse of the data.
Amid other challenges such as a lack of engagement from users and enterprise — over 90 percent of sessions last less than 5 seconds — Google has announced in a post on its The Keyword blog that it will take 10 months to wind down the consumer-facing Google+ before shutting it down. Enterprise users should expect a refresh soon.
The closure of Google+ is one objective of Project Strobe. Others include limiting what sorts of data can be collected per transaction when users share their Gmail accounts and phone numbers. For one thing, soon, only Android apps which the user has assigned as their default will be allowed to request certain permissions like making calls and sending SMS. Google is also following up on its limiting of Gmail scans by restricting which applications can do so, namely down to email apps.
Google+ launched in 2011.