Google Exposed User Data, Feared Repercussions of Disclosing to Public
Google exposed the private data of hundreds of thousands of users of the Google+ social network and then opted not to disclose the issue this past spring, in part because of fears that doing so would draw regulatory scrutiny and damage [the company’s reputation], according to people briefed on the incident and documents reviewed by The Wall Street Journal.
As part of its response to the incident, the Alphabet Inc. Google unit on Monday announced a sweeping set of data privacy measures that include permanently shutting down all consumer functionality of Google+. The move effectively puts the final nail in the coffin of a product that was launched in 2011 to challenge Facebook Inc. FB -0.05% and is widely seen as one of Google’s biggest failures.
A software glitch in the social site gave outside developers potential access to private Google+ profile data between 2015 and March 2018, when internal investigators discovered and fixed the issue, according to the documents and people briefed on the incident. A memo reviewed by the Journal prepared by Google’s legal and policy staff and shared with senior executives warned that disclosing the incident would likely trigger “immediate regulatory interest” and invite comparisons to Facebook’s leak of user information to data firm Cambridge Analytica.
Chief Executive Sundar Pichai was briefed on the plan not to notify users after an internal committee had reached that decision, the people said. …
The episode involving Google+, which hasn’t been previously reported, shows the company’s concerted efforts to avoid public scrutiny of how it handles user information, particularly at a time when regulators and consumer privacy groups are leading a charge to hold tech giants accountable for the vast power they wield over the personal data of billions of people.
The snafu threatens to give Google a black eye on privacy after public assurances that it was less susceptible to data gaffes like those that have befallen Facebook. It may also complicate Google’s attempts to stave off unfavorable regulation in Washington. Mr. Pichai recently agreed to testify before Congress in the coming weeks.
“Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice,” a Google spokesman said in a statement.
In weighing whether to disclose the incident, the company considered “whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response,” he said. “None of these thresholds were met here.”
The internal memo from legal and policy staff says the company has no evidence that any outside developers misused the data but acknowledges it has no way of knowing for sure. The profile data that was exposed included full names, email addresses, birth dates, gender, profile photos, places lived, occupation and relationship status; it didn’t include phone numbers, email messages, timeline posts, direct messages or any other type of communication data, one of the people said.
Google makes user data available to outside developers through more than 130 different public channels known as application programming interfaces, or APIs. These tools usually require a user’s permission to access any information, but they can be misused by unscrupulous actors posing as app developers to gain access to sensitive personal data. …
Google faced pressure to rein in developer access to Gmail earlier this year, after a Wall Street Journal examination found that developers commonly use free email apps to hook users into giving up access to their inboxes without clearly stating what data they collect. In some cases, employees at these app companies have read people’s actual emails to improve their software algorithms. …
The Google+ data problem, discovered as part of the Strobe audit [Strobe is a privacy task force formed inside Google, code named Project Strobe], was the result of a flaw in an API Google created to help app developers access an array of profile and contact information about the people who sign up to use their apps, as well as the people they are connected to on Google+. When a user grants a developer permission, any of the data they entered into a Google+ profile can be collected by the developer.
In March of this year, Google discovered that Google+ also permitted developers to retrieve the data of some users who never intended to share it publicly, according to the memo and two people briefed on the matter. Because of a bug in the API, developers could collect the profile data of their users’ friends even if that data was explicitly marked nonpublic in Google’s privacy settings, the people said.
During a two-week period in late March, Google ran tests to determine the impact of the bug, one of the people said. It found 496,951 users who had shared private profile data with a friend could have had that data accessed by an outside developer, the person said. Some of the individuals whose data was exposed to potential misuse included paying users of G Suite, a set of productivity tools including Google Docs and Drive, the person said. G Suite customers include businesses, schools and governments.
Because the company kept a limited set of activity logs, it was unable to determine which users were affected and what types of data may potentially have been improperly collected, the two people briefed on the matter said. The bug existed since 2015, and it is unclear whether a larger number of users may have been affected over that time.
Google believes up to 438 applications had access to the unauthorized Google+ data, the people said. Strobe investigators, after testing some of the apps and checking to see if any of the developers had previous complaints against them, determined none of the developers looked suspicious, the people said. The company’s ability to determine what was done with the data was limited because the company doesn’t have “audit rights” over its developers, the memo said. The company didn’t call or visit with any of the developers, the people said.
The question of whether to notify users went before Google’s Privacy and Data Protection Office, a council of top product executives who oversee key decisions relating to privacy, the people said.
Internal lawyers advised that Google wasn’t legally required to disclose the incident to the public, the people said. Because the company didn’t know what developers may have what data, the group also didn’t believe notifying users would give any actionable benefit to the end users, the people said.
The memo from legal and policy staff wasn’t a factor in the decision, said a person familiar with the process, but reflected internal disagreements over how to handle the matter.
The document shows Google officials felt that disclosure could have serious ramifications. Revealing the incident would likely result “in us coming into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal,” the memo said. It “almost guarantees [Google CEO Sundar Pichai] will testify before Congress.”
Article Source :https://www.studentnewsdaily.com/daily-news-article/google-exposed-user-data-feared-repercussions-of-disclosing-to-public/
ImageSource: https://www.studentnewsdaily.com/wp-content/uploads/2018/10/Google_security-820x475.jpg" class="img-thumbnail" alt="Google Exposed User Data, Feared Repercussions of Disclosing to Public
VOCABULARY WORDS
1.Expose/verb : make (something) visible, typically by uncovering it.
2.Repercussion /noun : an unintended consequence occurring some time after an event or action, especially an unwelcome one.
3.Disclose/verb : make (secret or new information) known.
4.Regulatory/adjective : serving or intended to regulate something.
5.Scrutiny/noun : critical observation or examination.
6.Functionality/noun : the quality of being suited to serve a purpose well; practicality.
7.Glitch/noun : a sudden, usually temporary malfunction or irregularity of equipment.
8.Executive/adjective : having the power to put plans, actions, or laws into effect.
9.Regulatory /adjective : serving or intended to regulate something.
10.Committee/noun : a group of people appointed for a specific function, typically consisting of members of a larger group.
11.Susceptible/adjective : likely or liable to be influenced or harmed by a particular thing.
12.Complicate/verb : make (something) more difficult or confusing by causing it to be more complex.
13.Accurately /adverb : in a way that is correct in all details; exactly.
QUESTIONS FOR DISCUSSION
1. The first paragraph of a news article should answer the questions who, what, where and when. List the who, what, where and when of this news item. (NOTE: The remainder of a news article provides details on the why and/or how.)
2. a) When did Google become aware of the data breach? – For how long had it been going on before Google became aware of it?
b) How many users’ were potentially hacked?
c) Why didn’t Google notify Google+ users of the security breach (only doing so after the Wall Street Journal publicized it)? Be specific: see para. 1, 3, 5
3. What action did Google take after The Wall Street Journal made the security breach public?
4. What are government regulators and consumer privacy groups trying to get tech companies to do?
5. How did Google explain the fact that it hid the data breach from Google+ users?
6. Why doesn’t Google know which Google+ users were affected, and what type of data was taken from them?