Google Exposed User Data, Feared Impact of Public Disclosure




Google exposed private data from hundreds of thousands of Google+ social network users, and then chose not to disclose the problem last spring, in part because it feared that disclosure would subject it to regulatory scrutiny and damage its reputation, according to people informed about the incident and documents reviewed by The Wall Street Journal.

As part of its response to the incident, the Alphabet Inc. unit announced a full set of data privacy measures, including the permanent shutdown of all Google+ consumer features. Monday's move effectively puts the last nail in the coffin of a product that was launched in 2011 to compete with Facebook Inc. and is widely regarded as one of Google's biggest failures.

A software issue on the social site gave external developers potential access to private Google+ profile data between 2015 and March 2018, when internal investigators uncovered and corrected the problem, according to the documents and people informed about the incident. A memo reviewed by the Journal, prepared by Google's legal and policy staff and shared by senior management, warned that disclosure of the incident would likely trigger "immediate regulatory interest" and invite comparisons to Facebook's leak of user information to Cambridge Analytica.

The CEO, Sundar Pichai, was informed of the plan not to notify users after an internal committee had made that decision, the people said.

The closure of Google+ is part of a broader review of Google's privacy practices, which determined that the company needed tighter controls on several major products, officials said. In its announcement on Monday, the company said it was restricting the access it gives outside developers to user data on Android smartphones and Gmail.

The episode involving Google+, which has not been previously reported, shows the company's concerted efforts to avoid close public scrutiny of how it treats user information, particularly at a time when regulators and consumer privacy groups are pushing to hold tech giants accountable for their considerable power over the personal data of billions of people.

Social bug

How did a technical problem potentially allow application developers to access Google+ user data?

User A signs up for Google+ and fills out the profile fields: name, employer, job title, gender, date of birth, and relationship status.

User A goes into the privacy settings to make the profile data visible only to certain friends on Google+, including user B.

User B signs up for an application that asks the user to log in with Google+ credentials. User B gives the application permission to access profile information.

The application developer collects data about user B. Because of the software problem, the developer can also collect the data from user A's private profile.

Google discovered and corrected the problem in March 2018. It found no evidence of misuse of the data.


The snafu threatens to give Google a black eye on privacy after it assured the public that it was less prone to data blunders like the ones that hit Facebook. It could also complicate Google's attempts to avoid unfavorable regulation in Washington. Mr. Pichai recently agreed to testify before Congress in the coming weeks.

"Whenever user data has been affected, we go beyond our legal obligations and apply several criteria focused on our users to determine whether to give notice," said a spokesman for Google in a statement.

When considering disclosing the incident, the company considered "whether we could accurately identify which users to report, whether there was evidence of misuse, and whether the developer or user could take action in response," he said. "None of these thresholds has been reached here."

The internal memo from legal and policy staff indicates that the company has no evidence that external developers misused the data, but acknowledges that it has no way of knowing for sure. The exposed profile data included full names, email addresses, dates of birth, gender, profile pictures, places lived, occupation, and relationship status; it did not include phone numbers, email messages, timeline posts, direct messages or any other type of communication data, said one of the people.

Google makes user data available to external developers via more than 130 different public channels, called application programming interfaces or APIs. These tools usually require the user's permission to access any information, but they can be misused by unscrupulous actors masquerading as application developers to access sensitive personal data.

A privacy working group formed within Google, under the code name Project Strobe, has been auditing the company's APIs in recent months, according to people who are aware of the process. The group is made up of more than 100 engineers, product managers and lawyers, officials said.

In a post published Monday on its blog, Google announced its intention to restrict the data provided to external developers via APIs. The company will stop letting most external developers access SMS messaging data, call log data, and some forms of contact data on Android phones. Gmail will only allow a small number of developers to continue to create add-ons for the mail service, the company said.

Google was in a hurry to restrict developers' access to Gmail earlier this year, after a Wall Street Journal review found that developers commonly use free email apps to entice users into giving up access to their inboxes without clearly indicating what data they collect. In some cases, employees of these application companies have read people's actual emails to improve their software algorithms.

The upcoming changes reflect a broader discussion of data privacy at Google, which has in the past imposed few restrictions on how external applications access users' data, as long as those users give their authorization. Limiting access to the APIs will hurt some developers who helped Google create a world of useful applications.

The Google+ data problem, discovered as part of the Strobe audit, was the result of a flaw in an API created by Google to help app developers access a set of profile and contact information about the people who have registered to use their apps, as well as the people they are connected to on Google+. When a user grants a developer permission, the developer can collect the data entered into a Google+ profile.

Last March, Google discovered that Google+ also allowed developers to retrieve data from certain users who had never intended to share it publicly, according to the memo and two people informed about it. Due to a bug in the API, developers could collect profile data from their users' friends even though this data was explicitly marked as non-public in Google's privacy settings, the people added.

During a two-week period in late March, Google performed tests to determine the impact of the bug, said one of the people. The tests revealed that 496,951 users who had shared private profile data with a friend could have had this data accessed by an external developer, said the person. People whose data was exposed to potential misuse include paid users of G Suite, a set of productivity tools including Google Docs and Drive, said the person. G Suite customers include businesses, schools and governments.

Since the company kept a limited set of activity logs, it was unable to determine which users were affected and what types of data could potentially have been inappropriately collected, said the two people informed about it. The bug had existed since 2015 and it was unclear if more users could have been affected during this time.
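The flaw described above, in which user B's consent releases user A's friends-only fields to an app, can be modelled as follows. This Python model is an added illustration, not Google's code: the data model, function names and sample profiles are assumptions constructed for this example. It contrasts a check based on what the consenting user can see with one that releases only public fields, and it logs each release per app and data subject, the kind of record the article says was too limited to identify affected users.

```python
from dataclasses import dataclass, field

PUBLIC, FRIENDS = "public", "friends"

@dataclass
class Profile:
    user: str
    friends: set
    # field name -> (value, visibility chosen by the profile owner)
    fields: dict = field(default_factory=dict)

def visible_to_user(owner, viewer, visibility):
    """What the site itself may show `viewer` on `owner`'s profile page."""
    return visibility == PUBLIC or (visibility == FRIENDS and viewer in owner.friends)

def friend_fields_flawed(directory, consenting_user):
    """Flawed: hands the app everything the consenting user is able to see."""
    out = {}
    for name in sorted(directory[consenting_user].friends):
        owner = directory[name]
        out[name] = {k: v for k, (v, vis) in owner.fields.items()
                     if visible_to_user(owner, consenting_user, vis)}
    return out

def friend_fields_fixed(directory, consenting_user, app_id, audit_log):
    """Fixed: the friend gave no consent, so only public fields are released,
    and each release is logged per app, data subject and field."""
    out = {}
    for name in sorted(directory[consenting_user].friends):
        owner = directory[name]
        out[name] = {k: v for k, (v, vis) in owner.fields.items() if vis == PUBLIC}
        audit_log.append({"app": app_id, "on_behalf_of": consenting_user,
                          "subject": name, "fields": sorted(out[name])})
    return out

def leaked_fields(directory, consenting_user):
    """Regression check: fields the flawed path releases beyond the fixed one."""
    flawed = friend_fields_flawed(directory, consenting_user)
    fixed = friend_fields_fixed(directory, consenting_user, "regression-test", [])
    diff = {s: sorted(set(flawed[s]) - set(fixed[s])) for s in flawed}
    return {s: names for s, names in diff.items() if names}

def sample_directory():
    """Constructed sample data mirroring users A and B in the article."""
    a = Profile("user_a", {"user_b"}, {"name": ("A. Example", PUBLIC),
                "employer": ("Example Corp", FRIENDS),
                "birthday": ("1990-01-01", FRIENDS)})
    b = Profile("user_b", {"user_a"}, {"name": ("B. Example", PUBLIC)})
    return {"user_a": a, "user_b": b}
```

Running `leaked_fields` over a test directory in CI catches any regression in which a third-party response carries fields the data subject did not make public.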

Google estimates that up to 438 apps have had access to unauthorized data from Google+, the people said. Strobe's investigators, after testing some of the apps and checking to see if any of the developers had already complained, determined that none of the developers seemed suspicious, officials said. The ability of the company to determine what was done with the data was limited because it does not have "audit rights" on its developers, said the memo. The company has not called or visited any of the developers, the people said.

The question of whether to inform users was brought before the Google Privacy and Data Protection Bureau, a board of key product managers who oversee key privacy decisions, the people said.

Internal lawyers said Google was not legally required to disclose the incident to the public, the people said. Because the company did not know which developers could have which data, the group also did not think that notifying users would provide any benefit to end users, the people said.

The memo from legal and policy staff was not taken into account in the decision, said a person familiar with the process, but it reflected internal disagreements about how to deal with the issue.

The document shows that Google officials knew that disclosure could have serious consequences. Revealing the incident would probably result in "that we will become a star next to or even in place of Facebook, even though we stayed under the radar throughout the Cambridge Analytica scandal," says the memo. This "almost guarantees that Sundar will testify before Congress."

A number of factors come into play in determining whether a company should inform users of a potential data breach. There is no federal breach-notification law in the United States. Companies must deal with a patchwork of laws with differing standards, said Al Saikali, a lawyer at Shook, Hardy & Bacon LLP. He is not affiliated with any of the parties.

Saikali said many companies would not notify users if a name and date of birth were accessed. Some would do it. Some companies inform users even when it is not clear that the data in question has been accessed, he said. "Fifty percent of the cases I work on are judgments," he said. "Only half the time, you have conclusive evidence that this villain had access to information."

The European General Data Protection Regulation, which came into force in May this year, obliges companies to notify regulators within 72 hours, on pain of a fine of up to 2% of world-wide revenue. The information potentially disclosed through the Google API would constitute personal information within the meaning of the General Regulation, but as the problem was discovered in March, it would not have been covered by European regulations, Saikali said.

Google could also face class-action lawsuits over its decision not to disclose the incident, Saikali said. "The story told here by the plaintiffs is that Google knew something and hid it. That's enough to make the lawyers salivate," he said.

In its contracts with paid users of G Suite applications, Google tells customers that it will warn them of any incident involving their data "promptly and without undue delay" and that it "will promptly take reasonable steps to minimize the damage". This requirement might not apply to Google+ profile data, however, even if it belonged to a G Suite client.

Write to Douglas MacMillan at [email protected] and Robert McMillan at [email protected]
