Earlier this week, Google dropped a bombshell: in March, the company discovered a “bug” in its Google+ API that allowed third-party apps to access private data from its millions of users. The company confirmed that at least 500,000 people were “potentially affected.”

Google’s mishandling of data was bad. But its mishandling of the aftermath was worse. Google should have told the public as soon as it knew something was wrong, giving users a chance to protect themselves and policymakers a chance to react. Instead, amidst a torrent of outrage over the Facebook-Cambridge Analytica scandal, Google decided to hide its mistakes from the public for over half a year.

What Happened?

The story behind Google’s latest snafu bears a strong resemblance to the design flaw that allowed Cambridge Analytica to harvest millions of users’ private Facebook data. According to a Google blog post, an internal review discovered a bug in one of the ways that third-party apps could access data about a user and their friends. Quoting from the post:

  • Users can grant access to their Profile data, and the public Profile information of their friends, to Google+ apps, via the API.
  • The bug meant that apps also had access to Profile fields that were shared with the user, but not marked as public.

It’s important to note that Google “found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any Profile data was misused.” Nevertheless, potential exposure of user data on such a large scale is more than enough to cause concern. A full list of the vulnerable data points is available here, and you can update the privacy settings on your own account here.


What would this bug look like in practice? Suppose Alice is friends with Bob on Google+. Alice has shared personal information with her friends, including her occupation, relationship status, and email. Then, her friend Bob decides to connect to a third-party app. He is prompted to give that app access to his own data, plus “public information” about his friends, and he clicks “ok.” Before March, the app would have been granted access to all the details—not marked public—that Alice had shared with Bob. Similar to Facebook’s Cambridge Analytica scandal, a bad API made it possible for third parties to access private data about people who never had a chance to consent.
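The scope confusion just described, modelled in Python as an added example (this is not Google's code; the profile model, audience labels, field names and the Alice/Bob sample data are constructed for illustration). The buggy path hands an app, acting for Bob, whatever Bob himself could see of Alice; the fixed path limits an app to fields Alice marked public, and an audit helper reports the difference:

```python
from dataclasses import dataclass

PUBLIC, FRIENDS = "public", "friends"

@dataclass(frozen=True)
class Field:
    value: str
    audience: str  # PUBLIC or FRIENDS (constructed visibility model)

@dataclass
class Profile:
    owner: str
    friends: frozenset
    fields: dict  # field name -> Field

def visible_to(profile, viewer):
    """What a logged-in person can see of someone else's profile."""
    return {name: f.value for name, f in profile.fields.items()
            if f.audience == PUBLIC or (f.audience == FRIENDS and viewer in profile.friends)}

def buggy_friend_fields_for_app(profile, acting_user):
    """Flaw as described: the app acting for Bob gets everything Bob could see."""
    return visible_to(profile, acting_user)

def fixed_friend_fields_for_app(profile, acting_user):
    """Correct scope: an app acting for a friend gets only PUBLIC fields."""
    if acting_user not in profile.friends:
        return {}
    return {n: f.value for n, f in profile.fields.items() if f.audience == PUBLIC}

def over_exposed(profile, acting_user):
    """Audit helper: field names the buggy path exposes beyond the fixed one."""
    return set(buggy_friend_fields_for_app(profile, acting_user)) - set(
        fixed_friend_fields_for_app(profile, acting_user))

# Constructed sample data for the Alice/Bob scenario above (not real accounts).
ALICE = Profile(
    owner="alice",
    friends=frozenset({"bob"}),
    fields={
        "display_name": Field("Alice", PUBLIC),
        "occupation": Field("nurse", FRIENDS),
        "relationship": Field("single", FRIENDS),
        "email": Field("alice@example.com", FRIENDS),
    },
)

if __name__ == "__main__":
    print("leaked via Bob's app:", sorted(over_exposed(ALICE, "bob")))
```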

Google also announced in the same post that it would begin phasing out the consumer version of Google+, heading for a complete shutdown in August 2019. The company cited “low usage” of the service. This bug’s discovery may have been the final nail in the social network’s coffin.

Should You Be Concerned?

We know very little about whose data was taken by whom, if any, so it’s hard to say. For many people, the data affected by the bug may not be very revealing. However, when combined with other information, it could expose some people to serious risks.

Email addresses, for example, are used to log in to most services around the web. Since many of those services still have insecure methods of account recovery, information like birthdays, location history, occupations, and other personal details could give hackers more than enough to break into weakly protected accounts. And a database of millions of email addresses linked to personal information would be a treasure trove for phishers and scammers.

Furthermore, the combination of real names, gender identity, relationship status, and occupation with residence information could pose serious risks to certain individuals and communities. Survivors of domestic violence or victims of targeted harassment may be comfortable sharing their residence with trusted friends, but not the public at large. A breach of these data could also harm undocumented migrants, or LGBTQ people living in countries where their relationships are illegal.

Based on our reading of Google’s announcement, there’s no way to know how many people were affected. Since Google deletes API logs after two weeks, the company was only able to audit API activity for the two weeks leading up to the bug’s discovery. Google has said that “up to 500,000” accounts might have been affected, but that’s apparently based on an audit of a single two-week slice of time. The company hasn’t revealed when exactly the vulnerability was introduced.

Even worse, many of the people affected may not even know they have a Google+ account. Since the platform’s launch in 2011, Google has aggressively pushed users to sign up for Google+, and sometimes even required a Google+ account to use other Google services like Gmail and YouTube. Contrary to all the jokes about its low adoption, this bug shows that Google+ accounts have still represented a weak link for its unwitting users’ online security and privacy.

It’s Not The Crime, It’s The Cover-Up

Google never should have put its users at risk. But once it realized its mistake, there was only one correct choice: fix the bug and tell its users immediately.

Instead, Google chose to keep the vulnerability secret, perhaps waiting for the backlash against Facebook to blow over.


The blog post announcing the breach is confusing, cluttered, and riddled with bizarre doublespeak. It introduces “Project Strobe,” and is subtitled “Protecting your data...” as if screwing up an API and hiding it for months was somehow a bold step forward for consumer privacy. In a section headed “There are significant challenges in creating and maintaining a successful Google+ product that meets consumers’ expectations,” the company explains the breach, then gives a roundabout, legalistic excuse for not telling the public about it sooner. Finally, the post describes improvements to Google Account’s privacy permissions interface and to Gmail’s and Android’s API policies, which, while nice, are unrelated to the breach in question.

Overall, the disclosure does not give the impression of a contrite company that has learned its lesson. Users don’t need to know the ins and outs of Google’s UX process, they need to be convinced that this won’t happen again. Google wrote a pitch when it was supposed to write an apology.

Public trust in Silicon Valley is at an all-time low, and politicians are in a fervor, throwing around dangerously irresponsible ideas that threaten free expression on the Internet. In this climate, Google needs to be as transparent and trustworthy as possible. Instead, incidents like this hurt its users and violate their privacy and security expectations.