Google+ axed after huge privacy bug spotted but kept secret

Google is shutting down Google+ for consumers, axing the little-loved social network in the aftermath of a huge privacy flaw it failed to reveal until months later. Launched in 2011 to great fanfare, Google+ was to be not only a social networking site to compete with Facebook, but a mechanism to authenticate identity online.

Indeed, at one point Google was embedding Google+ profiles into some of its highest-profile services. Google News, for instance, would show the identify of the reporter responsible using Google+, while Google+ profiles were used as the underlying link for Gmail, YouTube, Google Maps, and more. Google also introduced a "+1" button for third-party content, which acted in a similar way to Facebook's "Like" button.

Now, the consumer version of Google+ is going away. It comes after a significant security review that Google is calling Project Strobe, which identified a sizable bug in one of the Google+ APIs. That bug, exposed by the WSJ today, meant that apps with nefarious intent could have extracted data including name, email address, occupation, gender, and age from a person's profile.

"It does not include any other data you may have posted or connected to Google+ or any other service, like Google+ posts, messages, Google account data, phone numbers or G Suite content," Ben Smith, Google Fellow and VP of Engineering, said today. However, Smith admits that "the Profiles of up to 500,000 Google+ accounts were potentially affected."

Since the Google+ APIs only keep log data for two weeks, Google isn't entirely sure how many people were affected. However, it says it has tracked down "up to 438" apps that may have used the API in question. "We found no evidence that any developer was aware of this bug, or abusing the API," Smith says, "and we found no evidence that any Profile data was misused." It patched the issue – which could have been present since 2015 – in March 2018.

Likely to be equally – or more – controversial, though, is Google's reaction. According to Smith, the security glitch was handed over to the Privacy & Data Protection Office to review, which decided that none of the thresholds for public disclosure – which include factors like evidence of misuse or actions a user might take in response – were met. As a result, Google opted not to reveal the issue publicly, but it did sound a death knell for the consumer version of Google+ itself.

According to Smith, "while our engineering teams have put a lot of effort and dedication into building Google+ over the years, it has not achieved broad consumer or developer adoption, and has seen limited user interaction with apps. The consumer version of Google+ currently has low usage and engagement: 90 percent of Google+ user sessions are less than five seconds."

Those metrics will likely come as little surprise to anybody familiar with Google+. However, the company says that there is one area in which it's still flourishing, and that's businesses. As a result, not all of Google+ will be killed off.

"Our review showed that Google+ is better suited as an enterprise product where co-workers can engage in internal discussions on a secure corporate social network," Smith explains. "Enterprise customers can set common access rules, and use central controls, for their entire organization. We've decided to focus on our enterprise efforts and will be launching new features purpose-built for businesses."

As for consumers, Google is now promising new security rules and tools to avoid a similar goof again. That will include fresh limits around Android apps to access Call Log and SMS permissions, while the Android Contacts API will now no longer allow contact interaction data to be accessed. The consumer Gmail API, meanwhile, will be subject to tougher new rules, and limits around what can be connected.

Finally, there'll be new Google Account permissions dialog boxes, which will split different access permissions for third-party apps and services into individual screens. "Instead of seeing all requested permissions in a single screen, apps will have to show you each requested permission, one at a time, within its own dialog box," Smith explains. "For example, if a developer requests access to both calendar entries and Drive documents, you will be able to choose to share one but not the other."

As for the wind-down of Google+, that will be taking place over a 10 month period. Google says that if all goes to plan, it expects the consumer version to be shuttered by the end of August 2019.