This March, as Facebook was coming under global scrutiny over the harvesting of personal data for Cambridge Analytica, Google discovered a skeleton in its own closet: a bug in the API for Google+ had been allowing third-party app developers to access the data not only of users who had granted permission but of their friends too.
In a post about the shutdown, Google disclosed the data leak, which potentially affected up to 500,000 Google+ accounts. 438 different third-party applications may have had access to the data, but Google apparently has no way of knowing whether they did, because it only maintains logs of API use for two weeks.
Google said it had found no evidence that outside developers were aware of the security flaw, and no indication that any user profiles were touched. The flaw was fixed in an update in March.
Any developer who has this access will have to undergo security assessments and agree to new rules about data handling, such as not transferring or selling user data for targeting ads, market research, email campaign tracking, or other unrelated purposes.
Smith defended the decision not to disclose the leak, writing: “whenever user data may have been affected, we go beyond our legal requirements and apply several criteria to focus on our users in determining whether to provide notice”.
Google says Google+ currently has “low usage and engagement”: 90 percent of Google+ user sessions last less than five seconds. Still, the company plans to keep the service alive for enterprise customers who use it to facilitate conversation among co-workers, and new features will roll out for that use. Google is focusing on a “secure corporate social network,” which is odd considering this announcement comes alongside the news that the company left profile details unprotected.
In addition to sunsetting Google+, the company announced new privacy adjustments for other Google services. API changes will limit developers’ access to data on Android devices and Gmail. Developers will no longer receive call log and SMS permissions on Android devices, and contact interaction data won’t be available through the Android Contacts API. The API provides basic interaction data.
Google also announced a series of reforms to its privacy policies designed to give users more control over the amount of data they share with third-party app developers.
Users will now have more “fine-grained” control over the various aspects of their Google accounts that they grant to third parties (i.e., calendar entries vs. Gmail), and Google will further limit third parties’ access to email, SMS, contacts, and phone logs.