Google revealed Monday that its soon-to-be-shut social network Google+ has suffered from another security lapse, a software bug that could have enabled third-party apps and developers to gain access to 52 million users’ personal information without their permission.
For six days in November, an update to the underlying code of Google+ meant that apps seeking to access users’ profile information — including their names, email addresses, occupations and ages — could view that data even if it were “set to not-public,” Google said in a blog post. Apps could have accessed some non-public profile data that had been shared with a user as well.
Google, a unit of Alphabet Inc., said its systems had not been compromised and that there’s “no evidence that app developers” were aware of the bug or “misused it in any way.” But the revelation threatens to sharpen the scrutiny of the company’s chief executive, Sundar Pichai, when he testifies before a House panel Tuesday.
The security mishap is the latest stumble for Google’s social media offering. In October, Google admitted that it had failed for six months to reveal information about a bug that put at risk the data of hundreds of thousands of users.
Pichai was among those looped into the discussions about delaying public notification, a person familiar with the matter said at the time. Google said it delayed the release of the information because it was initially uncertain about which users were affected and whether the data had been misused.
Pichai’s Tuesday testimony comes more than three months after he turned down an invitation to testify in August, to the consternation of some lawmakers. Some members of Congress are mulling whether tougher regulations are needed to curb the power of Google, Facebook and other technology companies, in addition to demanding tighter controls over digital privacy.
In response to its latest findings, Google said Monday that it will shut its social network in April, five months sooner than it initially announced. It also said it would inform affected users, including “any enterprise customers.”
“We understand that our ability to build reliable products that protect your data drives user trust,” wrote David Thacker, a vice president for product management at Google. “We will never stop our work to build privacy protections that work for everyone.”
Google discovered its earlier Google+ security bug in March, the same month Silicon Valley rival Facebook Inc. was facing scrutiny over its role in allowing people affiliated with political consultancy firm Cambridge Analytica to collect data on 87 million users. That incident prompted demands that Facebook CEO Mark Zuckerberg testify on Capitol Hill, and he soon did.
Even if the latest Google+ privacy gaffe didn’t cause any major damage, it nevertheless marks another embarrassing incident for Google. The company’s business model relies on it being seen as a trustworthy guardian of the personal information it collects about the billions of people who use its search engine, Gmail, Chrome browser, maps and Android mobile operating system.
Like Facebook, Google makes most of its money by selling ads that draw upon what the company learns about the interests, habits and locations of people who use its free services.
The desire to peer into people’s lives is one of the reasons that Google launched Google+ in 2011. It was supposed to be a challenger to Facebook’s social network, but it turned into a digital ghost town that Google began to de-emphasize several years ago.
The Federal Trade Commission has investigated privacy incidents at Google and other leading technology companies on several occasions. Google signed a consent decree with the FTC in 2011 to settle allegations that an earlier social media platform, Google Buzz, mishandled user data.
Romm and Timberg write for the Washington Post. The Associated Press was used in compiling this report.