Google announced on Monday that it is shuttering its Google+ social network, following revelations in a Wall Street Journal report[1] that the company did not disclose a recently discovered bug that had exposed data from up to 500,000 Google+ users users since 2015. In the same breath, the company introduced new tools to give users more control over the data they share with apps and services that connect to Google products.
The dissonance epitomizes the broader tension data behemoths like Google and Facebook have lately grappled with over how to reconcile their competing priorities of safeguarding user trust and turning a healthy profit.
"Hiding data exposures is harmful to users—trying to keep the cat in the bag is not a sustainable strategy," says Lukasz Olejnik, a security and privacy researcher and member of the W3C Technical Architecture Group. In this case, Google purposefully kept it quiet for months, with no apparent plans to let anyone ever know.
Google Minus
The vulnerability in Google+, which the company discovered and remediated in March, specifically related to one of the service's programming interfaces for third-party developers to access user profile data. Google says the bug exposed data like user names, email addresses, occupations, genders and ages, but the company found no evidence that anyone exploited it to steal user data, or misused the data in any of the 438 applications that might have used the API while the bug was live. The company found and investigated the flaw internally, rather than from an outside researcher, and opted not to disclose it until the Wall Street Journal report effectively forced them to.
"Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether