Google is at the centre of controversy this morning over a report of a massive user data breach that occurred last year, with the result that it will be introducing finer-grained controls to limit access to user data on the web and Android – and also shutting down Google+ for consumers.
A report from the Wall Street Journal quotes sources as well as a memo it reviewed, prepared by Google’s ‘legal and policy staff’, stating that Google was the subject of a data breach which exposed Google+ user data including full names, email addresses, birth dates, gender, profile photos, places lived, occupation and relationship status; it didn’t include phone numbers, email messages, timeline posts, direct messages or any other type of communication data.
According to the WSJ, Google chose not to divulge the data breach because ‘the incident would likely trigger “immediate regulatory interest” and invite comparisons to Facebook’s leak of user information to data firm Cambridge Analytica’.
In its blog post announcing the data breach, Google said that the exposure, which lasted from some time in 2015 until March 2018, was caused by a loophole in an API that meant third-party apps had access to profile fields that had been shared with the user but were not marked as public.
Google said it discovered and patched the bug in March this year, while assuring users that
We found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any Profile data was misused.
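The visibility mistake described above can be illustrated with a small access-control model. This is an added, constructed example and not Google's code: profile fields, viewers and the scope check are simplified stand-ins for whatever the real People API did, and OAuth scopes are modelled as plain field names.

```python
# Constructed model of the Google+ profile-visibility bug; not Google's code.
from dataclasses import dataclass, field


@dataclass
class ProfileField:
    value: str
    public: bool = False                                        # marked public by the owner
    shared_with: frozenset = field(default_factory=frozenset)   # users it was shared with privately


def user_can_see(f: ProfileField, viewer: str) -> bool:
    """Visibility check meant for a signed-in user browsing the site."""
    return f.public or viewer in f.shared_with


def app_view_vulnerable(profile, owner, viewer, scopes):
    """Bug: the same signed-in-user check is applied to a third-party app acting for
    `viewer`, so the app also receives fields the owner shared privately with `viewer`."""
    return {k: f.value for k, f in profile.items() if user_can_see(f, viewer)}


def app_view_fixed(profile, owner, viewer, scopes):
    """Fix: an app gets only public fields of other users, and of the authorising user
    only the non-public fields that the granted scopes (here: field names) cover."""
    out = {}
    for k, f in profile.items():
        if f.public or (owner == viewer and k in scopes):
            out[k] = f.value
    return out


# Constructed sample profile: Alice shares email and birthday only with Bob.
ALICE = {
    "name": ProfileField("Alice", public=True),
    "email": ProfileField("alice@example.com", shared_with=frozenset({"bob"})),
    "birthday": ProfileField("1990-01-01", shared_with=frozenset({"bob"})),
    "occupation": ProfileField("engineer", public=True),
}


def demo():
    """An app authorised by Bob (with a scope for Bob's own email) requests Alice's profile."""
    scopes = {"email"}
    return (app_view_vulnerable(ALICE, "alice", "bob", scopes),
            app_view_fixed(ALICE, "alice", "bob", scopes))
```

The vulnerable view hands Bob's app Alice's privately shared email and birthday; the fixed view returns only her public fields, while Alice's own app still gets the fields she consented to.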
Even with the bug patched, Google has advised it will be shutting down Google+ for consumers. The shutdown will take place over a 10-month period, with the social network closing in August 2019. Google further said that the enterprise version of Google+ will continue.
As part of the announcement of the breach, Google has decided to implement finer-grained permissions for apps accessing user data.
Google says that going forward, rather than bundling permissions together for a single approval, each and every permission requested by an app will be shown one at a time, within its own dialog box.
Google is also going to limit which apps can access your SMS and Gmail data.
For Gmail apps requesting permission to access user data, Google will only grant access to apps that are ‘directly enhancing email functionality—such as email clients, email backup services and productivity services (e.g., CRM and mail merge services)’.
For apps requesting SMS data, ‘only an app that you’ve selected as your default app for making calls or text messages will be able to make these requests’. Google has also advised that, within the next few months, it will remove access to the contact interaction data in the Android Contacts API that allowed apps to show you your most recent contacts.
These actions are only the beginning, with Google advising it will roll out additional controls and update its policies across more APIs in the coming months.