Posted on: 20 Mar 2019
What were the Google data breaches?
First came Google’s announcement that it would shut down all Google+ APIs. January 28, 2019 marked the beginning of the shutdown, which concluded on March 7, 2019. As part of the shutdown, Google+ sign-ins have been deprecated. Google encouraged developers to switch to the Google sign-in system as an alternative. The decision to shut down Google+ APIs was taken in the aftermath of the first data breach, which began in 2015 and continued till March 2018. A software glitch within Google+ allowed third-party developers access to the private data of hundreds of thousands of users.
Google used Project Strobe to address the issue. Google knew about the security glitch several months prior to taking action, yet decided not to disclose it due to fears of regulatory scrutiny and damage to its reputation. According to Google, no developer abused the Google+ API vulnerability or misused the private data from users’ profiles. Shutting down Google+ APIs is a step in the right direction for Google; however, not disclosing the breach earlier has earned the internet search giant a ton of mistrust.
The second data breach impacted approximately 52.5 million users. The data breach potentially exposed their public and private information to developers. This new vulnerability was found in a software update that was introduced in November 2018. The vulnerability exposed information such as names, email addresses, occupations, and age to developers. Earlier, apps could access such information even when shared privately with another user. Google finally plugged the leak within a week of discovering it. Google claimed that none of its systems was compromised, but it was unable to provide evidence that the information was not abused.
Google notified impacted users and enterprise customers that it would shut down API access to Google+ within the next 90 days. In 2018, trust in Facebook dropped by 66% after the Cambridge Analytica scandal. When internet giants are unable to protect their users’ privacy, we must ask the question: How safe is my information on the Internet?
In an extensive blog post by Google on Project Strobe, the following points are explicitly stated:
1. Google+ would be shut down: Google admitted that Google+ had low usage and engagement: 90% of Google+ user sessions were less than five seconds. Google also claimed that every year they send millions of notifications to users about privacy and security bugs. Google intends to maintain strong communication to minimize user vulnerabilities. Considering the low usage by everyday customers, shutting down Google+ makes sense. However, for the enterprise customers who are among its heavy users, Google will revamp the social media network into a more corporate social network.
2. Google account permissions will be detailed: Google will now require its users to give explicit permission before every single instance of an app accessing user data. This would give users far more control, for example by allowing an app to access Calendars but not Google Drive. This flexibility is a welcome move for users concerned about data security.
3. Google is limiting access to Gmail based on types of use cases: Google has updated its User Data Policy for the consumer Gmail API to limit apps that may seek permission to access consumer Gmail data. Only apps that directly enhance email functionality will be authorized to access this data.
4. Limiting access to SMS, contacts, and phone permissions in Android: Google will be limiting the apps’ ability to receive call log and SMS permissions on Android devices and will no longer be making contact interaction data available via the Android Contacts API.
Google hopes to support a wide range of useful apps but at the same time give its users the confidence that their data is safe and secure. Also, developers will be given far more stringent rules to follow to ensure data is used carefully.
1. Android Authority – https://www.androidauthority.com/google-plus-api-shut-down-936878/
2. Google Blog – https://www.blog.google/technology/safety-security/project-strobe/