The Breach That Killed Google+ Wasn't a Breach At All (theverge.com)
An anonymous reader quotes a report from The Verge: For months, Google has been trying to stay out of the way of the growing tech backlash, but yesterday, the dam finally broke with news of a bug in the rarely used Google+ network that exposed private information for as many as 500,000 users. Google found and fixed the bug back in March, around the same time the Cambridge Analytica story was heating up in earnest. [...] The vulnerability itself seems to have been relatively small in scope. The heart of the problem was a specific developer API that could be used to see non-public information. But crucially, there's no evidence that it actually was used to see private data, and given the thin user base, it's not clear how much non-public data there really was to see. The API was theoretically accessible to anyone who asked, but only 432 people actually applied for access (again, it's Google+), so it's plausible that none of them ever thought of using it this way.
The bigger problem for Google isn't the crime, but the cover-up. The vulnerability was fixed in March, but Google didn't come clean until seven months later when The Wall Street Journal got hold of some of the memos discussing the bug. [...] Part of the disconnect comes from the fact that, legally, Google is in the clear. There are lots of laws about reporting breaches -- primarily the GDPR but also a string of state-level bills -- but by that standard, what happened to Google+ wasn't technically a breach. Those laws are concerned with unauthorized access to user information, codifying the basic idea that if someone steals your credit card or phone number, you have a right to know about it. But Google just found that data was available to developers, not that any data was actually taken. With no clear data stolen, Google had no legal reporting requirements. As far as the lawyers were concerned, it wasn't a breach, and quietly fixing the problem was good enough.
I like how they try to tie it to the Cambridge Analytica scandal to get a rise out of the community. Yes, Google is not required to report every bug they fix when no breach occurred. There's nothing wrong with that. As for shutting down Google+, it was as good a time as any. If they're going to start having to worry about bad press over a dead product, they're going to finish killing it.
This reads like a hit piece on Google. I can't imagine why.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
Lost in all this discussion is the ineptitude of Google's engineers, security auditors, API designers, testers and who knows who else that would let something like this slip through unnoticed for so long. I no longer question Google's ethics (they're bad) but more and more I'm questioning what kind of tech sweatshop they're running.
And what else is lurking out there that will (un?)intentionally give those of us pause that have already absolved ourselves of everything G.
It always frustrated me how "cool" it became to dig on Google+. Journalists, podcasts, etc... it seemed once it caught on that "we all hate Google+ now" it seemed everyone was falling over themselves to make fun of Google+, but without any real substantial reason other than it was the popular thing to do.
The truth is, there was a LOT about Google+ that was better than Facebook. The Circles thing was extremely smart and useful. Never mind that the average user is too fucking stupid and/or lazy to bother to learn or make use of it... that doesn't make the feature any less good. It's a failing of the userbase, not the service.
Honestly one of the real things that killed Google+ early on was the lack of any sort of events feature. This is BIG on Facebook, and in fact many users maintain a FB profile for no other reason than to be notified and invited to events. These people don't post nor read posts. For whatever reason, Google refused to add events into Google+ and this was a huge reason why people who dipped their toes into it early on became disenchanted and never came back. It couldn't replace FB if it lacked a major feature of FB that they cared about.
Even to this day though Google+ has had the advantage of being a community with far less BS, trolling and spam than Facebook. The signal-to-noise ratio for the Google+ communities I participate in is exponentially better than anything on Facebook. This will be a great loss.