Slashdot Mirror
The Breach That Killed Google+ Wasn't a Breach At All (theverge.com)
An anonymous reader quotes a report from The Verge: For months, Google has been trying to stay out of the way of the growing tech backlash, but yesterday, the dam finally broke with news of a bug in the rarely used Google+ network that exposed private information for as many as 500,000 users. Google found and fixed the bug back in March, around the same time the Cambridge Analytica story was heating up in earnest. [...] The vulnerability itself seems to have been relatively small in scope. The heart of the problem was a specific developer API that could be used to see non-public information. But crucially, there's no evidence that it actually was used to see private data, and given the thin user base, it's not clear how much non-public data there really was to see. The API was theoretically accessible to anyone who asked, but only 432 people actually applied for access (again, it's Google+), so it's plausible that none of them ever thought of using it this way.
The bigger problem for Google isn't the crime, but the cover-up. The vulnerability was fixed in March, but Google didn't come clean until seven months later when The Wall Street Journal got hold of some of the memos discussing the bug. [...] Part of the disconnect comes from the fact that, legally, Google is in the clear. There are lots of laws about reporting breaches -- primarily the GDPR but also a string of state-level bills -- but by that standard, what happened to Google+ wasn't technically a breach. Those laws are concerned with unauthorized access to user information, codifying the basic idea that if someone steals your credit card or phone number, you have a right to know about it. But Google just found that data was available to developers, not that any data was actually taken. With no clear data stolen, Google had no legal reporting requirements. As far as the lawyers were concerned, it wasn't a breach, and quietly fixing the problem was good enough.
The bigger problem for Google isn't the crime, but the cover-up. The vulnerability was fixed in March, but Google didn't come clean until seven months later when The Wall Street Journal got hold of some of the memos discussing the bug. [...] Part of the disconnect comes from the fact that, legally, Google is in the clear. There are lots of laws about reporting breaches -- primarily the GDPR but also a string of state-level bills -- but by that standard, what happened to Google+ wasn't technically a breach. Those laws are concerned with unauthorized access to user information, codifying the basic idea that if someone steals your credit card or phone number, you have a right to know about it. But Google just found that data was available to developers, not that any data was actually taken. With no clear data stolen, Google had no legal reporting requirements. As far as the lawyers were concerned, it wasn't a breach, and quietly fixing the problem was good enough.
The company that thinks it's okay to censor US citizens, and now Chinese citizens, build weapons for the US government, track every citizen on the planet, also has no problem covering up leaks of... tracking every citizen on the planet?
Tim "Don't-be-Evil is was the stupidest rule ever." Cook
Color me surprised.
I like how they try to tie it to the Cambridge Analytics scandal to get a rise out of the community. Yes, Google is not required to report every bug they fix when no breach occurred. There's nothing wrong with that. As for for shutting down Google+, it was as good a time as any. If they're going to start having to worry about bad press over a dead product they're going to finish killing it.
This reads like a hit piece on google. I can't imagine why.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
Lost in all this discussion is the ineptitude of Google's engineers, security auditors, API designers, testers and who knows who else that would let something like this slip through unnoticed for so long. I no longer question Googel's ethics (they're bad) but more and more I'm questioning what kind of tech sweatshop they're running.
And what else is lurking out there that will (un?)intentionally give those of us pause that have already absolved ourselves of everything G.
But crucially, there's no evidence that it actually was used to see private data, and given the thin user base, it's not clear how much non-public data there really was to see. The API was theoretically accessible to anyone who asked, but only 432 people actually applied for access (again, it's Google+), so it's plausible that none of them ever thought of using it this way.
As far as the lawyers were concerned, it wasn't a breach, and quietly fixing the problem was good enough.
In this particular case, it seems they would need to provide evidence that no data was accessed, rather than saying that they see no evidence that data was accessed.
There were 400 people who could have accessed a list og names and email addresses if they figured out how, and there is no reason to believe any of them did.
If that's the standard for a situation that has to be reported, nearly every company in the world has a situation to report, because there are 400 people who can access customer data, if they figure out how.
For every large company, 400 employees have some access to customer data. For all the smaller companies, half of the attendees at Defcon (7,000 people) could access their data - and that's 7,000 people just in one room.
Actually never mind hackers, have you ever heard of a phone book? That's a much larger list of names, and the phone book even includes physical addresses. It's delivered to everyone, not just available to a few hundred people.
If it were credit card information, as opposed to phone book information, that would have been different. My company once had a potential vulnerability that could, in theory, expose credit cards, though that was unlikely. I personally called every customer who could have been affected and let them know they should check their credit card statement just in case.
It always frustrated me how "cool" it became to dig on Google+. Journalists, podcasts, etc... it seemed once it caught on that "we all hate Google+ now" it seemed everyone was falling over themselves to make fun of Google+, but without any real substantial reason other than it was the popular thing to do.
The truth is, there was a LOT about Google+ that was better than Facebook. The Circles thing was extremely smart and useful. Nevermind that the average user is too fucking stupid and/or lazy to bother to learn or make use of it... that doesn't make the feature any less good. It's a failing of the userbase, not the service.
Honestly one of the real things that killed Google+ early on was the lack of any sort of events feature. This is BIG on Facebook, and in fact many users maintain a FB profile for no other reason than to be notified and invited to events. These people don't post nor read posts. For whatever reason, Google refused to add events into Google+ and this was a huge reason why people who dipped their toes into it early on became disenchanted and never came back. It couldn't replace FB if it lacked a major feature of FB that they cared about.
Even to this day though Google+ has had the advantage of being a community with far less BS, trolling and spam than Facebook. The signal-to-noise ratio for the Google+ communities I participate in is exponentially better than anything on Facebook. This will be a great loss.
Yes, but the situation is a little more shady than that. It's not really 438 people, it's 438 third-party applications and therefore 438 organisations. How many people behind those organisations ?
Furthermore, it appears that Google only keeps the log of the third-party API access for two weeks. Given the time window of this vulnerability, it seems quite misleading to go out and say that there is no evidence that this was used.
I agree with you that the information leaked seems pretty benign. Therefore, they should have had no problems in disclosing the vulnerability... And furthermore, the phone book example you gave is interesting, because it seems that combining the information available within it with the information potentially leaked would give a good basis for identity theft. So, I do not know if this should be considered so benign.