Experts criticise Google for data breach cover-up

Written by Peter Walker
10/10/18

Security experts have criticised Google for failing to reveal a data breach back in March, for fear of regulatory scrutiny.

At the same time Facebook was getting a grilling for harvesting personal data for Cambridge Analytica, Google discovered that a bug in the Application Programming Interface (API) for the Google+ social network had been allowing third-party app developers to access the data not just of users who had granted permission, but also of those users' friends.

At that stage, Google chose not to disclose the data leak in order to avoid the public relations problem and potential regulatory enforcement. Documents obtained and published by the Wall Street Journal earlier this week showed executives believed disclosure would result “in us coming into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal”.

In response to the revelations, Google announced that it will close consumer access to Google+ and improve privacy protections for third-party applications.

In a blog post, Google stated the leak potentially affected up to 500,000 accounts, and that up to 438 different third-party applications may have had access to private information. The tech giant has no way of knowing whether they actually did, because it only maintains logs of API use for two weeks.
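As an added illustration of the bug class described above (this is constructed example code, not Google's implementation, and the profile data and field names are invented), the following models a "people" endpoint that a user has consented to: the buggy version also returns the private fields of that user's friends, who never consented, while the fixed version filters each friend's profile down to what that friend made public.

```python
# Added example, not Google's code: a minimal model of the Google+ API bug class.
# A user consents to an app reading their profile; the buggy endpoint also hands
# the app the private fields of that user's friends, who granted nothing. The
# fixed endpoint keeps only fields each friend marked public. Data is constructed.
from dataclasses import dataclass, field


@dataclass
class Profile:
    user_id: str
    fields: dict                      # every stored profile field
    public: frozenset                 # names of fields the owner shares publicly
    friends: list = field(default_factory=list)


# Constructed sample directory (hypothetical users and values)
PROFILES = {
    "alice": Profile("alice", {"name": "Alice", "email": "alice@example.test"},
                     frozenset({"name"}), friends=["bob", "carol"]),
    "bob": Profile("bob", {"name": "Bob", "email": "bob@example.test",
                           "occupation": "nurse"}, frozenset({"name", "occupation"})),
    "carol": Profile("carol", {"name": "Carol", "email": "carol@example.test"},
                     frozenset({"name"})),
}


def buggy_people_list(grantor: str, profiles=PROFILES) -> dict:
    """Vulnerable: returns every stored field of each friend, ignoring the
    friend's own sharing settings. Only `grantor` consented to this app."""
    return {fid: dict(profiles[fid].fields) for fid in profiles[grantor].friends}


def fixed_people_list(grantor: str, profiles=PROFILES) -> dict:
    """Hardened: friends never consented, so they contribute public fields only."""
    out = {}
    for fid in profiles[grantor].friends:
        friend = profiles[fid]
        out[fid] = {k: v for k, v in friend.fields.items() if k in friend.public}
    return out


def overexposed_fields(grantor: str, profiles=PROFILES) -> dict:
    """Review aid: fields the buggy endpoint exposes that their owner kept private."""
    buggy = buggy_people_list(grantor, profiles)
    fixed = fixed_people_list(grantor, profiles)
    return {fid: sorted(set(buggy[fid]) - set(fixed[fid]))
            for fid in buggy if set(buggy[fid]) - set(fixed[fid])}


if __name__ == "__main__":
    print(overexposed_fields("alice"))  # {'bob': ['email'], 'carol': ['email']}
```

The `overexposed_fields` comparison is the kind of check a reviewer can run against both versions of an endpoint to confirm that a fix removes every field the data owner never shared.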

“We found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any profile data was misused,” wrote vice-president of engineering Ben Smith.

In the US there is no federal law that obliges Google to disclose data leaks, but in California, where Google is headquartered, companies are required to disclose a data leak if it includes both an individual’s name and their Social Security number, ID card or driver’s license number, license plate, medical information or health insurance information.

Google also announced a series of reforms to its privacy policies designed to give users more control over the amount of data they share with third-party app developers.

Bill Holtz, chief executive of web security provider Comodo CA, said that Google’s tagline, ‘people should assume that the web is inherently safe’, fosters confidence in many people but skepticism in many others.

“The web may be inherently safe based on large numbers, but try telling that to the people who get hurt daily on the web because their identity is compromised, their credit cards are compromised, or their privacy is invaded,” he continued. “Honesty and full disclosure are necessary in the security business - it’s the difference between being in business or not, and we are fine with that - we are in the trust business and should be held to a high standard.”

Gary McGraw, vice president for security technology at Synopsys, said software problems continue to expose ‘the product’, which in the case of advertising-driven tech companies, is your data.

“Just as was the case in the Facebook ‘View As’ design flaw, we see evidence in this Google+ case of just how tricky solid software engineering can be even for tech wizards,” he commented. “The mind-boggling complexity of today’s commercial systems is a major factor here, making systematically uncovering and correcting design flaws when software is being designed and built harder than ever.”

Dr Ben Marder, senior lecturer in marketing at University of Edinburgh Business School, believes the cover-up was a “murky way to save face” amid the failure of the network.

“Another day, another social media privacy breach, but not every day does this cause a social network to shut down – especially one born with a silver spoon in its mouth, such as Google+,” he opined.

“It looks like Google has been considering pulling the plug on its social media network for years and the latest privacy issue was either the straw that broke the camel’s back, or a thorny but convenient means to remove their slightly embarrassing contribution to the world of social media, without the ever so proud Google saying they had failed.”