Google Data Leak Raises EU Data Protection Concerns

Ireland’s data protection regulator has said it is seeking more information from Google on a data breach in its social network Google+ that the company announced this week, saying it had not previously been made aware of the issue.

The breach exposed the private data of up to 500,000 users to hundreds of third-party app developers, Google said.

Google disclosed the breach, which it said it uncovered in March, following a newspaper report that said the company had decided not to make it public earlier because it would attract unwanted regulatory attention.

After making the incident public, Google said it would shut down Google+ because of low user engagement.

Regulatory interest

Google also said separately it has decided not to bid for a US Department of Defence cloud contract that would have involved handling sensitive military data.

“The Data Protection Commission was not aware of this issue and we now need to better understand the details of the breach, including the nature, impact and risk to individuals and we will be seeking information on these issues from Google,” the Irish data protection authority said.

Because Google does not yet have a lead EU supervisory authority, all European data protection authorities have the authority to engage individually with the company over the breach.

Google acknowledged that in March it discovered that the Google+ API allowed users to give third-party apps access not only to their own profile data, but also to their contacts’ profile information, including fields that had been privately shared with that user.

At the time, Facebook was being grilled by US regulators over its own massive data leak involving the use of user data for political campaign purposes by Cambridge Analytica.

In a report published late on Monday, the Wall Street Journal said Google had decided not to disclose the problem, citing an internal memo that said it would probably lead to Google’s chief executive having to testify before Congress, as Facebook’s Mark Zuckerberg had done.

Such a disclosure would also invite “immediate regulatory interest”, the memo said.

Immediately following the Journal’s report, Google announced it plans to shutter the consumer-facing aspects of Google+, while continuing to allow its use to power private corporate social networks.

In a blog post, the company acknowledged the data breach reported by the Journal, saying it estimated up to 500,000 Google+ users were affected, with up to 438 applications having potentially made use of the API.

The company said it has no way of accurately determining the impact of the breach because it keeps logs of API use for only two weeks, out of privacy considerations.

‘No evidence’

Google said its privacy and data protection office reviewed the issue and decided not to disclose it because it would not be able to identify which users to inform and did not have any evidence of misuse, and because there were no actions developers or users could take in response.

“We found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any profile data was misused,” Google vice president of engineering Ben Smith said in the post.

Industry observers have speculated for years that Google might shut down Google+, and in the wake of the data breach Smith readily downplayed the network’s popularity with consumers.

“It has not achieved broad consumer or developer adoption, and has seen limited user interaction with apps,” he wrote. “The consumer version of Google+ currently has low usage and engagement: 90 percent of Google+ user sessions are less than five seconds.”

Smith said Google will phase the network out over a period of 10 months, up to the end of next August, giving users time to migrate their data elsewhere.

Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDnet and other leading publications.
