When and what should be disclosed if a company discovers a software vulnerability but apparently no evidence of a data breach has been highlighted by admission that Google chose not to tell users their personal information was at risk after discovering earlier this year that an application programming interface (API) in its Google+ social network code could have leaked data.
The decision only came out Monday because the Wall Street Journal reported that Google executives opted against notifying users earlier because of concerns it would catch the attention of regulators and draw comparisons to the Cambridge Analytica data privacy scandal at Facebook.
According to the Journal, the vulnerability dated back to 2018 until it was patched in March.
The same day Google said in a blog that as a result of an internal review of Google+ APIs it discovered — and patched — the vulnerability in March. That particular API allowed users to grant access to their Profile data, and the public Profile information of their friends, to Google+ apps. However, the apps also had access to Profile fields that were shared with the user, but not marked as public.
Google said the data was limited to static, optional Google+ Profile fields including name, email address, occupation, gender and age. (See the full list on our developer site.) It does not, Google emphasized, include any other data a user may have posted or connected to Google+ or any other service, like Google+ posts, messages, Google account data, phone numbers or G Suite content.
Log data on that particular API was kept by Google for only two weeks, meaning the company can’t confirm which users were impacted. “However, we ran a detailed analysis over the two weeks prior to patching the bug, and from that analysis, the Profiles of up to 500,000 Google+ accounts were potentially affected,” the blog says. “Our analysis showed that up to 438 applications may have used this API.
“We found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any Profile data was misused.”
Still, as a result of the incident, and because it hasn’t achieved wide adoption, the consumer version of Google+ will be wound down over the next 10 months. The paid enterprise version will remain.
Google also announced in the blog privacy enhancements for its other services.
The incident didn’t impress Canadian privacy expert Ann Cavoukian. “It’s time that Google stepped up its data protection measures,” she said in an email to ITWorldCanada. “Strong security is essential these days, and a company the size of Google should be leading with the strongest security in order to avoid data breaches such as this. Add to that the total lack of transparency, in an effort to keep this breach under wraps, brings insult upon injury.”
According to the Google blog explaining the refusal to notify users, the company’s Privacy and Data Protection Office reviewed this issue, looking at the type of data involved, whether it could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response. None of these thresholds were met in this instance, the blog says.
Cavoukian doesn’t buy the argument that would justify holding back notifying users. “Just because the data was not accessed (and we can’t be certain it wasn’t accessed; the harm from a breach often arises after news of the data breach subsides), doesn’t mean it wasn’t a data breach! Their security was weak and the personal data of 500,000 Google Plus users was exposed to third party developers – that certainly sounds like a breach to me.”
Canadian privacy lawyer Imran Ahmad of the Miller Thompson law firm in Toronto said in an interview he is surprised at the news. “You would expect a company like Google to have rock-solid security in multiple layers, and then act as quickly as possible … I was surprised at them [reportedly] fearing disclosure.”
“Either from a precautionary standpoint or from risk mitigation, once they confirmed [the vulnerability] they should have started the notification process.”
Starting Nov. 1 companies covered under Canada’s Personal Information Protection and Electronics Document Act (PIPEDA) mandates companies that have suffered a breach of security safeguards on personal data to the extent that it could cause real and significant harm to a person must notify the person and the federal privacy commissioner.
Which raises a question: After Nov. 1 if a Canadian organization discovers a vulnerability but can’t determine if there’s been a data breach, should users and the commissioner should be notified? Ahmad said it would be a “grey zone,” and depend on the data that might have been exposed. Data as simple as a name, address, email address and occupation, he said, could be used to impersonate a victim. “Out of an abundance of caution I may want to notify” victims, he said.
Ilia Kolochenko, CEO of security vendor High Tech Bridge, said in an email that unlike the recent Facebook breach, this disclosure timeline is “incomprehensibly long and will likely provoke a lot of questions from regulatory authorities. Inability to assess and quantify the users impacted does not exempt from disclosure. Although a security vulnerability per se does not automatically trigger the disclosure duty, in this case it seems that Google has some reasonable doubts that the flaw could have been exploited. Further clarification from Google and technical details of the incident would certainly be helpful to restore confidence and trust among its users currently abandoned in darkness.
Google has a vulnerability — bug bounty — program, which last year paid out US$2.9 million. But, Kolochenko said, “this is one more colourful example that bug bounty is no silver bullet even with the highest payouts by Google. Application security is a multi-layered approach process that requires continuous improvement and adaptation for new risks and threats. Such vulnerabilities usually require a considerable amount of efforts to be detected, especially if it (re)appears on a system that has been already tested. Continuous and incremental security monitoring is vital to maintain modern web systems secure.”
The incident has gained wide coverage. “The big story is that Google knew months ago that user data had been exposed and chose to keep the fact quiet,” commented British security reporter Graham Cluley. “Did no-one tell them that cover-ups are always worse than coming clean?”
Pierluigi Paganini, a member of the European Union Agency for Network and Information Security’s threat landscape stakeholder group, said it is “very bad news for Google.”
The privacy changes announced by Google include more granular Google Account permissions that will show in individual dialog boxes; limiting the types of use cases that are permitted if users want to allow third-party apps to access their Gmail data; limiting apps’ ability to receive Call Log and SMS permissions on Android devices; and no longer making contact interaction data available via the Android Contacts API.
(This story has been updated from the original to add comments from Imran Ahmad)
