Ben Smith, Google’s VP of engineering, announced in a blog post on Monday that the bug was discovered in March and immediately fixed, but that the profiles of up to 500,000 Google+ accounts were possibly affected.
The glitch in the application programming interface (API) for Google+ meant that third-party app developers were able to access users’ details – such as email addresses, occupation, gender and age – as well as their friends.
Smith revealed that 438 apps may have used the API to gain access to users’ data, but that Google couldn’t be certain because it deletes API log data every two weeks.
But he insisted: “We found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any profile data was misused.
“Every year, we send millions of notifications to users about privacy and security bugs and issues. Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice.”
However, it is precisely the question of how much notice users were given that has proven controversial: the blog post appeared only shortly after the Wall Street Journal reported that Google opted not to disclose the bug, at least in part to avoid damage to its reputation and possible regulatory scrutiny.
The flaw was discovered in the same month that Facebook was coming under huge pressure over the harvesting of user data for Cambridge Analytica, and a memo seen by the Journal suggests that scandal influenced Google’s actions.
According to the Journal, a memo prepared by Google’s legal and policy staff – and shared with senior executives – warned that disclosing the Google+ bug would likely trigger “immediate regulatory interest” and invite comparisons to Facebook’s leak of user information to Cambridge Analytica.
It said disclosure would likely result “in us coming into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal”. It “almost guarantees Sundar will testify before Congress”, the memo added, in reference to CEO Sundar Pichai.
Sourced from Google, Wall Street Journal; additional content by WARC staff