Google to Restructure Security Efforts after Google Plus Shuts Down
If you opened any form of social media or news platform on October 8th, you likely read “Google Plus shuts down” everywhere. Google is ending consumer access to the Google Plus platform, and here’s what we uncovered. A bug in the API for Google+ had been allowing third-party app developers to access the data of all Google Plus members who granted permission, and even of their friends who did not.
This may sound oddly familiar because it’s almost the same set of circumstances that had Mark Zuckerberg in the US Congress hot seat a few months back. According to The Wall Street Journal, Google realized the similarities and decided not to disclose the breach for fear of damaging their reputation. By now we’re sure they’re wishing they had followed in Taylor Swift’s footsteps and taken their BIG reputation in stride.
Shortly after the article was published, Google announced in a blog post the four main findings they uncovered during their internal API review, which they referred to as Project Strobe. The first finding led to a company-wide decision to close the consumer access door to Google Plus for good; the other three enhance what’s left of the Google suite as a whole.
Meeting consumer expectations just isn’t going to happen.
It has been more than a year since I’ve personally used the platform. Google wasn’t naive to the fact that consumers and developers weren’t waking up first thing and scrolling through their Google Plus feed for fear of missing out on what their friends and idols did last night. On top of that, their third-party app interaction was next to nothing with Google reporting that:
90% of Google+ user sessions are less than five seconds.
During this audit, they discovered the bug that openly shared public profile information including name, email, address, occupation, gender, and age. Google stressed this list did not include any other data outside of what is listed on their developer site, and that this bug was patched and fixed in March 2018, immediately after its discovery. While they cannot pinpoint an exact number, Google believes up to 500,000 accounts were potentially affected, and that 438 applications may have used the API in question.
“We found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any profile data was misused,” wrote Ben Smith, Vice-President of Engineering, in Google’s blog post.
With the stress of trying to meet consumer expectations and the realization of minimal usage, Google Plus will provide consumers with the opportunity to move and download their data over the next 10 months, while building up the enterprise side of the platform for businesses, which apparently is somewhat thriving. Here at SIS, I can’t imagine us using Google Plus for internal communication, but never say never. In the coming months, it will be very interesting to monitor the changes made and conduct some usability testing.
In order to build trust, consumers need extreme control over what they share.
The finding that stood out most to me as someone who interacts with apps more than I do humans was the need for users to have the highest control over what individual account data they share with each app. Google has promised to give users that fine-tooth comb we have long desired. Typically, when an application requests permissions, you get a list of all the things it “needs” access to in order for you to move forward.
Now Google will be implementing individualized permission screens for each requested access point. This gives consumers full control over whether or not they want to grant the application access to their calendar, but maybe not their Google Drive files, and so on. Having the option to approve or deny access to each request individually is something I hope all platforms begin to adopt.
Users grant access to applications that have a purpose, especially when it comes to Gmail.
The consumer Gmail API will no longer allow just any application to request permission to access your consumer Gmail data. Simply put, if you wouldn’t use the application to enhance your emailing experience (mail merge tools, CRMs), it doesn’t need access to your data. New rules will be set in stone soon, and even the applications we want to use will need to agree to new security terms. I question why it wasn’t that way from the start with something as sensitive as mail.
Android users who grant SMS, Contacts, and Phone permissions to apps do so for specific reasons.
In their final discovery, Google found some applications were requesting permissions for things they simply didn’t need. If you’re using a third-party app to send your text messages because you want your message windows to display a unique design or font, you may have granted certain contact and phone permissions, and maybe you’re OK with that.
Without permission, those messaging applications wouldn’t be able to pull your contacts to text your friends and family. From here on out, Google will only give permissions to access your contacts and call logs to the apps you’ve selected as the main applications that will make calls and send messages. Voicemail and backup applications will also be granted that access for obvious reasons.
Moving forward, it sounds like Google is implementing practices that we hope all platforms begin to adopt: more rules for developers, and more control for users. If you want to get a head start on cleaning up your own security, you can partake in a simple and quick security checkup at any time using Google’s Security Checkup tool. This is a great way to see how many apps you have given data access to.
What are your thoughts on Google Plus shutting down the consumer side and their new security promises? Will you be trying out their new enterprise platform when it launches? Let us know in the comments!