Do you still trust Google? | The Tylt

Do you still trust Google?

In early October, The Wall Street Journal revealed data from hundreds of thousands Google+ accounts were exposed from 2015 to March 2018, something Google knew but failed to notify users about. Google says there was no evidence of nefarious activity, thus no need to notify the public. But an internal memo revealed another motive: avoiding “regulatory scrutiny” and “reputational damage.” Some users feel betrayed by what they see as Google’s negligence; others argue the company was under no legal requirement to notify users of the breach. Did Google betray its users? 

FINAL RESULTS
Culture
Do you still trust Google?
A festive crown for the winner
#IStillTrustGoogle
#GoogleBetrayedUs
Dataviz
Real-time Voting
Do you still trust Google?
#IStillTrustGoogle
#GoogleBetrayedUs

The Wall Street Journal broke the news about the breach, saying that nearly 500,000 users of the Google+ social network were affected. According to the Journal’s Douglas MacMillan and Robert McMillan:

A software glitch in the social site gave outside developers potential access to private Google+ profile data between 2015 and March 2018, when internal investigators discovered and fixed the issue...The internal memo from legal and policy staff says the company has no evidence that any outside developers misused the data but acknowledges it has no way of knowing for sure.
Because of a bug in the API, developers could collect the profile data of their users’ friends even if that data was explicitly marked nonpublic in Google’s privacy settings, the people said.

Google is shutting down Google+ for consumers as a result; whether this is because of the breach or the news leak of said breach remains to be seen.

#GoogleBetrayedUs

If you are currently a panic-stricken Google+ user, here’s what you need to know:

496,951 users’ full names, email addresses, birth dates, gender, profile photos, places lived, occupation and relationship status were potentially exposed, though Google says it has no evidence the data was misused by the 438 apps that could have had access.

And yet, Google did not feel obligated to notify users that, for up to three years, their data might have been accessed by outside developers, regardless of their privacy settings on the network.

Given the quagmire that Facebook and Twitter have gone through over the last year regarding protecting user data, Google’s failure to notify users in inconceivable. But according to The Wall Street Journal, Facebook’s plight in particular served as a cautionary tale for Google. An internal Google memo showed the company’s true colors:

The document shows Google officials felt that disclosure could have serious ramifications. Revealing the incident would likely result ‘in us coming into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal,’ the memo said. It ‘almost guarantees Sundar [Pichai] will testify before Congress.”
#IStillTrustGoogle

But... odds are you are not a panic-stricken Google+ user, due to the fact that the social network is considered to be one of Google’s greatest failures. TechCrunch’s Josh Constine reports that according to sources within Google:

90 percent of Google+ user sessions are less than five seconds.

Constine continues, saying:

Given it’s unclear whether the G+ user data was scraped or if it will be employed for a nefarious purpose, the news of the bug itself might...blow over....

Plus, Google (pun intended) was under no legal obligation to notify users. According to the Wall Street Journal and its sources:

Internal lawyers advised that Google wasn’t legally required to disclose the incident to the public, the people said. Because the company didn’t know what developers may have what data, the group also didn’t believe notifying users would give any actionable benefit to the end users, the people said.

At the end of the day, the data made accessible due to the breach was somewhat trivial. 

#GoogleBetrayedUs

Regardless of how many Google+ users the company amassed, nearly 500,000 users were still affected–a number that cannot be ignored. Furthermore, according to The Wall Street Journal

Some of the individuals whose data was exposed to potential misuse included paying users of G Suite, a set of productivity tools including Google Docs and Drive, the person said. G Suite customers include businesses, schools and governments.

The G Suite user-base is certainly much larger than Google+, and users need to know if their personal documents might have been accessed by outside developers. The matter goes against basic privacy expectations, and Google is spot-on in aligning this data breach with Facebook; both companies have now betrayed the trust of their wide user base. 

Google set expectations for transparency between its software, products, and users. The Wall Street Journal notes:

In its contracts with paid users of G Suite apps, Google tells customers it will notify them about any incidents involving their data 'promptly and without undue delay' and will ''promptly take reasonable steps to minimize harm.' That requirement may not apply to Google+ profile data, however, even if it belonged to a G Suite customer.

Google's failure to do so was motivated entirely by self-interest and preservation. Once again, users lose out without a trusted source to turn to. 

#IStillTrustGoogle

Google alone is responsible for notifying users of a potential data breach; there is no federal law requiring companies to do so in the U.S. The Wall Street Journal reports on the predicament:

...companies must navigate a patchwork of state laws with differing standards, said Al Saikali, a lawyer with Shook, Hardy & Bacon LLP. 
While many companies wouldn’t notify users if a name and birth date were accessed, some firms would, Mr. Saikali said. Some firms notify users even when it is unclear that the data in question was accessed, he said. 'Fifty percent of the cases I work on are judgment calls,' he said. 'Only about half the time do you get conclusive evidence that says that this bad guy did access information.'

Upon learning of the breach, Google made a determination completely within its rights. The company has no actionable advice for users affected, nor can it pinpoint which users may have been affected at all. Google should not be punished as a result. 

FINAL RESULTS
Culture
Do you still trust Google?
A festive crown for the winner
#IStillTrustGoogle
#GoogleBetrayedUs