Google+ API Bugs — 60s explainer (B03)

01 / 08 · Setup

GOOGLE+

remember? 2011–2019

02 / 08 · Tension

PRIVATE ? LEAKED.

people api bug for 3 years

03 / 08 · Reveal

GOOGLE KNEW SINCE MARCH.

disclosed in october

04 / 08 · Mechanism

app asks → API also returns "private" friends' data

Third-party app

438 apps with access

2015–2018 · 3 years

Google+ People API

returns private profiles

name, email, occupation, relationships — all leaked

05 / 08 · Scale

500,000 ACCOUNTS. FOR 3 YEARS.

2015 bug created Mar 2018 Google found it Oct 2018 disclosure

500k

accounts (first bug)

52.5M

accounts (second bug Nov 2018)

6 mo.

of silence

06 / 08 · Discovery

OCTOBER 2018

Wall Street Journal

Douglas MacMillan

internal memo

"CA-like inquiry"

Sundar Pichai

"didn't want panic"

memo leaked: "disclosure will trigger inquiry comparable to Cambridge Analytica"

07 / 08 · Consequence

SHUT DOWN

Google+ shut down Oct 8, 2018, one week after disclosure

$7.5M class action settlement. Google: "low-usage product." Truth: violation of transparency principle.

08 / 08

GOOGLE+

Shut down not because it wasn't popular. Shut down because the breach leaked.
Card B03 in Big Tech Files.