October 8, 2018, updated 09 Oct 2018 10:19am

Google Restricts Gmail API Access, Kills Google+ After Data Exposed

Google took 7 months to publicly report exposure of 500,000 Google+ users' data; it is now also restricting Gmail APIs after an audit of third-party API access

By CBR Staff Writer

Google said today it was shutting down the consumer version of its Google+ social network – citing a bug that exposed the personal profiles of up to 500,000 users, with the API at fault used by 438 applications – and ramping up security assessments for the consumer Gmail API to limit the apps that can access consumer Gmail data.

A root and branch data privacy audit dubbed “Project Strobe” by the company is resulting in four actions, of which the first is the closure of Google+.

Ben Smith, Google VP of Engineering, said: “This review crystallized what we’ve known for a while: that while our engineering teams have put a lot of effort and dedication into building Google+ over the years, it has not achieved broad consumer or developer adoption, and has seen limited user interaction with apps.”

He added: “The consumer version of Google+ currently has low usage and engagement: 90 percent of Google+ user sessions are less than five seconds.”

Google+ Closed: API Bug Blamed for Data Exposure

Most alarming was the news that the review (of third-party developer access to Google account and Android device data and of Google’s “philosophy around apps’ data access”) had in March this year found a bug in the People API that exposed the “static, optional Google+ Profile fields” including name, date of birth, email address, relationship status, places lived, biography and more of up to half a million people.

Google said it had no evidence that the bug had been abused. It has taken seven months to publicly disclose the issue. Under the European Union’s GDPR, if personal data is breached, a company needs to inform a supervisory authority within 72 hours.

The Wall Street Journal claimed, citing unnamed sources and internal documents, that Google had opted not to disclose the issue with its API after finding the issue in March 2018, owing to concerns over regulatory scrutiny and reputational risk.


Gmail Security Audit

The company also tightened control over API access to Gmail user data, updating its User Data Policy for the consumer Gmail API to limit the apps that can seek permission to access consumer Gmail data and saying it has “clarified that human review of email data must be strictly limited.”

“Only apps directly enhancing email functionality—such as email clients, email backup services and productivity services (e.g., CRM and mail merge services)—will be authorized to access this data. Moreover, these apps will need to agree to new rules on handling Gmail data and will be subject to security assessments,” Smith wrote.

The new policies, focused on Gmail APIs, will go into effect January 9, 2019.

 
