Google chose not to disclose the flaw out of concern it would trigger regulatory backlash, especially in the wake of criticism against Facebook Inc. for its privacy failures, according to the Wall Street Journal, which initially reported the news Monday. In a statement posted to its blog minutes after the report, Google said it plans to shut down Google+ for consumers and introduce new privacy tools restricting how developers can use information on products ranging from email to file storage.
The internet giant found the flaw in March during an extensive privacy and security review, Ben Smith, Google vice president of engineering, said in the statement. An internal committee decided not to disclose the potential breach of Google+ because there wasn’t evidence of any misuse of the exposed data, which included names, email addresses, ages and occupations, Smith said. The bug was immediately fixed at the time, he said.
Alphabet shares fell 1 percent to $1,157.06 at 2:52 p.m. in New York, after earlier dropping to $1,135.40, the lowest intraday price since July 5.
The news adds to Google’s woes and further erodes the narrative that Facebook is the worst offender of the major technology companies on data privacy. Facebook has received months of harsh criticism for allowing a developer to spirit away user information and pass it to a political firm that worked in 2016 for Donald Trump’s election campaign. In the last two months, U.S. politicians on both sides of the aisle have stepped up their attacks on Google, with Republicans accusing it of harboring biases against them and Democrats questioning whether the company has gotten too big and powerful.
“This has been going on for too long,” said Marc Rotenberg, president of the Electronic Privacy Information Center. “Companies like Google experience these breaches. They don’t report them. They don’t suffer consequences.”
The Federal Trade Commission needs to step up and start investigating the company’s privacy practices, he said.
The FTC, as the nation’s chief privacy watchdog, has the authority to investigate data breaches. In 2011, it found that Google broke its own privacy policies when it introduced its Buzz social network — a precursor to Google+. The company is still under a consent decree stemming from that incident that requires it to implement a privacy program. The FTC can fine companies when they violate terms of a consent decree.
Google+ never caught on as a social network. Even so, many users still technically have a profile that has personal information on it. Google will shut it down over the next 10 months for consumers, but keep a version built for businesses open and operating.
The other changes Google is making include requiring apps to ask separately for each type of information they want from a user, such as access to calendars or address books. On Gmail, Google’s ubiquitous email service, only apps that improve email functionality will be allowed to request access.