Poorly Written Blog Post Hides Google+ Data Breach

That hissing sound you hear is the Edelman Trust Barometer dropping like a lead zeppelin. The main culprit this time is Google. Did you read its Oct. 8 blog post? In “Project Strobe: Protecting your data, improving our third-party APIs, and sunsetting consumer Google+,” the search engine leader says, among other things, it's phasing out Google+.

If you started to read the 1,500-word post you might not have reached about one-quarter of the way through. Unfortunately, you missed a big item. More than 330 words in, Google revealed something left out of the blog’s title, namely that Google+ suffered a data breach with potential exposure of 500,000 users' information.

Again, if you read the post you might recall you had to wade through sentences describing how Google does its best to protect users’ privacy. An example: “Over the years we’ve continually strengthened our controls and policies in response to regular internal reviews, user feedback and evolving expectations about data privacy and security.”

[A tip: When you read a statement that begins with praise for how well a company is doing something, in badly written work it’s a prelude to announcing  a failure.]

Project Strobe

The blogger, Ben Smith, a VP of engineering and a Google Fellow, writes, “At the beginning of this year, we started an effort called Project Strobe…[that] looked at the operation of our privacy controls, platforms where users were not engaging with our APIs because of concerns around data privacy, areas where developers may have been granted overly broad access, and other areas in which our policies should be tightened.”

Now remember, the post's title promised news about closing Google+, right? Here it comes: “Finding 1: There are significant challenges in creating and maintaining a successful Google+ product that meets consumers’ expectations. Action 1: We are shutting down Google+ for consumers.”

[A painfully obvious tip: Get to the news at the top of a statement. Another tip: Due respect to Mr. Smith, let engineers engineer and writers write, particularly when your target audience is consumers. The details Smith includes might interest engineers, but mean little to the rest of us.]

After a bit more verbiage we arrive at: “[Project Strobe] crystallized what we’ve known for a while…the consumer version of Google+ currently has low usage and engagement: 90 percent of Google+ user sessions are less than five seconds.” Translation: Google+ is closing owing to poor consumer demand. This also should have been said closer to the top. And, right, we’ve still not seen anything about a breach.

A Comforting Thought?

Finally, after more than 330 words, we read Project Strobe “discovered a bug in one of the Google+ People APIs…” Go 100+ additional words and we see: “We discovered and immediately patched this bug in March 2018.”

So Google discovered a breach some 7 months ago, it’s telling you of it now, but not to worry, it was “patched immediately.”

If you'd stopped reading there you might feel better, right? Sure, but only if you’re supremely confident in big tech’s dubious track record for protecting user data. Oh, and if you’d not heard of Cambridge Analytica or were too deep in Kavanaugh-mania to hear of Facebook’s latest and largest data breach, which occurred Sept. 25 and was announced just three days later.

What Should I Do?

More likely after reading the above you asked with anxiousness, “Was my data compromised?” Ugh, well. “We made Google+ with privacy in mind and therefore keep this API’s log data for only two weeks. [Extraneous detail.] That means we cannot confirm which users were impacted by this bug.” [Despite the passive voice, not bad, but still too much detail without offering a direct answer or the number of users compromised.]

The post continues: “However, we ran a detailed analysis over the two weeks prior to patching the bug, and from that analysis, the Profiles of up to 500,000 Google+ accounts were potentially affected.” So now you wonder, am I one of those 500,000?

Calm down. Google then says it found “no evidence” that any developer was aware of the bug, or evidence that any Profile data “was misused.” Great, but why wait 7 months to tell us?

The 7-Month Itch

“Every year, we send millions of notifications to users about privacy and security bugs and issues. Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice.”

That’s a long way of saying Google didn’t see a reason to alert users this time. But if the breach was minor, not a crisis, why not in the name of transparency alert users and do so promptly? Case over, maybe.

Perhaps Google thought it could sneak this one past regulators? It doesn’t seem to have worked and looks bad. As PR vet Arthur Solomon says, “It’s better to announce bad news before it leaks out. Whether intentionally or not, sitting on bad news gives the impression that you’re trying to hide it.” Having a VP of engineering write the post, as opposed to the CEO, makes it look even more like Google was trying to bury the breach.

A Free Press

In this case, it seems Google might in fact have been trying to cover up the breach, per the Wall St Journal. Note how the Journal correctly leads its Oct. 8 story: “Google exposed the private data of hundreds of thousands of users of the Google+ social network and then opted not to disclose the issue this past spring, in part because of fears that doing so would draw regulatory scrutiny and cause reputational damage, according to people briefed on the incident and documents reviewed by The Wall Street Journal.”

Says Curtis Sparrer, principal at Bospar PR, “My suspicion is Google thought it could sit on the data, gambling that no one cared about a social network no one used.” The story came out now only because "the Wall Street Journal’s reporting...push[ed Google parent] Alphabet into the ABCs of transparency.”  Sparrer also notes the breach was discovered in the midst of Cambridge Analytica and calls for Mark Zuckerberg to testify on Capitol Hill. The nervousness of that period could be another reason Google sat on the news.

Seth Arenstein is editor of PR News.  Follow him: @skarenstein