Google Closes G+ And Rolls Out New Security
Written by Lucy Black
Tuesday, 09 October 2018
Google is always surprising and the latest turn of events is no exception. In an announcement about security problems and improvements, we learn that Google+ is closing. Most might agree that this is not surprising, although it is disappointing. Moreover, the reasons given are strange.
The blog post in question is by "Safety and Security" and has the title:
"Project Strobe: Protecting your data, improving our third-party APIs, and sunsetting consumer Google+"
"Sunsetting" sounds almost nice, doesn't it? Google+ goes off into the twilight for a well-earned rest. A nice way to hide the more obvious headline:
Google+ a complete failure now being closed.
Well, so much for PR, but this isn't really a successful hiding of embarrassing news. The blog post goes on to outline a security initiative, Project Strobe, that:
"...looked at the operation of our privacy controls, platforms where users were not engaging with our APIs because of concerns around data privacy, areas where developers may have been granted overly broad access, and other areas in which our policies should be tightened."
From which we are supposed to infer that Google+ was a flop because we didn't trust Google? Do we trust Facebook any more?
It goes on:
"We’re announcing the first four findings and actions from this review today.
Finding 1: There are significant challenges in creating and maintaining a successful Google+ product that meets consumers’ expectations.
Action 1: We are shutting down Google+ for consumers."
Well I never, they've discovered that security for a social network is difficult and, as a result, they have decided that it's too hard and so the only solution is to close Google+. I suppose Googlers are only human and this is a tough software security challenge; perhaps giving up is the only thing to do.
What seems to have prompted this self-flagellation is the discovery of a stupid mistake:
"...we discovered a bug in one of the Google+ People APIs:
If I understand that right it is a big blunder, but hardly evidence of a monumental struggle with really hard-to-fix security problems. The post then goes on to explain that nothing bad happened - probably.
"We found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any Profile data was misused."
However, it is very strange that this wasn't disclosed sooner:
"We discovered and immediately patched this bug in March 2018."
and it is only being presented to us now. The time was used to check the API log data to infer that:
"...the Profiles of up to 500,000 Google+ accounts were potentially affected. Our analysis showed that up to 438 applications may have used this API."
There then follows a set of announcements about changes to security, which all sound reasonable, obvious even, but which have little bearing on the Google+ incident.
"Finding 2: People want fine-grained controls over the data they share with apps.
Action 2: We are launching more granular Google Account permissions that will show in individual dialog boxes.
Finding 3: When users grant apps access to their Gmail, they do so with certain use cases in mind.
Action 3: We are limiting the types of use cases that are permitted.
Finding 4: When users grant SMS, Contacts and Phone permissions to Android apps, they do so with certain use cases in mind.
Action 4: We are limiting apps’ ability to receive Call Log and SMS permissions on Android devices, and are no longer making contact interaction data available via the Android Contacts API."
The worrying words in these Actions, from the programmer's point of view, are "use cases". Another way of saying this is that Google are going to ban or make impossible certain types of app which they classify as dangerous. As far as Gmail apps go:
"Only apps directly enhancing email functionality—such as email clients, email backup services and productivity services (e.g., CRM and mail merge services)—will be authorized to access this data. Moreover, these apps will need to agree to new rules on handling Gmail data and will be subject to security assessments."
Going to the developer blog reveals some additional clarification:
"As an example, consolidating data from a user’s email for their direct benefit, such as expense tracking, is a permitted use case. Consolidating the expense data for market research that benefits a third party is not permitted."
I'm sure that the idea of using personal data for purposes such as market research or targeting adverts never occurred to Google before...
What all of this seems to come down to is that apps are going to be more closely vetted rather than any particular security innovation or change.
So, returning to the headline news - the fate of Google+ ... as others have already written, Google+ was technically a lot better than Facebook and still is. Of course, it was bound to fail simply because Facebook already had the numbers and no amount of strong-arm tactics was likely to get enough users for Google+ to "take off". As a result, Google has a loss maker on its hands and needed to find a good time to close it down. However, the news isn't all gloom as it seems that the enterprise version of Google+ will live on and you have 10 months and counting to move over to the paid-for version.
"Our review showed that Google+ is better suited as an enterprise product where co-workers can engage in internal discussions on a secure corporate social network. Enterprise customers can set common access rules, and use central controls, for their entire organization. We’ve decided to focus on our enterprise efforts and will be launching new features purpose-built for businesses. We will share more information in the coming days."
And I'm sure we will be looking forward to that.
So to be clear, Google isn't happy about running a consumer-oriented social network where most of the data isn't sensitive in the monetary sense, but it can run a secure enterprise version where the data has real, and not just notional, value.
Isn't this like saying, "I can't run a secure bank vault for toy money, but you can pay to put your gold bars inside if you want to"?
This is not a good retrospective justification of what Google has long known it must do - close Google+.
I mourn Google+ because, along with a few other techies who didn't much like Facebook's lowest communality approach, I was a user. I also am sorry for the wasted hours that programmers have spent creating the apps for Google+, some of which are cited as the cause of the problem despite not knowing about Google's flawed API.
So please not only +1 this news item, share it as widely as possible and let's give Google the message that while its network was niche it does have influence and we are not happy at Google's treatment of its consumers and its developers.
Last Updated (Tuesday, 09 October 2018)