Google Didn't Reveal Security Bug For Months, 'Wall Street Journal' Reports
DAVID GREENE, HOST:
Google is shutting down its consumer version of Google Plus, its social network that some saw as its answer to Facebook. This comes after a flaw was discovered that might have exposed personal information of hundreds of thousands of customers. According to The Wall Street Journal, that flaw was discovered in March, but the company decided not to disclose it. With us in our studio in Washington, D.C., is one of the reporters who broke the story, Doug MacMillan.
Thanks for being here.
DOUG MACMILLAN: Hi. Good morning.
GREENE: So can you start by telling us about this flaw that you and your colleagues at The Wall Street Journal discovered? I mean, what information could have gotten out here?
MACMILLAN: Yeah, so over a two year - two to three year period from 2015 until earlier this year, people who entered their profile information into Google Plus - information like their gender, birthdate, full name, email address - all of that data could have been available to outside developers if - basically if your friend had signed up to some Google Plus app, those developers potentially could have gotten access to this data. The number - the potentially affected number of users is small. It's only about potentially a half a million users, which in the world of potential data breaches that is not a huge number.
GREENE: Not that many.
MACMILLAN: But the real questions that our reporting focused on are kind of what Google did when it found out this - you know, the security patch flaw existed.
GREENE: Or didn't do, right? I mean, they didn't go public and let people know that their privacy might have been at risk. Why?
MACMILLAN: Yeah, so sort of the story that they're telling - which is they took a look at what happened. They investigated these apps to some extent. They found that there was no suspicious activity. And they decided that there was no evidence of misuse of data. So they had no obligation to tell users. But our reporting shows that there was another factor at play which was they were worried about the repercussions of coming forward with this information. You know, earlier this year, right at the time they discovered this, the Facebook-Cambridge Analytica data breach had just happened. There was a lot of regulator scrutiny of Facebook and tech companies and how they're handling data. And internally they were worried about being pulled into this conversation in a bigger way.
GREENE: Well, have they responded to your reporting - and I guess also have they said anything about how they might prevent this from happening another time?
MACMILLAN: Yeah. So they took a pretty drastic step, which is they announced - you said earlier they announced they're closing the consumer side of Google Plus, which is a pretty big step. They're also taking a number of steps to kind of rein in some data privacy potential problems. They make a lot of data available to outside developers on Android phones. For things like Gmail, there are a lot of different apps that you can use to - and those developers can also get your data. So they're taking some steps to shut down some of those channels. In the short term, that could actually hurt some of their relationships with developers. But they're saying that in the long term maybe this could prevent a situation like this from happening again.
GREENE: Based on your reporting, should people feel safe using Google if they care about privacy?
MACMILLAN: I think that there are some real questions that users have to ask themselves about trust. In this situation, there was a pretty serious decision being made about how to handle, you know, a situation involving sensitive personal data, and there was no transparency into that decision. You know, these people in a room in Mountain View decided how to handle a sensitive issue around user data. So can users - you know, can Google keep the trust of its users going forward? I think that they're going to have a lot of work to do to get that trust back.
GREENE: Doug MacMillan covers Google for The Wall Street Journal. He joined colleagues in writing this story. He was working with fellow reporter Robert McMillan.
Thanks so much for joining us this morning. I appreciate it.
MACMILLAN: Thanks very much for having me.
NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.
Correction Oct. 16, 2018
A previous headline incorrectly characterized the security bug as a security breach.