The Wall Street Journal has revealed that Google+ inadvertently exposed personal data to app developers, and did not disclose the oversight to their users. The security flaw was discovered by Google in March 2018, but it was not reported at the time due to concerns about regulatory oversight.
"Google exposed the private data of hundreds of thousands of users of the Google+ social network and then opted not to disclose the issue this past spring, in part because of fears that doing so would draw regulatory scrutiny and cause reputational damage, according to people briefed on the incident and documents reviewed by The Wall Street Journal."
Google+ was launched in 2011 as a competitor to social media sites such as Facebook, but it never really took off. In an attempt to boost membership numbers, Google made Google+ almost mandatory for people who wanted to sign up to other Google services, and in doing so they achieved around 540 million users. However, engagement was still low, and it was never a popular social media option among users.
The revelation seems to have been the impetus Google needed to put the final nail in the coffin of Google+. According to the company, "the consumer version of Google+ currently has low usage and engagement: 90 percent of Google+ user sessions are less than five seconds", so it's really no surprise that they have decided to move on.
The security flaw was discovered in one of the Google+ People APIs. It meant that when users allowed apps to access their profile (and the public data of their friends), the apps could access profile data even if it was set to private. The exposed data was limited to the user's name, email address, occupation, gender and age.
Google first discovered and patched the flaw in March 2018 as part of 'Project Strobe', in which the company reviewed third-party developer access to Google account and Android device data. Profiles of up to 500,000 Google+ accounts were potentially affected. According to a statement, they "found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any Profile data was misused", and consequently Google took the decision not to inform users.
Google+ for consumers will be wound down over 10 months, a process which is expected to complete before the end of August 2019. It will still be available for enterprise customers (i.e. corporate social networks powered by Google+).
In addition to the closure of Google+, the company announced new restrictions on the types of apps that can access consumer Gmail data. Going forward, only apps that directly enhance email functionality will be granted access. Similarly, new restrictions will be implemented regarding which apps are authorised to access phone and text message data, meaning that only the app you pick as your default app for making calls / texts can request access.
How can I delete my Google+ profile?
In the meantime, if you want to delete your Google+ profile before August 2019, log in to your Google+ account (you can do this while logged in to Gmail by clicking on the squares at the top-right of the screen), then go to the Settings option on the left-hand menu. Scroll to the bottom of the page to see the Account section, in which you should see the option to 'Delete your Google+ profile'.