While thefinal nailsare driven into the coffin of Google+, Google, Inc. and parent company Alphabet, Inc. must now contend with a proposed class action lawsuit centered on a data breach the suit alleges exposed the information of up to 500,000 platform users between sometime in 2015 and March 2018. Despite the multi-year window in which Google+ users’ information was supposedly left out in the open, Google only disclosed the vulnerability on October 8—at the same time it announced that the failed social network will be shut down for good.
Considered by many as one of Google’s biggest failures, Google+ was set up to be an “answer and rival” to Facebook, the suit begins. According to the lawsuit, Google+ users’ information was exposed for so long due to a software glitch that allowed third-party app developers access to private profile data. Below is an illustration included in the complaint that depicts how such a glitch could expose Google+ users’ data:
It should have never gotten this far, the suit argues, as Google has always represented to users that it will only share personal information outside the company with explicit consent. Even worse, according to the case, is that Google “made a calculated decision” to say nothing about the years-old security vulnerability for months, as the glitch was supposedly uncovered back in March 2018.
All told, the lawsuit says, the number of Google+ users who Google claims had their information compromised may be much higher than the company has stated publicly. From the complaint:
“[The defendants] have advised that at least 438 third party applications may have used this API and been allowed unauthorized access to Google+ users’ data for nearly 3 years.
Because the API logs are designed to keep historical data for only 2 weeks, [the defendants] are unable to tell exactly how many users may have had their information compromised during this 3 year period.
Although [the defendants] have reported that only up to 500,000 users were affected, the reality is that this number is what was determined only for the two week period prior to the discovery of the security vulnerability in March 2018. Thus, given that the data leak occurred for nearly 3 years, the number of compromised users is expected to be much higher.”
Of Google’s alleged business decision to keep a lid on the data breach for months, the lawsuit charges the company remained quiet not because of potential repercussions from users, but as a means to sidestep any “regulatory interest,” which has remained at a fever pitch in the wake of theFacebook/Cambridge Analytica scandal.
“In every turn, [Google and Alphabet] put their own business interests ahead of the privacy interests of Google+ users causing harm to [the plaintiffs] and Class members,” the suit reads.
The lawsuit looks to cover a proposed class of all consumers in the United States who registered for Google+ accounts and whose information was “accessed, compromised or obtained” from Google by third-party applications without authorization. The case further asks to cover a proposed class of California residents who fit the same criteria.