Google has agreed to pay $7.5 million to settle the allegations detailed on this page. Notice of the settlement agreement between the plaintiffs and Google was submitted to the court on January 6, 2020.
The proposed deal, which awaits a judge’s preliminary approval, looks to cover everyone in the United States who had a Google+ account for any period of time between January 1, 2015 and April 2, 2019 and had their non-public information exposed as a result of the software bugs announced by Google on October 8 and December 10, 2018. A hearing for preliminary settlement approval is tentatively scheduled for May 21, 2020.
The document outlining the proposed settlement can be found here.
While the final nails are driven into the coffin of Google+, Google, Inc. and parent company Alphabet, Inc. must now contend with a proposed class action lawsuit centered on a data breach the suit alleges exposed the information of up to 500,000 platform users between sometime in 2015 and March 2018. Despite the multi-year window in which Google+ users’ information was supposedly left out in the open, Google only disclosed the vulnerability on October 8—at the same time it announced that the failed social network will be shut down for good.
Considered by many as one of Google’s biggest failures, Google+ was set up to be an “answer and rival” to Facebook, the suit begins. According to the lawsuit, Google+ users’ information was exposed for so long due to a software glitch that allowed third-party app developers access to private profile data. Below is an illustration included in the complaint that depicts how such a glitch could expose Google+ users’ data:
It should have never gotten this far, the suit argues, as Google has always represented to users that it will only share personal information outside the company with explicit consent. Even worse, according to the case, is that Google “made a calculated decision” to say nothing about the years-old security vulnerability for months, as the glitch was supposedly uncovered back in March 2018.
All told, the lawsuit says, the number of Google+ users who Google claims had their information compromised may be much higher than the company has stated publicly. From the complaint:
“[The defendants] have advised that at least 438 third party applications may have used this API and been allowed unauthorized access to Google+ users’ data for nearly 3 years.
Because the API logs are designed to keep historical data for only 2 weeks, [the defendants] are unable to tell exactly how many users may have had their information compromised during this 3 year period.
Although [the defendants] have reported that only up to 500,000 users were affected, the reality is that this number is what was determined only for the two week period prior to the discovery of the security vulnerability in March 2018. Thus, given that the data leak occurred for nearly 3 years, the number of compromised users is expected to be much higher.”
Of Google’s alleged business decision to keep a lid on the data breach for months, the lawsuit charges the company remained quiet not because of potential repercussions from users, but as a means to sidestep any “regulatory interest,” which has remained at a fever pitch in the wake of the Facebook/Cambridge Analytica scandal.
“In every turn, [Google and Alphabet] put their own business interests ahead of the privacy interests of Google+ users causing harm to [the plaintiffs] and Class members,” the suit reads.
The lawsuit looks to cover a proposed class of all consumers in the United States who registered for Google+ accounts and whose information was “accessed, compromised or obtained” from Google by third-party applications without authorization. The case further asks to cover a proposed class of California residents who fit the same criteria.