
Google hid major Google+ security flaw that exposed users’ personal information - cristiandan
https://www.theverge.com/2018/10/8/17951914/google-plus-data-breach-exposed-user-profile-information-privacy-not-disclosed
======
tjoff
What annoys me is that I never wanted google+.

Google et al constantly try to force you into their systems, for a while you
_had_ to have a google+ account to be able to use hangouts. So when I had to
use hangouts I felt it necessary to create a dummy-account that I only used
for hangouts (and tried my best to ensure my google+-profile was as locked
down as possible). Thanks for that one!

I'm _terrified_ every time there is a new android update (or new device) that
I will accidentally misclick something and bam, all your photos are now
synced to google photos. If not instantly, some genius will simplify the
experience and make all your photos public since that's what everyone should
want anyway.

Do I have a youtube account? I don't know(!). I've tried my best to avoid it.

~~~
dvfjsdhgfv
If you use Android, you should always use a separate (dummy) Google account for
it. It is equally important to use non-Google apps for Google services such as
Gmail and YouTube, otherwise they'll link your accounts anyway.

~~~
tjoff
I've got a separate google account for pretty much each google service I use.
Which isn't much, the only one of value is my android-account that manages my
app-store purchases.

Unfortunately, yes, it is trivial for google to link the accounts together.
But I truly doubt they would do that, and they can not be certain that just
because they are used on the same device that they have the same owner.

But the trick is to not store anything sensitive on any of them. If google
started requiring a phone number linked to the accounts I'd quickly investigate
the option of generating dummy (but not one-time use) numbers. And if that
fails I'd just stop using those services.

~~~
cmroanirgo
> If google started requiring a phone number linked to the accounts

Google now requires a phone number when creating a new google account - I
wanted to make a new one yesterday... and decided not to make one after all.

~~~
dvfjsdhgfv
I use throw-away prepaid SIM cards for dummy Gmail accounts where the number
recycling is not a problem.

------
throwaway5752
How is this confusing? An internal review found a potential exploit. They
investigated and found it hadn't been exploited. They fixed it. They just
publicly announced it.

I have zero affiliation with Google, but none of this is remotely sinister.

~~~
excalibur
> Every year, we send millions of notifications to users about privacy and
> security bugs and issues. Whenever user data may have been affected, we go
> beyond our legal requirements and apply several criteria focused on our
> users in determining whether to provide notice.

> Our Privacy & Data Protection Office reviewed this issue, looking at the
> type of data involved, whether we could accurately identify the users to
> inform, whether there was any evidence of misuse, and whether there were any
> actions a developer or user could take in response. None of these thresholds
> were met in this instance.

They didn't announce it, they followed their internal policies which told them
NOT to announce it. This is what people are upset about.

> The WSJ reports that the company chose not to report it because of fear of
> “immediate regulatory interest” that would lump Google in with Facebook,
> according to one source’s description of the incident.

If this source is to be believed, the decision not to announce was less
policy-driven than they are claiming. It sounds more like they were
intentionally keeping the issue (and potential breach) secret, which naturally
bit them in the ass when word eventually got out.

~~~
throwaway5752
_"They didn't announce it, they followed their internal policies which told
them NOT to announce it. This is what people are upset about."_

You are reading - at this very second - a duplicate of a post linking to
[https://blog.google/technology/safety-security/project-strobe/](https://blog.google/technology/safety-security/project-strobe/)
talking about this very security flaw. They announced it. Perhaps you think it
should have been sooner?

_"Whenever user data may have been affected, we go beyond our legal
requirements"_

Cool. So they usually do more than they're legally obligated to. This time
they didn't, and various people/commentators are fetching their fainting
salts.

Regardless of whatever anonymous sources at the WSJ say, I really don't care
about why they did it. They followed their legal obligations and - even more
important to me - I have no ethical or professional issues with the way they
managed the incident.

~~~
excalibur
> They announced it. Perhaps you think it should have been sooner?

Yes, they did. After it was investigated by the WSJ, 6+ months after the fact.
I'm not a real stickler about disclosure timelines beyond "wait for the patch
please", but "only after it leaks several months later" still rubs me the
wrong way.

> They followed their legal obligations and - even more important to me - I
> have no ethical or professional issues with the way they managed the
> incident.

Ethical standards vary widely. Personally, in the category of "Things Google
has done that raise ethical concerns", I don't think this incident is
significant enough to bother mentioning. But I do think it sits in a bit of a
moral gray area.

------
the_duke
Another dupe?

~~~
excalibur
Anybody have tabs on the original non-dupe thread? It doesn't appear to be
anywhere near the front page, despite the fact that this is arguably the day's
biggest tech story, and the news is around 2 hours old.

~~~
p49k
The PR piece by Google (currently at spot #1) is apparently what these stories
are being "duped" to.

~~~
394549
> The PR piece by Google (currently at spot #1) is apparently what these
> stories are being "duped" to.

I feel a PR piece shouldn't be the only post if there's subtext like "a
security/privacy flaw" that affected millions.

Also the comment thread for the Google PR post seems to be mainly about how
little Google+ was used and various issues around its launch.

Here's the link if anyone's interested:
[https://news.ycombinator.com/item?id=18169243](https://news.ycombinator.com/item?id=18169243)

~~~
cwkoss
Yeah, I think that official PR pieces shouldn't block articles which
critically discuss a company's actions as "dupes".

