
Google Exposed User Data, Feared Repercussions of Disclosing to Public - tysone
https://www.wsj.com/articles/google-exposed-user-data-feared-repercussions-of-disclosing-to-public-1539017194
======
neurotech1
non-paywall version: [http://archive.is/rpuA1](http://archive.is/rpuA1)

~~~
JumpCrisscross
Does anyone else get rubbed the wrong way by this sort of irreverent
infringement? Even if you have zero concern for journalists’ copyrights, it
puts this forum at risk.

~~~
Senderman
Fair use exemption makes specific reference to "purposes such as criticism,
comment, news reporting" - those are just the first three listed, and all
three apply to a HN post.

~~~
abalone
This is a gross misrepresentation of fair use doctrine. Fair use requires a
"transformation" of the work. It does not permit reproducing a work in its
entirety without permission just so you can have a discussion about it.

------
Bhilai
>We made Google+ with privacy in mind and therefore keep this API’s log data
for only two weeks. That means we cannot confirm which users were impacted by
this bug.

Wait, so they only keep two weeks' worth of logs and within these logs they did
not find anyone abusing this flaw. How can they be certain for any time period
from two weeks prior?

~~~
skbly7
The company which considers every single bit of data as "gold" decided not to
keep their API's access log > 2 weeks? Wow!

~~~
nil_pointer
I too find Google only keeping 2 weeks of logs unbelievable.

~~~
vkou
The regulatory costs of GDPR mean that for every piece of log data, you want
to think about whether or not you really want to keep it.

If you don't have a good business case for keeping it, you're often better off
erring on the side of deletion.

~~~
p49k
Both the breach and the fix happened months before GDPR went into effect,
though.

~~~
dannyw
Generally you want to build systems in compliance with future regulations before
they kick in. GDPR at big companies is a multi-year effort.

------
euske
Nowadays I tend to trust a company that had a security vulnerability or data
breach once and handled it gracefully, rather than a company that says they
had no security breach. Making a mistake is only human; your true test is what
you do _after_ you find it.

~~~
spatz
So is this an example of a company handling it gracefully? They couldn't tell
what the impact was but kept it a secret for 6 months.

~~~
mikob
Pretty sure he is saying the opposite.

------
ucaetano
Company finds a security vulnerability caused by a bug. Logs show that it has
never been used by anyone. It patches the vulnerability.

[Honest question] Should the company announce it publicly?

PS: Keeping in mind that this is part of the Murdoch vs. Google war going on
for about 10 years:

[https://www.npr.org/sections/money/2009/11/murdoch_vs_google...](https://www.npr.org/sections/money/2009/11/murdoch_vs_google.html)

[https://www.thedrum.com/news/2017/03/28/timing-everything-ru...](https://www.thedrum.com/news/2017/03/28/timing-everything-rupert-murdoch-s-google-rebellion-returns-news-corp-eyes-more-ad)

[https://www.theverge.com/2018/1/22/16920254/news-corp-rupert...](https://www.theverge.com/2018/1/22/16920254/news-corp-rupert-murdoch-carriage-fee-facebook-google-journalism-media)

[Edit: added the "Honest Question" tag]

Edit 2: Related post by Google:

[https://blog.google/technology/safety-security/project-strob...](https://blog.google/technology/safety-security/project-strobe/)

~~~
tptacek
I don't know if it should or it shouldn't, but it _absolutely is not the norm_
for companies to announce those vulnerabilities publicly. Every year, most
moderate-and-up-sized tech companies (really, a pretty big swathe of the
Fortune 500 _outside_ tech, as well) contract multiple penetration tests, and
those tests turn up thousands upon thousands of sev:hi vulnerabilities, none
of which are ever announced.

An obligation to announce findings would create a moral hazard as well, since
the incentives would suddenly tilt sharply towards not looking for security
vulnerabilities.

~~~
creaghpatr
It's the norm in healthcare (HIPAA): disclosure is required for breaches that
affect 500+ persons, and even <500 person breaches have to be reported
annually to HHS and to the individual at the time of discovery.

[https://www.cms.gov/Outreach-and-Education/Medicare-Learning...](https://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNProducts/Downloads/HIPAAPrivacyandSecurityTextOnly.pdf)

edit: less-than sign wrong way

~~~
reificator
> _It's the norm in healthcare (HIPAA), disclosure is required for breaches
> that affect 500+ persons, and even <500 person breaches have to be reported
> annually to HHS and to the individual at the time of discovery._

> _[https://www.cms.gov/Outreach-and-Education/Medicare-Learning...](https://www.cms.gov/Outreach-and-Education/Medicare-Learning...)_

> _edit: less-than sign wrong way_

Breaches, not vulnerabilities. The discussion is not whether or not breaches
should be disclosed[0], but whether newly discovered and believed-to-be-
unexploited vulnerabilities should be disclosed.

[0]: They should of course, after a reasonable period in which to patch the
vulnerability used.

~~~
chii
> believed-to-be-unexploited vulnerabilities

you cannot prove the negative (realistically). If you have a vulnerability,
you must treat it as though it has been exploited.

~~~
craigds
Sometimes you can, if you have comprehensive logs that cover it.

edit: Within reason, anyway. Obviously if your vulnerability includes write
access to logs or something then you're poked.

~~~
yebyen
I think in this particular case, their policy statement in the sister article
from Google blog indicates they couldn't really say that in this case.

> We made Google+ with privacy in mind and therefore keep this API’s log data
> for only two weeks. That means we cannot confirm which users were impacted
> by this bug. However, we ran a detailed analysis over the two weeks prior to
> patching the bug, and from that analysis, the Profiles of up to 500,000
> Google+ accounts were potentially affected. Our analysis showed that up to
> 438 applications may have used this API.

^ the above statement, but couched with this:

> We found no evidence that any developer was aware of this bug, or abusing
> the API, and we found no evidence that any Profile data was misused.

------
phyller
This is the data that could potentially have been exposed for each person [1].
In their release about shutting down Google+ they made it seem like a lot
less.

[1]
[https://developers.google.com/+/web/api/rest/latest/people](https://developers.google.com/+/web/api/rest/latest/people)

~~~
Bartweiss
Thanks for this. I hadn't been able to track down a clear statement of what
was exposed, which is an awfully important question in a case like this. It's
frustrating that "someone on HN dug up the API" is the most reliable way to
get information like this, and speaks ill of how this was handled even _after_
it was disclosed.

------
kerng
Companies internally find and fix security bugs all the time and don't talk
about it if no known breach occurred. Is there a requirement to do this? Maybe
there should be a requirement to document that due diligence occurred to
understand if it was exploited?

~~~
stochastic_monk
I would think it should be required to report. Just because you don’t know if
a vulnerability was exploited does not mean it was not.

~~~
kerng
I assume cloud providers have hundreds of security issues that are found
internally over the course of a year. Requiring reporting would certainly be a
step forward and testing in production for software would maybe be seen as
what it is, an engineering anomaly and failure to perform due diligence.

~~~
stochastic_monk
That’s fair. I suppose I would aim for a distinction between minor and major
flaws. What would be a reasonable threshold?

------
growt
So the joke is finally true? Google+ hacked, data of all 20 users exposed.

~~~
user111233
Maybe 20 actual users, but Google+ is filled with accounts from Google users
and automatically posted content from other sites, like comments on
YouTube.

------
royce
Now that Google+ is going away, can we have the +string operator back in
Google Search, to force inclusion of a single string (instead of having to use
double quotes)?

~~~
cstrat
is that why that was changed???

~~~
royce
Yep, that was exactly why (or at least, very strong circumstantial evidence):

[https://productforums.google.com/d/msg/websearch/H4XbbwWmtAY...](https://productforums.google.com/d/msg/websearch/H4XbbwWmtAY/Rj8lcMhcHUMJ)

I don't think it was ever officially announced/admitted anywhere, though. But
it was exactly around the time that Google+ was rolled out.

------
dang
Related discussion here:
[https://news.ycombinator.com/item?id=18169243](https://news.ycombinator.com/item?id=18169243).

Normally we'd treat these as dupes of each other (and initially we did that),
but there seem to be two stories here: one about the data breach and one about
Google+. So I guess we'll leave both of them up.

~~~
lubujackson
It's a fancy bit of PR-fu right here from Google, like releasing a jobs report
right after a big hurricane hits so people don't notice it. A data breach is
one thing, but the cover-up should put the nail in the coffin of Google's image
as benevolent good guys. They are basically Comcast now.

~~~
pinewurst
No, I get surprisingly decent service from Comcast plus I'm obviously their
customer not their product. How about "more weaselly than Facebook"?

~~~
SamWhited
> I'm obviously their customer not their product

This is the same Comcast we're talking about, right? The one that's spent
millions lobbying for the right to monitor what their customers do online and
sell it to advertisers?

~~~
pinewurst
It's a rigged game for sure. Would Comcast and the other ISPs be fighting so
hard for these rights if they didn't have Google and Facebook as models of
success using them?

~~~
SamWhited
Probably not; but regardless of "why", you're definitely also one of their
products :)

------
amirmasoudabdol
A few years ago, I had a Google account. My account got disabled because I
tried to buy an app from the Android Store. Besides the fact that I never
managed to get my account back, something funny happened _a few years_ after.

I had two Blogger blogs connected to the account and my Twitter was connected
to my Blogger as well. I lost those blogs too, and I couldn't get them
back. At some point, I noticed some suspicious tweets in my timeline and
realized that they were from my blogs! So, Google freed my blogs but didn't
remove its connected accounts. Whoever got the account probably didn't have
any idea that these _addresses_ were connected to a Twitter account as well!
But the share-to-Twitter was on, and whatever she/he was posting was ending
up in my Twitter account!

Point being, Google is leaking from strange places! Add Google+ to your
Blogger and you'll risk much more, I guess!

------
bogomipz
I think these three passages really sum up where Google's moral compass is
these days:

>"A memo reviewed by the Journal prepared by Google’s legal and policy staff
and shared with senior executives warned that disclosing the incident would
likely trigger “immediate regulatory interest” and invite comparisons to
Facebook’s leak of user information to data firm Cambridge Analytica."

>"The document shows Google officials felt that disclosure could have serious
ramifications. Revealing the incident would likely result “in us coming into
the spotlight alongside or even instead of Facebook despite having stayed
under the radar throughout the Cambridge Analytica scandal,” the memo said. It
“almost guarantees Sundar will testify before Congress.”"

>"Internal lawyers advised that Google wasn’t legally required to disclose the
incident to the public, the people said. Because the company didn’t know what
developers may have what data, the group also didn’t believe notifying users
would give any actionable benefit to the end users, the people said."

These statements and tactics seem to be taken from the same playbook that Big
Pharma, Big Tobacco or any other soulless Mega Corp uses. As long as it's
legal they don't care if it's right. Did their arrogance prevent them from
entertaining the idea that disclosure would have provided users with the
"actionable benefit" of considering whether or not they wanted to delete their
Google accounts?

------
hetspookjee
Huh, why did this post get removed from the front page? It's less than 1 hour
old and had acquired a lot of points + comments in the meantime. Yet I can't
find it in the first 100 pages as of now.

~~~
dang
It was buried as a dupe of
[https://news.ycombinator.com/item?id=18169243](https://news.ycombinator.com/item?id=18169243).
We're just trying to figure out which URL is the best one for this story. It's
a bit harder than usual. In the meantime, I've restored the current thread.

------
honr
So, I couldn't understand what "exposed" means in that article. Was any user's
data obtained by someone not authorized to do so, or was access to the data
merely possible?

~~~
cxseven
Just possible. Similarly, the recent FB hack didn't actually penetrate 50
million accounts -- that was just an upper bound estimate based on how many
accounts were "exposed to the risk" of being compromised, probably because
they were noted as being touched by the buggy "view as" function.

~~~
cxseven
Update: It looks like on October 2nd, Facebook clarified that 50 million users
_actually_ had their login credentials stolen, and an additional 40 million
were unconfirmed but known to have been touched by the buggy "view as"
feature:

[https://newsroom.fb.com/news/2018/10/facebook-login-update/](https://newsroom.fb.com/news/2018/10/facebook-login-update/)

------
minimaxir
The buried lede is that Google is shutting down Google+. (EDIT: for consumers:
Google is keeping it as an enterprise product)

~~~
throwawaymath
Technically it's shutting down all _consumer_ functionality for Google+.

~~~
scarmig
And from this day forth, Google+ will sit along with Google Reader as part of
the pantheon of betrayals that HN commenters will bring up every single time
Google announces a new product.

~~~
cronz
I doubt anybody cares about Google+, honestly. In fact I'm happy to see it
die, after all the pain it's caused me (YouTube integration).

------
Bucephalus355
Yes they should have announced it no matter what the logs said.

Depending on the logs is the worst idea ever in terms of breach determination.
I don’t know how many times we’ve had 40 IoCs, but just because there isn’t a
log file (often because no one splurged for the SIEM and the syslog collector
broke beyond repair months ago) management acts like they’ve won the legal
liability / cyber security lottery.

Obviously it’s not as black and white as that, but the burden of proof should
be on the companies to show that no malicious use happened right after they go
public with a breach.

Going public with this kind of information, even if nothing happened, could
have driven much better behavior across the United States if not the world by
setting the example. But Google chose the path of self-protection and short-
term gain.

~~~
amanaplanacanal
Wait, was this a vulnerability or a breach? Because if every vulnerability is
now a breach, there are millions more than we know about.

Microsoft sends out monthly security patches. Each fix in there is fixing a
vulnerability. Every Windows server has multiple vulnerabilities fixed every
month. Is every company that uses Windows now required to determine if any of
those vulnerabilities were actually used? This seems like a bottomless hole.

------
SquareWheel
A lot of the time I feel Google gets a bad rep on HN as the comments are so
often filled with hyperbole. In this case however Google did a very poor job
of disclosing this leak in their sunsetting Google+ announcement post. I would
have much preferred an incident report explaining what really happened, even
if they couldn't find any examples of abuse.

~~~
throwaway829
Conveniently for them, they only kept 2 weeks of logs (this is a 3 year old
bug). I might implement that at my company. Take two weeks to patch and test
the security hole, then review my two weeks of logs for any evidence of a
breach. Then tell customers we haven't found any evidence of illicit access.

~~~
richsherwood
Not only that, but does anyone actually believe they only kept two weeks of
logs? I find it very suspect that the company known for amassing data only
keeps some data for two weeks. How convenient for them.

------
chris_mc
Just this weekend, I set up a domain name, set up email, and set up apps and
accounts to replace Google with open-source software and servers I control,
generally (I use some 3rd party services that I feel I can trust, like
Fastmail and Namecheap). I then turned off and deleted all of my data from
Google that I could without deleting my Google account (I need to forward this
long-standing email to my new email and I don't want to lose my Google Music
ratings and playlists right now).

It wasn't hard, just about 5 hours of work and then a few hours to set
everything up as I like it. I pay ~$5 per month for email/calendar/contacts
through Fastmail, ~$10 per year for 2 domains (each), and ~$5 for an Android
app to sync my CardDAV/CalDAV accounts with my Android phone. I have almost
completely deleted/disabled Google apps on Android, although I'm not ready to
run LineageOS quite yet. I even use an OSM-based maps app, which doesn't work
as well as Google Maps, but it is sufficient; navigation sucks compared to
Google Maps, but that's the price you pay for doing this sort of thing.

I'm not super-paranoid about government surveillance and I didn't care about
Google tailoring ads to me like most folks here, but after all of the data
breaches and such, I decided that controlling my own data is worthwhile just
to make me feel better. Now, I am able to do most of the stuff I could do
before, maybe 70-80% as good as with Google for some things (like maps), but I
have peace of mind.

~~~
envy2
Every time I read comments like this, I shake my head. Despite recent
breaches, I still trust the big players--Google, FB, Microsoft, etc.--with my
data from a security perspective far more than I'd trust myself to be able to
manage security properly on my own servers or trust a smaller shop.

Security is _hard_. There are many, many more compromises of small firms and
self-maintained servers than of these big players, it's just that they don't
get major media coverage in 99% of cases.

~~~
shurcooL
I would explain it with sampling bias.

Take 100 people, and suppose 1 of them decides to stop using Gmail, replacing
it with a custom setup. 99 decide to stick with Gmail. The 1 person who spent
hours on a custom setup is more likely to leave a comment sharing their
experience, tips and tricks, etc. The 99 won't have something noteworthy to
post about.

End result is you see disproportionately more comments from people who do
something drastic and unusual compared to ones who don't.

~~~
DoreenMichele
Yes, the very vocal minority is absolutely a thing and tends to create an
inaccurate impression.

------
ucaetano
Relevant post:

[https://blog.google/technology/safety-security/project-strob...](https://blog.google/technology/safety-security/project-strobe/)

------
menacingly
The cynic in me wonders how long the two-week log policy has been in place.

------
itissid
Person 1: Google exposed the private data of hundreds of thousands of users of
the Google+ social network. Person 2: What is Google+?

------
lgats
[https://www.fullwsj.com/articles/google-exposed-user-data-fe...](https://www.fullwsj.com/articles/google-exposed-user-data-feared-repercussions-of-disclosing-to-public-1539017194)

------
dekhn
Now that G+ for consumers is going away, can we have Reader back?

------
ydnaclementine
As not-exciting as some of the 'business requirements' I've been developing at
work have been, just remember you could have been working on Google+ for the
last 8 years.

------
Waterluvian
So was Google+ basically just kind of dragging along as a zombie and this PR
nightmare caused it to suddenly not be worth even keeping it around?

------
throw2016
Google's Project Zero is always taking others to task for security yet not a
peep from them on this. Their front page today is focused on bugs in Safari,
Linux and Windows. Perhaps they should focus on their own products.

It's complete hypocrisy to affect commitment and then slink away when it comes
to your own products. That raises questions about conflict of interest and
credibility.

~~~
SamWhited
The Project Zero team is specifically supposed to find zero-days in other
products to make everyone more safe. Google has other security teams for
finding bugs in their own products. This isn't Project Zero's fault, nor does
it really have anything to do with them. Project Zero is one of the decent
teams at Google trying to do good by everyone; they can't find every single
bug, and if they changed their mission to just focus on Google products we
might not have found all sorts of big bugs (e.g. Heartbleed) for a lot longer.
Probably best to leave them alone and let them get on with their business.

------
dirtylowprofile
I’m surprised Google’s own Project Zero did not catch this one.

~~~
SamWhited
When your purview is as wide as theirs, you can't catch every single
vulnerability; I'm sure there are plenty of things in openssl, linux, etc.
that they (or anyone else) haven't caught yet too :)

~~~
dirtylowprofile
Yes, but it is damn right that they should start in their own backyards.

------
glenrivard
Wow, the Wall St. Journal and Murdoch really do not like Google.

This article makes this sound like this is something that it appears to not
be.

Did this all start when Google fired Damore? Or does it date further back?

~~~
gman83
Goes way back:

[http://allthingsd.com/20091124/whats-really-behind-the-rupe-...](http://allthingsd.com/20091124/whats-really-behind-the-rupe-a-dope-with-google-and-microsoft-here-are-five-possibilities/)

~~~
puzzle
No mention of the Google-Murdoch spat is complete without a link to this
classic: [https://europe.googleblog.com/2014/09/dear-rupert_25.html](https://europe.googleblog.com/2014/09/dear-rupert_25.html)

------
IBM
GDPR proving to be great once again. The case for a US equivalent gets
stronger. And more importantly, all these fuck ups will ensure that whatever
bill gets drafted isn't just what the Facebook/Google lobbyists find
acceptable.

~~~
wglb
What data was breached? If the answer is none, there is no GDPR action to be
taken.

~~~
IBM
I don't know, but Google doesn't either:

>Because the company kept a limited set of activity logs, it was unable to
determine which users were affected and what types of data may potentially
have been improperly collected, the two people briefed on the matter said. The
bug existed since 2015, and it is unclear whether a larger number of users may
have been affected over that time.

~~~
jtbayly
Then, to be clear, is your position that companies should be punished (fined)
if there has ever been the _possibility_ that user data was compromised? It's
_possible_ that a time-traveling quantum-powered encryption-breaking mind-
reader from the future has seen your personal data. Should we fine everybody
who knows anything about you?

Reckless endangerment deals with the possibility of something bad happening,
but notice that word "reckless."

~~~
IBM
I didn't say GDPR would apply in this situation, and the WSJ story suggests it
wouldn't because of when it was discovered. All I said was that GDPR was great
(obviously we'd only see the benefits from it after it had gone into effect),
and this latest scoop bodes well for the political movement to enact
equivalent legislation in the US.

------
monochromatic
Non-paywall link?

~~~
jey
[https://outline.com/https://www.wsj.com/articles/google-expo...](https://outline.com/https://www.wsj.com/articles/google-exposed-user-data-feared-repercussions-of-disclosing-to-public-1539017194)

EDIT: fixed link. thanks timvisee

~~~
timvisee
You linked the wrong article. Fixed:
[http://outline.com/mNDfrH](http://outline.com/mNDfrH)

------
godelmachine
See no evil, yeah?

------
spiderfarmer
What would the EU fine for Google be now that GDPR is enforced? 2.2 billion
dollars?

~~~
wglb
GDPR enforcement would come into effect only if there was a breach and it was
not handled.

From what is in the story and from what we know, there has been no breach.

As 'tptacek has noted, it is very unusual to announce a security bug without a
resultant breach.

~~~
TimothyBJacobs
What in the story indicates that there was no breach? The story says that they
didn't keep a large enough set of activity logs to determine whether data was
improperly accessed, not that there was no breach.

> Because the company kept a limited set of activity logs, it was unable to
> determine which users were affected and what types of data may potentially
> have been improperly collected, the two people briefed on the matter said.

