(This version of the October 8 story corrects to “consulting and accounting firm” from “legal firm” in paragraph 8)
By Arjun Panchadar, Munsif Vengattil and Paresh Dave
(Reuters) - Alphabet Inc’s Google will shut down the consumer version of its failed social network Google+ and tighten its data sharing policies after announcing on Monday that private profile data of at least 500,000 users may have been exposed to hundreds of external developers.
The issue was discovered and patched in March as part of a review of how Google shares data with other applications, Google said in a blog post. No developer exploited the vulnerability or misused data, the review found.
Shares of its parent company Alphabet closed down 1 percent at $1155.92 following the latest in a run of privacy issues to hit big U.S. tech companies.
The Wall Street Journal reported earlier that Google opted not to disclose the security issue due to fears of regulatory scrutiny, citing unnamed sources and a memo prepared by Google’s legal and policy staff for senior executives.
Google feared disclosure would invite comparison to Facebook Inc’s leak of user information to data firm Cambridge Analytica, the Journal reported, adding that Chief Executive Sundar Pichai had been briefed on the issue. Google declined to comment beyond its blog post.
Google said on Monday none of the thresholds it requires to disclose a breach were met after reviewing the type of data involved, whether it could identify the users to inform, establish any evidence of misuse, and whether there were any actions a developer or user could take to protect themselves.
Security and privacy experts and financial analysts questioned the decision.
“Users have the right to be notified if their information could have been compromised,” said Jacob Lehmann, managing director at consulting and accounting firm Friedman CyZen. “This is a direct result of the scrutiny that Facebook dealt with regarding the Cambridge Analytica scandal.”
Google+ launched in 2011 as the advertising giant grew more concerned about competition from Facebook, which could pinpoint ads to users based on data they had shared about their friends, likes and online activity.
Google+ copied Facebook with status updates and news feeds and let people organize their groups of friends into what it calls “circles.”
But Google+ and the company’s other experiments with social media struggled to win over users because of complicated features and privacy mishaps.
Facebook introduced a feature that allowed users to connect their accounts with their profiles on dating, music and other apps.
Google followed suit, letting outside developers access some Google+ data with users’ permission. The bug disclosed on Monday, introduced in a software update, exposed private data including name, email address, occupation, gender and age, Google said. It could not definitely say how many users were affected because it said it keeps only two weeks of such records.
Google+ will remain an internal networking option for organizations that buy Google’s G Suite, a bundle of apps for creating documents, spreadsheets and presentations.
Google’s plan to withdraw the free version of Google+, scheduled for August, could help strengthen its case to U.S. policymakers and regulators that it is different from Facebook, which has faced political heat over allegations that data belonging to 87 million of its users was improperly shared with political consultancy Cambridge Analytica.
Google refused to send Pichai to a Senate Intelligence Committee hearing on Sept. 5, where Facebook’s chief operating officer and Twitter Inc’s chief executive testified. An empty chair was left for Google after the committee rejected Google’s top lawyer as a witness.
Several policies Google introduced on Monday are designed to curb the data accessible to developers offering mobile apps on the Google Play store or add-on apps for sending and organizing Gmail messages.
Play Store apps will no longer be allowed to access text message and call logs unless they are the default calling or texting app on a user’s device or have an exception from Google.
Gmail add-ons available to consumers starting next year will be barred from selling user data and be subject to a third-party security assessment that will cost them about $15,000 to $75,000, Google said.
Such moves could strengthen Google by making it harder for competing services to grow off its data, said Chris Messina, a designer who worked on Google+ before leaving in 2013. “In 2011, you wanted casual, scrappy developers creating apps, and now it is going to require a professional class that is serious. The walls are going up.”
Reporting by Arjun Panchadar and Munsif Vengattil in Bengaluru, Paresh Dave in San Francisco; Additional reporting by Vibhuti Sharma in Bengaluru; Editing by Patrick Graham, Saumyadeb Chakrabarty and Bill Rigby