RIP, Google+: long ailing and finished off by a security bug

There was a time when you could get the smartest people at Google to do the stupidest things you could imagine by getting Yahoo to do them first; thankfully that era ended — only to be replaced by an era in which every stupid thing Facebook did became a bucket-list item for Google management.

The peak of this was when Google set out to create a social network and tasked every googler with making it a success. The company decided to call this network Google+, and decided that the longstanding, widely used plus-sign (which historically was used in search queries to mean "must have" as in +cory +doctorow) would be unilaterally repurposed for use in its social network.

Googlers' bonuses were tied to their ability to integrate Google+ into every product Google offered, creating an ever-tightening noose around Google users who had no interest in using G+.

To make matters worse, Google decided to ape Facebook's privacy-invading, nonsensical "real names" policy, insisting that every user use their legal name and putting Google in the unenviable position of deciding (for example) when a trans person could stop using their deadname, or when an indigenous person's name was "real" enough for use, or when people fleeing domestic violence could use an alias.

By the time Google+ rolled out, there was already nascent discontent with Facebook. Google+ offered all the downsides of Facebook, but with fewer of the people you wanted to connect with.

Years later, G+ is a sad also-ran. What's more, the company just discovered an extremely grave bug in the system that would have allowed for serious privacy violations. Though the company says it has fixed the bug, it's taken the opportunity to simply shut down G+ for "consumers" (the service will persist for enterprise users, who apparently use it).

In the product's obituary, Google wrote that Google+ "has not achieved broad consumer or developer adoption, and has seen limited user interaction with apps."

One bright spot in all this: the defect in Google+ was discovered through "Project Strobe," a serious privacy and security audit of every Google product.

Our review showed that our Google+ APIs, and the associated controls for consumers, are challenging to develop and maintain. Underlining this, as part of our Project Strobe audit, we discovered a bug in one of the Google+ People APIs:

Users can grant access to their Profile data, and the public Profile information of their friends, to Google+ apps, via the API.

The bug meant that apps also had access to Profile fields that were shared with the user, but not marked as public.

This data is limited to static, optional Google+ Profile fields including name, email address, occupation, gender and age. (See the full list on our developer site.) It does not include any other data you may have posted or connected to Google+ or any other service, like Google+ posts, messages, Google account data, phone numbers or G Suite content.

Project Strobe: Protecting your data, improving our third-party APIs, and sunsetting consumer Google+ [Ben Smith/Google Blog]
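
The class of flaw described in the quoted passage, shown as a small model with the flawed filter beside the intended one. This is an added example, not Google's code or part of the original post; the function names, the `PUBLIC` marker and the sample profile are constructed assumptions.

```python
# Constructed model of the access rule in the quoted passage; not Google's code.
from dataclasses import dataclass

PUBLIC = "public"  # marker for fields visible to everyone (assumed name)


@dataclass
class ProfileField:
    value: str
    audience: frozenset  # user ids the owner shared with, or {PUBLIC}


def visible_to_user(f, viewer):
    """What a signed-in person may see when browsing a friend's profile."""
    return PUBLIC in f.audience or viewer in f.audience


def friend_fields_buggy(profile, granting_user):
    """Flawed rule: the app inherits the granting user's own view."""
    return {n: f.value for n, f in profile.items()
            if visible_to_user(f, granting_user)}


def friend_fields_fixed(profile, granting_user):
    """Intended rule: an app gets only what the friend marked public,
    regardless of what the granting user can personally see."""
    return {n: f.value for n, f in profile.items() if PUBLIC in f.audience}


def overexposed(profile, granting_user):
    """Regression check: field names the flawed rule would hand to an app."""
    return sorted(set(friend_fields_buggy(profile, granting_user))
                  - set(friend_fields_fixed(profile, granting_user)))


# Constructed sample: a friend's profile with mixed sharing settings.
FRIEND = {
    "name": ProfileField("Bob Example", frozenset({PUBLIC})),
    "email": ProfileField("bob@example.com", frozenset({"alice"})),
    "occupation": ProfileField("Nurse", frozenset({"carol"})),
}

if __name__ == "__main__":
    for user in ("alice", "carol", "dave"):
        print(user, "grants app access; leaked fields:", overexposed(FRIEND, user))
```

A check like `overexposed` is useful as a regression test on any delegated-access API: it should return an empty list for every granting user once the app-facing path filters on public visibility alone.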