Third-Party Vendor Risk Management and Privacy Back in Spotlight with Google+ - Clarip Privacy Blog

Third-Party Vendor Risk Management and Privacy Back in Spotlight with Google+

Businesses must assess the privacy risks posed by their third-party vendor partners and API developers, given the potential for personal information leaks in this area. Third-party vendor risk management has historically been a key part of cybersecurity efforts, but it has become increasingly important against privacy breaches as well since the role of third parties in leaks came to the forefront this year.

The latest example is a big one:

Google announced it is shutting down social network Google+ today after disclosure of a privacy breach potentially impacting the personal information of hundreds of thousands of users. The potential for access without user permission to personal information was available to approximately 438 applications through the third-party API. Although the exact number of people that may have had their personal information accessed was unknown, Google estimated it might have been around 500,000. The data available included optional Google+ Profile fields including name, email address, occupation, gender and age.


The Wall Street Journal reported today that Google discovered the potential for unauthorized access to personal information months ago and chose not to disclose this fact to its users because it would invite regulation by Congress. However, in a blog post today about the issue, Google said: “Our Privacy & Data Protection Office reviewed this issue, looking at the type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response. None of these thresholds were met in this instance.”

Given the heightened focus on data privacy in Congress over the last six or seven months, this revelation could result in another round of public hearings on technology and privacy similar to the Congressional hearings held with Facebook CEO Mark Zuckerberg following Cambridge Analytica, although it is unclear whether Google would agree to answer questions. Google previously declined to send a member of the leadership team to the Senate Intelligence Committee hearing on election meddling in September, although CEO Sundar Pichai has already agreed to testify before the House Judiciary Committee in November on political bias in Internet search results. There will almost certainly be questions about Google+ at the November hearings.

Disclosure of the privacy breach comes at a time when Congress is crafting a federal privacy law to regulate data privacy practices at businesses. Last week, representatives of six businesses, including Google, asked Congress to preempt state regulation of privacy like the California Consumer Privacy Act.

It is not the first incident this year at a major technology company involving privacy issues created by an API accessible to third-party developers. Facebook has already had two. The first involved Cambridge Analytica, which resulted in substantial negative publicity as well as a massive decrease in shareholder value. The second involved special access by phone manufacturers to a third-party API which provided personal information about users despite privacy settings, in order to allow them to create a better integrated Facebook experience on their phones and apps. This API access continued after Facebook declared, following Cambridge Analytica, that it had shut down API access to personal information several years ago.

The access to personal information in Google+ was discovered as part of an audit called Project Strobe, which was an internal effort to review third-party developer access to Google account and Android device data. It is believed that a bug in one of the Google+ People APIs interacted with a subsequent code change to provide access to the non-public information. Google’s blog post revealed that it only kept the API’s log data for two weeks, so it was not possible to confirm which users were impacted, although up to 500,000 profiles were implicated in the two weeks before Google patched the bug.

Google Privacy Changes

At the same time as the Google+ shutdown announcement, Google announced important changes to some of its data privacy practices:

App Permissions: Apps are going to have to request permissions one at a time. Consumers will be able to accept or reject the permissions individually. Call log and SMS permissions available to apps will be limited, and contact interaction data will no longer be available through the Android Contacts API.

Gmail Access: Apps that may seek permission to access consumer Gmail data will be limited to those providing email functionality. They will have to agree to security assessments and new rules for Gmail data. Access to Gmail data has been an area of controversy this year and Google defended its practices in response to a request for information from Congress.

Google also said that it plans to roll out additional controls and update policies for its APIs in the coming months.

Third Party Vendor Risk Management at Other Organizations

Businesses that share the personal information of their users and customers with third parties need to assess the privacy risks of those disclosures and monitor the third parties. In order to assist with this process, Clarip offers its Data Risk Intelligence scan to help identify vendors who have access to information. If your organization is looking for help with data privacy management, call Clarip at 1-888-252-5653.
