First, a postscript to last week’s newsletter on Bloomberg’s chip cover story: the original article used no named sources. Zero. This probably has long-term impacts on trust in journalism, but I won’t tease them out right now.
Google exposed the private data of hundreds of thousands of users of the Google+ social network and then opted not to disclose the issue this past spring, in part because of fears that doing so would draw regulatory scrutiny and cause reputational damage, according to people briefed on the incident and documents reviewed by The Wall Street Journal.
First: Google+ still existed! I’m shocked too.
That fear of regulatory scrutiny, incidentally, is not unfounded — Google discovered the bug in “March 2018”; the Cambridge Analytica scandal broke on March 17, 2018.
Okay, before talking a bit about the breach itself and why it doesn’t really matter: despite everything else going on in 2018, I’d like words to still mean things. This article appeared in Tuesday’s WSJ under the headline “Google Hid Data Breach for Months”. As a point of information, it doesn’t seem like this was a breach.
Data being exposed essentially means that people who weren’t authorized to view the data (people who aren’t Googlers) could access the data. That they could access data doesn’t mean that they did. A breach means that, for sure, this data was accessed.
There’s an important difference here. Two weeks before the announcement of the new iPhones last month, 9to5Mac published a story featuring production images that had leaked early. They got the images from a URL on Apple’s website that had gone live, but not been publicized. A bit silly on Apple’s part, but: those images are the data being exposed, and 9to5Mac finding those images is the breach. If they’d never found the images, the exposure wouldn’t have mattered.
Google says that they have no evidence that the data was misused, and I haven’t read anything that contradicts that.
Here’s Ben Thompson [paywall, sorry] on why the difference is important:
It follows, then, that not only does an “exposure” not mean a “breach”, but also the vast majority of exposures never lead to breaches. To that end, it is completely unreasonable to expect that any company report every single potential exposure: there would be a lot of them, it would be impossible to police, and perhaps worst of all, it would introduce significant moral hazard — companies would be motivated to not invest in security because that investment would only lead to bad press (again, for disclosing an “exposure”, not a “breach”).
Anyway, back to the data exposure itself, which led to ominous rumblings from politicians on both sides of the Atlantic. Casey Newton for The Interface
On the other hand, I’m skeptical that we’re going to see DC regulate tech companies any time soon. Republicans are pro-business (and pro-competition), and if Democrats do well in the midterm elections next month, they’ll be too busy undoing bits of Trump’s agenda to turn their attention to anything else of substance.
For its part, Google went ahead and announced a slew of new products on Tuesday, and by all accounts did not seem to be too fazed by the news. Even after the news broke, Google’s stock only dropped 0.7 percent, which is not very much at all (in percentage terms — in money terms, it’s $6 billion of market value).
This episode is mostly scary to me because it reminds me that software is hard and that any database in existence for long enough will eventually leak. I’m mostly blasé about the Google+ news, but can you imagine if the personal info of Gmail users had been exposed?
To paraphrase Matt Levine, may you be an absolutely enormous company but have your security failings take place in tiny backwaters.
Bonus round, thought bubble: Google+ was a hilarious failure, but the fact that they sucked so hard at social has largely insulated them from the current shitstorm that Twitter and Facebook find themselves in.
As always, I welcome your feedback, and I’d love to hear your suggestions for what you’d like to see covered in this newsletter. I’m @tommycollison on Twitter, or you can email firstname.lastname@example.org. Please get in touch! 📩📬