How to Handle the Google+ Data Security Bug
A software vulnerability affected 500,000 accounts. Here's what you can do now—and how to stay safer in the future.
Despite assurances from Google that data from up to a half-million Google+ accounts was not actually stolen last spring, Consumer Reports still recommends following procedures for downloading your data and closing down your personal account.
On Monday The Wall Street Journal reported the software bug and Google’s decision to keep it from users. The search giant announced that it would close down the consumer version of Google+, the company’s less-than-successful social media platform that was introduced amid much fanfare in 2011, while keeping the platform open to business users.
But privacy advocates say many people may not remember that they even have an account. They say it’s a good idea to double-check.
“Google pushed people pretty hard to create Google+ accounts for a while, so you may have created one without even realizing it,” says Justin Brookman, director of privacy and technology policy for Consumers Union, the advocacy division of Consumer Reports. “In the early days of social media, people tended to post things online without thinking of the potential consequences.”
Google said in a blog post signed by Ben Smith, engineering vice president, that the company had discovered and fixed a software vulnerability in March 2018 but decided there was no need to notify consumers.
Google said it didn’t find evidence that data was taken. Even so, the Google+ bug opened the door to inappropriate data collection by developers of third-party apps.
Let’s say you had a Google+ account with strong privacy settings turned on but you were friends with someone with less stringent settings. If that person used Google+ to sign in to another app, the developer of that app could have seen all the data in your profile, as well as the friend’s.
How to Download Your Google+ Data
The Google blog post said that Google+ was never broadly adopted and that recently 90 percent of Google+ sessions have been lasting less than 5 seconds.
Nevertheless, the company is moving slowly to shutter its social network.
"To give people a full opportunity to transition, we will implement this wind-down over a 10-month period, slated for completion by the end of next August,” the blog post said. Meanwhile, Google promises to get users information on how to download their data from Google+ and potentially migrate it to another social service.
Or you can do that now.
You may not remember whether you have a Google+ account, but if you use Gmail, there’s a good chance you do. To find out for sure, open Gmail on a desktop or laptop and click on the profile icon at the upper-right corner of the window.
If you have a Google+ account, there should be a link to it right below your user name and email address. (You can click on it to see your posts from whenever you last visited.)
Next, go to Google Takeout to download any data you have on Google+. Click on the link and you’ll find options for which data you want to download from all of Google. It’s a total of 48 options—and the list is reminder of how deeply Google is integrated into daily life and how much data it collects.
For this task, you need to click on seven of the options to create an archive of your Google+ data for downloading:
• Google+ Circles
• Google+ Communities
• Google+ Stream
• Hangouts on Air
With some of these you need to decide on a format for the data. For example, in Google+ Circles—which are lists of your contacts—the option is V-Card, a format often used for business cards that’s also called VCF. But you can also choose HTML or CSV (“comma separated values,” a simple text format often used for data in spreadsheets). If you’re not sure what you want, the default is fine.
Click on the Next button at the bottom of the list and you’ll be asked to decide how the data gets compressed—these can be big files, and Google needs to package them up tightly to send them to you. You can store the archive as a .zip or .tgz file; if it’s very large, it will be split into multiple files.
The data can be uploaded to the cloud with options such as Add to Drive and Add to Dropbox, or Google will email you a link for downloading the archive to your computer. (The link stays active for a week.)
Once you’ve decided, click Create Archive.
Google warns that the process may take time, but when we tried it, we had an email with a link to our admittedly small archive within moments.
How to Delete Your Google+ Account
Now that you have your data out of Google+, you may as well delete your account.
Go back your Google+ home page and select Settings, which is on the left-hand side of the window. Next, scroll to the bottom to find the option Delete Your Google+ Profile.
When you click on this link, you may be asked to sign in again, and then some more information will pop up to make sure you really, truly want to delete your data—it’s all but impossible to do this accidentally.
The disclaimers will also clarify that deleting your Google+ account won’t delete your Search, Gmail, or Google accounts, or any of your photos or contacts.
Deleting the account is permanent, so if you have data that you’d like to download, follow the steps above and do that first. Indeed, before you can delete your account you must click a required check box acknowledging that you understand that you won’t be able to restore it.
The warning says: “Yes, I understand that deleting the Google+ Profile for [Your Name] can’t be undone and the data I delete can’t be restored.”
Click to acknowledge that, then click Delete, and you’re done.
Delete Your Other Ghost Accounts
For many users, Google+ was a ghost account that hadn’t been accessed in months or even years.
These consumers were getting no benefit out of the platform, but it was still exposing their data to commercial use by Google, and potential loss in case of a data breach.
That brings up other platforms that have run their course, either for the public in general or for specific consumers.
Social media hangouts, such as Bebo, Digg, Foursquare, and Myspace, along with efficiency and financial apps, such as Evernote and Mint, may have access to lots of your personal data, and some can collect data on a continuing basis.
That might be an acceptable transaction if you like and use the platforms, but if you don’t, it’s a very one-sided deal. It’s also a dangerous one for as long as the account is still open and active.
“Information from dormant profiles could potentially be used for identity theft or could be profoundly embarrassing, potentially jeopardizing relationships or your job,” says CU’s Brookman. "It’s worth taking a few minutes to see what old accounts you might have—not just Google+, but older sites like Myspace, too.”
Part of the problem is remembering where you have accounts. Two sites, JustDeleteMe and Account Killer, may be able to help. They both have large databases of sites and apps that you can browse. When you see a site that sparks your memory, you can follow a link to the page that lets you delete your account.