In short: Consumers and the industry as a whole are still confusing data security with privacy, according to Eric Schrock, Chief Technology Officer of data management and virtualization company Delphix. In an interview with AndroidHeadlines, the industry veteran reflected on the recent Google+ privacy debacle and criticized Alphabet's subsidiary for subpar practices that potentially compromised hundreds of thousands of users, while also maintaining that the episode and similar incidents are a consequence of a larger issue and can't be attributed solely to bugs, which are an inevitable occurrence in software development.
On the subject of privacy and security, Mr. Schrock suggested the general confusion of the two terms may be related to both being relatively new additions to the public discourse, though they remain significantly different. "Security is a question of access," the CTO said, adding that the related mechanisms include two-factor authentication, encryption, threat analysis solutions, and anything else that prevents unauthorized parties from accessing data they're not supposed to see. Mr. Schrock described privacy as "a far more nuanced, complex" topic that often comes down to how sensitive the data a particular entity is handling is, and how significant the implications of that data leaking could be.
While the two are undoubtedly related, trying to improve privacy by enhancing security or vice versa may not be the best course of action, especially for major Internet juggernauts, the executive opined. "Data is extremely critical to so much innovation in the world," Mr. Schrock said, adding that simply locking it down can be detrimental to many fields in the long term. However, as apps become more data-intensive and intelligent, with their knowledge base requirements growing frequently and rapidly, the tech industry as a whole needs to start building privacy-friendly mechanisms into its products from the get-go, he said. To that end, Google's Project Strobe, which uncovered the aforementioned Google+ vulnerability, was a worthwhile endeavor, the CTO believes. "Google essentially said 'hey, let's understand the nuance of data compliance,' which is a really hard problem," Mr. Schrock said, asserting that the company still should have thought about such issues years ago.
Background: Google initially responded to criticism about its lack of transparency regarding data management practices by giving consumers more control over their profiles, allowing them to find out what the company knows about them and which third parties are accessing that data via which apps, and allowing them to manually delete such information. However, a major lack of transparency is precisely what marked the latest Google+ episode, in which the company discovered a vulnerability in its People API set this March that exposed the data of roughly 500,000 users. Hundreds of app developers were in a position to exploit it, but as to whether any of them actually did so, Google has no idea. Granted, its official probe into the matter found no evidence of the vulnerability being abused, but what Google disclosed in an extremely coy manner is that the vulnerability had been live since 2015 and that it only keeps two weeks of People API usage logs. In other words, its evidence pool was limited to less than one percent of the timeframe during which the vulnerability existed.
The company's official statement was that the policy of keeping surprisingly short logs is a purely privacy-driven decision, a notion Mr. Schrock said he's "not buying." "It's clear those logs haven't been designed with security auditing in mind," the executive said. Google also decided against disclosing the vulnerability for over half a year, having only acknowledged it after the Wall Street Journal reported on it earlier this month. It immediately injected a variety of other announcements into the news cycle, including its decision to kill off the consumer version of Google+. Coupled with the fact that the disclosure was made less than 24 hours prior to the announcement of the firm's new hardware such as the Pixel 3 smartphones, the news of the privacy gaffe went under the radar relative to how it would have been treated at any other point in the year, particularly if the announcement had been made at the time of the vulnerability's discovery, which was in the midst of Facebook's Cambridge Analytica scandal.
Some U.S. Senators are now demanding information about the cover-up, whereas Google's first response to the situation was to wind down Google+ over the next ten months, lock down some Android API permissions, and generally limit third-party access to data across its platforms. As Mr. Schrock explained it, that's a band-aid solution that will hurt innovation and won't address the real issue – the fact that Google's services haven't been built with privacy in mind from the ground up. Similar criticism was aimed at Facebook earlier this year when the social media juggernaut's first response to the Cambridge Analytica episode was to limit third-party access to user data without changing how the underlying network works. Some industry watchers recently speculated the Google+ discontinuation may actually be just a prelude to a new social media platform Google intends to build which would address many of those concerns directly, though the company gave no indication of that being the case.
Impact: The confusion about data security and digital privacy is likely to continue in the near future until the two terms become a more frequently encountered feature of the public discourse. In the meantime, some states such as California have already enacted their own digital information management laws, and the idea of a federal legislative effort regulating the manner in which tech giants handle consumer data is now gaining bipartisan momentum, making it likely to keep doing so regardless of the outcome of this year's mid-terms taking place in early November.
Whether Google manages to navigate this latest debacle unscathed remains to be seen, though that scenario is looking less realistic by the day, especially as the company currently isn't near the top of the government's list of favorite domestic companies due to a variety of issues, including the controversial Project Dragonfly, which even attracted criticism from Vice President Mike Pence earlier this month. Whatever happens, Google+ will soon be no more, but it's still unclear whether the episode will improve the transparency of the company's vulnerability reporting, as the latest gaffe clearly illustrated that Google is still lacking in that department.