Google has been a critical part of our daily lives since 1998. While the broader company reorganized as Alphabet in 2015, Google retained the bulk of its identity.
Google collects quite a bit of customer data. The good news is that it’s fairly protective of that data – even though they’ve had some notable breaches over the years, as we’ll detail. The bad is is that in some ways, Google collects customer data indiscriminately. We’ll talk data breaches first, before getting into some of the privacy violations critics have accused Google of.
Google Data Breach Timeline
September 2014 – Nearly 5 Million Gmail Passwords Leaked Online
While it wasn’t immediately clear how the information was obtained, in September 2014, almost 5 million Gmail addresses and passwords were published online. While Google claimed that their systems weren’t compromised, and the company took relatively swift action, requiring password resets for impacted accounts, it was a major event overall.
It is possible that the leaked information was actually a collection of email credentials from different incidents not directly involving Google. Some of the compromised data seemed to be incredibly outdated, while other credentials appeared current.
October 2018 – Google+ Data Leak Impacts 500k Users, Leads to Service Shutdown
While Google+ seemed to be in its death throws well before the incident, as it never gained traction as a serious social media platform, what finally prompted the shutdown of the service wasn’t a lack of interest; it was a major data leak.
There was a significant flaw in certain programming interfaces that app developers were able to use, exposing the data of approximately 500,000 users. Certain private user information, including names, birth dates, phone numbers, and more, were accessible to developers for years, as the issue was present back in 2015 and not remedied until March 2018.
The company was actually aware of the issue before reports of the problem began appearing in the media but chose not to disclose details about it. Between the leak and low usage, Google decided to start sunsetting consumer access to Google+, essentially phasing it out over about ten months.
September 2019 –YouTube Creators Targeted in Coordinated Hack Attack
In September 2019, cybercriminals set their sights on some of the most prominent YouTube creators around, coordinating a large-scale attack to gain access to accounts. The hacks seemed to focus on famous creators, though it wasn’t relegated to a single niche. Along with automotive channels, some dedicated to gaming, music, technology, and entertainment were also hit.
This attack appears to have been a spear-phishing campaign that targeted influencers directly. With 23 million creators at the time, YouTube was likely a ripe target. While YouTube wasn’t directly responsible, many of the attacks were successful, showcasing how potentially vulnerable creators can be in the end.
August 2020 – Unsecured Database Exposes 235 Million YouTube and Other Social Media Profiles
Comparitech, a security research firm, discover 235 million social media profiles – including from YouTube, Instagram, and TikTok – in an unsecured database. While the data leak wasn’t related to Google or any of the other platform’s parent companies, the scale of the incident is undeniably massive.
There was a slew of personal data within the unsecured database, spread across three datasets. At least 4 million YouTube profiles were in the mix. Depending on the entry, the user’s name, email, phone number, profile photo, profile name, and account descriptions may have been visible, along with engagement metrics, audience demographics, and more.
Google Privacy Violations
Alongside the data breaches listed above, Google has frequently been accused of violating users’ privacy. Below are some of the notable accusations and fines leveled against Google.
August 2018 – Google Tracking Location Data on 2 Billion Users, Sometimes Without Permission
While Google stated that pausing a user’s “location history” would prevent the creation of location-oriented records, that wasn’t exactly true. Even when users adjusted their privacy preferences to turn off location tracking, that data was still being stored in the “web and app activity” section.
Turning off the location history only stopped Google from storing specific kinds movement data on the user’s timeline. However, it didn’t prevent location data collection when users took advantage of weather apps, conducted online searches (including those that weren’t location-specific or location-dependent), and a variety of other tasks. For that, users had to turn off “web and app activity” tracking, even though that privacy section said nothing about location data.
While not a breach, many considered it a significant privacy violation. In the end, up to 2 billion users may have been impacted.
September 2019 – Google Received $170 Million Fine for Child Data Privacy Breaches
After accusations that Google failed to follow certain child privacy laws regarding the collection of data on children, the tech giant agreed to pay a $170 million fine. The massive child privacy case focused on failing to obtain consent from parents before collecting data on children under 13 years of age.
The main issue involved data collected by viewers using YouTube Kids, a section of YouTube dedicated to child-friendly programming. There were also accusations that the collected data was shared with third parties.
April 2020 – Google Faces $5 Billion Lawsuit for Tracking “Private” Browsing
In a lawsuit, Google was accused of collecting internet browsing activity on users who were making use of “private” browsing modes, also called “incognito” browsing.
While Google states that it informs users that some data may be collected when using these alternative browsing options, the lawsuit alleges that Google didn’t appropriately inform users about the tracking tools that could still harvest their activity data. Additionally, the lawsuit also brings up issues of stored data involving incognito mode activities.
The proposed class for the lawsuit could including millions of users, essentially covering anyone who used the incognito mode since June 1, 2016.
July 2020 – Google Accused of Misleading Millions of Users About Privacy
While not technically a breach, Google was accused by an Australian watchdog of misleading millions of Australian users about the use and collection of their private data. The watchdog alleges that starting in 2016, Google began combining Google account user information with activity from non-Google sites that relied on Google technologies for the purpose of displaying ads.
Since the information was combined without direct consent from users, the watchdog labeled the move a privacy violation. However, Google disagreed, stating that they did acquire explicit consent.