Google misdirected a number of private videos that users of its Google Photos app intended to back up to Google Takeout, sending them instead to strangers’ archives, 9to5 Google reported Monday.
The company emailed affected users to inform them that a technical issue caused the error, which incorrectly transferred videos for several days before it was fixed.
Google recommended that affected users back up their content again and delete their previous backup. They were advised to contact Google Support for further assistance.
Google Photos passed the 1 billion user mark last summer.
Although it said just 0.01 percent of users were affected, Google did not indicate whether that percentage applied to Google Photos or Google Takeout users.
“Google did fix the issue quickly,” acknowledged Erich Kron, security awareness advocate at KnowBe4.
“However, the notification process to those impacted was less than satisfactory and left out a lot of details, leaving those possibly impacted unsure of what the exposure risks were for them,” he told TechNewsWorld. “When dealing with an issue that impacts privacy in the way that improperly sending files as sensitive as photos and videos is, the communication needs to be very clear and informative.”
Google’s notification “reads like they really don’t care about what happened to the users, and that could backfire badly with organizations like the European Commission,” noted Rob Enderle, principal analyst at the Enderle Group.
The issue “highlights the challenge with protecting and managing personal photos and videos,” said Josh Bohls, founder of Inkscreen.
People use their mobile devices to scan business documents, and they use a broad range of photos, video and audio for everyday tasks that drive business processes, he told TechNewsWorld.
“If you work for a law firm, healthcare provider, insurance company, or in another regulated industry and take photos or record videos as part of your job, your company should strongly consider a solution to protect and manage this content — especially if you use Google Photos,” Bohls said.”
Fear and Anger
The problem “shouldn’t happen at all, and it once again points to Google as a firm that can’t be trusted with your data,” Enderle told TechNewsWorld.
“If the video content was sensitive and private, then you could have a violation of the GDPR or California’s CCPA, remarked Mike Jude, research director at IDC. “That sort of thing could trigger fines and remedial action.”
Google’s failure to disclose who wrongly received videos could lead to more trouble for the company, Enderle pointed out. “Users should have a right to that information, and they likely could sue Google to get it. Then, depending on what’s in the video, sue them for damages.”
Any indemnification clause in the user agreement might not protect Google because the issue was due to negligence, he said. “I wouldn’t be surprised if we saw a class action suit come out of this.”
While the victims can file suit, or file a complaint under applicable privacy laws, it could backfire on them, IDC’s Jude told TechNewsWorld.
“In the case of provocative material, the temptation would be to pay the ransom rather than face public disclosure,” he said.
By the Numbers
“It is possible that thousands were impacted,” Jude remarked. “It wouldn’t pay for Google to announce something like this unless it had a pretty wide reach.”
The issue “could be quite serious for those affected,” said Paul Bischoff, privacy advocate at Comparitech.
However, the scale of the problem depends on who really was affected, he told TechNewsWorld.
Google pinned that number at 0.01 percent, but “do they mean 0.01 percent of Takeout users or of Photo users?” Bischoff asked. “The former would be a much smaller number.”
Further, the leaked videos went to other users, not malicious actors, he noted, and “it was not intentional on Google’s part. For me, those two facts make this less of a big deal.”
If Google had let an attacker hack its systems or had been hiding a nefarious practice, its privacy or security standards would be called into question, Bischoff said, but “bugs happen, and I think people are more forgiving for that sort of thing.”
What Google Can or Should Do
Google “should do whatever it takes to secure the mis-sent videos,” Enderle recommended.
“It probably won’t be enough, but if they wait for regulatory action, the result could be very expensive,” he warned.
“Ethically, Google should help them,” said IDC’s Jude. “Would they? Probably not, unless there’s some explicit guarantee that the data stored with Google is secure.”
Google could offer identity theft protection for the victims, “but there’s not much it can do until the damage is done,” Comparitech’s Bischoff noted.
If it can find out exactly which videos and photos were sent incorrectly, Google “should absolutely inform the owners of what was compromised,” Bischoff recommended. It might step in as a mediator to protect both parties’ privacy in case any victims wanted to communicate with those who received their videos by mistake.
Google “is a free service, more or less, that provides access in exchange for looking over your shoulder as you use the service,” Jude remarked. “It is not a public commons, and there really should be no expectation of privacy.”
Users should opt for a paid storage service, suggested Enderle, while Jude said storing videos and photos locally might be a better option.
“I saw a 2-TB SSD the other day for (US)$69,” he said. “Back when I was in college, I saw an article in the magazine ‘Datamation’ that said the total computer storage of the planet was about 1 TB.”
Richard Adhikari has been an ECT News Network reporter since 2008. His areas of focus include cybersecurity, mobile technologies, CRM, databases, software development, mainframe and mid-range computing, and application development. He has written and edited for numerous publications, including Information Week and Computerworld. He is the author of two books on client/server technology. Email Richard.