Google is pulling the plug on their social network, Google+. Users still have the better part of a year to say their goodbyes, but if the fledgling social network was a ghost town before, news of its imminent shutdown isn’t likely to liven the place up. A quick check of the site as of this writing reveals many users are already posting their farewell messages, and while there’s some rallying behind petitions to keep the lights on, the majority realize that once Google has fallen out of love with a project there’s little chance of a reprieve.

To say that this is a surprise would be disingenuous. We’d wager a lot of you already thought it was gone, honestly. It’s no secret that Google’s attempt at a “Facebook Killer” was anything but, and while there was a group of dedicated users to be sure, it never attained anywhere near the success of its competition.

According to a blog post from Google, the network’s anemic user base isn’t the only reason they’ve decided to wind down the service. A previously undisclosed security vulnerability also hastened its demise, a revelation which will particularly sting those who joined for the privacy-first design Google touted. While this fairly transparent postmortem allows us to answer what ended Google’s grand experiment in social networking, there’s still one question left unanswered. Where are the soon-to-be-orphaned Google+ users supposed to go?

Project Strobe

As explained in the blog post, the decision to shutter Google+ ultimately stems from the results of an internal effort called Project Strobe. Started in early 2018, it was a complete review of third-party developer access to not only personal data in the form of individual Google user accounts, but Android device data. Google claims they decided to make Google+ an early focus of Project Strobe due to user feedback, but the more skeptical observer might wonder if it was more likely a guise under which the service could be retired while still retaining some dignity.

We now know that in March, Project Strobe found a bug in the Google+ “People” API. It allowed apps on the platform to access information about a user’s friends on Google+, even if that information was not marked as publicly visible. Basically, if you could see your friends’ name/job/etc., then so could your apps, even though you never gave those apps permission to access that information. While the bug didn’t allow apps to read messages or obtain phone numbers, it did expose profile data such as names, email addresses, occupations, genders, and ages of the users.
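To make the flaw concrete, here is a simplified model added for illustration; it is not Google's code, and the `Profile` class, the function names and the sample data are all hypothetical. It contrasts an app inheriting the authorizing user's view of a friend with an app limited to public fields, and reports the difference as a regression check.

```python
from dataclasses import dataclass

PUBLIC, SHARED = "public", "shared"   # constructed visibility labels

@dataclass
class Profile:
    owner: str
    shared_with: frozenset   # users the owner shares non-public fields with
    fields: dict             # field name -> (value, visibility)

def visible_to_user(profile, viewer):
    """What a human viewer sees: public fields, plus shared ones if allowed."""
    trusted = viewer == profile.owner or viewer in profile.shared_with
    return {name: value for name, (value, vis) in profile.fields.items()
            if vis == PUBLIC or trusted}

def app_read_flawed(profile, authorizing_user):
    """Flawed: the app inherits the authorizing user's whole view of a friend."""
    return visible_to_user(profile, authorizing_user)

def app_read_fixed(profile, authorizing_user):
    """Hardened (friends' profiles only): the app gets public fields, no more."""
    return {name: value for name, (value, vis) in profile.fields.items()
            if vis == PUBLIC}

def overexposed_fields(profile, authorizing_user):
    """Regression check: fields the flawed path returns beyond the fixed one."""
    flawed = app_read_flawed(profile, authorizing_user)
    fixed = app_read_fixed(profile, authorizing_user)
    return sorted(set(flawed) - set(fixed))

# Constructed sample data: Alice shares some fields with Bob only.
ALICE = Profile(
    owner="alice",
    shared_with=frozenset({"bob"}),
    fields={
        "name": ("Alice Example", PUBLIC),
        "email": ("alice@example.com", SHARED),
        "occupation": ("Engineer", SHARED),
        "age": (34, SHARED),
    },
)

if __name__ == "__main__":
    # Bob authorizes a third-party app; list what it should never have seen.
    print(overexposed_fields(ALICE, "bob"))
```

The same comparison works as an API test: any field returned to an app that the profile owner did not mark public is a failure.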

This kind of information might seem innocuous at first glance, but it can be a treasure trove for social engineering attacks. Being able to learn so much about your social media contacts, especially email addresses and occupations, could help an attacker craft convincing phishing schemes. The vulnerability presented in the form of a classic “Trojan Horse”: an attacker would only need to get the target to authorize their application under the pretense of it being a game or other interesting piece of software, and in return they get to siphon off information about their friends, family, and co-workers.

Google stresses that they uncovered no evidence that this bug was ever discovered, let alone exploited. Accordingly they made the decision not to reveal its existence to the public, as the issue was immediately resolved. Withholding information on security vulnerabilities until after the fix has been implemented is nothing new. But going more than half a year before revealing this information immediately sparked some controversy.

Citing the “challenges” of maintaining Google+ in a way that meets consumers’ expectations of privacy and functionality, Google has decided to simply shut the whole thing down.

Look Who’s Talking

Google’s announcement doesn’t specifically state how many people are actually using Google+, only saying that it’s “low”. Figuring out how many people are on the service has always been tricky, as the number of user accounts is inflated by the fact that it’s tied to the monstrously popular Gmail. But they did let slip one soul-crushing factoid: 90% of Google+ user sessions last less than five seconds. Ouch.

However, it seems the corporate world has had much better luck with Google+ than consumers. Google has found that businesses have been using it as a secure internal social network of sorts, and they are looking to capitalize on that going forward. It’s worth noting this is the same way Google handled the transition of Hangouts from being merely the de facto chat application on Android to being a business product meant to compete with Slack.

Finding a New Home

It’s a shame to see Google+ shut down, as it did have a few solid ideas on how to improve the social media paradigm like “circles” for tight control of who could see your posts and the ability to export data and cleanly delete your account. Unfortunately some downright boneheaded PR decisions, such as trying to shoehorn it into the YouTube comment system, led to ridicule and a general negative sentiment. Not what you want when going into battle against entrenched juggernauts like Facebook and Twitter. But even with its faults and rudderless advertising there are still many users who made Google+ their home, and a number of active (albeit niche) communities — 3D printing and photography specifically come to mind — which are now in danger of collapsing.

Crucially, the people who were active on Google+ were almost exclusively doing so in an effort to avoid Facebook to begin with, so that’s simply not a viable option. These users value privacy and granular control over their data, so they are far more likely to gravitate towards open services like Mastodon or Diaspora. If there’s a silver lining here, it could be the attention these decidedly more hacker-friendly platforms are about to receive once a sizable number of privacy- and security-minded individuals start looking for a new place to call home.