Google Photos incorrectly exported private videos to other users
Google Photos is one of Google’s most popular services. It was originally launched as Google+ Photos and bundled with Google+. While Google+ died in 2018, Google Photos was separated from the social network in 2015 and it has thrived ever since. The service lets users upload and store high-resolution photos to the cloud with 15GB free storage provided as a base. These photos can then be accessed through any device. Image backup to the cloud, therefore, has become an ubiquitous concept. It still has its drawbacks, however. One of these is the existence of technical bugs that leads to data leaks. Google has now revealed that a technical bug of this kind affected Photos users in November, where a user’s private videos were incorrectly exported to random users’ archives.
— Jon Oberheide (@jonoberheide) February 4, 2020
The source of the bug was in Google Takeout, a feature that lets users download their data from Google apps either for locally backing it up or for using it with another service. Google has started sending emails to Takeout users about the “technical issue” that took place from November 21-25, 2019. During that time frame, users who requested backups from Google Photos could have had their videos on the service “incorrectly exported to unrelated users’ archives”. This was specific to videos, not photos. These videos might be visible to random users that were also downloading their data through Google Takeout. Select users could have had “one or more videos in [their] Google Photos account” affected by this issue. A secondary issue is that the users’ archives downloaded from Takeout were incomplete and missing some of their videos, while containing videos from unrelated strangers.
Google is now recommending users to delete their previous exports and request a new one. It told 9to5Google that less than 0.01% of Photos users attempting Takeouts were affected. No other product is said to be affected. Google has now identified and resolved this issue, and apologized to users in the email it sent. It has also conducted “an in-depth analysis to help prevent this from ever happening again”.
This technical issue was definitely not a nice one, as it infringed users’ privacy and highlighted the drawbacks of uploading user data to the cloud. Google’s responsibility was to own up to the issue, and it can be argued that by making an admission two months after the technical issue, the company hasn’t lived up to its ideals. Such an incident, however, is sadly not an exception.