Editor’s note: Today is Safer Internet Day, but we’ll be talking about it all week with a collection of posts from teams from across Google.

When you’re online, you shouldn’t need to worry about the security of your information. That’s why we work to build security into our products, so the information in your Google account is automatically protected. We also share our best practices and security tools with other organizations, to help make the internet safer for everyone.

Even still, there are some simple things that you can do to make your information even more secure. Recent U.S. data from a survey we conducted with Harris Poll confirms that many people may not be familiar with these basics. 

This Safer Internet Day, take a moment to strengthen your online security by following these five tips:

1. Set up a recovery phone number or email address, and keep it updated.

The majority of people surveyed said they have either a secondary email address (87 percent) or mobile device (73 percent) set for account recovery and security purposes—and that’s great.

For many web services, your Google Account included, having a recovery method can help alert you if there’s suspicious activity on your account or if you need to block someone from using your account without permission. And of course, adding recovery information to your account can help you get back in more quickly if you ever lose access or can't sign in.

To set up recovery information, visit your Google Account’s Security section and scroll down to “Ways we can verify it's you.”

2. Use unique passwords for your accounts.

65 percent of respondents in our poll said they reuse the same password for multiple accounts, which can increase your security risk. It’s like using the same key to lock your home, car and office—if someone gains access to one, all of them could be compromised.  

Create a unique password for each account to eliminate this risk. Make sure that each password is hard to guess and better yet, at least eight characters long. It can be hard to keep track of many different passwords—60 percent of people report having too many passwords to remember. To help, consider using a password manager (like the one built into your Chrome browser) to help you create, safeguard and keep track of all your passwords. If that is too difficult, you can even write your passwords down on a piece of paper (but keep it in a safe place!), since hijackers are most likely to be online, rather than physically near you.

3. Keep your software up to date.

To help protect your online activity, make sure you’re always running the latest version of software on all your devices. The Harris Poll results show that, while 79 percent of respondents said they understood the importance of updating their software, one third of people said they still don’t regularly update their applications, or aren’t sure if they do or not.

If you’re using the below operating systems, here’s where you can look to learn how to check & update the software on your devices:

• Windows support
  
• Mac
  
• Android
  
• iOS

Some software, like Chrome, will automatically update so you never need to worry about doing it yourself. For other services that send notifications when it’s time to update, don’t click “remind me later”— take the time to install the update right away.

4. Go a step further by setting up two-factor authentication.

Setting up two-factor authentication (2FA)—also known as 2-Step Verification—significantly decreases the chance of someone gaining unauthorized access to your account. For the majority of people, Google’s automatic and risk-based sign-in protections are more than enough, but everyone should know that 2FA is an extra option. However, one in three survey respondents (31 percent) said they do not use 2FA, or don’t know if they are using it or not.

2FA requires you to take a second step each time you sign in to your account on top of your username and password. Examples of second verification steps include: an SMS text message, a six-digit code generated by an app, a prompt that you receive on a trusted device or the use of a physical security key.

Set up two-factor authentication for your Google Account by visiting g.co/2sv and clicking “Get Started.”

5. Take the Google Security Checkup.

The Security Checkup gives you personalized and actionable security recommendations that help you strengthen the security of your Google Account, and it only takes two minutes to complete.

Taking the Security Checkup doesn’t just help make you safer while using Google. The Checkup also includes personalized tips to keep you safer across the web, like helping you set up a screen lock on your mobile phone and advising you to remove risky third-party sites and apps that have access to your account.

Find more online security tips like these by visiting our Safety Center; you can also visit your Google Account’s Security section to find all the settings and tools mentioned in this post. Check out this infographic for more insights from our Online Security Survey.

In October, weannounced that we’d be sunsetting the consumer version of Google+ and its APIs because of the significant challenges involved in maintaining a successful product that meets consumers’ expectations, as well as the platform’s low usage.

We’ve recently determined that some users were impacted by a software update introduced in November that contained a bug affecting a Google+ API. We discovered this bug as part of our standard and ongoing testing procedures and fixed it within a week of it being introduced. No third party compromised our systems, and we have no evidence that the app developers that inadvertently had this access for six days were aware of it or misused it in any way.

With the discovery of this new bug, we have decided to expedite the shut-down of all Google+ APIs; this will occur within the next 90 days. In addition, we have also decided to accelerate the sunsetting of consumer Google+ from August 2019 to April 2019. While we recognize there are implications for developers, we want to ensure the protection of our users.

Details about the bug and our investigation

Our testing revealed that a Google+ API was not operating as intended. We fixed the bug promptly and began an investigation into the issue.

Our investigation into the impact of the bug is ongoing, but here is what we have learned so far:

• We have confirmed that the bug impacted approximately 52.5 million users in connection with a Google+ API.
  
• With respect to this API, apps that requested permission to view profile information that a user had added to their Google+ profile—like their name, email address, occupation, age (full list here)—were granted permission to view profile information about that user even when set to not-public.
  
• In addition, apps with access to a user's Google+ profile data also had access to the profile data that had been shared with the consenting user by another Google+ user but that was not shared publicly.
  
• The bug did not give developers access to information such as financial data, national identification numbers, passwords, or similar data typically used for fraud or identity theft.
  

• No third party compromised our systems, and we have no evidence that the developers who inadvertently had this access for six days were aware of it or misused it in any way.

We have begun the process of notifying consumer users and enterprise customers that were impacted by this bug. Our investigation is ongoing as to any potential impact to other Google+ APIs.

Next steps for Consumer Google+

We will sunset all Google+ APIs in the next 90 days.  Developers can expect to hear more from us on this topic in the coming days, and can stay informed by continuing to check the Google+ developer page.

We have also decided to accelerate sunsetting consumer Google+, bringing it forward from August 2019 to April 2019.  We want to give users ample opportunity to transition off of consumer Google+, and over the coming months, we will continue to provide users with additional information, including ways they can safely and securely download and migrate their data.

A note for our enterprise customers

We are in the process of notifying any enterprise customers that were impacted by this bug. A list of impacted users in those domains is being sent to system administrators, and we will reach out again if any additional impacted users or issues are discovered.

G Suite administrators are always in control of their users’ apps. This ensures that G Suite users can give access only to apps that have been vetted and are trusted by their organization. In addition, we want to reiterate that we will continue to invest in Google+ for enterprise. More details were announced in October.

We understand that our ability to build reliable products that protect your data drives user trust. We have always taken this seriously, and we continue to invest in our privacy programs to refine internal privacy review processes, create powerful data controls, and engage with users, researchers, and policymakers to get their feedback and improve our programs. We will never stop our work to build privacy protections that work for everyone.

We can all agree that content that exploits or endangers children is abhorrent and unacceptable. Google has a zero tolerance approach to child sexual abuse material (CSAM) and we are committed to stopping any attempt to use our platforms to spread this kind of abuse.

So this week our experts and engineers are taking part in an industry “hackathon” where technology companies and NGOs are coming together to collaborate and create new ways to tackle child sexual abuse online. This hackathon marks the latest milestone in our effort to fight this issue through technology, teams and partnerships over two decades.

In 2006, we joined the Technology Coalition, partnering with other technology companies on technical solutions to tackle the proliferation of images of child exploitation. Since then, we’ve developed and shared new technologies to help organizations globally root out and stop child abuse material being shared.

In 2008, we began using “hashes,” or unique digital fingerprints, to identify, remove and report copies of known images automatically, without humans having to review them again. In addition to receiving hashes from organizations like the Internet Watch Foundationand the National Center for Missing and Exploited Children, we also add hashes of newly discovered content to a shared industry database so that other organizations can collaborate on detecting and removing these images.

In 2013, we made changes to the Google Search algorithm to further prevent images, videos and links to child abuse material from appearing in our search results. We’ve implemented this change around the world in 40 languages. We’ve launched deterrence campaigns, including a partnership with the Lucy Faithfull Foundation in the UK, to show warning messages in response to search terms associated with child sexual abuse terms. As a result of these efforts, we’ve seen a thirteen-fold reduction in the number of child sexual abuse image-related queries in Google Search.

In 2015, we expanded our work on hashes by introducing first-of-its-kind fingerprinting and matching technology for videos on YouTube, to scan and identify uploaded videos that contain known child sexual abuse material. This technology, CSAI Match, is unique in its resistance to manipulation and obfuscation of content, and it dramatically increases the number of violative videos that can be detected compared to previous methods. As with many of the new technologies we develop to tackle this kind of harm, we shared this technology with industry free of charge.  

This work has been effective in stopping the spread of known CSAM content online over the years. In 2018, we announced new AI technology which steps up the fight against abusers by identifying potential new CSAM content for the first time. Our new image classifierassists human reviewers sorting through images by prioritizing the most likely CSAM content for review. It already enables us to find and report almost 100 percent more CSAM than was possible using hash matching alone, and helps reviewers to find CSAM content seven times faster.

Since we made the new technology available for free via our Content Safety API in September, more than 200 organizations have requested to access it to support their work to protect children. Identifying and removing new images more quickly—often before they have even been viewed—means children who are being sexually abused today are more likely to be identified and protected from further abuse. It also reduces the toll on reviewers by requiring fewer people to be exposed to CSAM content.

Because this kind of abuse can manifest through text as well as images, we recently made substantial changes to tackle predatory behavior in YouTube comments using a classifier, which surfaces for review inappropriate sexual or predatory comments on videos featuring minors. This has led to a significant reduction in violative comments this year.

Underpinning all of this work is a deep collaboration with partners. As well as the Technology Coalition, we’re members of the Internet Watch Foundation and the WePROTECT Global Alliance, and we report any CSAM content we find to the National Center for Missing and Exploited Children who in turn report to law enforcement.

Technology, and the methods used by those who seek to exploit it, are constantly evolving and there will always be more to do to tackle this heinous crime. We are crystal clear about our responsibility to ensure our products and services offer safe experiences, and we are fully committed to protecting children from sexual exploitation.

Many third-party apps, services and websites build on top of our various services to improve everyone’s phones, working life, and online experience. We strongly support this active ecosystem. But increasingly, its success depends on users knowing that their data is secure, and on developers having clear rules of the road.

Over the years we’ve continually strengthened our controls and policies in response to regular internal reviews, user feedback and evolving expectations about data privacy and security.

At the beginning of this year, we started an effort called Project Strobe—a root-and-branch review of third-party developer access to Google account and Android device data and of our philosophy around apps’ data access. This project looked at the operation of our privacy controls, platforms where users were not engaging with our APIs because of concerns around data privacy, areas where developers may have been granted overly broad access, and other areas in which our policies should be tightened.  

We’re announcing the first four findings and actions from this review today.

Finding 1: There are significant challenges in creating and maintaining a successful Google+ product that meets consumers’ expectations.

Action 1: We are shutting down Google+ for consumers.

Over the years we’ve received feedback that people want to better understand how to control the data they choose to share with apps on Google+. So as part of Project Strobe, one of our first priorities was to closely review all the APIs associated with Google+.  

This review crystallized what we’ve known for a while: that while our engineering teams have put a lot of effort and dedication into building Google+ over the years, it has not achieved broad consumer or developer adoption, and has seen limited user interaction with apps. The consumer version of Google+ currently has low usage and engagement: 90 percent of Google+ user sessions are less than five seconds.

Our review showed that our Google+ APIs, and the associated controls for consumers, are challenging to develop and maintain. Underlining this, as part of our Project Strobe audit, we discovered a bug in one of the Google+ People APIs:

• Users can grant access to their Profile data, and the public Profile information of their friends, to Google+ apps, via the API.

• The bug meant that apps also had access to Profile fields that were shared with the user, but not marked as public.  

• This data is limited to static, optional Google+ Profile fields including name, email address, occupation, gender and age. (See the full list on our developer site.) It does not include any other data you may have posted or connected to Google+ or any other service, like Google+ posts, messages, Google account data, phone numbers or G Suite content.

• We discovered and immediately patched this bug in March 2018. We believe it occurred after launch as a result of the API’s interaction with a subsequent Google+ code change.

• We made Google+ with privacy in mind and therefore keep this API’s log data for only two weeks. That means we cannot confirm which users were impacted by this bug. However, we ran a detailed analysis over the two weeks prior to patching the bug, and from that analysis, the Profiles of up to 500,000 Google+ accounts were potentially affected. Our analysis showed that up to 438 applications may have used this API.

• We found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any Profile data was misused.

Every year, we send millions of notifications to users about privacy and security bugs and issues. Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice.

Our Privacy & Data Protection Office reviewed this issue, looking at the type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response. None of these thresholds were met in this instance.

The review did highlight the significant challenges in creating and maintaining a successful Google+ that meets consumers’ expectations. Given these challenges and the very low usage of the consumer version of Google+, we decided to sunset the consumer version of Google+.

To give people a full opportunity to transition, we will implement this wind-down over a 10-month period, slated for completion by the end of next August. Over the coming months, we will provide consumers with additional information, including ways they can download and migrate their data.

At the same time, we have many enterprise customers who are finding great value in using Google+ within their companies. Our review showed that Google+ is better suited as an enterprise product where co-workers can engage in internal discussions on a secure corporate social network. Enterprise customers can set common access rules, and use central controls, for their entire organization. We’ve decided to focus on our enterprise efforts and will be launching new features purpose-built for businesses. We will share more information in the coming days.  

Finding 2: People want fine-grained controls over the data they share with apps.

Action 2: We are launching more granular Google Account permissions that will show in individual dialog boxes.

When an app prompts you for access to your Google account data, we always require that you see what data it has asked for, and you must grant it explicit permission.

Going forward, consumers will get more fine-grained control over what account data they choose to share with each app. Instead of seeing all requested permissions in a single screen, apps will have to show you each requested permission, one at a time, within its own dialog box.  For example, if a developer requests access to both calendar entries and Drive documents, you will be able to choose to share one but not the other. Developers can read more on the Google Developer Blog.

This is what the process looks like today when an app requests access to any data in your consumer Google account (you've always been able to choose whether to grant that permission request):

This is what it will look like:

Finding 3: When users grant apps access to their Gmail, they do so with certain use cases in mind.   

Action 3: We are limiting the types of use cases that are permitted.

We are updating our User Data Policy for the consumer Gmail API to limit the apps that may seek permission to access your consumer Gmail data. Only apps directly enhancing email functionality—such as email clients, email backup services and productivity services (e.g., CRM and mail merge services)—will be authorized to access this data. Moreover, these apps will need to agree to new rules on handling Gmail data and will be subject to security assessments. Developers can read more details on the Gmail Developer Blog. (As always, G Suite administrators are in control of their users’ apps.)

You can always review and control which apps have access to your Google account data (including Gmail) within our Security Checkup tool.

Finding 4: When users grant SMS, Contacts and Phone permissions to Android apps, they do so with certain use cases in mind.   

Action 4: We are limiting apps’ ability to receive Call Log and SMS permissions on Android devices, and are no longer making contact interaction data available via the Android Contacts API.

Some Android apps ask for permission to access a user’s phone (including call logs) and SMS data. Going forward, Google Play will limit which apps are allowed to ask for these permissions.  Only an app that you’ve selected as your default app for making calls or text messages will be able to make these requests. (There are some exceptions—e.g., voicemail and backup apps.) Developers can find more details in the Google Play Developer Policy Center and in the Help Center.

Additionally, as part of the Android Contacts permission, we had provided basic interaction data  so, for example, a messaging app could show you your most recent contacts. We will remove access to contact interaction data from the Android Contacts API within the next few months.

In the coming months, we’ll roll out additional controls and updating policies across more of our APIs. As we do so, we’ll work with our developer partners to give them appropriate time to adjust and update their apps and services.

Our goal is to support a wide range of useful apps, while ensuring that everyone is confident that their data is secure. By giving developers more explicit rules of the road, and helping users control your data, we can ensure that we keep doing just that.