Indeed. A Google engineer stated on Twitter [0] that the shutdown of the service happened because apparently YOLO is only supposed to be accessible to whitelisted partners.
They also state in the same Twitter thread that they were aware of the issue before the blog post was written. IANAL but even if the shutdown was intentional (as opposed to being the example of terrible damage control it looks like), willfully leaving a bug in production that allows a set of whitelisted partners to deanonymize their visitors without their consent seems like something that shouldn't fly in countries with data protection laws?
Exactly. If it was about "just whitelisted partners" he discovered it was actually "everybody." It's not different than discovering that instead of the password just an empty string is enough.
Maybe someone should tip off Google project Zero about this? Let's see if they mean it that they will hold themselves to the same standard.