In short: Three top Republican legislators wrote to Google on Thursday, demanding the company explains its decision to cover up a major blunder that exposed data of up to 500,000 Google+ users. Republican Senators Roger Wicker (MS), John Thune (SD), and Jerry Moran (KS) asked for detailed documentation that led to the cover-up after the vulnerability was discovered in March, including a memo recommending non-disclosure which was cited by the original report of the ordeal published by the Wall Street Journal earlier this week.
In a letter addressing Google Chief Executive Officer Sundar Pichai, the Senators expressed a "great concern" for the matter at hand, inquiring why the firm only admitted to the blunder after the incident was discovered by the media. The legislators also suggested the incident violated the firm's 2011 Proposed Consent Agreement with the Federal Trade Commission which required it to disclose the Google+ vulnerability to an independent assessor examining its privacy program as part of that deal. Questions were also raised about whether Google covered up other vulnerabilities in the past and is possibly still doing so.
Finally, the Republican Senators took aim at Google's business model in their Thursday letter, asking whether the firm believes users of its free services should be given the same level of protection and risk notification as those who pay for its solutions as part of G Suite packages designed for enterprises. The lawmakers want to hear the tech giant's response no later than 5 PM EST on October 30 and are "especially disappointed" they weren't briefed on the matter by Google Chief Privacy Officer Keith Enright who attended a Senate committee hearing on digital privacy just two weeks ago.
Background: The original report on the bug that exposed data of hundreds of thousands of users claimed Google was fearful of the general public's reaction to the slip-up, especially given how the bug was discovered amid the peak of Facebook's Cambridge Analytica scandal. While Alphabet's subsidiary hasn't commented on the matter one way or another, data security experts agree that was likely the case. "They knew they'll create an outcry," according to Eric Schrock, Chief Technology Officer of virtualization and data security company Delphix. In a statement provided to AndroidHeadlines, Mr. Shrock said Google likely wanted to wait until it's ready to time the disclosure so as to publicize it alongside some positive news. "They wanted to say 'yes, we made a mistake, but look at all this other cool stuff,'" he believes.
That's precisely what the company ended up doing; besides the acknowledgment of the vulnerability, its Monday communication included an announcement that Google+ itself was being killed off within ten months, which was accompanied by an unprecedented disclosure of some of its key performance metrics, such as the fact that over 90-percent of all Google+ sessions were shorter than five seconds. Additionally, Google announced it's revamping Android developer policies simultaneously with the vulnerability admission, revealing it's limiting third-party access to data such as call logs and SMS history. Finally, the disclosure came less than 24 hours before the company's annual hardware event which saw launches of a number of new products such as the Pixel 3 Android flagships and the Pixel Slate Chrome OS tablet, further shifting the conversation about Google away from the Google+ debacle. The timing did a lot to keep the disclosure in the public spotlight for as little as possible.
Google said it found no evidence of the vulnerability being abused, though it also admitted its potential evidence pool is surprisingly limited – the company only keeps logs for the People API set — which contained the bug in question — for two weeks, whereas affected users possibly had their data exposed since 2015 until this spring. The vulnerability allowed developers to pull Google+ profile data that has been marked as private by all users who shared their public info through the People APIs. Potentially compromised data includes names, email addresses, occupations, and other tidbits people were able to input into static fields of Google+ profiles, then choose to share or not share them with some of their circles.
Impact: Initial reports suggest Google didn't disclose the vulnerability to an independent assessor and may end up being hit with a multi-million-dollar fine for violating its 2011 agreement with the FTC. Google has yet to indicate whether it intends to respond to the Senators' letter, though that seems like a probable scenario despite the fact that the communication lacks legal elements that could compel it to do so.
The incident is currently being investigated by regulators in both the United States and the European Union, with the latter already having a straightforward path toward litigation – the General Data Protection Regulation. The law that went into effect in late May could see Google fined up to four percentage points of its annual revenue, which would amount to a ten-figure sum, though if the European Commission ever chooses to prosecute the matter, it's likely to settle for much less.
Despite minimizing the impact of the disclosure as far as public criticism is concerned, the Mountain View, California-based Internet juggernaut still drew the attention of some established advocacy groups, regulators, and legislators. "Google cannot be trusted," Consumer Watchdog wrote in its latest release, calling for more U.S. states to follow California's example and enact strict laws similar to GDPR that would hold companies responsible for doing a poor job at protecting user data, in addition to allowing wronged consumers to take such corporate entities to court.
Google has recently been attracting a lot of negative publicity: the political right in the U.S. is accusing it of being biased toward liberal worldviews, legislators and human rights advocates are blasting it for its insistence on launching a censored version of Google Search for China, and Capitol Hill is taken aback by the fact that the firm opted not to renew its contract for Project Maven, a controversial initiative started by Pentagon that saw it collaborate with the Defense Department on weaponizing artificial intelligence. Combined with the new Google+ debacle and the fact that Google will also be held responsible for any foreign election meddling abusing its platforms in the run-up to next month's mid-terms, the company has a rough period ahead of it.