Senate Letter Criticizes Google for Failure to Disclose Data Vulnerability

Top lawmakers sent a stinging letter to Google on Thursday over its handling of a data vulnerability that affected hundreds of thousands of users of its Google+ social media service.

Source: WSJ - John D. McKinnon | Published on October 11, 2018

Senate Commerce Committee Chairman John Thune (R., S.D.), in a letter delivered on Thursday, joined two subcommittee chairmen in saying they found it “troubling” that Google failed to disclose the vulnerability after it was discovered.

“At the same time that Facebook was learning the important lesson that tech firms must be forthright with the public about privacy issues, Google apparently elected to withhold information about a relevant vulnerability for fear of public scrutiny,” the lawmakers wrote.

The letter said its authors were “especially disappointed” that Google’s chief privacy officer testified before the Commerce Committee just a few weeks ago “and did not take the opportunity to provide information regarding this very relevant issue to the committee.”

The Wall Street Journal reported earlier this week that Google exposed the private data of hundreds of thousands of users of its Google+ social network. The company, a unit of Alphabet Inc., chose not to disclose the issue earlier this year, in part because of worries that news of the incident would bring on regulatory scrutiny and reputational damage, according to interviews and documents.

The letter—signed by Sens. Jerry Moran (R., Kan.) and Roger Wicker (R., Miss.), in addition to Mr. Thune—added: “Google must be more forthcoming with the public and lawmakers if the company is to maintain or regain the trust of the users of its services.” The letter requests written answers to a series of questions including whether Google disclosed the matter to federal regulators and whether it has had any similar incidents that it hasn’t yet disclosed.

The letter illustrates how Google’s troubles on Capitol Hill are mounting in the wake of the Google+ revelations. At a Senate hearing on privacy issues Wednesday, Sen. Thune said it is increasingly clear from the Google+ incident, as well as from Facebook Inc.’s earlier Cambridge Analytica scandal, that industry self-regulation is no longer sufficient to protect users’ privacy, and that a “national standard for privacy rules of the road” will be needed.

The Federal Trade Commission is probing an incident in which data of up to 50 million Facebook users was transferred to Cambridge Analytica, a data firm that worked for President Trump during the 2016 campaign.

Google didn’t immediately respond to a request for comment on Thursday.

As part of its response to the Google+ incident, Google on Monday announced a broad set of data-privacy measures that include permanently shutting down all consumer functionality of Google+. The company also said it is curtailing the access it gives outside developers to user data from smartphones that run on its Android operating system and its Gmail service.

“Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice,” a Google spokesman said at the time.

At Wednesday’s hearing, Democrats joined Republicans in their criticism of Google, including the news that it had effectively sought to keep its problems quiet to avoid the same scrutiny Facebook received.

Sen. Richard Blumenthal (D., Conn.) said he would send a letter to the Federal Trade Commission urging an investigation of the Google+ incident. “I think this kind of deliberate concealment is absolutely intolerable,” he said.

Congressional legislation could beef up data-privacy protections for consumers, while handing much of the work of writing detailed rules to a strengthened FTC. The FTC currently lacks much rule-making authority when it comes to online data privacy and has limited ability to impose fines for violations. Congress also could push companies to do more to prevent data breaches.