Weighing implications of Google+ breach
Push to hold companies more accountable could hit firm
Google’s revelation that it knew about a privacy flaw in Google+ in March but did not disclose it publicly — along with an announcement that it will finally kill off the laggard social network — until this week could mean trouble on many fronts for the company.
Google decided not to immediately announce the glitch that exposed Google+ users’ private information to hundreds of third-party developers for fear that it would draw comparisons to the Facebook-Cambridge Analytica privacy scandal, according to the Wall Street Journal, which saw internal memos. That news, which involved political data consulting firm Cambridge Analytica accessing the information of Facebook users without their explicit permission, was unfolding at roughly the same time.
A Google memo said that revealing the privacy flaw would likely result “in us coming into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal,” according to the Journal.
Google fixed the bug in March, it said in a blog post Monday that included details of the information that was exposed, such as names, email addresses, birthdates, gender, profile photos, occupation and relationship status. The company also said it found no evidence that any of the data was misused, and that because of the way it stored information, it could not determine which users were affected. Because of that, the company told the Journal, it decided not to disclose the “incident” at the time.
There might not be any good time to disclose privacy flaws — or what seems
like a coverup. But for Google, it comes at a particularly sensitive time.
“Congress is champing at the bit to get Google on privacy,” said Eric Goldman, director of the Santa Clara University School of Law’s High Tech Law Institute, on Tuesday.
There are legislative pushes to hold tech giants more accountable over their privacy practices. For example, California passed a privacy law in June, which some critics say could harm innovation. They — including industry groups that count Google among their members — are advocating for federal rules.
Also, Google CEO Sundar Pichai recently agreed to testify before Congress after being criticized for not appearing with Twitter CEO Jack Dorsey and Facebook Chief Operating Officer Sheryl Sandberg on Capitol
Hill last month. Pichai was already probably going to face sharp questioning because lawmakers slammed Google’s failure to send him at that time. This revelation is likely to turn up the heat. While there has been no publicly announced date for his appearance, it is expected to be in the coming weeks.
In addition, Google continues to be bound by a 2011 consent decree with the Federal Trade Commission, as part of a settlement over its bungled rollout of Buzz, the company’s social networking predecessor to Google+. In 2010, Buzz publicly displayed the contact lists of its users. As a result, Google is required to submit to 20 years of privacy audits. The Hill is reporting that an audit that covered April 2016 to April of this year cleared Google’s privacy practices.
“The last time it breached the agreement, the internet giant was fined $22.5 million,” said John Simpson, privacy and technology project director of Los Angeles-based Consumer
Watchdog, on Tuesday, referring to a settlement Google agreed to pay in 2012 over its misrepresentation to Safari browser users that it would not use cookies to track them. “The FTC must act again and impose a fine that truly impacts Google and its parent Alphabet Inc. The earlier fine was pocket change to Google.”
An FTC spokeswoman did not return a request for comment Tuesday.
While there is a possibility the FTC and other regulatory agencies will take action over the disclosure and the coverup, Goldman pointed out that Google has said it has fixed the issue, and has outlined other steps it is taking to limit developers’ access to other user information.
“This will be impossible for regulators to ignore,” Goldman said. But he added that with the company killing off Google+, “it kind of makes further consequences seem a little empty.”