U.S. Senators Demand Internal Memo Related to Google+ Incident
14.10.2018 securityweek BigBrothers
A group of United States senators on Thursday sent a letter to Google, urging it to provide an internal memo that supposedly explains why the company did not disclose the Google+ data exposure that was discovered in March.
Affecting a Google+ API, the vulnerability provided applications with access to data they were not supposed to access, and up to 500,000 user accounts might have been impacted. The API had apparently been exposing user data since 2015.
Google claims it has no evidence of developers being aware of the bug or of account data being misused. However, the Internet giant decided to shut down the Google+ platform, citing low user interest and difficulties in making it successful.
Amid privacy concerns arising from the Facebook-Cambridge Analytica scandal that erupted in March, the search company’s decision to cover up the flaw’s discovery doesn’t sit well with the privacy-conscious. The disclosure also cast a dark shadow over the launch of Google’s new phone, the Pixel 3.
Privacy concerns are what three U.S. senators underline in a letter (PDF) sent to Google chief executive officer Sundar Pichai.
They also question the Internet giant’s decision against a timely disclosure of the data exposure, as well as its willingness to inform the public when it becomes aware of any misuse of the impacted data.
The letter also mentions a Wall Street Journal article that refers to an internal Google memo detailing the factors that led the company to cover up the issue, such as fears that it would catch the attention of regulators and even draw comparisons to the Facebook privacy scandal.
“Data privacy is an issue of great concern for many Americans who use online services. Particularly in the wake of Cambridge Analytica controversy, customers’ trust in the companies that operate those services to keep their data secure has been shaken,” the letter reads.
“It is for this reason that the reported contents of Google’s internal memo are so troubling. At the same time that Facebook was learning the important lesson that tech firms must be forthright with the public about privacy issues, Google apparently elected to withhold information about a relevant vulnerability for fear of public scrutiny,” the letter continues.
What’s more, the senators mention the fact that, although Pichai testified in front of the Senate Commerce Committee on the issue of privacy only a couple of weeks ago, he did not mention the Google+ issue at the time.
“Google must be more forthcoming with the public and lawmakers if the company is to maintain or regain the trust of the users of its services,” the letter continues.
The senators ask Pichai to provide a written response to questions regarding when and how Google discovered the Google+ issue, why it chose not to disclose it, whether it informed federal agencies of the discovery, and whether there are any other incidents it chose not to disclose, among others.
On top of that, the senators, who urge Google to provide a copy of the internal memo cited in the Wall Street Journal, ask the search company whether users of free Google services “should be afforded the same level of notification and mitigation efforts as paid G Suite subscribers” (Google is apparently committed to informing G Suite users immediately of any incidents involving their data).