Company didn’t disclose leak for months to avoid a public relations headache and potential regulatory enforcement
This March, as Facebook was coming under global scrutiny over the harvesting of personal data for Cambridge Analytica, Google discovered a skeleton in its own closet: a bug in the API for Google+ had been allowing third-party app developers to access the data not just of users who had granted permission, but of their friends.
If that sounds familiar, it’s because it’s almost exactly the scenario that got Mark Zuckerberg dragged in front of the US Congress. The parallel was not lost on Google, and the company chose not to disclose the data leak, the Wall Street Journal revealed Monday, in order to avoid the public relations headache and potential regulatory enforcement.
Disclosure will likely result “in us coming into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal”, Google policy and legal officials wrote in a memo obtained by the Journal. It “almost guarantees Sundar will testify before Congress”. The disclosure would also invite “immediate regulatory interest”, the memo said.
Shortly after the story was published, Google announced that it will shut down consumer access to Google+ and improve privacy protections for third-party applications.
In a blog post about the shutdown, Google disclosed the data leak, which it said potentially affected up to 500,000 accounts. Up to 438 different third-party applications may have had access to private information due to the bug, but Google apparently has no way of knowing whether they did because it only maintains logs of API use for two weeks.
“We found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any profile data was misused,” Ben Smith, the vice-president of engineering, wrote in the blogpost.
Smith defended the decision not to disclose the leak, writing: “Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice.”
The Facebook breach makes it clear: data must be regulated
None of the thresholds for public disclosure were met, Smith said.
There is no federal law that obliges Google to disclose data leaks, but there are laws at a state level. In California, where Google is headquartered, companies are only required to disclose a data leak if it includes both an individual’s name and their Social Security number, ID card or driver’s license number, license plate, medical information or health insurance information.
Google also announced a series of reforms to its privacy policies designed to give users more control on the amount of data they share with third-party app developers.
Users will now be able to have more “fine grained” control over the various aspects of their Google accounts that they grant to third-parties (ie calendar entries v Gmail), and Google will further limit third-parties’ access to email, SMS, contacts and phone logs.
David Carroll is a US professor who sued Cambridge Analytica earlier this year to find out what data the company had stored about him. He said that given the legal issues Facebook faces over its Cambridge Analytica cover-up, it’s not surprising Google tried to keep the leak out of the public eye.
“Google is right to be concerned and the shutdown of Google+ shows how disposable things really are in the face of accountability,” he said.
For others, the leak was further evidence that the large technology platforms need more regulatory oversight.
“Monopolistic internet platforms like Google and Facebook are probably ‘too big to secure’ and are certainly ‘too big to trust’ blindly,” said Jeff Hauser, from the Centre for Economic and Policy Research.
He argued that the US Federal Trade Commission should move toward “breaking these platforms up”.
“In the interim, since we cannot trust that we know much or even most of what ought to concern the public, the FTC should install public-minded privacy monitors into the firms as an element of accountability.”