U.S. Senators Catherine Cortez Masto (D-Nev.) and Amy Klobuchar (D-Minn.) have written a letter to Google CEO Sundar Pichai expressing their “serious concerns” about reports that Google waited six months before notifying the public of a data breach that exposed the private information of nearly 500,000 users participating in the Google+ social media network.
The Senators also questioned the effect a longstanding consent order with the Federal Trade Commission will have on the company following the intrusion.
“Despite Google’s assertions that ‘none of the thresholds were met’ to require notifications of such a breach, internal memos reviewed by the Wall Street Journal indicate Google’s leadership was aware of the seriousness of this issue and made a conscious, overt decision to keep this data exposure a secret,” said the senators. “At a time when Americans’ trust in large, online companies is at an all-time low, we are deeply dismayed that more care was not taken to inform consumers about threats to their personal information.”
On Oct. 8, Google announced that it had uncovered a security flaw that enabled outside developers to access Google+ user data including names, e-mail addresses, occupation, age, and gender through application programming interfaces (APIs) that normally require a user’s explicit permission. Google has not uncovered evidence that developers took advantage of this vulnerability or that profile data was misused.
In March, following breaches at Facebook and Cambridge Analytica, Klobuchar was among the senators who wrote to the FTC, urging it to conduct a thorough investigation and to examine whether Facebook’s actions were in violation of its 2011 consent decree. Google has already been found in violation of an FTC consent decree and “its actions in this instance raise serious questions about whether another violation may have taken place,” the letter to Pichai says.
“Time and time again we have seen that tech companies and social media platforms are unwilling or unable to self-regulate in a way that protects consumers,” the correspondence adds. “As we have heard in testimony from privacy advocates and members of industry alike, it is time for Congress to act. As Congress considers enacting a federal privacy law, platforms like Google must do more to restore trust with consumers regarding the security of their data and how it is being used.”
The letter poses a series of questions and information requests to the Google CEO:
Is Google confident that no data was misused during this vulnerability, and how will this be verified?
Does Google believe its leadership acted appropriately in withholding this information from the public?
Does Google plan to reevaluate its internal thresholds for determining when disclosures should be made in cases when consumers’ personal information has been mishandled?
“We recognize that Google has taken some steps to improve its privacy practices, but more must be done,” the senators added. “We hope you will cooperate with Congress in improving privacy protections for the American people.”