Las Vegas, Nev. – U.S. Senator Catherine Cortez Masto (D-Nev.) joined Senator Amy Klobuchar (D-Minn.) in sending a letter to Google’s CEO, Sundar Pichai, expressing serious concerns about reports that Google waited six months before notifying the public of a data breach that exposed the private information of nearly 500,000 users participating in the Google+ social media network.
“Despite Google’s assertions that ‘none of the thresholds were met’ to require notifications of such a breach, internal memos reviewed by the Wall Street Journal indicate Google’s leadership was aware of the seriousness of this issue and made a conscious, overt decision to keep this data exposure a secret,” said the senators. “At a time when Americans’ trust in large, online companies is at an all-time low, we are deeply dismayed that more care was not taken to inform consumers about threats to their personal information.
“Time and time again we have seen that tech companies and social media platforms are unwilling or unable to self-regulate in a way that protects consumers. As we have heard in testimony from privacy advocates and members of industry alike, it is time for Congress to act,” the senators continued. “As Congress considers enacting a federal privacy law, platforms like Google must do more to restore trust with consumers regarding the security of their data and how it is being used.”
A PDF of the letter is available; the full text follows:
Dear Mr. Pichai,
We write to express serious concern about reports that Google exposed the private information of nearly 500,000 users participating in the Google+ social media network, and that this information was not disclosed to the American people for approximately six months.
On October 8, Google announced that it had uncovered a security flaw that enabled outside developers to access Google+ user data including names, email addresses, occupation, age, and gender through application programming interfaces (APIs) that normally require a user’s explicit permission. While Google has not uncovered evidence that developers took advantage of this vulnerability or that profile data was misused, it has failed to protect consumers’ data and kept consumers in the dark about serious security risks.
Despite Google’s assertions that “none of the thresholds were met” to require notifications of such a breach, internal memos reviewed by the Wall Street Journal indicate Google’s leadership was aware of the seriousness of this issue and made a conscious, overt decision to keep this data exposure a secret. At a time when Americans’ trust in large, online companies is at an all-time low, we are deeply dismayed that more care was not taken to inform consumers about threats to their personal information.
In March, following breaches at Facebook and Cambridge Analytica, Senators Klobuchar and Harris wrote a letter to the Federal Trade Commission (FTC) urging it to conduct a thorough investigation and to examine whether Facebook’s actions were in violation of its 2011 consent decree. Google has already been found in violation of an FTC consent decree and its actions in this instance raise serious questions about whether another violation may have taken place.
Time and time again we have seen that tech companies and social media platforms are unwilling or unable to self-regulate in a way that protects consumers. As we have heard in testimony from privacy advocates and members of industry alike, it is time for Congress to act. As Congress considers enacting a federal privacy law, platforms like Google must do more to restore trust with consumers regarding the security of their data and how it is being used.
Given our concerns, we respectfully ask that you answer the following questions:
1. Is Google confident that no data was misused during this vulnerability and how will this be verified?
2. Does Google believe its leadership acted appropriately in withholding this information from the public?
3. Does Google plan to reevaluate its internal thresholds for determining when disclosures should be made in cases when consumers’ personal information has been mishandled?
Google’s services are used by millions of Americans to share, communicate, and connect. This has fundamentally changed the way we engage with one another. In the process of this innovation, Google has directly profited off of the vast amount of data collected on American citizens. These same American citizens deserve to have their privacy protected and to know that the data Google collects is safe and secure.
We recognize that Google has taken some steps to improve its privacy practices, but more must be done. We hope you will cooperate with Congress in improving privacy protections for the American people.