Three Republican senators have sent a letter to Google today demanding that the company hand over the internal memo on which Google based its decision to cover up a Google+ data leak instead of going public, as most companies do.
The existence of this internal memo came to light on Monday in a Wall Street Journal article that forced Google to go public with details about a Google+ API bug that could have been used to harvest data on Google users.
The API bug was discovered in March and, according to the Wall Street Journal report, had existed in the Google+ source code since at least 2015.
According to the report, the internal memo, signed by Google’s legal and policy staff, advised Google’s top execs not to disclose the existence of the API bug, fearing “immediate regulatory interest.”
Google’s legal staff also feared that the bug would bring Google “into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal,” and would “almost [guarantee] Sundar will testify before Congress,” akin to Facebook’s CEO.
“At the same time that Facebook was learning the important lesson that tech firms must be forthright with the public about privacy issues, Google apparently elected to withhold information about a relevant vulnerability for fear of public scrutiny,” the three senators wrote in their letter today.
“It is for this reason that the reported contents of Google’s internal memo are so troubling.”
Now, the three senators, who are also members of various Senate committees, want a copy of that internal memo by October 30, along with answers to seven questions in regard to what, why, and how Google handled the Google+ API data leak.
The senators want to know the exact timeline of how Google discovered the API leak, why Google didn’t disclose the issue at the time, whether it notified the FTC prior to public disclosure, and whether Google is hiding other breaches.
“We are especially disappointed given that Google’s chief privacy officer testified before the Senate Commerce Committee on the issue of privacy on September 26, 2018–just two weeks ago–and did not take the opportunity to provide information regarding this very relevant issue to the Committee,” they added.
The memo, its content, and the subsequent cover-up look even more damaging because a day before the September 26 Senate hearing, Google proposed a data privacy framework to US legislators, arguing that companies should be transparent about the types of personal information collected and comply with appropriate limits to data collection. Google positioned its proposal as GDPR-style legislation for the US, even though it was sitting on an undisclosed security breach at the time.
The three senators who signed today’s letter are John Thune [R-SD], Chairman of the Senate’s Committee on Commerce, Science, and Transportation; Roger Wicker [R-MS], Chairman of the Senate Subcommittee on Communications, Technology, Innovation, and the Internet; and Jerry Moran [R-KS], Chairman of the Senate Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security.