Google did not disclose security bug because it feared regulation, says report

Oct. 9, 2018

Google did not initially disclose a Google+ security bug when it first discovered it this spring because it feared regulatory scrutiny and reputational damage, according to a Wall Street Journal report citing documents and people briefed on the incident.

Google wrote in its own blog post on the incident that it determines when to notify users about privacy and security bugs based on the type of data involved, whether it can accurately identify who to inform, whether there is evidence of misuse, and whether there is any action that a user can take in response, and that based on those criteria it didn’t immediately alert users of the Google+ bug.

However, a memo prepared by Google’s legal and policy staff and seen by the Journal shows that leadership was also concerned about causing a potential privacy scandal. The memo allegedly warned senior executives that news of the bug would cause “immediate regulatory interest” and draw comparisons to Facebook’s Cambridge Analytica data scandal.

It’s been a rocky summer for big tech: In the past year, Google, Facebook, Twitter, and other technology companies have all testified before various House and Senate committees about their data and privacy practices, the risk of election meddling, and their possible conservative bias, among other topics. President Donald Trump has made critical comments about both Google and the other tech platforms, but the administration has not yet proposed any sort of actual regulation. Google has gotten in trouble overseas though: The European Union slapped the company with a $5 billion fine for antitrust abuse of its mobile operating system, Android.

With this bug, the possibly exposed data included the names, email addresses, birth dates, profile photos, and gender of up to 500,000 Google+ accounts, though not any information related to personal communication or phone numbers. Google says that 438 apps may have used the application programming interface, or API, that made the private data available, but that it found no evidence that any developers misused the information.

The company plans to shut down all consumer functionality of Google+ over the next ten months, although it will maintain the enterprise version used by its G Suite business customers. Since the social network first launched in 2011, it failed to gain popular appeal and was broken up into separate products in 2015. The blog post states that the consumer version currently has low usage and engagement and that 90% of user sessions last less than five seconds.

Google discovered the bug during a comprehensive review of third-party developer access to all Google account and Android device data. In its blog post revealing the bug, Google also said that it’s going to make it easier for users to see and control exactly what data they share with apps.

CNBC has the full article
