Following a report alleging that Google kept secret a data breach potentially impacting hundreds of thousands of Google+ users, the company is offering only a meager defence of why it kept silent for so long.
The Wall Street Journal reports that Google opted not to publicly disclose the exposure—both out of concern of how Congress might react and because of what harm it might’ve caused to Google’s own reputation. The Journal’s article, which cited multiple sources briefed about the incident as well as a leaked c-suite memo prepared by Google’s lawyers, preceded an announcement that Google+ would be shuttered for good 10 months from now.
Google itself disclosed Monday that a “bug” had left users of the failed social network exposed. But the company was apparently unable to say whether or not the leaked data had been misused at any point—only that it found “no evidence” misuse occurred. It’s also unclear whether Google’s decision to announce the Google+ shutdown was prompted by the Journal article. The company declined to respond to questions beyond providing Gizmodo a brief statement.
Up to 438 different applications may have had access to the personal data, which included users’ full names, email addresses, birth dates, gender, profile pics, where they lived, and occupations, among various other details. The bug is said to have been active since 2015. It remains unclear precisely how many users, if any, were affected.
Google said in an email that its privacy staff ultimately failed to meet “thresholds” necessary for public disclosure. For example, it was unable to “accurately identify” which users should be notified. (Google did not respond when asked to clarify why this was the case.) Google was also unable to ascertain whether the data had been misused at any point.
Furthermore, the company said, it wasn’t clear what actions, if any, might be taken by developers mistakenly given access to the data.
“Our Privacy & Data Protection Office reviewed this issue, looking at the type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response,” the company said, adding: “None of these thresholds were met in this instance.”
Google added that it goes beyond legal requirements when it believes user data may be affected by a security incident.
The memo reviewed by the Journal reportedly focused on the ramifications Google would like face if the incident were to go public at a time when Facebook was being scrutinised by a hostile Congress over the Cambridge Analytica scandal. It further noted that Google CEO Sundar Pichai would likely be forced to testify on Capitol Hill if knowledge of the exposure was public.
Citing someone familiar with Google’s thinking, the Journal reported that the legal memo “wasn’t a factor in the decision” not to go public, but instead “reflected internal disagreements over how to handle the matter.”
Sundar was widely criticised in September for declining an invitation to testify before the Senate Intelligence Committee. The CEO has agreed to appear before a House committee later this year to answer questions on a broad range of matters, including the largely unfounded allegations that Google “censors” conservative voices.
During a Senate Commerce Committee hearing late last month, Google’s chief privacy officer, Keith Enright, acknowledged that the company had “made mistakes in the past, from which we have learned, and improved our robust privacy program.” The committee’s chair, Sen. John Thune, did not immediately respond to a request for comment.
We’ll update if Google responds to our inquiries.