Senate Republicans demand Google hand over memo advising it to hide data vulnerability

Senate Republicans demand Google hand over memo advising it to hide data vulnerability
© Getty Images

A trio of top Senate Republicans is demanding that Google hand over an internal memo that reportedly advised the company not to disclose a vulnerability that exposed hundreds of thousands of Google Plus users because it would draw attention from regulators.

The Wall Street Journal reported the existence of the memo on Monday shortly before Google revealed the software bug that exposed the private information of up to 500,000 users of its social media platform to third-party developers.

The memo from Google’s legal and policy staff advised the company’s leadership that going public about the vulnerability would invite “immediate regulatory interest” at a time when fellow tech giant Facebook is facing a firestorm over its Cambridge Analytica scandal.

On Thursday, Senate Commerce Committee Chairman John ThuneJohn Randolph ThuneTelehealth is calling — will Congress pick up? GOP grows tired of being blindsided by Trump Hillicon Valley: Assange faces US charges after arrest | Trump says WikiLeaks 'not my thing' | Uber officially files to go public | Bezos challenges retail rivals on wages | Kremlin tightens its control over internet MORE (R-S.D.) sent a letter to Google demanding answers.

“At the same time that Facebook was learning the important lesson that tech firms must be forthright with the public about privacy issues, Google apparently elected to withhold information about a relevant vulnerability for fear of public scrutiny,” the letter reads. “We are especially disappointed given that Google’s chief privacy officer testified before the Senate Commerce Committee on the issue of privacy on September 26, 2018—just two weeks ago—and did not take the opportunity to provide information regarding this very relevant issue to the Committee.”

The letter was also signed by two Republicans chairman of subcommittees with oversight of technology companies, Sens. Jerry MoranGerald (Jerry) MoranLive coverage: Barr faces Senate panel as he prepares release of Mueller report Hillicon Valley — Presented by CTIA and America's wireless industry — House panel approves bill restoring net neutrality | FTC asks for more help to police tech | Senate panel advances bill targeting illegal robocalls Senate panel advances bill penalizing illegal robocalls MORE (Kan.) and Roger WickerRoger Frederick WickerWe can accelerate a cure for Alzheimer's Senate panel opens investigation of FAA safety inspectors FAA faces questions about Boeing at two hearings MORE (Miss.).

A spokeswoman for Google did not immediately respond when asked for comment by The Hill.

The company has said that it didn’t immediately disclose the incident because it couldn’t determine the extent of the exposure. It has also announced that it will shut down Google Plus.

Lawmakers have been lashing out at Google since the vulnerability and the delayed disclosure were revealed this week. The internet search giant is required by a 2011 settlement with the Federal Trade Commission (FTC) to submit to independent audits of its privacy program every two years.

The Hill reported this week that the latest privacy audit by the accounting firm Ernst and Young cleared Google’s privacy practices. Though it’s heavily redacted, the document appears to make no mention of the incident.

In his letter, Thune asked if Google had disclosed the vulnerability to Ernst and Young and, if it hadn’t, to explain the decision to withhold the information.

“As the Senate Commerce Committee works toward legislation that establishes a nationwide privacy framework to protect consumer data, improving transparency will be an essential pillar of the effort to restore Americans’ faith in the services they use,” the letter reads. “It is for this reason that the reported contents of Google’s internal memo are so troubling.”