by April Glaser, slate.com
Its decision not to disclose a vulnerability may have violated a Federal Trade Commission consent decree—and the consequences could be expensive.
When Google executives decided in March not to alert the public that the company had found a bug within its moribund social media platform, Google Plus, that had exposed the personal data of 500,000 users, they likely felt they were sparing themselves a public firestorm. According to an internal memo obtained by the Wall Street Journal, advisers within Google noted that going public with news of the data exposure, which the company patched quickly, would mean “us coming into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal.” Going public “almost guarantees Sundar will testify before Congress,” the memo reportedly read. The strategy worked for a while. Google largely laid low for the past six months while Facebook became the subject of multiple federal investigations for its porous privacy practices, with its CEO Mark Zuckerberg weathering two days of intense questioning from Congress.
In a blog post Monday, likely responding to the Journal’s scoop about the vulnerability, Google wrote that the bug allowed developers to potentially access data that wasn’t marked as public by users who didn’t consent for their information being shared. While there aren’t clear, broad federal laws about what to do in the event of personal details improperly being exposed by a platform, Google has its very own set of federal guidelines that it’s supposed to follow. The Federal Trade Commission, the agency that deals with consumer-protection issues, slapped the search giant with a consent decree in 2011 after it found that Google had mishandled user data on an earlier social media project called Buzz. What’s unclear is whether Google violated this decree—and could therefore face some expensive consequences.
“The 2011 Google order prohibits misrepresentations, specifically referencing misrepresentations about the efficacy of privacy controls,” said Justin Brookman, the director of consumer privacy and technology policy at Consumers Union, who previously served as the policy director of the FTC’s Office of Technology Research and Investigation. “The order also says if you’re going to share data with third parties in a new way from what users were told, you need opt-in consent.”
Since, with this bug, Google did expose personal data beyond what the company had permission from users to share, it could be interpreted as a violation of the FTC order, which could lead to fines, according to Ashkan Soltani, who previously worked as the chief technologist at the Federal Trade Commission. “With Google’s consent decree it’s not supposed to matter if there’s any harm. It’s supposed to be based purely on deception,” said Soltani, who added that fines issued for violating the consent decree would cover the number of days Google engaged in the deceptive practice. “So if they patched it after two days, then the violation would be for two days,” Soltani said. Google could be fined up to $16,000 per day per individual violation. With 500,000 users affected over two days, that could add up to about $16 billion, though it’s unlikely the FTC would charge the fine in full. “If Google hadn’t obtained consent from the users of Google Plus to share their information with the software developers, then, if the reports are correct, Google could well have problems with the FTC,” said David Vladeck, a professor at Georgetown Law School and the former director of the FTC’s Bureau of Consumer Protection. “Even if the problem was an unanticipated bug, what is Google’s defense for concealing that bug for six months?” Vladeck asked.
The FTC told me it doesn’t comment on specific incidents. (Google did not respond to my request for comment.) But agency Chairman Joe Simons said in a statement that “when we see a significant breach that puts consumers’ private data at risk, you can be assured that we will be looking into it. We are committed to holding companies accountable if their practices violate the law.” Details will matter here. And a lot depends on what Google told Google Plus users in its terms of service at the time they signed up for the service, according to Brookman. Another factor that might suggest restraint by the FTC is the number of users affected: 500,000 is a lot fewer users than, say, the approximately 50 million to 90 million Facebook users affected by the Cambridge Analytica scandal, as Soltani points out. “For an agency with limited resources it’s unclear whether they would actually pursue something like this unless Congress or others made an issue of it,” Soltani said.
But as of Wednesday, both Republican and Democratic lawmakers made it clear that Google’s privacy slip is part of the same privacy debate they’re having over Facebook. In a Senate Commerce Committee hearing on Wednesday, Sen. John Thune, a Republican from South Dakota and the chair of the committee, said, “In the wake of Facebook’s Cambridge Analytica scandal and other similar incidents, including a vulnerability in Google Plus accounts reported just this past week, it is increasingly clear that industry self-regulation in this area is not sufficient.” Thune stated that a more national privacy standard for such companies was needed. Sen. Richard Blumenthal, a Democrat from Connecticut, announced he would be ask the FTC to investigate Google. And Sen. Mark Warner, a Democrat from Virginia, wrote in a Twitter thread on Monday that he found Google’s decision to not disclose to be outrageous and lamented that Google was invited to testify to Congress last month but declined to send a top executive, leading the committee to place an empty chair in the hearing room. “It’s clear that Congress needs to step in,” Warner wrote.
Google CEO Sundar Pichai did finally agree at the end of September to testify to Congress. His company now has until Oct. 30 to respond to senators’ questions, while Pichai is scheduled to testify in front of the House Judiciary Committee sometime after the November midterm elections, though an exact date has not been set. One way or another, Google’s decision to keep the Google Plus bug to itself is not going away.