Hexbyte Hacker News Computers
US Senator Richard Blumenthal pens a letter urging the FTC “to immediately open an investigation into Google’s exposure of private information from Google+ users and this alleged concealment in its handling of consumer data.”
On Monday Google announced it was shutting down the consumer-facing part of Google+ after nearly 500,000 “users’ full names, email addresses, birth dates, gender, profile photos, places lived, occupation and relationship status were potentially exposed,” according to TechCrunch.
Yesterday Senator Blumenthal pleaded that the FTC “should conduct a vigorous review whether the Google+ incident constitutes a breach of the company’s consent decree or other commitments, and more broadly whether Google has engaged in deceptive acts and practices with respect to privacy.
“If the FTC finds problematic conduct, we encourage you to act decisively to end this pattern of behavior through substantial financial penalties and strong legal remedies.”
While security problems are not uncommon, Google’s concealment of this issue is troubling.
The US senator echoed the word’s of Buzzfeed tech reporter Ryan Mac, who tweeted this week, “The story here isn’t really the potential data breach (which may affected hundreds of thousands) or that Google is shutting down Google+. It’s that Google’s execs knowingly avoided disclosing an issue because they knew it’d invite gov scrutiny & bad PR.”
The story here isn’t really the potential data breach (which may affected hundreds of thousands) or that Google is shutting down Google+.
It’s that Google’s execs knowingly avoided disclosing an issue because they knew it’d invite gov scrutiny & bad PR. https://t.co/ZILkPrZxqC
— Ryan Mac (@RMac18) October 8, 2018
A Google spokesperson said of the alleged coverup that “its data protection team had decided that there was no need to inform consumers since it didn’t appear that any ‘misuse’ had occurred and no discernible pool of users had been affected,” according to AdWeek.
These denials clash with the fact that Google has insufficient records to determine whether a breach occurred
Senator Blumenthal fired back in his letter, saying, “The awareness and approval by Google management to not disclose represents a culture of concealment and opacity set from the top of the company.”
Google claims that it “found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any Profile data was misused.”
However, “These denials clash with the fact that Google has insufficient records to determine whether a breach occurred. According to its statement, the company only kept logs for two weeks. Google can only account for whether the vulnerability had been exploited in the weeks preceding its discovery. As such, we may never know the full extent of the damage caused by the failure to provide adequate controls and protection to users,” wrote Blumenthal.
It is time for the FTC to thoroughly reassess Google’s privacy practices and put into place rules that finally protect consumers
According to an AP investigation into how Google operates, “Google wants to know where you go so badly that it records your movements even when you explicitly tell it not to.”
The US senator echoed these words as well, saying, “Most consumers do not understand the level, granularity, and reach of Google’s data collection, a fact exacerbated by any possible breaches of trust. Researchers, civil society, and members of Congress have raised an expansive set of privacy concerns to the FTC, including its location monitoring; acquisition of sales data; tracking of non-Google users across the web; and scanning of emails. These allegations raise new issues relevant to the consent decree that should be in the scope of the FTC’s review.”
“This failure to adequately disclose the Google+ vulnerability calls into question Google’s compliance with the consent decree’s requirements to respect privacy settings and protect private information,” the senator went on.
“It is time for the FTC to thoroughly reassess Google’s privacy practices and put into place rules that finally protect consumers.”