Google erred by not disclosing to users of Google+, the long struggling social network, that their personal data was left exposed to third-party developers, say legal and security experts.
And now, Google could face serious consequences for not being more forthcoming, the experts said.
On Monday, The Wall Street Journal reported that a software glitch led to the sharing of personal-profile information belonging to 500,000 Google+ users with third-party developers. In addition, The Journal wrote that Google managers chose not to disclose the security lapse to the public for fear that it might draw the attention of regulators.
Not revealing what happened much earlier was a mistake, according to Joseph Moreno, a former federal prosecutor who now oversees cybersecurity cases at the law firm of Cadwalader, Wickersham & Taft.
“You get out in front of these things,” Moreno said. “The worst thing is to downplay it or stall or pretend that it didn’t happen. Now, you run the risk of walking into the type of government oversight that you said you were afraid of.”
Moreno and other legal and security experts who spoke to Business Insider said the situation at Google+ could give US lawmakers one more reason to adopt the kind of increased oversight that the European Union implemented this year. It’s safe to say that nobody in tech wants more government regulation.
Google responded to The Journal’s story with a blog post downplaying the impact of the security lapse. The company said it could find no sign that anyone had done anything nefarious with the exposed information, which in itself was little more than names, email addresses and occupations.
One fact not brought up in the blog post, but one that might have worked in Google’s favor, is that Google+ had only limped along for years and never seriously challenged Facebook.
The service, launched in 2011, was once compared to a digital ghost town. All this would seem to suggest that there wasn’t much at stake.
But one of the problems with Google’s explanation is the internal memo that The Journal’s reporters said they reviewed. According to them, Google’s lawyers and policy experts warned managers that if they disclosed the security lapse at Google+, it would potentially harm the company’s reputation and invite “immediate regulatory interest.”
If the security lapse resulted in so little harm, as Google says now, why did the company’s own lawyers fear the lapse being made public?
Whatever happened, it is this kind of tendency to withhold information that has led regulators in the US and Europe to distrust big US tech companies, says Cory Cowgill, chief technology officer at Fusion Risk Management, which sells enterprise risk-management software.
“When this kind of thing happens,” said Cowgill, “it validates the people who say, ‘We need more transparency and more regulation.'”
Margrethe Vestager, the Danish politician who serves as European Commissioner for Competition, could be among the people who feel validated. In May, the European Union implemented the General Data Protection Regulation (GDPR), a new and stricter set of regulations designed to protect data and privacy.
It’s hard to know how the EU might respond to the Journal story, says Cowgill. He said that for starters, GDPR went into effect in May and Google fixed the software bug two months before that. He also said GDPR requires site owners to disclose a security breach within 72 hours to users who are impacted. In this case, there’s no proof that Google+ suffered a breach.
But Cowgill says a lack of transparency goes to the heart of what GDPR and the EU are trying to snuff out.
“What happened at Google+,” said Cowgill, “goes straight to the heart of the trust issue.”