Never have so many people cared so much about a social media platform that mattered so little. Last week, news broke that Google+, the Hindenburg of Facebook competitors, performed a relatively routine patch of a user privacy issue back in March. The story, which by all rights should have faded away quickly, instead has mushroomed into a major headache for Google. The big fuss doesn’t make much sense, until you consider Google’s recent history of questionable PR decisions.
At a September hearing over Russian interference in the 2016 presidential election, the Senate Intelligence Committee gave Google the “empty chair” treatment. Twitter’s CEO and Facebook COO showed up for questioning about social media sites’ susceptibility to foreign influence, but Google’s big shots stayed home. The committee responded by shaming the company with an empty witness chair ostentatiously marked “Google.”
A D.C. communications pro called Google’s decision not to show up “bizarre.” In words that have turned prophetic, Adam Goldberg of Trident DMG told Bloomberg: “If you’re not at the table, you’re on the menu, and Congress looks hungry.”
Little more than a month later, Google served itself up, piping hot, with the Google+ story. As the Wall Street Journal just reported, back in March Google discovered that Google+ “permitted developers to retrieve the data of some users who never intended to share it publicly.” The private information of half a million users could have been accessed by outside developers through this vulnerability. Google repaired the data security flaw but did not disclose it.
That all sounds bad, and it is, but it’s no Cambridge Analytica. In fact, it’s unclear whether Google acted outside the bounds of the law. New legislation that imposes duties on companies to report breaches–like the GDPR and the new California statute–may not come into play, given that Google can’t say whether any user data was actually taken. (Also, the GDPR wasn’t in effect in March; California’s law doesn’t take effect until 2020.) And while many predict the SEC will be sniffing around, it is at worst questionable whether Google’s actions violate the agency’s 2018 guidance on reporting cybersecurity breaches. That guidance specifically states that “We do not expect companies to publicly disclose specific, technical information about their cybersecurity systems” that would make them more vulnerable.
Cybersecurity experts are saying that the kind of fix that Google performed is a yawner–something that happens “thousands of times a year.” Going further, they say that requiring companies to report a flaw like the one in Google+, when Google can’t identify any individuals affected, would be counterproductive. It would give companies an incentive not to find security problems with their software.
The full context, then, is pretty favorable to Google–but government isn’t necessarily interested in the full context. The Judiciary Committee is still stung by Google’s refusal to send founder Larry Page or CEO Sundar Pichai to the September hearing. On Friday, Senator Grassley sent a harsh letter asking about the data exposure and taking the opportunity to lash out at the company again for its absence in September.
Worse, the Wall Street Journal report included damning details about why Google decided not to report the Google+ flaw. A memo from Google legal and policy personnel worried that disclosing the incident would result “in us coming into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal.” It went on to say that disclosure “almost guarantees Sundar will testify before Congress.”
Between then and now, the CEO has agreed to testify before the House Judiciary Committee in November. You can bet that its members are hungry, and sharpening their knives for the feast.