
Google+ vulnerability comes under fire in Senate hearing


It’s the first big move from Congress following the data exposure report


At a congressional privacy hearing Wednesday, Sen. Richard Blumenthal (D-CT) called for an investigation into the data exposure that resulted in the shutdown of the Google+ social media network. Hours later, a group of senators, including Blumenthal, sent a letter to the Federal Trade Commission calling for the agency to take action.

In March of this year, Google discovered a bug in a Google+ API that exposed and had the potential to leak the private information of its users, as reported by The Wall Street Journal, although the exposure was kept secret for months afterward. After the news of the vulnerability surfaced, Google announced that it would begin shutting down Google+’s consumer offering over the next 10 months.

Google never disclosed this exposure to its users for fear of poor press, a decision that came under fire from senators during today’s hearing. No personal data was leaked as a result of the exposure, so it did not trigger any current breach disclosure laws. However, senators were concerned about Google’s attempt to hide the exposure from its users. “I think this kind of deliberate concealment is absolutely intolerable,” Blumenthal said.

In the letter, the lawmakers point out that Google has already been put on notice by the FTC twice, once in 2011 following the launch of its first social network, Google Buzz. Google agreed to a settlement that included a consent decree, prohibiting the company from “misrepresenting the privacy of personal information.”

The senators claimed that Google’s inaction following the discovery of the Google+ vulnerability could put the company in violation of that consent decree and that the velocity at which the company has grown may be cause enough for another investigation. “Google now bears little resemblance to the company it was at the time of the consent decree, necessitating a renewed investigation into its privacy practices across its range of products and activities,” the lawmakers wrote.

Google’s data exposure was not the focus of Wednesday’s hearing, but several senators on both sides of the aisle invoked the incident as an example of why federal privacy legislation is necessary. The chairman of the committee, Sen. John Thune (R-SD), said in his opening statement that following Monday’s Google+ reporting, “it is increasingly clear that industry self-regulation in this area is not sufficient.”

“This incident further highlights the need for a closer look at how we might structure data breach notification in federal legislation,” Sen. Maggie Hassan (D-NH) said, “as it is really concerning to me that an incident affecting this many people didn’t have to be disclosed publicly.”

In September, Google CEO Sundar Pichai drew heavy criticism from lawmakers for missing a Senate Intelligence hearing on social media manipulation, leaving an empty chair for Google alongside Twitter CEO Jack Dorsey and Facebook COO Sheryl Sandberg. Pichai is scheduled to appear before the Judiciary Committee in November.

“If the FTC finds problematic conduct, we encourage you to act decisively to end this pattern of behavior through substantial financial penalties and strong legal remedies,” the senators wrote.

Update 5:37PM ET: The story was updated to include a description of the lawmakers’ letter, and additional information about their claims.