Advertisement

Slow disclosure of Google+ flaw draws attention of senators

Republican senators have written to Google CEO Sundar Pichai demanding to know why the company was reportedly slow to disclose a software flaw in its Google+ social network.
Google password
(Thomas Hawk / <a href="https://www.flickr.com/photos/thomashawk/24296985138">Flickr</a>)

Republican senators have written to Google CEO Sundar Pichai demanding to know why the company was reportedly slow to disclose a software flaw in its Google+ social network partly out of fear of drawing attention from regulators.

“Google must be more forthcoming with the public and lawmakers if the company is to maintain or regain the trust of the users of its services,” states the Oct. 11 letter from Sens. John Thune, S.D.,  Jerry Moran, Kan., and Roger Wicker, Miss. Thune chairs the Commerce, Science, and Transportation Committee.

The software flaw, which Google announced Monday, exposed profile data such as email addresses and age, through an API. The incident affected up to 500,000 accounts, according to Google, which shut down consumer use of Google+ in response.

Although the tech giant said it discovered and patched the bug in March, according to an internal company memo cited by the Wall Street Journal, Google officials worried that disclosing the incident would bring “immediate regulatory interest.”

Advertisement

The senators said they were “especially disappointed” that Google’s chief privacy officer, Keith Enright, did not mention the issue when testifying before the committee two weeks ago. The committee has taken a keen interest in software and hardware vulnerability disclosure, with Thune scolding Intel for not testifying before the panel on the Spectre and Meltdown chip flaws.

Thune, Moran, and Wicker want more details on how and when Google became aware of the bug in Google+ and what the company did in response. The lawmakers also asked Pichai if the company disclosed the software flaw to any federal agencies, including the Federal Trade Commission. “Are there similar incidents which have not been publicly disclosed?” the senators wrote.

Another of their questions is whether users of free Google users should get the same level of support following data privacy and security incidents as subscribers to the company’s paid “G Suite” tools.

The senators want a response from Google by Oct. 30, including a copy of the aforementioned internal memo.

You can read the full letter below.

Advertisement
Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts