Chuck Grassley

United States Senator from Iowa

Instagram

Flickr

Twitter

Facebook

Grassley: Google Must Explain Why It Failed to Disclose Data Vulnerability to Congress, Public

Oct 12, 2018

WASHINGTON – Senate Judiciary Committee Chairman Chuck Grassley of Iowa called on Google to explain what steps it is taking to protect the personal information of its platform users following revelations that glitches exposing personal information on the social platform Google+ went unaddressed for three years.

In a letter to Google CEO Sundar Pichai, Grassley noted that, according to news reports, Google was aware of the glitch in March. Around that same time, Grassley invited representatives from Google and Twitter to join Facebook CEO Mark Zuckerberg at an April 10 hearing on consumer data privacy on social media platforms. Google declined to participate, claiming that it didn’t have the same data privacy issues as Facebook. Google later provided information on how users and third party developers can control and access data.

“Despite your contention that Google did not have the same data protection failures as Facebook, it appears from recent reports that Google+ had an almost identical feature to Facebook, which allowed third party developers to access information from users as well as private information of those users’ connections. Moreover, it appears that you were aware of this issue at the time I invited you to participate in the hearing and sent you the letter regarding Google’s policies,” Grassley wrote. 

In the letter, Grassley requested details on actions Google has taken to ensure that user data was not improperly used by or transferred to third parties. In addition, Grassley asked why it took so long for Google to identify the glitch and why the company chose not to disclose it to users or Congress.

Full text of Grassley’s letter to Google follows:

 

Sundar Pichai

Chief Executive Officer

Google Inc.

1600 Amphitheatre Parkway

Mountain View, CA 94043

 

Dear Mr. Pichai:

I write with regard to recent troubling reports that Google exposed the private data of approximately 500,000 Google+ users and then failed to disclose the glitch, despite knowing about it since March. According to the Wall Street Journal:

A software glitch in the social site gave outside developers potential access to private Google+ profile data between 2015 and March 2018, when internal investigators discovered and fixed the issue, according to the documents and people briefed on the incident. A memo reviewed by the Journal prepared by Google’s legal and policy staff and shared with senior executives warned that disclosing the incident would likely trigger “immediate regulatory interest” and invite comparisons to Facebook’s leak of user information to data firm Cambridge Analytica.[1]

In March of this year, data privacy and social media was in the spotlight thanks to events surrounding Facebook and Cambridge Analytica.  I convened a hearing with the CEO of Facebook on April 10, 2018, and according to his testimony, a feature in Facebook’s application programming interface, or API, allowed third party developers to pull information not just from users of an application, but also that user’s friends, even if the friend had made their information private. This feature allowed Cambridge Analytica and other applications to potentially pull data from millions of users for purposes beyond the terms of the underlying application.

At the time, I invited you and the CEO of Twitter to participate in the hearing to discuss the future of data privacy in the social media industry. I thought it was important to get input from the leading technology companies on how to develop “rules of the road” that encourage tailored approaches to privacy that satisfy consumer expectations while maintaining incentives for innovation. Your office, however, declined to come before Congress and the American people, asserting that the problems surrounding Facebook and Cambridge Analytica did not involve Google.   

Given your and Google’s unwillingness to participate, I sent you a letter seeking information on Google’s current data privacy policies, specifically as they relate to Google’s third party developer APIs. Your responses to my questions highlighted Google’s application verification process, the continuous monitoring of applications through machine learning, and the use of manual audits, all to ensure robust protection of user data.

Despite your contention that Google did not have the same data protection failures as Facebook, it appears from recent reports that Google+ had an almost identical feature to Facebook, which allowed third party developers to access information from users as well as private information of those users’ connections. Moreover, it appears that you were aware of this issue at the time I invited you to participate in the hearing and sent you the letter regarding Google’s policies. 

It is the Committee’s duty to conduct oversight of the laws and policies governing the collection, protection, use, and dissemination of commercial information.  In that light, it is important that the Committee fully understand how Google manages and monitors user privacy for the significant amounts of data that it collects. Accordingly, please provide a response in writing by no later than October 26, 2018, to the following questions:

  1. What specific actions has Google taken to ensure that user data was not improperly used or transferred by a third party developer during the three years this glitch existed?
  2. Has Google performed audits of third party developers as a result of the glitch? If not, why not? Is Google planning on performing additional audits?
  3. Is it possible today, for Google determine what information has been collected by third party developers during the three years this glitch existed?
  4. Is it possible today, for Google to determine whether any information collected by third party developers were improperly transferred?
  5. Based on Google’s active monitoring, why did it take three years to find the glitch?
  6. Why was this glitch not disclosed to users in March when Google became aware of it?
  7. Why was this glitch not disclosed to Congress in March when Google became aware of it?

Thank you in advance for your prompt attention to these matters. 

 

[1] Douglas MacMillan and Robert McMillan, Google Exposed User Data, Feared Repercussions of Disclosing to Public, Wall Street Journal (October 8, 2018), available at https://www.wsj.com/articles/google-exposed-user-data-feared-repercussions-of-disclosing-to-public-1539017194.

-30-