
U.S. Senators Demand Internal Memo Related to Google+ Incident

A group of United States senators on Thursday sent a letter to Google, urging it to provide an internal memo that supposedly explains why the company did not disclose the Google+ data exposure that was discovered in March. 

Affecting a Google+ API, the vulnerability provided applications with access to data they were not supposed to access, and up to 500,000 user accounts might have been impacted. The API had apparently been exposing user data since 2015.

Google claims it has no evidence of developers being aware of the bug or of account data being misused. However, the Internet giant decided to shut down the Google+ platform, citing low user interest and difficulties in making it successful. 

Amid privacy concerns arising from the Facebook-Cambridge Analytica scandal that erupted in March, the search company’s decision to cover up the flaw’s discovery doesn’t sit well with the privacy-conscious. The disclosure also cast a dark shadow over the launch of Google’s new phone, the Pixel 3.

Privacy concerns are what three U.S. senators underline in a letter (PDF) sent to Google chief executive officer Sundar Pichai.

They also question the Internet giant’s decision against a timely disclosure of the data exposure, as well as its willingness to inform the public when it becomes aware of any misuse of the impacted data.

The letter also mentions a Wall Street Journal article that refers to an internal Google memo detailing the factors that led the company to cover up the issue, such as fears that it would catch the attention of regulators and even draw comparisons to the Facebook privacy scandal.

“Data privacy is an issue of great concern for many Americans who use online services. Particularly in the wake of Cambridge Analytica controversy, customers’ trust in the companies that operate those services to keep their data secure has been shaken,” the letter reads. 

“It is for this reason that the reported contents of Google’s internal memo are so troubling. At the same time that Facebook was learning the important lesson that tech firms must be forthright with the public about privacy issues, Google apparently elected to withhold information about a relevant vulnerability for fear of public scrutiny,” the letter continues. 

What’s more, the senators mention the fact that, although Pichai testified in front of the Senate Commerce Committee on the issue of privacy only a couple of weeks ago, he did not mention the Google+ issue at the time. 

“Google must be more forthcoming with the public and lawmakers if the company is to maintain or regain the trust of the users of its services,” the letter continues. 

The senators ask Pichai to provide written responses to questions regarding when and how Google discovered the Google+ issue, why it chose not to disclose it, whether it informed federal agencies of the discovery, and whether there are any other incidents it chose not to disclose, among others.

On top of that, the senators, who urge Google to provide a copy of the internal memo cited in the Wall Street Journal, ask the search company whether users of free Google services “should be afforded the same level of notification and mitigation efforts as paid G Suite subscribers” (Google is apparently committed to informing G Suite users immediately of any incidents involving their data).

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
