Senate Republicans demand Google hand over memo advising it to hide data vulnerability

A trio of top Senate Republicans is demanding that Google hand over an internal memo that reportedly advised the company not to disclose a vulnerability that exposed hundreds of thousands of Google Plus users because it would draw attention from regulators.

The Wall Street Journal reported the existence of the memo on Monday shortly before Google revealed the software bug that exposed the private information of up to 500,000 users of its social media platform to third-party developers.

The memo from Google’s legal and policy staff advised the company’s leadership that going public about the vulnerability would invite “immediate regulatory interest” at a time when fellow tech giant Facebook is facing a firestorm over its Cambridge Analytica scandal.

{mosads}On Thursday, Senate Commerce Committee Chairman John Thune (R-S.D.) sent a letter to Google demanding answers.

“At the same time that Facebook was learning the important lesson that tech firms must be forthright with the public about privacy issues, Google apparently elected to withhold information about a relevant vulnerability for fear of public scrutiny,” the letter reads. “We are especially disappointed given that Google’s chief privacy officer testified before the Senate Commerce Committee on the issue of privacy on September 26, 2018—just two weeks ago—and did not take the opportunity to provide information regarding this very relevant issue to the Committee.”

The letter was also signed by two Republicans chairman of subcommittees with oversight of technology companies, Sens. Jerry Moran (Kan.) and Roger Wicker (Miss.).

A spokeswoman for Google did not immediately respond when asked for comment by The Hill.

The company has said that it didn’t immediately disclose the incident because it couldn’t determine the extent of the exposure. It has also announced that it will shut down Google Plus.

Lawmakers have been lashing out at Google since the vulnerability and the delayed disclosure were revealed this week. The internet search giant is required by a 2011 settlement with the Federal Trade Commission (FTC) to submit to independent audits of its privacy program every two years.

The Hill reported this week that the latest privacy audit by the accounting firm Ernst and Young cleared Google’s privacy practices. Though it’s heavily redacted, the document appears to make no mention of the incident.

In his letter, Thune asked if Google had disclosed the vulnerability to Ernst and Young and, if it hadn’t, to explain the decision to withhold the information.

“As the Senate Commerce Committee works toward legislation that establishes a nationwide privacy framework to protect consumer data, improving transparency will be an essential pillar of the effort to restore Americans’ faith in the services they use,” the letter reads. “It is for this reason that the reported contents of Google’s internal memo are so troubling.”