California-based tech giant tried to conceal a data leak for fear of PR fallout and stricter regulations.
This March, while Facebook founder Mark Zuckerberg was being grilled by the US Congress over personal data harvested by Cambridge Analytica, Google discovered their very own leak: a ‘bug’ in the API of Google+ (the company’s own reviled attempt at a social network) had allowed third-party developers to access the data of users and their friends.
This bug was strikingly similar to the slipup that saw Mark Zuckerberg dragged in front of the US Congress, and Google were very eager to avoid such high-profile scrutiny. So, what did Google do when confronted with a massive data leak (which potentially affected 500,000 accounts, according to Google’s own figures)?
They tried to brush it under the rug, instructing employees not to disclose the leak in an internal memo.
Obviously, that didn’t work, but why was Google so eager to avoid the spotlight? Because disclosing the data leak would end “in us coming into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal”, Google policy and legal officials wrote in a memo.
Furthermore, Google officials feared that it “almost guarantees Sundar [Pichai, CEO of Google] will testify before Congress” which would result in unwanted scrutiny. This would be a nightmare for the tech giant, as was the Cambridge Analytica scandal for Facebook, especially since a growing number of media outlets, journalists and politicians assert that Google has overt political bias and is restricting the free and fair flow of information online.
Shortly after this leak was reported by the Wall Street Journal, Google announced a shutdown of Google+ (at least for consumers) and greater privacy protections for third-party apps. So, months after the leak – which affected as many as 500,000 accounts according to Google’s figures – they just shut it down.
Many people considered this little more than damage control or a too-little-too-late solution, and Google has done little to ameliorate the situation, since they have no way of knowing which apps accessed users’ private data, because the API logs were deleted. In a blog post about this shutdown, Ben Smith (the vice-president of engineering) claimed that “We found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any profile data was misused,” seemingly to absolve Google of responsibility.
Google officials then went on to claim that they had no obligation to disclose this leak to their customers, or users, referring to state law in California, which only requires companies to disclose data leaks if they include an individual’s name and their Social Security number, ID card or driver’s license number, license plate, medical information or health insurance information.
However, the announcement (which came months after the event) was of no comfort to users, as Google couldn’t say what was leaked or to whom. Google then went on to announce a series of changes to its privacy policies, increasing user awareness and control over their data.
After this scandal, many users still feel aggrieved over the leak. They criticise Google’s lack of transparency, accountability and the fact that Google only implemented policy changes after being confronted over the leak.
After all this, one question remains: What consequences, if any, will Google face for leaking the data of hundreds of thousands of users?
In the wake of GDPR, heightened tensions and greater legal scrutiny, this leak has the potential to cripple the company with lawsuits, fines and restrictions, so it’s no wonder Google tried to cover it up. No, the wonder is in what comes out of this leak, and how Google will deal with it. As Google is based in California, we Brits can only watch on as they are dealt with under US law.
Regardless of what comes next, most people are in favour of transparency and accountability from large tech companies, so legal action on this leak is widely supported. Some people theorise that this case may snowball into a thorough investigation of Google, as many of their recent actions threaten freedom of information world-wide, notably their co-operation with the authoritarian Chinese regime.
As Google continuously chooses profit and power over morals and freedom – going so far as to remove their former corporate code of conduct, “don’t be evil”, and to work with the Chinese government to create a censored search engine – we should be worried.
We should be worried that a multi-billion-dollar, global tech company is restricting our access to facts and news, cherry-picking what we can see. We should be worried that they are selling (or leaking) our personal data off to third parties. We should be worried that they are resisting any inspections or investigations, burying information that is in the public interest. We should be worried that they are publicly shaming, smearing and firing employees (like James Damore) who speak out about the censorious work politics.
But it’s hard to get worried without an understanding of the situation, and it appears Google will continue to stand in the way of free and impartial access to information as long as they’re allowed to operate without safeguards. I, for one, hope that this case results in Google having to face the music for their problematic approach to privacy and security.