Commerce Committee Leaders Seek Google+ Memo on Vulnerability

October 11, 2018

WASHINGTON - U.S. Sens. John Thune (R-S.D.), chairman of the Committee on Commerce, Science, and Transportation, Roger Wicker (R-Miss.), chairman of the Subcommittee on Communications, Technology, Innovation, and the Internet, and Jerry Moran (R-Kan.), chairman of the Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security, today, in a letter to Google CEO Sundar Pichai, requested a copy of an internal memo and answers about a security vulnerability placing private user information at risk. The memo, according to press reports, advocated against public disclosure of the vulnerability on the grounds that it would attract the potential attention of regulators and Congress.

Excerpt from the letter to Google:

“As the Senate Commerce Committee works toward legislation that establishes a nationwide privacy framework to protect consumer data, improving transparency will be an essential pillar of the effort to restore Americans’ faith in the services they use. It is for this reason that the reported contents of Google’s internal memo are so troubling.”

The letter requests the following information from Google:

  1. Please describe in detail when and how Google became aware of this vulnerability and what actions Google took to remedy it.
  2. An October 8, 2018, Google blog post stated that the company found no evidence of misuse of profile data as a result of this Google+ vulnerability. If Google discovers any such evidence in the future, will you commit to promptly informing this Committee, required law enforcement and regulatory agencies, and affected users?
  3. Why did Google choose not to disclose the vulnerability, including to the Committee or to the public, until many months after it was discovered?
  4. Did Google disclose the vulnerability to any federal agencies, including the Federal Trade Commission (FTC), prior to public disclosure?
  5. Did Google disclose the vulnerability to its Independent Assessor tasked with examining Google’s Privacy Program as part of the Agreement Containing Consent Order File No. 1023136 between Google and the FTC? If not, why not?
  6. Are there similar incidents which have not been publicly disclosed?
  7. Do you believe all users of free Google services who provide data to the company should be afforded the same level of notification and mitigation efforts as paid G Suite subscribers in the event of an incident involving their data?
  8. Please provide a copy of Google’s internal memo cited in the Wall Street Journal article.

The lawmakers’ letter requests that Google provide the requested information by October 30.

