Google has responded to a bug in its Google+ service by ending the service and adding several privacy changes.
However, one report said that when the tech giant first realized in March that account information of 500,000 users was potentially compromised, it wanted to keep mum for fear of government action.
Google put a brave face on the developments Monday when it announced the issue in a blog post.
Private information such as a user’s name, email address, occupation, gender and age could have been vulnerable, Google admitted.
“We ran a detailed analysis over the two weeks prior to patching the bug, and from that analysis, the Profiles of up to 500,000 Google+ accounts were potentially affected. Our analysis showed that up to 438 applications may have used this API,” the post said, adding that Google found no evidence any private information was misused.
The blog post implied this was just part of the routine battle for privacy that is part of the online world.
“Every year, we send millions of notifications to users about privacy and security bugs and issues,” the blog post said. “Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice.”
But while Google was patting itself on the back, The Wall Street Journal reported that the company wanted to keep the breach quiet to avoid the incident leading to government action in response.
The breach was discovered in March, and spanned three years. The Journal reported that its reporters were shown a memo from Google’s legal and policy staff warning against disclosing what had happened because it would trigger “immediate regulatory interest.”
Revealing the incident would likely result “in us coming into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal,” the memo said.
Disclosure “almost guarantees Sundar will testify before Congress,” referring to Google CEO Sundar Pichai.
The Journal reported that a Google spokesperson explained the decision not to disclose the breach initially.
Google considered “whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response,” the spokesperson said. “None of these thresholds were met here.”
However, The Washington Post reported that based on the type of personal information that was available, “Some of that qualifies as legally protected personally identifiable information, and its exposure could trigger scrutiny from federal and state regulators.”
The lack of disclosure could still be trouble for Google, said Al Saikali, a lawyer with Shook, Hardy & Bacon LLP, who said class action lawsuits could be possible.
“The story here that the plaintiffs will tell is that Google knew something here and hid it. That by itself is enough to make the lawyers salivate,” he said.
Google said that its Google+ social service failed to attract consumers, noting that 90 percent of Google+ user sessions last fewer than 5 seconds. Google+ will fade away after 10 months, the company said.
Truth and Accuracy
We are committed to truth and accuracy in all of our journalism. Read our editorial standards.