Google concealed for more than six months its discovery of a bug that put at risk the personal data of hundreds of thousands of Google+ users, the company announced Monday, a disclosure that could trigger a new cycle of regulatory and political scrutiny.
The decision not to immediately report the software bug, made as part of a process that involved Chief Executive Sundar Pichai, was discussed in an internal document that expressed concerns about the company's reputation and the possibility of increased scrutiny from regulators, said a person familiar with internal deliberations at Google. This person, who requested anonymity to describe sensitive topics, said the document was not part of Google's official decision-making process.
Google discovered and fixed the software bug in March, according to a post published Monday on the company's blog. But delaying the disclosure until October could revive long-standing complaints from federal and state officials that tech giants such as Google are reckless about the privacy of users and are not sufficiently forthcoming when security breaches or other security incidents occur.
Google discovered the Google+ security bug the same month that Facebook, its Silicon Valley rival, was under scrutiny for allowing people affiliated with the political consultancy Cambridge Analytica to collect data on 87 million of Facebook's users. That incident prompted requests for Facebook's chief executive, Mark Zuckerberg, to testify on Capitol Hill. He did so in April.
On Monday, in its blog post, Google announced that it would largely shut down Google+, its failed social media offering, by limiting it to businesses and other business customers. The company also announced new restrictions on the information, such as call logs and contact lists, that external developers can gather on Android, the Google operating system used by most of the world's smartphones. It will also put new limits on the data shared about users of its popular email service, Gmail.
The blog post did not directly refer to the internal document expressing concerns about Google's reputation, the existence of which was first reported by The Wall Street Journal. The Journal also first reported that Pichai had knowledge of the incident and of the decision not to make an immediate announcement.
This revelation is likely to raise the stakes of his upcoming appearance before Congress, as technology companies wipe out conservative voices online. The date of this hearing has not yet been set.
Reports of the Google+ security bug have reopened long-standing complaints about how Google handles personal data. The privacy advocate Jeff Chester, of the Center for Digital Democracy, called the delay in revealing the software bug "a digital concealment" and said: "Google has demonstrated that we could not rely on it to protect privacy."
The incident at Google+ differs in many ways from the Facebook scandal with Cambridge Analytica, which sparked federal investigations by several agencies. An internal Google project, called Project Strobe, discovered a bug that allowed external software developers to potentially gain access to personally identifiable information about users, including their names, email addresses, ages, occupations, and relationship status.
However, the company stated that other information, such as phone numbers and social media posts, was not threatened and that it had no evidence to indicate that data had been improperly collected by third parties. A two-week review of data in March, the company said, revealed that up to 500,000 people may have had their information put at risk with the developers of 438 software applications.
"This review crystallized what we had known for a long time: namely that our engineering teams have devoted a lot of effort and dedication to building Google+ over the years, but that it has not been widely adopted by consumers or developers' applications," said the company's blog. "The consumer version of Google+ has low usage and engagement: 90% of Google+ user sessions last less than five seconds."
In the blog post, Google stated that it did not immediately announce the problems with Google+ because it did not know which users were affected, whether the data had been misused, or what affected users could do to protect themselves. The decision was made by a standing committee of the company, the Privacy and Data Protection Office, before being reviewed by the company's executives.
Other disclosures regarding poor data management have drawn the attention of the Securities and Exchange Commission, which is increasingly pushing companies to disclose data security incidents and has reopened its cybersecurity unit. This year, the SEC fined the company formerly known as Yahoo $35 million for failing to inform investors about a massive cyber-breach for two years, the first time that the regulator punished a corporation for such conduct.
"This is the kind of disclosure situation that the SEC will absolutely investigate," said John Reed Stark, who spent nearly 20 years in the SEC Enforcement Division and now heads a law firm for cybersecurity consulting. "The SEC's law enforcement staff is probably exploring Google's public statements and other statements to review all relevant statements."
Even if a third party did not exploit the security breach identified by Google, the SEC would probably want to know if investors are properly informed of the risks and the incident, Stark said.
The potential for new investigations extends beyond the SEC. The Federal Trade Commission has repeatedly investigated privacy incidents at Google and other large technology companies. In 2011, Google signed a consent decree with the FTC to resolve allegations that a previous social media platform, Google Buzz, was mishandling user data.
As part of this settlement, the company agreed to undergo 20 years of privacy audits and not to misrepresent its privacy policies. Google subsequently agreed to a record US $22.5 million FTC fine in 2012, after claims that it had changed the privacy settings of Apple's Safari browser to track users.
David Vladeck, former director of the FTC's Consumer Protection Bureau and now a law professor at Georgetown, said the new incident on Google+ was "clearly a problem for Google."
"If Google had not obtained the consent of Google+ users to share their information with software developers, it could well be that Google is having problems with the FTC," Vladeck said. "Even if the problem was an unanticipated bug, what is Google's defense for having hidden it for six months, especially if users could have taken steps to limit … sharing their data?"
There is also a risk of increased pressure in Congress. The Democrats pledged to strengthen regulation of the technology industry when they took over the House in the midterms. Last week, Silicon Valley representative Ro Khanna presented a list of privacy principles that he called the "Internet Rights Charter," including the right to be informed of the scope of use of the data.
"This kind of event is the reason why we need an Internet Rights Charter," Khanna said in a statement. "I hope many technology leaders will embrace this approach and advocate for well-designed regulation."