Senators ask FTC to investigate disclosure of Google+ vulnerability

The company knew about the security flaw potentially exposing personal data since March but didn't disclose it for more than half a year.

Alfred Ng Senior Reporter / CNET News

Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.

See full bio

Alfred Ng

Oct. 10, 2018 2:21 p.m. PT

2 min read

Senate Commerce Committee Holds Hearing On Consumer Data Privacy — Sen. Richard Blumenthal, second from the left, arrives for a hearing about consumer data privacy.
Chip Somodevilla/Getty Images

Google could face a Federal Trade Commission investigation over its Google+ security scare.

But the investigation wouldn't be over the vulnerability itself, which gave some third-party software developers access to private information on Google+. It would be over Google's decision not to disclose the security flaw when it fixed the problem in March.

On Google's blog post describing the vulnerability, the company said it chose not to alert the public at the time after finding that there was no evidence of data abuse and no way to accurately identify the people affected by the flaw. It also said it plans to shut down the social network permanently.

An internal memo suggested that Google did not disclose the issue because it didn't want to invite regulatory scrutiny, according to a report by The Wall Street Journal.

Now that decision itself could fall under regulatory scrutiny, as Sen. Richard Blumenthal, a Democrat from Connecticut, sent a letter to the FTC on Wednesday asking for an investigation into Google's decision against disclosure.

The letter is also signed by Sen. Edward Markey, a Democrat from Massachusetts and Sen. Tom Udall, a Democrat from New Mexico.

"The FTC should conduct a vigorous review whether the Google+ incident constitutes a breach of the company's consent decree or other commitments, and more broadly whether Google has engaged in deceptive acts and practices with respect to privacy," the letter reads.

Blumenthal said he would be sending this letter during a Senate hearing on data privacy on Wednesday, where he also asked Andrea Jelinek, the chair of the European Data Protection Board, if the European Union was investigating the same issue.

ICYMI: @SenBlumenthal saying that he plans on sending a letter to the FTC calling for an investigation into Google failing to disclose its Google Plus vulnerability pic.twitter.com/B1gBMNFMTi
— alfred 🆖 (@alfredwkng) October 10, 2018

Jelinek confirmed that European data regulators are investigating the issue, but not under the General Data Protection Regulation That's because the flaw had been discovered before May 25, when the EU regulation went into effect. So instead of an individual investigation from the GDPR, she noted, multiple entities in Europe, including Ireland and Hamburg's data regulators, will be investigating it.

"They will have to face more than one from the European authorities," Jelinek said.

Google has faced FTC scrutiny in the past, taking on a $22.5 million fine in 2012, the largest ever penalty for a violation at the time. Google didn't respond to a request for comment.

"The FTC does not comment on specific incidents or companies," FTC chairman Joe Simons said in a statement. "When we see a significant breach that puts consumers' private data at risk, you can be assured that we will be looking into it. We are committed to holding companies accountable if their practices violate the law."

You can read the full letter here:

The Honeymoon Is Over: Everything you need to know about why tech is under Washington's microscope.

Infowars and Silicon Valley: Everything you need to know about the tech industry's free speech debate.