When Alphabet Inc. launched its Google+ social network, it was hoping to introduce a new service that would compete effectively with Facebook, by attracting its Gmail and G Suite users to add Google+ to their daily activities. As is true of many new product and service introductions though, Google+ has been plagued by challenges, and it never quite achieved the reach that Alphabet had hoped to attain. In this sense, it remains unlike Facebook.
But in another sense, Google+ offers a striking similarity to Facebook: It too was subject to a massive data breach, similar to the infamous Cambridge Analytica scandal. Specifically, starting some time in 2015 and extending into early 2018, when the loophole was finally discovered, developers working within the Google+ network were able to access vast amounts of data, including not just information that users had explicitly given them permission to view but also other, unpermitted information from these users, as well as data about their unwitting friends. A glitch in the interface meant that these developers could access even information that friends of the users had marked as private.
Perhaps even more notable, though, is what Google did once it uncovered the problem. Arguing that it could not precisely identify who had been affected or the extent to which their data were vulnerable, an internal memo (which came to light only recently) recommended that the company avoid disclosing the incident. The rationale was that because these data spanned such a long period of time, the relevant activity logs had already been discarded. Furthermore, Google does not track what developers do with users’ data, so it could not reach out to affected consumers to alert them.
But the internal memo also reveals another, perhaps less compelling justification for refusing to disclose the breach. It notes that the disclosure would probably invoke “immediate regulatory interest,” spark comparisons with the Cambridge Analytica scandal, force Google’s CEO to testify in regulatory hearings, and, ultimately, cause substantial damage to the company’s reputation.
There are no precise regulations in the United States for when a company must disclose privacy breaches. Although the recently passed European General Data Protection Regulation (GDPR) would have required Google to make the issue public, the breach was discovered before it went into effect, so the company was not subject to those regulations. In this sense, its failure to disclose was not illegal. But was it ethical?
1. Did Google do the right thing in choosing not to disclose this breach?
2. More broadly, who should make the decision about what needs to be disclosed and what does not, when it comes to data privacy?
Source: Douglas MacMillan and Robert McMillan, “Google Exposed User Data, Feared Repercussions of Disclosing to Public,” The Wall Street Journal, October 8, 2018.