Getty
- Google exposed personal profile data of hundreds of thousands of Google+ users and then decided to not let people know, according to The Wall Street Journal.
- The Journal published excerpts from an explosive internal memo, in which Google's legal and policy staff advised the company's top executives to stay quiet about the issue.
- High among their concerns were Google being swept up in the Cambridge Analytica scandal, CEO Sundar Pichai having to give evidence to Congress, and coming under regulatory scrutiny.
- Google said it did not let people know because it did not have enough evidence about the breach.
Google was mired in its very own privacy scandal on Monday when The Wall Street Journal revealed that it exposed personal profile data of around 500,000 Google+ users - and then decided to not let people know.
The Journal published excerpts from an explosive internal memo, in which Google's legal and policy staff advised the company's executives to stay quiet about the issue after it was discovered by internal investigators in March.
The decision on whether to go public went before Google's Privacy and Data Protection Office, a board of senior executives who oversee privacy matters. CEO Sundar Pichai was also briefed, the Journal reported. In other words, people at the very top of the company were aware of the plan to keep quiet.
The memo included some key reasons for keeping the data snafu under wraps. Let's look at each in turn:
1. Admitting the problem could have thrust Google "into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal."
Of all the reasons that Google did not go public, this is perhaps the most potent. The incident was discovered in the same month that it was revealed that Cambridge Analytica harvested the data of 50 million Facebook users.
Although the Google+ breach was on a much smaller scale, it appears that staff were anxious about the possibility of Google being swept up in the tsunami of bad press that engulfed Facebook, which ultimately wiped $60 billion off the social network's value.
2. It "almost guarantees Sundar will testify before Congress."
Google's legal and policy staff were worried that Pichai would be hauled in front of lawmakers to give evidence on the privacy problem.
This was the case for Facebook CEO Mark Zuckerberg, who was subjected to a two-day grilling in Washington. Zuckerberg also embarked on an apology tour that included an appearance in front of the European Parliament.
Google's top executives have displayed a reluctance to appear in front of Congress recently. Both Pichai and Alphabet CEO Larry Page declined to give evidence to the Senate Intelligence Committee last month.
Senators were so frustrated, they empty chaired Google at the hearing on election interference, where Facebook COO Sheryl Sandberg and Twitter CEO Jack Dorsey were represented.
3. The breach would spark "immediate regulatory interest"
The Journal reported that Google would have examined "a patchwork of state laws with differing standards" in determining whether to go public with the Google+ incident, given there's no federal breach notification law.
The incident also happened before the EU's GDPR data protection laws came into force in May. Still, Facebook's Cambridge Analytica breach was revealed in March, and that didn't prevent a £500,000 ($652,000) fine by Britain's Information Commissioner's Office.
Google could also face class-action lawsuits over its decision not to disclose the incident, according to the Journal. Facebook is dealing with similar legal threats.
Google's explanation
Google published a lengthy blog on Monday setting out the data breach and its decision to shut down Google+ for consumers. Within the blog, it explained why users were not notified earlier this year. Google said:
"Every year, we send millions of notifications to users about privacy and security bugs and issues. Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice.
"Our Privacy & Data Protection Office reviewed this issue, looking at the type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response. None of these thresholds were met in this instance."
Get the latest Google stock price here.