LONDON - Google is inadvertently making the case for tough data-security laws. The search giant’s alleged coyness over a security hole underlines that companies can’t be trusted to disclose when users’ data is at risk.

Parent group Alphabet said in a blog post on Monday that it is shutting down the consumer version of its flailing social network Google+. An internal review found a bug that allowed third-party apps to access bits of users’ profiles that weren’t supposed to be public. The up-for-grabs data included names, email addresses, occupation, gender and age.

It’s a far cry from, say, Facebook’s Cambridge Analytica scandal - where information of up to 87 million users may have been improperly shared with political consultancy Cambridge Analytica. Google immediately patched the bug in March, and said up to 500,000 accounts were potentially affected. It found no evidence that third-party developers were even aware of the security hole, or that any data was misused.

Still, the company’s failure to notify users back in March helps validate tough privacy laws like Europe’s General Data Protection Regulation (GDPR) introduced in May. Google says the issue didn’t meet any of its thresholds for disclosure, including evidence of misuse or whether it could identify the right users to inform. Yet the Wall Street Journal, citing an internal memo shared with senior executives, reported that Google kept it secret for fear that disclosure would invite comparisons with the Facebook scandal and “immediate regulatory interest”.

Ironically, Google’s lack of transparency is the best argument for a regulatory crackdown. It’s hardly surprising that companies would consider commercial implications when deciding what to make public. That’s why the matter should be out of their hands. Europe’s GDPR, which took effect after Google found the bug, obliges companies to notify authorities of personal data breaches within 72 hours. It’s unclear whether that standard would have applied in this case, since Google’s bug looks more like a potential hole than an actual breach. But the search giant’s instinct to keep things secret is a reminder of why such provisions are necessary. U.S. lawmakers should take note.

On Twitter https://twitter.com/liamwardproud

CONTEXT NEWS

- Alphabet Inc's Google will shut down the consumer version of social network Google+ and tighten data sharing policies after announcing on Sept. 8 that private profile data of at least 500,000 users may have been exposed to hundreds of external developers.

- The issue was discovered and patched in March as part of a review of how Google shares data with other applications, Google said in a blog post. No developer exploited the vulnerability or misused data, the review found.

- The Wall Street Journal reported earlier that Google opted not to disclose the security issue due to fears of regulatory scrutiny, citing unnamed sources and a memo prepared by Google's legal and policy staff for senior executives.

- Google declined to comment beyond its blog post.

- Google said on Sept. 8 that none of the thresholds it requires to disclose a breach were met after reviewing the type of data involved, whether it could identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take to protect themselves.

(Editing by George Hay and Bob Cervi)

© Reuters News 2018