After months of avoiding the national spotlight, Google has landed in the hot seat of social media privacy breaches. On Thursday, three Republican U.S. senators sent a letter to Google CEO Sundar Pichai demanding answers regarding the security bug that attacked their now-defunct social media platform, Google Plus.

Earlier this week, Google announced in a blog post that they would be shuttering the infrequently used Google Plus and that the private data of at least 500,000 users may have been exposed between 2015 and March 2018. The announcement disclosed that hundreds of external developers may have had access to data that wasn’t marked as public from users who never consented to Google sharing their information. Google only publicly came forward with information regarding the exposure after the Wall Street Journal broke the story on Oct. 8.

According to an internal memo quoted in the Journal, Google advisers were concerned that if they went public with news of the data exposure they would face the same wrath as seen in Facebook’s Cambridge Analytica data scandal. Google executives decided to follow this advice.

Rather than go public with information regarding the widespread exposure as soon as they discovered it in March 2018, Google quickly and quietly remedied the problem. As Facebook CEO Mark Zuckerberg fell into the spotlight over privacy policies and faced two days of Congressional questioning, Google was able to keep its scandalously patched up exposure under wraps for over six months.

Despite the strong comparisons between the two tech giants, Google may not be held to the same standards as Facebook. In Google’s case, there was a data “exposure” rather than a data “breach.” This small detail means that Google may not have been required by law to make the incident public. There are no clear-cut federal laws regarding the steps following a social media platform exposing the personal information of its users, but Google does have its own set of federal guidelines it is meant to follow.

In 2011, the Federal Trade Commission imposed a consent decree on Google regarding user data. The agency, which handles consumer-protection issues, had found that Google was mishandling the private data of its users on Buzz, the search giant’s earlier social media project. Regarding the current incident with Google Plus, it is still uncertain if they violated that decree.

“The 2011 Google order prohibits misrepresentations, specifically referencing misrepresentations about the efficacy of privacy controls. The order also says if you’re going to share data with third parties in a new way from what users were told, you need opt-in consent,” said Justin Brookman, a previous policy director of the FTC’s Office of Technology Research and Investigation.

According to Ashkan Soltani, a previous chief technologist at the FTC, Google’s misstep could be interpreted as a violation of the order. The security bug that caused the exposure revealed the personal data of users that went beyond what the users had agreed to share. Soltani says that the decree doesn’t discriminate between whether the exposure causes harm or not. As long as there was a time of deception on the part of Google, they could face serious fines.

Even if a ruling finds that Google participated in that deception for just two days, the company would face a charge of $16,000 per day per individual violation. With approximately 500,000 users affected, that brings the charges to about $16 billion, although the FTC would likely not charge the fine in full.

As of now, it is unclear how the FTC will proceed with its charges against Google. According to Brookman, how the FTC proceeds will depend on what exactly Google Plus stipulated in its terms of service when users signed up for the platform. The number of users that the exposure affected may also steer the FTC towards more lenient charges. The Cambridge Analytica scandal affected anywhere between 50 and 90 million Facebook users. In comparison, the 500,000 Google Plus users with exposed information are small fish for the FTC.

“For an agency with limited resources it’s unclear whether they would actually pursue something like this unless Congress or others made an issue of it,” said Soltani.
The apparent catch is that lawmakers are making an issue of it. Regardless of how many people were affected, members of Congress from both sides of party lines seem to view Google’s data exposure and Facebook’s privacy breach as two sides of the same coin.

A hearing of the Senate Commerce Committee was held on Wednesday to discuss this most recent privacy slip. The chair of the committee, Senator John Thune (R) from South Dakota, called for a stronger national privacy standard for companies such as Google and Facebook.

“In the wake of Facebook’s Cambridge Analytica scandal and other similar incidents, including a vulnerability in Google Plus accounts reported just this past week, it is increasingly clear that industry self-regulation in this area is not sufficient,” said Thune.

The Democrats are calling for action regarding Google’s data exposure as well. On Wednesday, Senators Richard Blumenthal from Connecticut, Edward Markey from Massachusetts, and Mark Warner from Virginia, sent a letter to the FTC asking for an investigation regarding Google’s decision to not disclose the vulnerability of Google Plus.

Warner tweeted earlier in the week about his belief that Google needed to work with Congress to protect the data of American users. In his twitter thread, Warner also mentioned that Congress’s Intel Committee invited Google to testify last month, but the company declined to send a top executive.

At the end of September, Google CEO Sundar Pichai agreed to testify to Congress. No exact date has been set, but he will testify in front of the House Judiciary Committee sometime after the November midterm elections.

In the meantime, Google must address the questions set forth by the letter sent by Republican senators to Pichai. In their letter, Senators Thune, Roger Wicke from Mississippi, and Jerry Moran from Kansas requested information and documentation regarding the security bug that caused the data exposure. The senators referenced the internal memo that was quoted in the Journal and requested a copy of that memo as well. The letter drew direct comparisons to Facebook’s Cambridge Analytica scandal.
“At the same time that Facebook was learning the important lesson that tech firms must be forthright with the public about privacy issues, Google apparently elected to withhold information about a relevant vulnerability for fear of public scrutiny,” reads the senators’ letter.

The senators express disappointment in the letter that Keith Enright, Google’s chief privacy officer who had attended a committee hearing on privacy just two weeks prior, didn’t disclose any information about this major privacy issue. Moreover, the letter directly questions why Google did not make their data vulnerability publicly known as soon as the company discovered it.

Google has until Oct. 30 to respond to the questions that the senators laid out in their letter.