United States Senate
COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
WASHINGTON, DC 20510-6125

October 11, 2018

Mr. Sundar Pichai
Chief Executive Officer
Google, Inc.
1600 Amphitheatre Parkway
Mountain View, CA 94043

Dear Mr. Pichai:

Earlier this week, the Wall Street Journal reported[1] that, last March, Google discovered a vulnerability in its Google+ social network platform that had potentially left the private profile information of nearly 500,000 users exposed to app developers since 2015. Google reportedly opted not to disclose the existence of the issue at the time due, in part, to an inability to determine whether the vulnerability had in fact been exploited by any app developer to access private user data or which users were affected. But according to an internal memo cited in the article, a factor in Google's decision not to disclose the vulnerability was fear that doing so would draw "immediate regulatory interest," bring Google "into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal," and "almost [guarantee] Sundar will testify before Congress."

Data privacy is an issue of great concern for many Americans who use online services. Particularly in the wake of the Cambridge Analytica controversy, consumers' trust in the companies that operate those services to keep their private data secure has been shaken. As the Senate Commerce Committee works toward legislation that establishes a nationwide privacy framework to protect consumer data, improving transparency will be an essential pillar of the effort to restore Americans' faith in the services they use.

It is for this reason that the reported contents of Google's internal memo are so troubling.
At the same time that Facebook was learning the important lesson that tech firms must be forthright with the public about privacy issues, Google apparently elected to withhold information about a relevant vulnerability for fear of public scrutiny. We are especially disappointed given that Google's chief privacy officer testified before the Senate Commerce Committee on the issue of privacy on September 26, 2018, just two weeks ago, and did not take the opportunity to provide information regarding this very relevant issue to the Committee.

[1] Douglas MacMillan and Robert McMillan, Google Exposed User Data, Feared Repercussions of Disclosing to Public, WALL ST. J., Oct. 8, 2018.

Google must be more forthcoming with the public and lawmakers if the company is to maintain or regain the trust of the users of its services. Therefore, we request your written responses to the following questions.

1) Please describe in detail when and how Google became aware of this vulnerability and what actions Google took to remedy it.

2) An October 8, 2018 Google blog post stated that the company found no evidence of misuse of profile data as a result of the Google+ vulnerability.[2] If Google finds such evidence in the future, will you commit to informing this Committee, required law enforcement and regulatory agencies, and affected users?

3) Why did Google choose not to disclose the vulnerability, to the Committee or to the public, until many months after it was discovered?

4) Did Google disclose the vulnerability to any federal agencies, including the Federal Trade Commission (FTC), prior to public disclosure?

5) Did Google disclose the vulnerability to its Independent Assessor tasked with examining Google's Privacy Program as part of the Agreement Containing Consent Order File No. 1023136 between Google and the FTC? If not, why not?
6) Are there similar incidents which have not been publicly disclosed?

7) Do you believe that all users of free Google services who provide data to the company should be afforded the same level of notification and mitigation efforts as paid G Suite subscribers in the event of an incident involving their data?[3]

8) Please provide a copy of Google's internal memo cited in the Wall Street Journal article.

[2] Ben Smith, Project Strobe: Protecting your data, improving our third-party APIs, and sunsetting consumer Google+, Google: The Keyword (Oct. 8, 2018).

[3] "In its contracts with paid users of G Suite apps, Google tells customers it will notify them about any incidents involving their data 'promptly and without undue delay' and will 'promptly take reasonable steps to minimize harm.' That requirement may not apply to Google+ profile data, even if it belonged to a G Suite customer." Douglas MacMillan and Robert McMillan, supra note 1.

Please provide your written response as soon as possible, but by no later than 5:00 p.m. on October 30, 2018. Please also arrange for a staff briefing on this matter by contacting Jason Van Beek of the Committee staff at (202) 224-1251. Thank you for your prompt attention to this important matter.

Sincerely,

JOHN THUNE
Chairman
Committee on Commerce, Science, and Transportation

ROGER F. WICKER
Chairman
Subcommittee on Communications, Technology, Innovation, and the Internet

JERRY MORAN
Chairman
Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security

cc: The Honorable Bill Nelson, Ranking Member