Three senior Republican senators on Thursday asked Google to disclose more information about the leadership team's decision not to publicly admit for months that data from approximately 500,000 users had been shared with external developers.
Senate Commerce Committee Chairman John Thune and two subcommittee chairmen, Sen. Roger Wicker of Mississippi and Sen. Jerry Moran of Kansas, told Google CEO Sundar Pichai they found his company's handling of the Google+ incident to be "troubling" and were "especially disappointed" a company official did not share the discovery during a recent visit to Capitol Hill.
"As the Senate Commerce Committee works toward legislation that establishes a nationwide privacy framework to protect consumer data, improving transparency will be an essential pillar of the effort to restore Americans' faith in the services they use," the senators wrote in the letter. "It is for this reason that the reported contents of Google's internal memo are so troubling."
“At the same time that Facebook was learning the important lesson that tech firms must be forthright with the public about privacy issues, Google apparently elected to withhold information about a relevant vulnerability for fear of public scrutiny,” they said.
Google announced earlier this week it was suspending the consumer version of Google+ due to data "exposure." Since the incident is not technically a "breach," the company's legal responsibility to have reported it at the time is unclear.
An internal memo drafted by legal and policy staff stated that going public with news of the exposure could prompt "immediate regulatory interest."
Lawmakers said Google's handling of the discovery was jarring.
“Google must be more forthcoming with the public and lawmakers if the company is to maintain or regain the trust of the users of its services,” they wrote.
The senators have asked Google to respond to their letter by Oct. 30 and to share more information about the events surrounding the discovery of the exposure, the internal email chain regarding how it would respond to the incident, and whether it reported the incident to federal regulators.