Google has been accused by one of its investors of trying to cover up and downplay a security blunder in Google+ could have caused the leak of half-a-million netizens' data.
Nearly 500 third-party applications could have accessed the names, email addresses, and ages of roughly 500,000 people, thanks to a privacy screw-up by the doomed social network. Google continues to insist it was all no big deal because it couldn't find any evidence the security weakness had been exploited.
The State of Rhode Island's pensions fund is not happy with that position, however, and has joined a combined lawsuit against the internet giant's parent Alphabet for failing to disclose the bug before it was exposed by the press.
If you imagine a pensions fund would provide dry legal argument, however, you'd be wrong. Right out the gate, the organization's submitted paperwork [PDF] – filed this week – goes for it: "By March 2018, data security at Google, whose entire existence depends on consumers trusting it with their private information, was a sinking ship."
"Defendants [Alphabet] stumbled upon a 'bug' they had overlooked for years, which potentially exposed hundreds of millions of users’ private information; they had no way to determine the extent of harm from it; they learned more bugs were likely coming, but were so helpless to stop them, they had to prepare to shut down the world’s fifth-largest social-media network; and all of this was happening at a time when Congressional hearings into consumer data leaks were underway and the markets were pummeling Facebook for its data-security failings."
Blimey. And then, before you have a chance to catch your breath, it's off again.
"So Defendants decided to deceive investors by portraying Google’s data-security situation as completely unchanged and themselves as completely trustworthy. Defendants’ uncandid approach continues with their MTD, which refuses to accept the facts as alleged in the Complaint and baselessly alleges new facts to contest them."
It comes to the defense of the original litigant – another investor – fuming that Google claims his case "fails to allege materiality" despite "allegations of a threat to Defendants’ 'lifeblood' that would be 'devastating' and could render Google 'worthless'."
And then it goes all-in on the sinking ship analogy, mocking Google's response that the security hole was "quickly remediated", arguing that "just like the Titanic’s course was 'quickly remediated' – after Captain Smith had failed to avoid a collision."
It says Google's response [PDF] and its legal arguments to have the case dismissed "defy facts" and "violate the rules of engagement" while remaining "inadequate." In short, it's not very happy with Google.
Alphabet top brass OK'd $100m-plus payouts to execs accused of sexual misconduct – court docsREAD MORE
It was back in October that Google admitted that it had found a huge bug in its Google+ social media effort eight months earlier. But it only revealed that fact after it had been exposed in a Wall Street Journal article. It killed the ailing service in response.
Google execs say they decided not to disclose the bug's existence, despite the potential severity, because they claimed it hadn't been noticed and exploited. Security researchers attacked the article as "fear mongering."
But investors felt differently. Its stock price fell and the company was hit with a lawsuit within a week. Google's response, at the end of May, was to ask for the entire case to be dismissed because, it claimed, the lawsuit had selectively chosen excerpts from the article, a subsequent Google blog post and an SEC filing and wasn't a fair or accurate representation of what really happened.
Just a bug, man
At the center of Google's argument is that it was only a bug and that no "breach" occurred and so it wasn't required to disclose the issue publicly. It notes that the Wall Street Journal removed the word "breach" from its article and replaced it with "bug" soon after Google contacted it about the piece.
But the State of Rhode Island's pensions fund points to internal Google documents that show executives were warned that the "Three-Year Bug" would likely trigger "immediate regulatory interest" and well as put them "into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal." Revealing the bug would "almost guarantee [Google CEO] Sundar [Pichai] will testify before Congress," the internal memo said.
Around the same time, Google filed its quarterly SEC reports and made no mention of the bug's discovery. And that is the core of the lawsuit against Google: they should have revealed the bug to investors but didn't out of their own self-interest.
The legal filing argues that rather than come clean "Pichai and other senior Google executives, including the other Individual Defendants, decided to prepare to shutdown Google+, the world’s fifth largest social media network, and approved a plan to conceal everything."
The judge in the case is currently considering whether the throw the case in response to Google's request, or reject its appeal and allow it to move forward. ®