Alphabet still can't kill off Google+ insecurity lawsuit
You forgot about this social network? A small army of lawyers haven't
On Monday the US Supreme Court turned down Alphabet's request to hear it argue for the dismissal of a shareholder lawsuit that claimed Google quietly covered up a security issue that could have exposed almost 500,000 Google+ accounts.
A lawsuit filed in 2018 accused the search giant of deceiving investors by failing to disclose details of a design blunder in an API for its now-defunct social network Google+. It was estimated that 438 third-party apps could have siphoned off information, such as people's email addresses, genders, and ages, via the privacy shortcoming in the API.
It was believed as many as 500,000 users could have had their info obtained through this bug, though it's not thought any data actually leaked. Google secretly patched the hole, and everything was hunky-dory until the Wall Street Journal blew the lid off the saga. Google's share price dropped sharply at the disclosure, prompting investors to sue its parent biz Alphabet for failing to disclose the issue.
Other shareholders, such as the State of Rhode Island's pensions fund, joined the lawsuit, alleging private securities fraud. Alphabet successfully persuaded US District Judge Jeffrey White in San Francisco to dismiss the case [PDF] in 2020. Alphabet's lawyers argued that since no data was ever spilled, the incident was not a security breach and Google was not obligated to disclose the issue.
The plaintiffs didn't give up, however, and fought to overturn the decision at the Court of Appeals for the Ninth Circuit. A panel of judges sided with the shareholders, and the case was revived in 2021.
"Two statements made by Alphabet in its quarterly reports filed with the SEC on Form 10-Q omitted material facts necessary to make the statements not misleading," according to the bench [PDF].
The shareholders had "raised a strong inference that defendant Lawrence Page and therefore Alphabet, knew about the Three-Year Bug, the Privacy Bug, and a Privacy Bug Memo, and that Alphabet intentionally did not disclose this information in its 10-Q statements," the judges ruled.
- Alphabet in the soup for keeping quiet about Google+ data leak bug
- Latest Google+ flaw leads Chocolate Factory to shut down site early
- No return of the JEDI: Supreme Court declines to hear Oracle's challenge to now-dead cloud deal
- No day in court: US Foreign Intelligence Surveillance Court rulings will stay a secret
In an attempt to quash the case once again, Alphabet decided to take its arguments all the way to the Supreme Court. But America's highest judges rejected Alphabet's appeal, and decided they won't be hearing the case at all, so the lawsuit can continue.
Google did not immediately respond to The Register's questions. ®
- App stores
- Black Hat
- Common Vulnerability Scoring System
- Cybersecurity and Infrastructure Security Agency
- Cybersecurity Information Sharing Act
- Data Breach
- Data Protection
- Data Theft
- Digital certificate
- Google AI
- Google Cloud Platform
- Google Nest
- G Suite
- Identity Theft
- Kenna Security
- Palo Alto Networks
- Privacy Sandbox
- Tavis Ormandy
- Trusted Platform Module
- Zero trust