An independent auditing firm signed off on Google’s privacy practices earlier this year after the internet giant had discovered a software bug that exposed private information on potentially hundreds of thousands of users.
The Hill obtained a redacted copy of the assessment conducted by the accounting firm Ernst and Young through a Freedom of Information Act request. The report concluded that Google had comprehensive privacy protections in place and that it was in compliance with a 2011 privacy settlement with the Federal Trade Commission (FTC).
The latest audit was submitted to the FTC in June and covered a two-year period: April 2016 through April.
“[Google’s] privacy controls are operating with sufficient effectiveness to provide reasonable assurance to protect the privacy of covered information and have so operated throughout the Reporting Period,” Ernst and Young wrote in the audit.
On Monday, Google disclosed that it had discovered a security flaw in March, during the period covered by the audit. That security flaw gave third-party developers access to data on as many as 500,000 users of Google Plus, the company’s social media app.
Google said part of the reason it decided not to reveal the incident in March was because it could not determine the full effect of the exposure.
“Our Privacy & Data Protection Office reviewed this issue, looking at the type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response,” Ben Smith, Google’s vice president of engineering, said Monday in a blog post. “None of these thresholds were met in this instance.”
The audit is likely to raise new questions about how Google handled the potential breach and the criteria auditors are using to assess companies’ privacy policies.
Google agreed in 2011 to submit to independent privacy assessments every two years as part of a settlement with the FTC over charges that it had deceived users about its privacy practices.
Because much of Ernst and Young’s audit is redacted, it’s not entirely clear if Google disclosed the incident to the firm. But it appears that the auditors didn’t find any potential issues that would have raised red flags for them. The criteria that the firm used to assess Google’s privacy policies were redacted from the document.
Ernst and Young did not immediately respond to a request for comment from The Hill.
Google is now responding to the incident by shutting down Google Plus for consumers and restricting third-party access to some user information.
Google said that as many as 438 app developers may have been able to access some Google Plus users’ information that had been set to private, including names, email addresses and occupations. The company said that while it’s not able to fully determine which users were affected, it has found no evidence that any developers accessed the information or that any accounts were abused.
The Google Plus incident could potentially lead to an FTC probe into whether the internet search giant violated the terms of the settlement, which requires Google to clearly disclose all information sharing with third parties to users.
The FTC has faced questions in recent months about whether it’s equipped to police internet companies and whether such consent agreements are an effective deterrent against privacy violations.
“The FTC does not comment on specific incidents or companies,” FTC Chairman Joseph Simons said in an emailed statement to The Hill. “When we see a significant breach that puts consumers’ private data at risk, you can be assured that we will be looking into it.”
“We are committed to holding companies accountable if their practices violate the law,” Simons added.
The Wall Street Journal on Monday reported that part of the reason Google didn’t go public about the incident was that it would invite scrutiny from regulators at a time when Facebook was facing its own crisis over the Cambridge Analytica scandal.
Facebook, which is under a similar FTC settlement, had its privacy program cleared by PricewaterhouseCoopers during the period in which it discovered, and decided not to disclose, the massive Cambridge Analytica data leak, which saw Facebook data on millions of users end up in the hands of a right-wing political consulting firm.
That incident opened Facebook up to investigations from the FTC, the Department of Justice and the Securities and Exchange Commission. Both companies face the possibility of massive fines if they’re found to have violated their respective consent agreements.
Updated at 2:13 p.m.