Google Warns EU Data-Sharing Rules Could Enable Search Hacking

Google's senior security and privacy executives are raising alarms that European Union regulations designed to increase competition could create significant cybersecurity vulnerabilities, according to interviews and documents obtained by WIRED.

The warnings center on two pending decisions under the EU's Digital Markets Act, which European Commission officials are expected to finalize by July 27. The regulations would require Google to share anonymized search query data with competitors and grant AI services deeper access to the Android operating system.

Security team flags reidentification risks

Heather Adkins, Google's vice president of security engineering and a founding member of its security team, told WIRED that the proposed Android changes could trigger a measurable increase in fraud within weeks of implementation. "The fraudsters are creative and informed," Adkins said. "Past implementation [date], I would give it maybe weeks before we began to see an increase in fraud in Europe."

The search data-sharing requirements present different concerns. Under the proposals, Google would provide competitors with access to user search queries, click data, and ranking results at granularity levels the company says exceed current practices. While the EU plans include anonymization requirements and contractual restrictions preventing reidentification, Google maintains its privacy engineers demonstrated the data could be reidentified in under two hours.

David Lewis, Google's director of privacy advisory for Europe, the Middle East, and Africa, argued that if reidentification is possible, the data fails to meet the law's anonymization standard. The company also warns that smaller startups receiving this data would become targets for hackers, with Google losing any ability to secure information once transferred.

Why it matters

The dispute highlights a fundamental tension in technology regulation: balancing competition policy with security and privacy protections. The Digital Markets Act represents Europe's most aggressive attempt to break Big Tech monopolies, designating companies including Alphabet, Amazon, Apple, Meta, and Microsoft as "gatekeepers" subject to data-sharing requirements. How regulators resolve Google's security objections will set precedent for similar cases and determine whether opening closed ecosystems necessarily compromises user protection.

Competing views on technical safeguards

Not everyone accepts Google's assessment. Kamyl Bazbaz, chief communications and policy officer at DuckDuckGo, said the legal standard requires reducing reidentification risk to insignificant levels, not eliminating every theoretical possibility. "The concerns Google raises are addressable inside the existing framework," Bazbaz stated.

Alissa Cooper, executive director of the Knight-Georgetown Institute, described the Commission's technical and contractual proposals as a "very robust regime." She suggested independent experts should validate the anonymization properties rather than relying solely on Google's internal testing.

The Android proposals would allow AI services from other companies to use wake words and interact with installed applications—changes Google's Android security director Eugene Liderman said could undermine mobile security best practices by expanding access to microphones, cameras, and onscreen information. Apple has taken the unusual step of supporting aspects of Google's position on operating system access.

The European Commission acknowledged WIRED's request for comment but did not respond to specific questions about Google's security concerns. The details were first reported by WIRED.