Cybersecurity

Google Warns EU Search Data Sharing Could Spark Cybercrime Surge

Top Google security officials have raised alarms over planned European Union rules requiring Google to share its Search data and Android system access with competitors. They forecast that the proposed changes could lead to the de-anonymization of users’ search queries and spark a surge in cybercrime, including widespread fraud, according to multiple interviews and leaked company documents reviewed by WIRED.

What Happened

Under the EU’s Digital Markets Act (DMA), regulators are preparing decisions expected by July 27 to enforce data-sharing requirements on Google to promote competition. The DMA designates Google as a “gatekeeper” with a dominant market position in search and mobile operating systems. Consequently, Google must provide rival search engines with access to detailed search data—such as user queries, click data, and rankings—and open Android features to allow greater interoperability with AI services.

Google’s security leaders, including Heather Adkins, vice president of security engineering, and Eugene Liderman, director of Android security, warn that sharing search data at the granular levels demanded may allow cybercriminals to reverse-engineer anonymized data and identify individual users. They also caution that opening Android’s permissions to outside AI agents could enable fraudsters to exploit app permissions, microphones, and cameras, increasing the risk of scams and cyberattacks throughout the EU.
These concerns emerged after Google’s internal red team demonstrated that users could be re-identified from the shared search data within hours, a process that contradicts the EU’s requirement for fully anonymized data. Google also contends that once data leaves its control, it cannot guarantee its security, especially when shared with smaller tech firms that could become prime hacking targets.

Key Facts

The DMA came into effect at the end of 2022, targeting Big Tech firms such as Google, Apple, Amazon, Meta, Microsoft, and others as gatekeepers. Google Search holds approximately 90% of the global search market and is uniquely subject to these new data-sharing rules. The European Commission’s proposals include contractual safeguards requiring recipients to not attempt reidentification and to keep data secure, alongside independent audits of their security practices.

However, Google’s privacy advisory director for EMEA, David Lewis, stated that these protections rely heavily on legal agreements rather than robust technical guarantees. Google’s internal testing showed user data could be de-anonymized “in less than two hours” based on shared data granularity, though exact methods remain undisclosed. Similar concerns apply to Android interoperability rules that could expand third-party app and AI permission access.

What This Means

The warnings by Google’s security team highlight the delicate balance between enforcing competition law and protecting user privacy and cybersecurity. If user search data can be de-anonymized, personal and sensitive information may be exposed to malicious actors, potentially leading to privacy breaches and further criminal exploits.

For European users, this could mean an increased risk of personal data misuse, identity theft, or fraud originating from misappropriated search patterns or metadata. The potential expansion of app permissions on Android devices also raises the stakes for mobile security, potentially enabling unauthorized access to cameras or microphones by malicious software gaining entry via AI-enabled features. This could undermine mobile device security best practices that have protected millions to date.

Google’s cautionary stance suggests that technical and legal frameworks proposed must be rigorously tested and adjusted to ensure that increasing market competition does not inadvertently create new cybersecurity vulnerabilities. The ongoing debate also underscores the challenges regulators face in designing interoperability requirements that do not compromise security, especially when dealing with massive data sets held by dominant platforms.

Background

The Digital Markets Act aims to dismantle monopolistic control by technology giants by enforcing interoperability and data-sharing requirements. Google already shares some search data with competitors under DMA rules; however, recent EU proposals would significantly expand this data sharing. The debate reflects broader tensions between tech innovation, competition, privacy, and security concerns across the EU digital single market.

What Remains Unclear

It remains uncertain how the European Commission will finalize the data-sharing and Android interoperability rules by the July 27 deadline. The adequacy of anonymization techniques as well as the enforceability of contracts preventing data misuse are still under scrutiny. The Commission has not publicly responded to Google’s specific security warnings. It is also unclear how fast smaller competitors can implement the required security measures to protect user data once obtained.

Sources

This article is based on reporting and publicly available information from the following sources:

Read more Cybersecurity stories on Goka World News.

Ethan Clarke
About the editor

Ethan Clarke

Ethan Clarke Role: Cybersecurity Editor Ethan Clarke covers cybersecurity incidents, data breaches, online threats, ransomware, software vulnerabilities, and digital safety. His reporting focuses on confirmed details, affected systems, official advisories, and practical context without making unsupported accusations.

View all posts by Ethan Clarke