Top Google Security Staff Warn Search Data Could Be Hacked if EU Rules Change
Google's top security staff warned that proposed European Union rules under the Digital Markets Act, requiring Google to open its search data and Android operating system to competitors, could lead to increased hacking of search queries and a rise in cybercrime. Heather Adkins, Google's vice president of security engineering, said the changes could result in significant fraud on Android within weeks of implementation. The European Commission is set to make final decisions next month.
Google’s top privacy and security staff have warned that plans in Europe, designed to get it to open up its search data and Android (https://www.wired.com/story/android-17-gemini-top-new-features/) operating system to competitors, could lead to people’s search queries being hacked and an increase in cybercrime across the continent, according to multiple interviews and documents shared with WIRED.
Mountain View’s alarm comes as European Commission officials are set to make final decisions next month in two cases, around Google Search and Android interoperability, under the European Union’s landmark Digital Markets Act (https://www.wired.com/story/digital-markets-act-messaging/) competition rules. The rules, which were first adopted at the end of 2022, are designed to force open Big Tech companies that dominate markets (https://www.wired.com/story/europe-dma-breaking-open-big-tech/), make it easier for others to compete, and reduce reliance on a handful of firms (https://www.wired.com/story/all-the-ways-europe-is-ditching-american-technology/).
Heather Adkins, Google’s vice president of security engineering and a founding member of its security team, says the company has concerns around the proposed changes for both Search and Android.
In April, the European Commission published initial details, plus now-closed public consultations, on how Google should open up its search data (https://digital-markets-act.ec.europa.eu/dma100209-consultation-proposed-measures-google-search-data-sharing_en)—sharing anonymized search data with rivals—and allowing other AI services to have more access to the Android (https://digital-markets-act.ec.europa.eu/dma100220-consultation-proposed-measures-interoperability-google-android-article-67-dma_en) operating system.
“If implemented as described today, I think within a short period of time on Android, we’d see a significant increase in fraud in the EU,” Adkins tells WIRED. “The fraudsters are creative and informed. Past implementation date, I would give it maybe weeks before we began to see an increase in fraud in Europe.”
Meanwhile, Adkins also claims the proposed changes to Google Search could result in people’s search queries being de-anonymized by bad actors and search data shared with small companies being a target for criminal hackers.
The European Commission’s proposals are complex, impact technical systems with billions of users, and are steeped in the continent’s competition laws. As European officials’ deadline of July 27 for announcing their final decisions approaches, Google has been increasingly vocal in its opposition to the parts of the plans it does not believe will work.
Some Google competitors, who could benefit from accessing the data, say the plans have fewer privacy and security impacts than has been suggested. These competitors, independent researchers, and academics who have responded to the consultations have pointed out how Europe’s plans could work and also potential flaws with them. Rebuttals and counter rebuttals have been issued as competition law collides with privacy impacts.
Spokespeople for the European Commission acknowledged WIRED’s request for comment but did not respond to questions about Google’s concerns.
Since the end of 2022, the Digital Markets Act has allowed European officials to designate tech companies that have large market shares as “gatekeepers” (https://digital-markets-act.ec.europa.eu/gatekeepers-portal_en) and use the rules to get them to open up their systems and data to competitors. Google parent company Alphabet, Amazon, Apple, Booking, ByteDance, Meta, and Microsoft are all considered gatekeepers, with their products—from LinkedIn and TikTok to Instagram and YouTube—being subject to the rules. Google’s search business, which is estimated (https://gs.statcounter.com/search-engine-market-share) to make up 90 percent of the worldwide search market, is, unsurprisingly, the only search engine covered by the rules.
Under the DMA, Google already shares some data (https://developers.google.com/search/help/about-search-data-program) with search engine competitors; however, the planned changes alter how this would work. The plans broadly say (https://digital-markets-act.ec.europa.eu/dma100209-consultation-proposed-measures-google-search-data-sharing_en) Google should provide online search engines with access to search data “on par” with the data that Google itself collects, including “any query input” people enter into Google Search plus some other metadata. Put simply: what people type into Google. It will also have to share click data and the ranking results of search queries.
“This is a unique data set which only Google has had access to for many, many years, and there’s not a straightforward way for any other competitor to build or obtain access to something similar,” says Alissa Cooper, the executive director of the tech policy research hub the Knight-Georgetown Institute (https://kgi.georgetown.edu/wp-content/uploads/2026/06/Knight-Georgetown-Institute-EU-DMA-Article-611-Public-Comment-4 30 26.pdf).
These sharing requirements, according to the EU’s proposals, are protected by anonymization methods to prevent individuals’ search queries from being linked back to them. Those measures will be accompanied by contracts between Google and search competitors that it shares data with, broadly saying they cannot try to reidentify users, link the search data with other information, and that information must be shared securely.
Google, however, claims in one document seen by WIRED that the proposed anonymization techniques contain “deep weaknesses” and it would have to release search data at “much higher levels of granularity” than it currently does. Google staff say they have proved the data can be reidentified, and if this is the case, “it is not anonymous in the first place.”
“Privacy engineers have proved that this data can be easily reidentified. If data can be reidentified, it is not anonymous in the first place. And the law specifically requires it to be anonymized,” says David Lewis, Google’s director of the company’s privacy advisory for Europe, the Middle East, and Africa. “Whether Google has a vested interest or not is irrelevant to the question of whether millions of people's most private questions may end up with someone they don't know and never expected would see their searches.”
The company previously said, according to Reuters’ reporting (https://www.reuters.com/sustainability/boards-policy-regulation/top-google-scientist-says-eu-data-measures-pose-privacy-risk-users-2026-05-05/), that its security red team could reidentify search users based on the data in “less than two hours.” The specific details of those tests have not been published.
“Anonymization is hard, and you’ve got to have the right technical experts at the table to come up with the solutions,” says Google’s Adkins, who suggests there is a “middle ground” to be found.
Adkins says large language models could also be an “ideal tool” for helping to de-anonymize data if it falls into malicious hands and adds that the company’s threat modeling also includes the data it shares being a target for hackers. “Our working assumption is, if we are asked to hand over data we lose control of it, and we just have no functional execution capability to secure it once it’s beyond the border of what we control,” Adkins says of the contractual approach outlined in the plans.
“If you’re a small European startup and you’re getting this data from Google, you’re going to get hacked, and that’s just the kind of reality of the situation,” Adkins claims. The proposals include requirements on companies receiving search data to undergo independent audits of their setups and how data will be securely stored.
Europe’s search proposals, plus Google’s response to them, have seen mixed and divisive views from privacy advocates, academics, and lawyers since they were released for public consideration in recent months. Independent security expert Lukasz Olejnik wrote (https://blog.lukaszolejnik.com/the-european-commission-is-turning-google-search-into-a-privacy-and-national-security-risk/) in a long blog post discussing possible risks that the “sanitization” measures around the data “are not adequate for this volume, scale, and privacy landscape.” The risks of reidentification of people’s search queries should be “evaluated” against the proposed protection systems around the data sharing, Lena Hornkohl, an assistant professor of European law at the University of Vienna, has written (https://legalblogs.wolterskluwer.com/competition-blog/unique-does-not-mean-identifiable-google-search-data-sharing-under-article-611-dma/).
Privacy-focused search engine Brave previously told Tech Radar (https://www.techradar.com/vpn/vpn-privacy-security/google-is-not-collaborative-and-not-in-the-spirit-of-complying-with-this-regulation-can-the-eu-commission-strong-arm-google-into-levelling-the-playing-field-of-the-search-engine-market-and-is-this-really-in-the-interest-of-your-privacy) it does not believe the current proposals would result in anonymous data and that they create a “severe privacy risk”—although it said the European Commission should take other measures to limit Google’s dominance instead.
Other competitors believe Google’s concerns are unfounded. “The legal standard here doesn’t require eliminating every theoretical risk of reidentification—it requires reducing it to an insignificant level, which the Commission's approach does,” suggests Kamyl Bazbaz, chief communications and policy officer at the privacy-focused search engine DuckDuckGo. “The concerns Google raises are addressable inside the existing framework.”
Cooper, from the Knight-Georgetown Institute, says the technical and contractual proposals put forward by the Commission appear to be a “very robust regime” and the data types that would be shared could “unlock” (https://www.techpolicy.press/designing-europes-search-data-sharing-rules-for-competition-in-the-ai-era/) more competition in search. However, she says the answers to privacy and security questions around anonymization and various risks are “knowable” as Google already has the data. “We propose that independent experts have access to the data and be able to validate the properties that the data-sharing is supposed to have,” Cooper says.
Away from search, the EU’s proposals for Android (https://digital-markets-act.ec.europa.eu/dma100220-consultation-proposed-measures-interoperability-google-android-article-67-dma_en) could see Google have to further open up the operating system to allow AI firms and agents to use “wake words” on phones and tablets, as well as potentially allowing AI services from other companies to interact with installed applications and data.
“I think we have the same goals in mind,” Eugene Liderman, the director of Google’s Android security team, tells WIRED, adding that speedily implementing the plans could create more risks. “It’s just that we have different opinions on how to get there and the pace at how we get there.”
Both Liderman and Adkins say Google is concerned that scammers and fraudsters could exploit greater access to apps’ permissions under the proposals. Liderman says providing extra access to microphones, cameras, and onscreen information permissions would undermine mobile security best practices. Apple has, in a rare move, also supported (https://www.reuters.com/sustainability/boards-policy-regulation/apple-criticises-eu-measures-help-ai-rivals-access-google-services-2026-05-13/) some of Google’s position on operating system access.
“We need to put the proper tools in place both from an OS perspective but also from a transparency and accreditation perspective,” Liderman says.