Heather Adkins has spent years building Google’s defenses against the world’s most determined attackers. As vice president of security engineering and a founding member of the company’s security team, she rarely speaks out publicly. Yet in recent weeks she has issued stark warnings about plans from Brussels. The European Union’s drive to open up Google Search data and loosen controls on Android, she says, could hand hackers and fraudsters new openings they will quickly exploit.
Adkins is not alone. Other senior Google privacy and security staff have joined the pushback. Their message is blunt. Proposals under the Digital Markets Act to force sharing of granular search queries, clicks and rankings risk exposing millions of Europeans’ most intimate questions. Health concerns. Financial worries. Family matters. Once that data leaves Google’s tightly controlled systems, the company claims it cannot guarantee its safety.
The WIRED report published today lays out the details. Drawing on interviews and internal documents, it reveals how Google’s top experts view the EU’s timetable and technical requirements as dangerously rushed. Adkins told the publication that if the Android changes roll out as currently described, “we’d see a significant increase in fraud in the EU.” She added a chilling timeline. “The fraudsters are creative and informed. Past implementation [date], I would give it maybe weeks before we began to see an increase in fraud in Europe.”
Short. Direct. And rooted in years of watching how quickly attackers adapt.
At the heart of the dispute sits Article 6(11) of the DMA. The measure requires Google to share search data “on par” with what it collects itself. That means individual query inputs, associated metadata, click patterns and ranking signals. All to be provided to rival search engines and AI-powered services. The goal is straightforward. Break Google’s near 90 percent grip on European search and let competitors build better alternatives, especially in the age of AI.
But the mechanics worry Google’s engineers. The European Commission has proposed that this data be anonymized before sharing. Contracts would bind recipients not to reidentify users or combine the data with other sources. Independent audits would check compliance. Yet Adkins and her colleagues argue these safeguards contain deep weaknesses.
“Privacy engineers have proved that this data can be easily reidentified,” David Lewis, Google’s director of privacy advisory for Europe, the Middle East and Africa, told WIRED. “If data can be reidentified, it is not anonymous in the first place. And the law specifically requires it to be anonymized.” He went further. Whether Google has a commercial interest is beside the point. The real question is whether millions of people’s most private searches end up in the hands of strangers they never expected to see them.
Google has reportedly demonstrated internally that its own red team could reidentify users from the proposed data sets in less than two hours. The company also warns that large language models now make de-anonymization easier than ever. Feed the shared data into the right model and patterns emerge. A single unusual query combined with a click on a specific result can suddenly point back to an individual.
And then there is the hacking risk. Google’s working assumption, Adkins explained, is that once data leaves its control, the company has no ability to secure it. Small European startups receiving daily feeds of this information would become prime targets. “If you’re a small European startup and you’re getting this data from Google, you’re going to get hacked, and that’s just the kind of reality of the situation,” she said.
The concerns extend beyond search. Parallel DMA proceedings target Android interoperability. Proposals could require Google to let third-party AI services use wake words on devices, interact more deeply with installed apps, and gain broader access to permissions for microphones, cameras and on-screen data. Eugene Liderman, director of Google’s Android security team, told WIRED the company shares the EU’s goals but disagrees sharply on pace and method.
“I think we have the same goals in mind,” Liderman said. “It’s just that we have different opinions on how to get there and the pace at how we get there.” Both he and Adkins fear fraudsters would abuse expanded permissions to bypass mobile security best practices that have taken years to establish.
Apple, rarely aligned with Google on regulatory matters, has backed parts of this position on operating system access. The rare alignment underscores how seriously some in the industry take the risks.
These warnings arrive at a pivotal moment. The European Commission must issue final decisions by July 27 on both the search data and Android measures. Earlier this year it opened specification proceedings to define exactly how Google must comply. A January report from The Wall Street Journal first signaled that detailed guidance was coming, noting Google’s fears that further rules could compromise user privacy, security and innovation.
Independent experts and competitors have pushed back. Some argue the Commission’s proposed contractual and technical controls reduce reidentification risk to an insignificant level. DuckDuckGo’s chief communications and policy officer Kamyl Bazbaz has said Google’s concerns are addressable within the existing framework. The Knight-Georgetown Institute suggested independent experts should review the actual data to validate the safeguards.
Yet a May analysis from the Center for Cybersecurity Policy and Law raised similar red flags to Google’s. It highlighted the sensitivity of sharing highly granular query, click, view and ranking data at the individual record level on a daily basis with a wide range of recipients, including chatbots. The group warned that such distribution multiplies entry points for malicious actors and that anonymization techniques may not hold against evolving AI capabilities. It urged narrower scope, stronger oversight and limits on sharing with entities outside EU jurisdiction.
The debate is not abstract. Search data reveals more about people than many realize. A query about symptoms, loans or relationship problems can expose vulnerabilities. In the wrong hands that information fuels phishing, blackmail, identity theft or targeted scams. Scale that across hundreds of millions of users and the potential for widespread harm grows.
Google already shares some search data under existing DMA obligations. The new proposals go much further in volume, granularity and frequency. They also expand eligible recipients beyond traditional search rivals to AI services where search is only one feature.
Adkins has suggested a middle ground may exist. She noted that anonymization is difficult work requiring the right experts. Large language models could help with de-anonymization in malicious hands, she added, but the same technology might also strengthen protections if applied thoughtfully.
But time is short. The July deadline looms. European officials face pressure to deliver tangible competition gains after years of drafting and consultation. Google, for its part, has grown more vocal as decisions near.
The company insists its objections are technical, not commercial. Its security staff have spent careers defending user data against state actors, criminal gangs and opportunistic hackers. They know how quickly defenses crumble when new data flows and new access points are introduced without rigorous testing.
Critics counter that Google has every incentive to slow measures that could erode its market power. They point to past instances where the company resisted regulatory changes only to adapt successfully later. Some privacy advocates worry the warnings could be overstated to preserve dominance in AI-powered search.
Still, the specificity of the concerns stands out. References to red team exercises, reidentification proofs, fraud timelines measured in weeks, and the vulnerability of small startups receiving sensitive feeds suggest more than generic lobbying.
Recent incidents add context. Hackers have targeted Google data in the past. Separate breaches at European institutions have shown how even well-guarded organizations can lose control of sensitive records. The Council of Europe suffered a claimed breach this month exposing HR and payroll data. Such events remind regulators that data in motion or in new hands carries risk.
So far the European Commission has not publicly detailed responses to Google’s specific technical objections. Spokespeople acknowledged requests for comment but offered no further statement to WIRED.
The coming weeks will prove decisive. If the Commission proceeds with its current approach, Google’s security leaders predict measurable rises in fraud and successful attacks on shared data stores. If it adjusts the requirements, it may blunt the competitive impact it seeks.
Either way, the tension between competition policy and security engineering has rarely been so sharply drawn. One side sees barriers to innovation that must fall. The other sees user data that, once released, cannot be recalled. The users whose searches hang in the balance have no direct voice in the technical specifications being written in Brussels. Yet their private questions may soon test whether those specifications hold.


WebProNews is an iEntry Publication