Google Buzz accused of EPIC FAIL

Tweetbooked Gmail hit with FTC complaint

The Electronic Privacy Information Center (EPIC) - a high-profile public advocacy group - has filed a complaint with the US Federal Trade Commission over Google Buzz, the Tweetbook-esque "social networking" service that Mountain View bolted onto Gmail early last week.

In its complaint, EPIC says that the new service violated user expectations, diminished user privacy, and contradicted Google's privacy policy. The group even questions whether Buzz violated federal wiretap law. The US Electronic Communications Privacy Act prevents operators of "electronic communication" services from disclosing certain subscriber information without consent - including "addressing" information - and the privacy watchdog believes this "may" apply to Buzz.

"The argument is that Google could have violated federal law by disclosing address book contacts without getting proper consent," EPIC privacy counsel Kim Nguyen tells The Reg.

Like Facebook or Twitter, Buzz is a means of sharing personal info and media with others across the web in (near) real-time. But unlike a Facebook or a Twitter, it's not a standalone service. It's an add-on for Gmail, designed to dovetail with Google's existing online email service and tap users' existing Gmail and Google Chat contacts.

Introduced last Tuesday and pushed out to an estimated 32.1 million Gmail users beginning that same day, Buzz automatically identified users' most frequent email and chat contacts as people they'd like "to follow" - i.e. people you'd like to receive posts from. By default, it exposed this list to the world, and many complained that the checkbox that allowed users to hide this list was far from prominent.

After a firestorm of criticism over the service, Google agreed to move the checkbox to a more prominent position. Then, over the weekend, it announced that it would change the way the service handled user Gmail contacts. At set-up time, rather than automatically identifying email and chat contacts for following, it would "suggest" people to follow and give the user the opportunity to make changes.

The word from CNET is that these changes were driven at least in part by complaints from employees at Google's weekly all-hands meeting.

But with its complaint, EPIC says the service still goes too far. The complaint urges the FTC to require Google to make Buzz "fully opt-in" - meaning it would only be added to Gmail if users specifically asked for it. "Sites like Facebook and Twitter are first and foremost social networking sites," Nguyen tells us. "Gmail users sign up for email addresses, and for most users, email is private. With Buzz, Google made a private email service into a social networking site, and that violates user expectations."

The complaint also urges the FTC to require Google to stop using Gmail users' private address books to build its social networking lists and to give users "meaningful control over their personal data."

Over the weekend, Google also added a Buzz tab to a user's central Gmail "settings" that lets them disable Buzz entirely, and it provided a link to this tab from the initial Buzz setup screen. Earlier this week, in a blog post, the Electronic Frontier Foundation - another privacy advocate - said Google's weekend changes were "a significant step forward." But it was still critical of the way Google has handled the service, and it at least indicated the service should be opt-in.

"While a full opt-in model would be less likely to result in inadvertent disclosures of private information, this is a significant step forward," wrote EFF's Kurt Opsahl. "Problems arose because Google attempted to overcome its market disadvantage in competing with Twitter and Facebook by making a secondary use of your information.

"Google leveraged information gathered in a popular service (Gmail) with a new service (Buzz), and set a default to sharing your email contacts to maximize uptake of the service."

Over the past few days, many news stories have indicated that privacy concerns arose because Google failed to properly test the service before its release. But there's some confusion about the extent of this testing. According to the BBC, Google only tested the service with employees, forgoing "more extensive trials with external testers," while a CNET report says the company tested the service with at least some external users in its internal "usability lab."

Regardless, the fact remains that for all the changes Google made over the past week, Buzz is an opt-out service. And fundamentally, it's designed to hook into users' existing private email accounts and encourage them - in one way or another - to instantly expose more data than they would on a new standalone service.

As it filed its complaint over Google Buzz, EPIC also noted that the FTC has so far failed to take action over a complaint it filed in March of last year involving Gmail and other web-based Google Apps. In this March complaint, the privacy group called for a formal FTC probe of these services after a Google snafu saw the company inadvertently share certain Google Docs files with users who were unauthorized to view them.

EPIC urged the FTC to shut down Google's so-called cloud computing services, including Gmail and Google Docs, if Google can't ensure the safety of user data stored by these apps.

"After Google's most recent privacy misstep [involving Google Buzz], the FTC should really respond to our [other complaint] and that's what we expect they will do," Nguyen tells us. ®

Update: This story has been updated to clarify the contents of the Electronic Communications Privacy Act and correct the estimated number of Gmail users.