Feeds

Google Buzz accused of EPIC FAIL

Tweetbooked Gmail hit with FTC complaint

Intelligent flash storage arrays

The Electronic Privacy Information Center (EPIC) - a high-profile public advocacy group - has filed a complaint with the US Federal Trade Commission over Google Buzz, the Tweetbook-esque "social networking" service that Mountain View bolted onto Gmail early last week.

In its complaint, EPIC says that the new service violated user expectations, diminished user privacy, and contradicted Google's privacy policy. The group even questions whether Buzz violated federal wiretap law. The US Electronic Communications Privacy Act prevents operators of "electronic communication" services from disclosing certain subscriber information without consent - including "addressing" information - and the privacy watchdog believes this "may" apply to Buzz.

"The argument is that Google could have violated federal law by disclosing address book contacts without getting proper consent," EPIC privacy counsel Kim Nguyen tells The Reg.

Like Facebook or Twitter, Buzz is a means of sharing personal info and media with others across the web in (near) real-time. But unlike a Facebook or a Twiiter, it's not a standalone service. It's an add-on for Gmail, designed to dovetail with Google's existing online email service and tap users' existing Gmail and Google Chat contacts.

Introduced last Tuesday and pushed out to an estimated 32.1 million Gmail users beginning that same day, Buzz automatically identified users' most frequent email and chat contacts as people they'd like "to follow" - i.e. people you'd like to receive posts from. By default, it exposed this list to the world, and many complained that the checkbox that allowed users to hide this list was far from prominent.

After a firestorm of criticism over the service, Google agreed to move the checkbox to a more prominent position. Then, over the weekend, it announced that it would change the way the service handled user Gmail contacts. At set-up time, rather than automatically identifying email and chat contacts for following, it would "suggest" people to follow and give the user the opportunity to make changes.

The word from CNET is that these changes were driven at least in part by complaints from employees at Google's weekly all-hands meeting.

But with its complaint, EPIC says the service still goes too far. The complaint urges the FTC to require Google to make Buzz "fully opt-in" - meaning it would only be added to Gmail if users specifically asked for it. "Sites like Facebook and Twitter are first and foremost social networking sites," Nguyen tells us. "Gmail users sign up for email addresses, and for most users, email is private. With Buzz, Google made a private email service into a social networking site, and that violates user expectations."

The complaint also urges the FTC to require Google to stop using Gmail users' private address books to build its social networking lists and to give users "meaningful control over their personal data."

Over the weekend, Google also added a Buzz tab to a user's central Gmail "settings" that let them disable Buzz entirely, and it provided a link to this tab from the initial Buzz setup screen. Earlier this week, in a blog post, the Electronic Frontier Foundation - another privacy advocate - said Google's weekend changes were "a significant step forward." But it was still critical of the way Google has handled the service and it at least indicated the service should be opt-in.

"While a full opt-in model would be less likely to result in inadvertent disclosures of private information, this is a significant step forward," wrote EFF's Kurt Opsahl. "Problems arose because Google attempted to overcome its market disadvantage in competing with Twitter and Facebook by making a secondary use of your information.

"Google leveraged information gathered in a popular service (Gmail) with a new service (Buzz), and set a default to sharing your email contacts to maximize uptake of the service."

Over the past few days, so many news stories have indicated that privacy concerns arose because Google failed to properly test the service before its release. But there's some confusion about the extent of this testing. According to the BBC, Google only tested the service with employees, forgoing "more extensive trials with external testers," while a CNET report says the company tested the service with at least some externtal users in its internal "usability lab."

Regardless, the fact remains that for all the changes Google made over the past week, Buzz is an opt-out service. And fundamentally, it's designed to hook into users' existing private email accounts and encourage them - in one way or another - to instantly expose more data than they would on a new standalone service.

As it filed its complaint over Google Buzz, EPIC also noted that the FTC has so far failed to take action over a complaint it filed in March of last year involving Gmail and other web-based Google Apps. In this March complaint, the privacy group called for a formal FTC probe of these services after a Google snafu saw the company inadvertently share certain Google Docs files with users who were unauthorized to view them.

EPIC urged the FTC to shut down Google's so-called cloud computing services, including Gmail and Google Docs, if Google can't ensure the safety of user data stored by these apps.

"After Goggle's most recent privacy misstep [involving Google Buzz], the FTC should rally respond to our [other complaint] and that's what we expect they will do," Nguyen tells us. ®

>Update: This story has been updated to clarify the contents of the Electronic Communications Privacy Act and correct the estimated number of Gmail users.

Internet Security Threat Report 2014

More from The Register

next story
The 'fun-nification' of computer education – good idea?
Compulsory code schools, luvvies love it, but what about Maths and Physics?
Facebook, Apple: LADIES! Why not FREEZE your EGGS? It's on the company!
No biological clockwatching when you work in Silicon Valley
Lords take revenge on REVENGE PORN publishers
Jilted Johns and Jennies with busy fingers face two years inside
Happiness economics is bollocks. Oh, UK.gov just adopted it? Er ...
Opportunity doesn't knock; it costs us instead
Ex-US Navy fighter pilot MIT prof: Drones beat humans - I should know
'Missy' Cummings on UAVs, smartcars and dying from boredom
Yes, yes, Steve Jobs. Look what I'VE done for you lately – Tim Cook
New iPhone biz baron points to Apple's (his) greatest successes
Sysadmin with EBOLA? Gartner's issued advice to debug your biz
Start hoarding cleaning supplies, analyst firm says, and assume your team will scatter
Edward who? GCHQ boss dodges Snowden topic during last speech
UK spies would rather 'walk' than do 'mass surveillance'
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.