Feeds

Google Buzz accused of EPIC FAIL

Tweetbooked Gmail hit with FTC complaint

Top 5 reasons to deploy VMware with Tegile

The Electronic Privacy Information Center (EPIC) - a high-profile public advocacy group - has filed a complaint with the US Federal Trade Commission over Google Buzz, the Tweetbook-esque "social networking" service that Mountain View bolted onto Gmail early last week.

In its complaint, EPIC says that the new service violated user expectations, diminished user privacy, and contradicted Google's privacy policy. The group even questions whether Buzz violated federal wiretap law. The US Electronic Communications Privacy Act prevents operators of "electronic communication" services from disclosing certain subscriber information without consent - including "addressing" information - and the privacy watchdog believes this "may" apply to Buzz.

"The argument is that Google could have violated federal law by disclosing address book contacts without getting proper consent," EPIC privacy counsel Kim Nguyen tells The Reg.

Like Facebook or Twitter, Buzz is a means of sharing personal info and media with others across the web in (near) real-time. But unlike a Facebook or a Twiiter, it's not a standalone service. It's an add-on for Gmail, designed to dovetail with Google's existing online email service and tap users' existing Gmail and Google Chat contacts.

Introduced last Tuesday and pushed out to an estimated 32.1 million Gmail users beginning that same day, Buzz automatically identified users' most frequent email and chat contacts as people they'd like "to follow" - i.e. people you'd like to receive posts from. By default, it exposed this list to the world, and many complained that the checkbox that allowed users to hide this list was far from prominent.

After a firestorm of criticism over the service, Google agreed to move the checkbox to a more prominent position. Then, over the weekend, it announced that it would change the way the service handled user Gmail contacts. At set-up time, rather than automatically identifying email and chat contacts for following, it would "suggest" people to follow and give the user the opportunity to make changes.

The word from CNET is that these changes were driven at least in part by complaints from employees at Google's weekly all-hands meeting.

But with its complaint, EPIC says the service still goes too far. The complaint urges the FTC to require Google to make Buzz "fully opt-in" - meaning it would only be added to Gmail if users specifically asked for it. "Sites like Facebook and Twitter are first and foremost social networking sites," Nguyen tells us. "Gmail users sign up for email addresses, and for most users, email is private. With Buzz, Google made a private email service into a social networking site, and that violates user expectations."

The complaint also urges the FTC to require Google to stop using Gmail users' private address books to build its social networking lists and to give users "meaningful control over their personal data."

Over the weekend, Google also added a Buzz tab to a user's central Gmail "settings" that let them disable Buzz entirely, and it provided a link to this tab from the initial Buzz setup screen. Earlier this week, in a blog post, the Electronic Frontier Foundation - another privacy advocate - said Google's weekend changes were "a significant step forward." But it was still critical of the way Google has handled the service and it at least indicated the service should be opt-in.

"While a full opt-in model would be less likely to result in inadvertent disclosures of private information, this is a significant step forward," wrote EFF's Kurt Opsahl. "Problems arose because Google attempted to overcome its market disadvantage in competing with Twitter and Facebook by making a secondary use of your information.

"Google leveraged information gathered in a popular service (Gmail) with a new service (Buzz), and set a default to sharing your email contacts to maximize uptake of the service."

Over the past few days, so many news stories have indicated that privacy concerns arose because Google failed to properly test the service before its release. But there's some confusion about the extent of this testing. According to the BBC, Google only tested the service with employees, forgoing "more extensive trials with external testers," while a CNET report says the company tested the service with at least some externtal users in its internal "usability lab."

Regardless, the fact remains that for all the changes Google made over the past week, Buzz is an opt-out service. And fundamentally, it's designed to hook into users' existing private email accounts and encourage them - in one way or another - to instantly expose more data than they would on a new standalone service.

As it filed its complaint over Google Buzz, EPIC also noted that the FTC has so far failed to take action over a complaint it filed in March of last year involving Gmail and other web-based Google Apps. In this March complaint, the privacy group called for a formal FTC probe of these services after a Google snafu saw the company inadvertently share certain Google Docs files with users who were unauthorized to view them.

EPIC urged the FTC to shut down Google's so-called cloud computing services, including Gmail and Google Docs, if Google can't ensure the safety of user data stored by these apps.

"After Goggle's most recent privacy misstep [involving Google Buzz], the FTC should rally respond to our [other complaint] and that's what we expect they will do," Nguyen tells us. ®

>Update: This story has been updated to clarify the contents of the Electronic Communications Privacy Act and correct the estimated number of Gmail users.

Choosing a cloud hosting partner with confidence

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Protecting against web application threats using SSL
SSL encryption can protect server‐to‐server communications, client devices, cloud resources, and other endpoints in order to help prevent the risk of data loss and losing customer trust.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.