Roger Clarke's Web-Site

© Xamax Consultancy Pty Ltd,  1995-2024
Photo of Roger Clarke

Roger Clarke's 'Google Buzz'

Initial Reactions to Google Buzz

Notes of 11 February 2010

Roger Clarke **

© Xamax Consultancy Pty Ltd, 2010

Available under an AEShareNet Free
for Education licence or a Creative Commons 'Some
Rights Reserved' licence.

This document is at http://www.rogerclarke.com/II/GB-100211.html


Background

Google announced the Buzz service in early February 2010. I'd had no prior warning about it, until receiving a call from the media.

I've done an amount of work over the years on enhancements to email. It's highly desirable that we be able to coordinate our various asynchronous communications (snail-mail, email, voice-mail) and synchronous communications (voice-conversations, chat/IM).

(Integration would be nice, but that's a pipe-dream for years to come. Too few of the tools we use are standardised, and too many are highly competitive. Every supplier thinks that they can be 'the first-mover that wins', and hence every supplier views formats and protocols as competitive weapons not as common infrastructure).

Google is doing, as usual, some interesting innovating. Wave may be a bit too vague, and any substantial deployment may be some time away. In the meantime, Buzz is trying to make one.

The initial reactions below relate solely to the privacy aspects of the product. One reason for that limitation is that that's what the reporter asked me about. But another is that Google has an extremely bad record in the privacy aspects of their products. And Buzz leverages off existing services, and vast holdings of personal data. So it's important that Google gets it right - important to Google's users, and important to Google itself.


Sources

My first, quick reactions below are based on a fairly cursory scan, using time snatched from other tasks. The comments have to be fairly cursory anyway, for the following reasons:

The two sources I've relied upon were:


1. The Privacy of gmail Subscribers

Personal data about gmail subscribers has been re-purposed. Specifically, each gmail subscriber's associations with 'other people' are being disclosed to other 'other people'. This has been done without formal notice to them, and without their consent.

There may be some lawyers' weasel-words (somewhere in the labyrinth of Policies, FAQ, Blog post and Principles web-pages, plus Videos, that together purport to be the company's 'terms' and 'privacy policy') which endeavour to impute consent to all manner of things, including this.

If so, those weasel-words abjectly fail crucial characteristics of consent, which are that it be informed, and freely-given. Despite long-running attempts by US corporations and the US FTC on their behalf, 'opt-out' is not consent, and can never be consent.

The actions taken are quite possibly illegal use and disclosure of personal data without consent.

The move is also amazingly naive for a corporation that professes to "know a lot about you". (Although perhaps ignorance about privacy is a corporate strategy. Google's CEO Eric Schmidt recently nailed his colours to the wall, joining Sun's Scott McNeely in the tiny club of people silly enough to say that 'privacy's dead' - "If you have something that you don't want [Google and its customers] to know, maybe you shouldn't be doing it in the first place").

The fact is: people don't have a single identity. And they don't have a single network of contacts. They have multiple identities, and they have different sets of contact networks associated with each of them. For many people, Buzz as it currently stands is an unhelpful jumbling of networks. For others, it's an intrusion. For yet others, it's downright threatening.

A further aspect of potentially very serious concern is the statement in the Privacy Policy that "your location will be collected by Google and displayed to other users, as described when you first attempt to use Buzz on a mobile device". This implies that location-display may be opt-out, not consent-based. And of course the personal data in this case is potentially highly-sensitive, from a safety perspective.


2. The Disclosure of gmail Profiles

Buzz displays some personal data about each subscriber, to other subscribers. This is a new function, and it's been created without notice, and the disclosures have been made without consent. Clarification is needed as to what the reasonable expectation of users was in relation to the personal data in that profile, prior to this action.

The Buzz Privacy Policy page includes the expressions "public Google profile" and "your Google profile, which is publicly searchable on the Web". So it may be that what is exposed by Buzz is already exposed. (I wonder where. I wasn't au fait with the notion of a public gmail profile. And a quick search didn't turn up such a collection).

If there were previously constraints on access to that personal data, and the additional exposure is material, and the additional exposure was not reasonably anticipated by the subscriber, then Google is likely to be in breach of privacy laws relating to use and disclosure.


3. The Privacy of Non-gmail Subscribers

Many people are caught up in Google's massive archive, without subscribing. This arises because the Google archive captures all of these things:

  1. emails that have been sent to them by gmail subscribers
  2. emails they have sent to gmail subscribers
  3. emails they have sent to people at non-gmail accounts which were passed through the recipient's gmail-account, with or without the knowledge of the sender
  4. emails they have sent to people at non-gmail accounts, which have been forwarded to other accounts (whether gmail-addresses, or background gmail-accounts that people flush their messages through)
  5. posts to e-lists that have at least one subscriber who uses a gmail-account (whether they subscribe from it, or flush their mail through it)

In all but case 1, Google has collected, stored, used and in part disclosed, the non-gmail subscriber's messages without their consent.

I'm unclear from what I've read so far whether non-gmail subscribers are caught up in Buzz.

What passes for an explanation in the Privacy Policy is "we may automatically select people for you to follow based on the people you email and chat with most". That can be read either way.

The Google-AU blog says "you're automatically following the people you email and chat with the most", which suggests that non-gmail subscribers are included in the pool (unless of course Google-AU thinks that people from outside Google's walled garden aren't 'people', for this purpose at least).

Hence ... depending on Google's algorithms and data-holdings, it seems possible that non-gmail subscribers may be imputed as 'friends' to gmail-subscribers.

Each gmail-subscriber's contact network is visible to more than just the individual subscriber, so the fact that a particular non-gmail subscriber has significant traffic with a particular gmail-subscriber would be disclosed to (many) other parties.

If my speculation in this section is correct, then Google is committing an even more serious breach of public expectations, and probably data protection laws, than it is in respect of gmail-subscribers. And note that even the 'opt-out' facility appears to have been provided to gmail-subscribers, but not non-gmail subscribers.


Author Affiliations

Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professor in the Cyberspace Law & Policy Centre at the University of N.S.W., and a Visiting Professor in the Department of Computer Science at the Australian National University.



xamaxsmall.gif missing
The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax.

From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 65 million in early 2021.

Sponsored by the Gallery, Bunhybee Grasslands, the extended Clarke Family, Knights of the Spatchcock and their drummer
Xamax Consultancy Pty Ltd
ACN: 002 360 456
78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916

Created: 11 February 2010 - Last Amended: 11 February 2010 by Roger Clarke - Site Last Verified: 15 February 2009
This document is at www.rogerclarke.com/II/GB-100211.html
Mail to Webmaster   -    © Xamax Consultancy Pty Ltd, 1995-2022   -    Privacy Policy