Google Buzz is No “Privacy Nightmare” (Unless You’re a Privacy Paternalist)

by on February 11, 2010 · 88 comments

I’m a big fan of CNET’s “Buzz Out Loud” podcast and often enjoy co-host Molly Wood’s occasional “Molly Rant” but I’m disappointed to see her jumping on the Google-bashing bandwagon with her latest rant: “Google Buzz: Privacy nightmare.” Instead of appreciating the “privacy by design” features of Buzz, she seems to be rushing to privacy paternalism—just as I feared many would when I blogged about the Buzz launch.

Molly’s primary complaint, repeated several times, is that “you automatically follow everyone in your Gmail contact list, and that information is publicly available in your profile, by default, to everyone who visits your profile.” Actually, while Buzz does automatically follow some users your contact list, it does so only for the ones you chat with most using Gmail (which I believe means only other Gmail users). After that, Buzz simply tells you when other users follow you, and makes it easy to follow them.

So what’s the big deal? Molly’s concern, shared by a number of other bloggers, is that, before a user can start Buzzing, they have to set up Google Profile (another Google product launched last August, which typically appears on the bottom of the first page of Google search results for that name) and the default setting for Google profiles is to “Display the list of people I’m following and people following me.” In this respect, your Google Profile is a lot like your Facebook profile, except that users can decide to hide their followers/followees on their Google profile. (On Facebook, that information is part of the limited bucket of “publicly available information” and can’t be hidden by the user from their profile, but users can opt-out of having their profile accessible at all through search engines or Facebook search.)

There are essentially three ways of dealing with this concern about inadvertent sharing of sensitive contacts:

  1. Buzz could autofollow no one—in which case many users would probably log in, see no Buzzes from other users because they’re not yet following anyone, wonder what all the fuss is about, and abandon the service without really getting the sample experience that having a small set of automatically added followers provides.
  2. Gogole could change the default setting for Google profiles not to “Display the list of people I’m following and people following me.” This change in default would make a huge difference in just how easy it is to build out one’s social network, since the best way to find friends you may not have in your own contact book is to look at the list of users your friends are following.
  3. Google provide clearer notice to users to remind them that their most frequent contacts may be publicly visible on their Gooogle profile—which is exactly what Google implemented earlier today by adding the text shown in this splash screen for initial creation of a Google Profile:

Somehow, I suspect that won’t be good enough for her and many other users complaining about this. I wouldn’t be surprised to see the privacy paternalists at EPIC filing another complaint with the FTC arguing that users are too stupid to figure this out for themselves, so the government has to do it for them—no matter the costs to other users in added hassle and a less useful network.

There just isn’t anything wrong with encouraging consumers to use your product rather than making it hard for them to get involved. The success of any social network in achieving a critical mass of vibrant, broad-based participation depends critically on differences as small as whether a user sees a few users when they first start out—or just an empty Inbox. Ban things like autofollowing, no matter how transparent to the user and easy to over-ride they might be, and you’ll make it a lot harder for the next social networking service to get off the ground—and pose a challenge to Google, Facebook and Twitter.

Molly’s next complaint:

let’s say you’ve customized your Google profile page with the vanity URL Google helpfully offers at the bottom of the page. Well, that’d be your e-mail handle. Anytime anyone does an @ reply to you, they’ve broadcast your e-mail address to the world.

True indeed. But she fails to mention that the vanity URL (in my case, http://www.google.com/profiles/berin.szoka) is purely opt-in.  When a user first sets up a Google Profile, they’re given a non-identifying string for their URL that doesn’t tie to their email address. Just above the option to opt-in to the vanity email is this explanation (emphasis added):

To make it easier for people to find your profile, you can customize your URL with your Google email username. (Note this can make your Google email address publicly discoverable.) This unique name will also be used in other links to your content on Google. To help others discover your profile, in some Google services contacts who know your email address will see a link to your profile

So… what more should Google to do? I guess they could bold and italicize the warning as I’ve done…

She’s even more clearly mistaken about the way Buzz works on mobile phones (as one commenter noted):

there are no preferences in the Android app–no way, near as I can tell–to choose to broadcast only to the list of people you follow or a group you’ve established, as you can in the Web interface. So be equally prepared for everyone around you to know who you are and where you are when you post to Buzz from your phone. Yeah, no, really. I’m totally not making this up.

Actually, Buzz is accessible through the mobile browser (not an app), and it gives users the same choice every time they post a new Buzz as to whether the Buzz should be public or private—just as on the desktop browser version. The default setting is public, yes, but so what? Is it really that hard to click “Private?” When you do, you’ll get a list of whatever contact groups you’ve created so you can share your Buzz just with that list—or you can start a new list.

Moreover, “Show Nearby Users” feature only shows Buzzes from users who have decided to broadcast their location.

A number of these responses were raised by commenters on the piece. Most notable was this comment (originally written in ee cummings style, which I have punctuated for readability), which takes issue with Molly’s central complaint that there should be more “setup required”:

i like your show for the most part, molly. but seriously, privacy on the internet these day is like having sex: it’s on us to protect ourselves. it may say “no set up required.” but if we are concerned about things getting out that we don’t want, always check the setting! it’s your virtual condom. wrap it up…

Crude, but exactly right: It’s one thing for Molly and others to suggest ways for Google to make the privacy controls for Buzz and Google Profile more accessible and easily understandable. Google’s already shown its eagerness incorporate constructive suggestions to that end. But it’s quite another thing for privacy paternalists to insist that we just can’t expect users to take any responsibility for their own privacy.

Instead of preaching “Sharing-abstinence-only” (which is what the paternalists’ cry for “opt-in” boils down to), we should be teaching users how to engage in “safer-sharing”—and encouraging companies like Google to build user interfaces that make safety options as easy to use as possible without breaking the whole site. As with sex, there’s no such thing as 100% safe-sharing, but, hey, that’s life. We accept risks all the time—every time we drive, get on a plane or trust that the restaurant meal we’re about to eat hasn’t been contaminated or poisoned. As Adam has reminded us, we need to keep in mind the “proportionality” of the risks involved compared to the benefits, and, ultimately, trust users to chose for themselves.

Addendum: Given the discussion below, I want to reiterate the point I stressed when I first blogged about this, responding to questions raised by Larry Magid in the initial Buzz launch press conference:

I’m glad that Larry is raising these concern as someone who has done yeoman’s work in educating Internet users, especially kids, about how to “Connect Safely” online (the name of his advocacy group). The fact that companies like Google know they’ll get questions like Larry’s is hugely important in keeping them on their toes to continually plan for “privacy by design.”

But I do worry that those with a political axe to grind will take these same questions and twist them into arguments for regulation based on the idea that if some people forget to use a tool or just don’t get care as much about protecting their privacy as some self-appointed “privacy advocates” think they should, the government—led by Platonic philosopher kings who know what’s best for us all—should step in to protect us all from our own forgetfulness, carefulness or plain ol’ apathy. After all, consumers are basically mindless sheep and if the government doesn’t look after them, the digital wolves will devour them whole!

So, by all means, let’s hear some healthy criticism about how Google has implemented Buzz and talk about how the “privacy by design” features can be improved. But let’s make sure to get our facts straight before rushing to assume the worst—or before calling in the Feds to take over.

  • http://www.ferreemoney.com/blog Social Media

    Sooner or later, I suspect someone will be provide a Biometric authentication solution so that in order for someone to view your Buzz content, you will have a RBAC engine to direct who gets to see what and when and how.

  • http://twitter.com/stuyparker Stuyvesant Parker

    If only everyone could be as smart as you, man. Good post, good refutation. I find the “privacy concerns” post by bloggers posting under their real names with their email addresses visible pretty darn hilarious myself.

  • Ryan Radia

    Berin, do you think Google has made it clear that your “following” list is determined automatically based on the Gmail contacts with whom you regularly chat?

    The main beef in the blogosphere seems to be that the implications of having a public Google profile with a public follow list aren't clear when initially setting up Buzz. I'm sympathetic to this concern — it does seem like a reasonable person might not realize that Buzz, unlike Twitter, auto-selects people to follow from otherwise-private Gmail contacts.

    Or is there some obvious warning from Google that I've overlooked?

  • gcr
  • http://techliberation.com/author/berinszoka/ Berin Szoka

    When I first logged onto buzz, it showed me the list of users I was already following along with suggestions as to more users I might want to follow (or who were following me). While I agree that it wasn't exactly clear how that initial crop of followers had been added, there was a big “UNFOLLOW” link next to each name. So even if I had objected to one of those persons being among my followers, I could have removed them.

    With the new notice, I'd say it's pretty crystal clear that the default is “Display the list of people I’m following and people following me” and equally clear how to uncheck that box. I suppose Google could make absolutely sure users haven't accidentally skipped past this by using the kind of extra warning used for Latitude and for other location-based services like Loopt—i.e., remind users later that they're sharing their follower/followee lists, just in case they really didn't mean to.

  • http://techliberation.com/author/berinszoka/ Berin Szoka

    Yeah, I read that. Honestly, I don't understand what she's describing. She declined to opt-in to Buzz but somehow new contacts were added to her reader? She's so angry, she's not exactly clear about what happened.

    I'm not dismissing her complaint, but it's hard to respond without knowing more

  • http://techliberation.com/author/berinszoka/ Berin Szoka

    One final thought before I turn in for the night: Have we all forgotten about the phone book? I mean, that book lists our name, telephone number (if you still have a landline) and address, all in one place. Shocking! And yet no one ever really to care all that much…

  • Pingback: AndroidInfoSite » Blog Archive » Nexus One Google Phone

  • Ryan Radia

    I see. It does seem like you'd have to ignore some fairly clear warnings to inadvertently share your follower list with the world. Still, given that Google is really thrusting Buzz on Gmail users, and that accidentally revealing to the public a user's Gmail chat contacts does have potentially serious privacy implications, I do think more precaution on Google's part would be appropriate. (To my surprise, Google's decision to stick Buzz in users' faces when they login to Gmail has even irked some of my reasonably tech-savvy friends who are generally big fans of Google products.)

    Consider this anecdote about Buzz's privacy issues from “Jim,” a commenter over at Techdirt:

    “My mother, several competing clients of mine, and a couple of young women who get naked for a living were all able to see each other today, despite me clicking to not go to buzz, for some reason it was all turned on by default and it took me a while to realize exactly what the implication was and how to turn it off.”

  • juliansanchez

    Unfortunately, I'm not crystal clear myself on either precisely what happened in her instance or, frankly, exactly how Buzz behaves by default. The Reader items should only have been shared if they had already been set to “public” (and therefore already visible) unless someone massively screwed up implementation. So it's certainly possible that either Buzz hasn't shared quite as much as she thinks with as many people as she thinks, especially if they're only email contacts by way of forwarding from an anonymous account, or (more worrying) some of the information had actually been shared all along.

    But as for her list of contacts—and it's hardly mysterious why she might not want her ex knowing who she's dating now—I don't think you've got to be “stupid” to (for instance) be hastily logging into Gmail and hit enter without looking too closely when some window pops up. Making it that easy to inadvertently share information collected for a wholly different purpose is just bad design: Non-stupid people routinely just click through dialogue boxes because nobody does or should expect that kind of exposure to be the consequence of absently hitting “OK” in their e-mail software. Or if they don't, I'm a moron too, because for all I know the Acrobat EULA stipulates that I agree to be streamed via webcam 24/7.

  • http://www.cordblomquist.com cordblomquist

    What more could Google do? Make the product opt-in. Twitter gained a user base without the help of being owned by the world's most popular search engine, so Buzz should be able to compete without being shoved into my Gmail account.

    I'm a professional web developer and social media promoter and I still have no idea what Buzz is doing with all of my info because it's not intuitive at all. I have a bunch of articles starred in my reader about Buzz which I need to read at some point (you may already know that), but I shouldn't have to do research to understand a product that was added to my Gmail without my asking.

    When I say “shouldn't” I'm not implying that Google ought not be allowed to do what it wants with it products, I'm saying that Google shouldn't do these things if it values the goodwill of its customers. Google is well within its rights to change products whenever it wants, but that doesn't mean we have to like it.

  • http://blog.ericreasons.com Eric Reasons

    Berin-
    I just got this very interesting e-mail from Google. It looks like Google, as you stated above, are taking people's constructive criticism to heart:

    ==
    Hi,

    To protect your privacy we would like you to know that Google Latitude is running on your Android-powered device and reporting your location.

    If you didn't enable this or want to stop reporting your location please open the Maps app on your device. Go to 'Menu' > 'Latitude' > 'Privacy' and change your privacy settings.

    Thanks,

    Google Latitude Team
    ===

  • http://www.cato.org/ Jim Harper

    My experience was similar to Ms. FU, Google. That I'm aware of, I didn't opt in. It just appeared and started connecting me to correspondents. I use my Gmail account for a mix of personal and professional communications, and I don't think the fact of emailing people is a reason for them to come into my social network and see who else is (rightly or wrongly) in my social network.

    I'm not ready to say “FU, Google.” Instead, WTF, Google?! This is just stupid and ham-handed.

  • Jim Harper

    The phone book doesn't tell anyone who you've been calling. The analogy is inapt.

  • http://www.timothyblee.com/ Tim Lee

    Berin, I think you're underestimating the cognitive “transaction costs” of evaluating a product like Buzz. It's one thing to say that users who sign up for a service like FaceBook or Twitter have an obligation to do their homework and make sure they're comfortable with how their information will be shared. People who are too busy to do that homework can just decline to sign up for the service.

    It's quite another thing to bolt these kinds of “features” onto an existing application that's not traditionally considered a social networking application. A lot of users will skim the “sign up for Buzz” dialog box, fail to understand its implications, and sign up for sharing features that are more promiscuous than they realize. I think that's more Google's fault than the user's. A reasonable user should be able to expect that if they choose the default options in their email client, that it won't result in suddenly exposing a bunch of private information to the world.

    None of which is to say that we should be getting the government involved. But public criticism is an important part of the market process. The bad publicity Google is now getting for its boneheaded decisions is an important part of the market process. There's nothing paternalistic about criticizing Google when it creates products that cause a significant number of its users to inadvertently expose more personal information than they intended.

  • http://infoadvocate.org/ gcr

    It is hard to tell what is going on. I turned off buzz as soon as it noticed who my follow relationships were, and I realized they had nothing to do with what I considered people that were important to have in a social network together. I don't use reader or that many other google social products, so I hope I'm ok.

    However, reading the rest of her blog, I'd be interested in hearing what she has to say about people who describe privacy advocates as “paternalist.”

  • http://www.cato.org/ Jim Harper

    Seconded: It's not paternalism to criticize products as a market actor.

  • http://www.techliberation.com Adam Thierer

    Tim… Of course it is true that “public criticism is an important part of the market process,” and that it can have a powerful impact on corporate behavior. The same holds true for debates over acceptable media content. The problem, however, is that far too many people (including now yourself above) put forward the “well, people are just too stupid or lazy to know what's good for them” argument and claim that consumers just can't be expected to read the fine print, check a little box, or just stop using a service.

    Worse yet, they then use that anti-personal responsibility ethos as an excuse for government intervention. Whether it's media content or privacy policies, I hear the same syllogism again and again:

    1 – People “don't understand the implications” / are getting fooled / don't know what's best for them
    2 – Companies can't be trusted to set the right defaults (namely, they can't be trusted to self-regulate to self-censors edgy content, or they can't be trusted to cripple information sharing by default in the name of privacy)
    3 – Therefore, SOMEONE (uh, that would be the feds) needs to set a better default (to establish a better “community standard”) to protect us

    Of course, I know YOU would not counsel #3 as the solution, I'm just saying that's where the logic of #1 and #2 lead. And if, as you suggest, public pressure and social norms change corporate content or innovation choices in a spontaneous fashion, then fine. I have no problem with that.

    Finally, let's not forget we are talking about an email / social networking feature here that no one forces us to use, and there are plenty of other options. As you said in your Tweet last night, you are glad you don't use Google as your default mail provider. Same goes for me. (Dirty little secret: I hate Gmail. Absolutely despise it. Almost never use it). And others are always free to use alternatives. If they do so because they don't like Gmail's new social sharing features via Buzz, then fine. That's a choice. It's the same choice I would support with a conservative group rallies people to stop watching certain shows because they are “smutty” — just so long as those groups don't try to tell ME what to watch or take away my access to exciting new services and innovations.

  • Ryan Radia

    I don't think pro-regulation privacy zealots deserve a monopoly on criticizing a market product's privacy features. Of course, if I take issue with Gmail, I don't have to use it. But if concerned users can successfully convince Google to change its ways for the better before jumping ship en masse, then it seems like the market is working. (Oh, and I suggest you try accessing Gmail with Outlook; thanks to IMAP+SSL it rivals native Exchange in many respects.)

  • http://www.timothyblee.com/ Tim Lee

    The problem, however, is that far too many people (including now yourself above) put forward the “well, people are just too stupid or lazy to know what's good for them” argument and claim that consumers just can't be expected to read the fine print, check a little box, or just stop using the service.

    Adam, I'm saying precisely that “consumers can't be expected to read the fine print” for all the websites they visit. This isn't about stupidity or laziness, it's about cost-benefit analysis. Digesting fine print takes time, and it would take a ridiculous amount of time to read all the fine print on every website I visit. Instead, I expect the web apps I use to behave in a reasonable fashion. Among other things, I expect them not to disclose my personal information without my clear and explicit consent. A large number of GMail users feel that Google has failed to live up to this obligation.

  • http://www.cato.org/ Jim Harper

    Adam, you're putting strategy ahead of sensibility: “Don't say anything that could support an argument for regulation.”

    Like Ryan, I don't think people who favor market regulation should hold their tongues about products and practices they don't like. In fact, doing so makes it appear to audiences we're trying to convince that we're just blind supporters of businesses, however rapacious they may be.

    I don't think Tim should even have to couch it as carefully as he does. I'll say it since he won't: Some people are too stupid to know what's good for them. It doesn't follow that regulators should look after them. Rather, market criticism of goods and services guides the design of products to the better for the ignorant as much as for the intellectual and the activist.

    And the question here is not whether anyone is forced to use anything. It's whether a company can change the information terms of a product people have chosen to use based on the preexisting terms. I don't think so. I think this is an F-up, and I'm all for calling it out.

  • http://www.techliberation.com Adam Thierer

    The argument that Google could have done more to make users clearly aware of the changes is probably the best one out there. But it begs the question: How much notice is enough? And what constitutes “clear and explicit” consent? Think about all the fine print in the many other contracts and documents we sign onto every day in this world. In each case, the question of notice and “clear and explicit consent” comes into play but generally let people sign off on all sorts of things without reading every word of what is in the contract. In Google's case, what would make you happy? I can imagine a scenario in which a lot of bells and whistles go off and you are asked 3 times to consent to sharing information in the way Buzz does. Is that enough? Or are you saying — like most privacy regulatory advocates do — that precisely because that oh-so-tedious mental transaction cost problem that the default setting should be required to be set at “Cripple Information Sharing”?

    The Net — and the engine that powers it (advertising) — is built on information sharing. A lot of people don't like that fact. But if you cripple information sharing by default because people don't like the “cost-benefit analysis” associated with reading fine print, it will have serious ramifications. Namely, we are going to start getting charged for services that are currently free of charge. Perhaps that is the path most people prefer; I just hope they understand the consequences.

  • http://techliberation.com/author/berinszoka/ Berin Szoka

    Agreed completely, Ryan. I should have stressed more in my post that I didn't mean to discourage healthy criticism. As I mentioned in my original post about Larry Magid's questions,

    I'm glad that Larry is raising these concern as someone who has done yeoman's work in educating Internet users, especially kids, about how to “Connect Safely” online (the name of his advocacy group). The fact that companies like Google know they'll get questions like Larry's is hugely important in keeping them on their toes to continually plan for “privacy by design.”

    But I do worry that those with a political axe to grind will take these same questions and twist them into arguments for regulation based on the idea that if some people forget to use a tool or just don't get care as much about protecting their privacy as some self-appointed “privacy advocates” think they should, the government—led by Platonic philosopher kings who know what's best for us all—should step in to protect us all from our own forgetfulness, carefulness or plain ol' apathy. After all, consumers are basically mindless sheep and if the government doesn't look after them, the digital wolves will devour them whole!

    Molly, much as I love her, was off on several key factual details so my main purpose was to set her straight on how Buzz actually works and to note just how much granularity of privacy control it gives users. The key issue, I agree, is how Google has implemented the auto-following feature.

  • http://www.cato.org/ Jim Harper

    Adam, these transaction costs are typically taken care of by implying terms into contracts based on custom in the relevant industry or market. (If you think that’s socialist denial of individual responsibility, try living your life without implied contract terms. Ya can’t do it.)

    I’d find it very hard to believe that any industry or market has a convention that one party to a contract is allowed to change its terms.

    This is about changing the terms of a service after consumers chose to use Gmail based on one set of promises. It’s not about whether the Internet “is built on information sharing” blah blah blah.

  • http://www.timothyblee.com/ Tim Lee

    But it begs the question: How much notice is enough?

    That’s an excellent question. I don’t have a precise answer. Which is precisely why this kind of criticism and debate is necessary to figure out the answer. Calling people who think Google crossed the line “paternalistic” doesn’t help us understand where the line is.

  • http://techliberation.com/author/berinszoka/ Berin Szoka

    Thanks, Eric. This is exactly what I was referring to when I suggested in a comment above that Google could address these concerns about the auto-following feature by sending the same sort of “unmissable notice” to new Buzz users as it sends to new Latitude users, reminding them that Buzz will start them off by following some of their most common contacts. To the extent that this is mainly what Molly was suggesting, it’s certainly not unfair criticism, nor is it necessarily “paternalistic.” But I still think it’s a stretch that not having this kind of additional, belts-and-suspenders notice makes Buzz a “Privacy Nightmare,” especially given all the other privacy controls built into the system. Again, the ability to limit access to a post to just your friends is a major improvement over Twitter. It’s very much like Facebook’s new publishing controls—a great feature for which they got zero credit from critics who fixated on the potential exposure of a user’s friend and pages lists.

  • http://www.techliberation.com Adam Thierer

    Well, we’re dangerously close to devolving into a spat about EULA’s again, which I don’t want to get into. But let me just say this… Every time we download a new program or even a new patch for a piece software (something I do almost every day in the Android market), or sign up for a new service, or whatever else we do online, there’s always this question of contact and consent haunting each transaction. While I agree more notice is, generally speaking, always a good thing, I do wonder how far we have to take these notions. There is implied consent all over the place on the Net; especially because almost everything online is free of charge. So I think we need to be careful about an overly formalist approach to contracts and consent in this regard. It could have profound implications for the way the online world works and — regardless of your dismissive tone, Jim — that is important.

  • http://techliberation.com/author/berinszoka/ Berin Szoka

    Good clarification on the first point, Julian.

    As for the second point, I think you’re suggesting she may have accidentally opted-in to using Buzz because she just clicked through the initial “We’ve Just Launched Buzz – Would You Like to Join?” splash screen. I just tried going through the set up dialogue box again with another gmail account and it’s really a lot harder to miss the notice than you’re suggesting and it’s nothing click just clicking through a EULA. When the user logs onto gmail for the first time since Buzz’s launch, they’re taken to a completely new screen with a white background instead of a simple pop-up over Gmail. You can’t just hit “enter” to proceed. You have to click “Sweet! Check out Buzz” or “Nah, go to my inbox.” I clicked on the latter. Buzz still shows up in the folder list under “Inbox” but it’s empty–with no followers.

    Now, what WOULD concern me is if users who declined to opt-in to Buzz nonetheless had their top contacts added and their Google Reader shared items sent to those folks. If that actually is what happened to our angry blogger here, I’d agree that she’s right to be pissed off and I’m glad she’s raising the issue. But if that’s really what happened, I’d also be pretty surprised if Google didn’t fix the problem quickly.

    There’s another issue lurking in the background here, which you put your finger on: some users may indeed have chosen to make their Google reader shared items public and then be annoyed when Buzz shares those already-public posts with auto-followed users on Buzz. This is what law professor Dan Solove would call “increased accessibility” and it’s somewhat similar to the fact that it was always possible to see the fact someone was a fan of a particular Facebook page if you just looked at that Page—but some users complained when all their pages were made visible from their public profile (even though they can opt-out of having that profile itself made accessible through Facebook search or external search engines).

    Sites need to be able to make changes in accessibility over time because, in the social networking space, many features will necessarily change accessibility of even previously public information. The trick, I think, is to figure out how to handle such changes in a way that recognizes some basic contractarian principles. In principle, I’m in full agreement with the sentiment I hear expressed here from my cyber-libertarian comrades-in-arms that the burden rests with a site to inform users about the change. Again, that’s where bolding key text and making an opt-out easy becomes essential—which is precisely what Google’s done with the revised splash-screen I included in my post above, to make it easier for users to change the “show followers” setting on their Profile. Perhaps Google ought to go further still, such as by reminding users about the auto-following feature. But it’s worth noting that the initial “Welcome to Buzz” screen does point this out, as you’ll see in this scren capture.

    I’ve highlighted the key text. Perhaps Google should indeed bold that text. (I wasn’t being snarky or dismissive when I suggested that in my post above.) And perhaps some of this stuff merits a reminder email a la Latitude (see my response to Eric below).

    But… “privacy nightmare?” Really? My main point here is that you’d have to both have a pretty low opinion of the intelligence of the average user and assume that Google really was out to screw its users here to reach the “nightmare” conclusion. If this discussion highlights anything, it’s just how strong the reputational pressure is on companies, even as big and successful as Google and Facebook, to “get it right” when it comes to this sort of thing—and, if they don’t get it quite right out of the box, to fix real problems in ways that don’t break the experience for everyone.

    Let me emphasize something I alluded to above: Yes, obviously, Google has a lot to gain here by encouraging user participation but so do Google users! Buzz would be a far more valuable tool for me and everyone else if it actually managed to break beyond the narrow confines of techie-uber-geekdom and bring in users like my Mom or . I’d really, really love for a site to do what Twitter has not and succeed in making a new form of status updates ubiquitously used in the same way gmail is. The value of such a tool was really driven home to me this past week as some of my non-Twitter- and non-Facebook-using friends and relatives called me to ask how I was faring in the blizzard, whether I had lost power, etc. I was happy to talk to them, of course, but I would rather not have rehashed basic information that they could have gotten from simply looking at my latest Buzzes. With that information out of the way, we could have gotten on to much more interesting conversations. And of course, the folks that actually called to check on me are just the tip of the iceberg compared to all the people who simply had no idea what was going on and didn’t think (or have time) to call.

    So if I’m willing to cut Google some slack here for things like autofollowing, it’s because I see great value for all users in trying to invent something like “Email 2.0.” If they want to make that happen half as badly as I do, they’ll be listening very, very carefully to complaints about how Buzz has rolled out and work to address these concerns by making sure privacy-sensitive users know what they’re doing. I much prefer that kind of innovation through trial-and-error to simply trying to revert to restrictive default settings.

  • http://techliberation.com/author/berinszoka/ Berin Szoka

    Fair enough. Again, I certainly don’t mean to dismiss all privacy advocates as paternalists. My title was a bit glib in that respect. What I was really trying to suggest is that there are essentially four ways of looking at this (or a spectrum that includes these points):
    1) Google can do no wrong. Anyone who’s confused is stupid and deserves whatever happens to them.
    2) Google may not have gotten this exactly right and there’s room for improvement here, but the answer lies in building in some better notices to users to make sure they know what’s happening here. Google’s alrady done some of that but there room for them to do more.
    3) Google really screwed up. The only way to fix these problems is for Google to turn off auto-following and/or set Profiles not to show followers/followees by default.
    4) This is a “Privacy Nightmare!” The FTC should get involved immediately, sanction Google heavily to avoid such future travesties, and impose restrictive defaults.

    The first is certainly not my position. I’d put myself squarely in the second camp. I’m not quite suere where Molly would fall between the third and fourth camps (and I’m sorry if I lumped 3 and four together under the “Privacy Nightmare”=”Privacy Paternalism”) title), but there some of her commenters and other bloggers certainly fall into the fourth camp (“This should be illegal!”). I think most of the debate here is taking place somewhere between the second and third positions. Apart from suggesting that getting the government involved would be unwise and that we should be careful to get our facts right (which Molly didn’t quite do), my main point here is that the more trust we have in users (and also that reputational pressure generally works to promote privacy by design or, in some cases, re-design if the initial product isn’t quite right), the closer towards #2 we’ll fall.

  • http://techliberation.com/author/berinszoka/ Berin Szoka

    Agreed!

  • http://www.cato.org/ Jim Harper

    Well, there are evidently several moving parts to this question. Evidently, I’m in the category of Gmail users who declined to opt-in to Buzz, but was signed in to it anyway. At their promotional splash page yesterday, I hit “No, just take me to Gmail” or whatever, where I found Buzz inserted into my navigation tree. After a while, I did click on that link, after which I found it populated with followers and people I was following.

    I did not consent to that, I don’t think there’s a good argument that my use of Gmail was implied consent to making me a Buzz user, and I don’t think there’s an implied term in Gmail’s policies that Google can change its terms to make me a Buzz user.

    The way the Internet functions would not be upended by holding service providers to the terms of their promises. There is plenty of (explicit and implied) contractual information sharing on the web that’s not going to stop because contract terms are fixed and enforceable.

  • http://techliberation.com/author/berinszoka/ Berin Szoka

    Fair enough, Tim. If I had taken your approach to titles, I might have called this thread something like “More on Buzz” instead of trying to make a fairly nuanced point without the characters necessary to do so. My point being: my title may be a bit unfair by implying an equation of criticism with paternalism. I hope you’ll see from my four-part breakdown that I didn’t intend that.

    That said, I do think “nightmare” is too strong to apply to PEBCAK situations (“Problem Exists Between Chair and Keyboard”) like this one. That is, perhaps Google could have done more here to avoid the possibility for user error, but does that really make this a nightmare? How much more does Google have to do to protect users from their own carelessness? Somewhere along the spectrum of responses to that answer, we enter the land of paternalism—even if the government isn’t yet involved. And of course, the thing that makes these debates so difficult is that the government almost inevitably will become involved.

  • http://www.juliansanchez.com/ Julian Sanchez

    The setting you mention at the outset may be new, or maybe that’s just an account without much action on it, because I definitely did not do anything of the sort, and my account got populated with followers anyway.

  • http://techliberation.com/author/berinszoka/ Berin Szoka

    Again, Jim, as I noted above, if Buzz is actually opting-in users who initially decline to opt-in, that’s genuine cause for concern. I don’t have a problem with them adding Buzz to the navigation tree under “Inbox” but I’d agree that, when the user clicks on Buzz, they get some kind of reminder about what Buzz is, how it works and why they might want to use it.

    The next question I’d ask is: What does it actually mean to be opted-in if you’re not using buzz? (I think this is where our stalking-victim blogger ran into problems.) If a user declined to opt-in and isn’t posting any Buzzes, why does it matter whether Buzz has auto-added some followers for them?

    I think the answer lies here, from the screen users find the first time they visit Buzz: “Your Google Reader shared items, Picasa Web public albums, and Google Chat status messages will automatically appear as posts in Buzz.” Our blogger friend seemed to be concerned about the first issue. But in all three cases, these items are already public, so the concern seems to be simply a matter of increasing the accessibility of those already-public items.

    I’m not saying Google shouldn’t do more to make it clear to users that this is happening, especially if they’ve declined to opt-in to Buzz but, again, why can’t that be handled through better notice?

  • http://www.timothyblee.com/ Tim Lee

    Berin, shooting yourself in the foot hurts, and this fact is unaffected by the fact that you can opt out of shooting yourself in the foot. Likewise, the fact that people don’t have to sign up for Buzz doens’t prove that Buzz isn’t a privacy nightmare.

  • http://techliberation.com/author/berinszoka/ Berin Szoka

    I think you’re right, Julian. As Jim’s experience suggests, even users who decline to opt-in have Buzz set up for them (even if they’re not buzzing anything). So, as I discuss below, the question we need to ask is, what does it mean to be opted-in to Buzz.

  • http://techliberation.com/author/berinszoka/ Berin Szoka

    I think you’re right, Julian. As Jim’s experience suggests, even users who decline to opt-in have Buzz set up for them (even if they’re not buzzing anything). So, as I discuss below, the question we need to ask is, what does it mean to be opted-in to Buzz.

  • http://www.juliansanchez.com/ Julian Sanchez

    So, in the case of the angry blogger, I can see where even revealing the identities of her other contacts could be a serious problem. “Oh, so THAT’S the new guy…” But if I understand what she’s saying correctly, she had made a point of setting her shared Google Reader items to “private”—and was then horrified to discover that her frequent contacts had become “followers” entitled to see those shared items, along with her own comments containing references to where she lived and worked. If that’s what happened, it really is inexcusable, even if they fix it after the fact.

    The meta-point here, though, is that we do this for a living and we’re not entirely clear on how this thing is sharing our information one way or the other. Doesn’t that suggest a problem to you? Especially given the sheer quantity of information Google has, provided for wholly different purposes?

  • http://techliberation.com/author/berinszoka/ Berin Szoka

    As a general matter, I take your point to heart, Julian: this is confusing and Google certainly should have done a better job of explaining it. That does suggest a problem to me, but what, exactly, do you think that problem is?

    But as to the specific issue of Google Reader, I’m pretty sure “shared” posts were previously shared with everyone—that is, not private. If that’s right, I draw two points from that. First, in Google’s defense, if all Buzz does is make shared items even more accessible, I’m not sure what the big deal is.

    Second, if all my shared items are now going to be piped into Buzz automatically, why can’t I exercise the same Public/Private sharing option from inside Google Reader that I can from Buzz? I really love the granularity of privacy controls that I have in Buzz, being able to share a Buzz with a specific list. It would be great to have that same control throughout the tools being integrated into Buzz, like Reader.

  • http://www.cato.org/ Jim Harper

    “Meta” is one layer removed, Berin. Julian is pointing out that information policy experts don’t understand the issues here. How on earth can average consumers intelligently assess Buzz if we can’t.

    Google has sit-downs with people like us to talk through details of services we all have long experience with. But they dump Buzz on us and the public without a tinker’s dam of information about how it works, how it will integrate with existing services, etc. This is a big #googlefail

    (BTW, now that I’ve used the phrase “tinker’s dam” in a sentence, I am officially a curmudgeon. By cracky!)

  • http://www.cato.org/ Jim Harper

    “Meta” is one layer removed, Berin. Julian is pointing out that information policy experts don’t understand the issues here. How on earth can average consumers intelligently assess Buzz if we can’t.

    Google has sit-downs with people like us to talk through details of services we all have long experience with. But they dump Buzz on us and the public without a tinker’s dam of information about how it works, how it will integrate with existing services, etc. This is a big #googlefail

    (BTW, now that I’ve used the phrase “tinker’s dam” in a sentence, I am officially a curmudgeon. By cracky!)

  • http://techliberation.com/author/berinszoka/ Berin Szoka

    I agree with you, Jim, that our defense of “market regulation” will be made stronger for not holding our tongues when criticism is factually accurate well-deserved. It’s a very difficult thing, though, to do that without lending support to the feeding frenzy that so often explodes upon the release of a new product. And as I emphasized when Facebook launched its new privacy system, “If you jump on companies every time they announce a new privacy-by-design feature, you leave them like deer in the headlights, they’ll be terrified to move forward with anything.”

    Again, my point is not that we should take option #1 of the four options I laid out above (apologizing for everything Google might do) but that we should be careful about heading too far down the path of #3 (suggesting restrictive defaults) because even if the government doesn’t get involved in mandating those (which often happens very subtly and rarely overtly), much of the argument for such defaults rests on the idea that users just can’t be trusted.

    That said, I do take the point raised above about mental accounting costs to heart. There is a roll for user interface designers to play in being, yes, a bit “paternalistic” in a purely non-coercive sense. But there’s a fine line in practice between simply trying to ensure users don’t accidentally make choices they didn’t mean to make and assuming that users will screw up and make choices that are truly harmful, and therefore designing everything around the worst case scenario, unlikely as that might be.

  • Adam

    Berin, and anyone else who may think that opposition to the Buzz rollout is unfounded, I have a feeling that you may not have a complete picture of the situation. I agree that when one chooses to use such a service one should not expect total privacy, and one should take care in configuring the settings and managing one’s shared information appropriately. But I am a GMail user with no interest in using Buzz; I have already disabled it, so whatever privacy issues may arise in the use of the service are unimportant to me. My concern is the privacy failure which happened when Buzz was rolled out. Let me just lay out the facts and then their implications:

    1) On Feb 9th, all US GMail users were automatically opted in to Buzz without their consent. This seems lost on people who talk about “setting up” Buzz. It set itself up.
    2) If you are such a user, Google also automatically made you follow some random people with whom you have had contact via Google chat or GMail (I am not sure if any other Google services were used in this automatic process). Supposedly, this should have happened with “frequent” contacts, but many people have reported auto-following one-time contacts, or people they don’t know at all (probably contacts so old they’ve been forgotten).
    3) If you have ever set up a profile for your Google account, then all the people you are following or who follow you are published on that public profile. The profile is only visible to other users with profiles (but bear in mind that anyone could create a profile in 2 minutes if they desired to see your contacts).

    Each of these actions is worse, to my mind, than the previous.

    1) Being opted in to Buzz would simply be annoying.

    2) Being made to automatically follow people is a serious privacy failure. Those may be people with whom you have stopped communication. Now they will be led to believe you are interested in communicating again. If your account is on a shared computer, whomever you share it with will also see this false information. In my case, I found myself following some old coworkers, and one of them following me, and thankfully there were no unpleasant consequences. But I can only imagine the fallout that has happened to some people, who may have automatically followed an ex-spouse or lover or even someone who stalked or abused them in the past. People have already related such stories in the GMail support forums.

    3) Having some of your contacts revealed to some other contacts could be similarly devastating. I’m not going to leave it to your imagination. Your boss could have automatically followed you and clicked through to your profile only to find you are following a competitor. Journalists have probably have their sources revealed. Whistle blowers have probably been outed. This is awful, by any sane measure.

    So what is the answer? Unfortunately, once information is leaked, it can’t be put back in the bottle. It may have already been noticed, or indexed by search engines. All that remains is to swiftly act to limit the damage, by un-following those contacts who were auto-followed, deleting one’s profile and disabling Buzz.

    The only good news is that if you disable Buzz completely (Including un-following, and deleting your profile — the “Turn off Buzz” link alone does not do this), then the fact that you have followers has no visible effect and can be ignored.

    I will also add that I’m continually angered by to see that while Google has addressed some issues encountered by people who want to use Buzz, improving it and so on, none of the three fundamental problems I have listed above have been so much as mentioned by the GMail blog or the Google employees in the support forums. If this were a really stupid mistake and Google apologized and tried to make it better, I would be pissed off but understanding of human error.

    But one really has to conclude that all of this is completely intentional; Google expects people not to notice or care (and many do not). I do care, and unless Google addresses those issues in some meaningful way, I’ll have to try to find another email provider that does everything GMail does, without willfully trampling my privacy.

  • Adam

    Buzz is not an opt-in service. I think that misunderstanding has led you to a large misunderstanding of the problem.

  • Adam

    Buzz is not an opt-in service. I think that misunderstanding has led you to a large misunderstanding of the problem.

  • http://blog.ericreasons.com Eric Reasons

    Berin-
    I just got this very interesting e-mail from Google. It looks like Google, as you stated above, are taking people's constructive criticism to heart:

    ==
    Hi,

    To protect your privacy we would like you to know that Google Latitude is running on your Android-powered device and reporting your location.

    If you didn't enable this or want to stop reporting your location please open the Maps app on your device. Go to 'Menu' > 'Latitude' > 'Privacy' and change your privacy settings.

    Thanks,

    Google Latitude Team
    ===

  • http://www.cato.org/ Jim Harper

    My experience was similar to Ms. FU, Google. That I'm aware of, I didn't opt in. It just appeared and started connecting me to correspondents. I use my Gmail account for a mix of personal and professional communications, and I don't think the fact of emailing people is a reason for them to come into my social network and see who else is (rightly or wrongly) in my social network.

    I'm not ready to say “FU, Google.” Instead, WTF, Google?! This is just stupid and ham-handed.

  • Jim Harper

    The phone book doesn't tell anyone who you've been calling. The analogy is inapt.

  • http://www.timothyblee.com/ Tim Lee

    Berin, I think you're underestimating the cognitive “transaction costs” of evaluating a product like Buzz. It's one thing to say that users who sign up for a service like FaceBook or Twitter have an obligation to do their homework and make sure they're comfortable with how their information will be shared. People who are too busy to do that homework can just decline to sign up for the service.

    It's quite another thing to bolt these kinds of “features” onto an existing application that's not traditionally considered a social networking application. A lot of users will skim the “sign up for Buzz” dialog box, fail to understand its implications, and sign up for sharing features that are more promiscuous than they realize. I think that's more Google's fault than the user's. A reasonable user should be able to expect that if they choose the default options in their email client, that it won't result in suddenly exposing a bunch of private information to the world.

    None of which is to say that we should be getting the government involved. But public criticism is an important part of the market process. The bad publicity Google is now getting for its boneheaded decisions is an important part of the market process. There's nothing paternalistic about criticizing Google when it creates products that cause a significant number of its users to inadvertently expose more personal information than they intended.

  • http://www.juliansanchez.com/ Julian Sanchez

    If you go to your Google Reader sharing settings, you’ll see that you can set shared items to be “public” or “protected”—in the latter case shared only with contacts. Her claim, as I understand it, is that she had quite deliberately set her shared items to “protected,” but that Buzz then made all her frequent contacts eligible to view her “protected” notes.

Previous post:

Next post: