Compliance Management, Network Security, Privacy, Threat Management, Vulnerability Management

Google, FTC settle over faulty privacy in Buzz

In an unprecedented settlement with arguably the most powerful presence on the internet, the Federal Trade Commission has ordered Google to fix its privacy practices following widespread backlash resulting from the launch of its Buzz social networking service.

The FTC announced Wednesday that it has ordered Google to implement a comprehensive privacy program, the first time the nation's consumer protection agency has issued such a decree, according to a news release. In addition, Google must conduct independent privacy audits every two years for the next 20 years and is prohibited from making "future privacy misrepresentations."

The FTC alleged that Google lied to users of its Buzz service, unveiled in 2010.

"On the day Buzz was launched, Gmail users got a message announcing the new service and were given two options: 'Sweet! Check out Buzz,' and 'Nah, go to my inbox,'" according to the FTC.

But the FTC complaint contended that those users who declined the new service were signed up for some features anyway. And for those who did accept, according to the FTC, Google failed to inform them that doing so would automatically set them to "follow" the people with whom they frequently email and chatted, essentially making some or all the names in a user's address book public information.

"In response to the Buzz launch, Google received thousands of complaints from consumers who were concerned about public disclosure of their email contacts which included, in some cases, ex-spouses, patients, students, employers, or competitors," the FTC release said.

Google violated its privacy policy, which stated that it would ask for users' permission prior to sharing and reusing their data, the FTC alleged.

Kurt Opsahl, senior staff attorney at the Electronic Frontier Foundation, a privacy watchdog, said the settlement will benefit Google users because it will give them significant control over how their information is used in the future. According to reports, the settlement also applies to Google's accidental collection of Wi-Fi data.

"It's a strong indication of where the FTC is thinking people should be," Opsahl told on Wednesday.

But the case also underscores the lack of real power that the FTC has to crack down on the shoddy privacy practices of corporations, Christopher Soghoian, a privacy researcher at Indiana University, told on Wednesday

"It demonstrates the limitations of the FTC's authority," said Soghoian, a former technologist in the FTC's Division of Privacy and Identity Protection. "Rather than being able to go after Google for leaking their users' data on the internet, they have to bust them for the weaselly statements made in their privacy policy."

He added, though, that the settlement may lead to a federal law, as Google now likely will aggressively lobby for all companies to have to move to an "opt-in" model.

"If we're stuck with this for the next 20 years, let's make sure our competitors have to deal with it too," Soghoian said, speaking from Google's perspective.

Alma Whitten, Google's director of privacy, product and engineering, admitted in a blog post Wednesday that Buzz did not initially live up to the company's standards for openness.

"We'd like to apologize again for the mistakes we made with Buzz," the post said. "While [Wednesday's] announcement thankfully put this incident behind us, we are 100 percent focused on ensuring that our new privacy procedures effectively protect the interests of all our users going forward."

Opsahl said the incident may spur other internet companies to be more honest with their users, especially considering Buzz never really took off, partly because of the privacy outrage.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.