Google Agrees to 20 Years of Privacy Audits

It’s been just about a year since members of Congress asked the US Federal Trade Commission (FTC) to look into privacy issues concerning Google Buzz, Google's social networking site.

Now Google has agreed to settle FTC complaints that the company “used deceptive tactics and violated its own privacy promises to consumers when it launched its social network”. According to the settlement, Google can’t misrepresent its privacy policies in the future and must submit to biennial, independent privacy audits for the next 20 years.

Launched in February 2010, Buzz offered a way for Gmail users to post updates and share content, much as they would on other social networking sites like Facebook. To Google's chagrin, the new product came under fire almost instantly for its privacy settings.

By default, Buzz made all items a user posted public and searchable on the Internet. Gmail users, who were signed up by default, also found that their contact lists had been mined to populate the Buzz network and were visible to other users. The long list of Buzz privacy issues outlined by the FTC details how this data mining went awry:

…many users complained about the automatic generation of lists of followers and people to follow from email contact lists that included in some cases: individuals against whom they had obtained restraining orders; abusive ex-husbands; clients of mental health professionals; clients of attorneys; children; and recruiters they had emailed regarding job leads.

Google quickly responded to complaints, adding new features and changing default settings (The Washington Post’s Rob Pegoraro posted a good run-down of Buzz’s first week).

The FTC then stepped in to investigate whether Google broke an implicit or explicit promise that information obtained from Gmail users would only be used to provide them with e-mail service. According to the FTC, Google’s actions were “deceptive” because the company failed to obtain permission from users to use their information in other ways even though the company said it would.

This isn’t the first federal fallout in all the fuss over Google Buzz. In September 2010, Google agreed to pay $8.5 million to settle a class-action lawsuit filed on behalf of users.

Google apologized on Wednesday for Buzz’s failures. “We don’t always get everything right. The launch of Google Buzz fell short of our usual standards for transparency and user control,” Google’s privacy director Alma Whitten wrote on the company blog. Whitten links to a few places where Google users can go to manage their privacy settings.

The FTC says this is the first time it has created a settlement that has "required a company to implement a comprehensive privacy program to protect the privacy of consumers’ information".

Could this settlement usher in a new era of FTC involvement in protecting privacy on the Internet? After all, gaps in privacy protection aren't exclusive to Google. Facebook has been repeatedly criticized for failing to keep user information private. Just weeks ago, the e-commerce site Etsy made headlines after turning on a social networking feature that exposed the previously private (and potentially embarrassing) shopping histories of its users.

“Today’s action should serve as a reminder to Facebook, Twitter, Yahoo and other sites with social aspects that they should be more careful and transparent when it comes to sharing their users’ information,” says Levi Sumagaysay of Good Morning Silicon Valley.

The FTC will grant 30 days for public comments before finalizing the agreement. You can make comments on it through May 2, 2011 on this site.
