In re Google Buzz
Concerning the Privacy of Electronic Address Books
- States Reach $17 Million Settlement with Google Over Privacy Violations: The Maryland Attorney General Douglas Gansler, joined by attorneys general in 36 states and the District of Columbia, has reached a $17 million settlement with Google over privacy violations. Google violated state consumer protection and privacy law by placing advertising tracking cookies on Safari browsers despite telling users that it would honor the default Safari privacy settings, which prevented the placement of such cookies. The Federal Trade Commission fined Google $22.5 million last year over similar practices which violated an earlier settlement that was the result of a complaint filed by EPIC. EPIC previously objected to the Google-DoubleClick merger on privacy grounds and specifically warned that Google’s use of Doubleclick techniques would lead to impermissible tracking of Internet users. Earlier EPIC had urged the Federal Trade Commission and other consumer protection agencies to support advertising models that are not linked to actual user identity. For more information, see EPIC: Google Buzz, EPIC: Google/DoubleClick Merger. (Nov. 18, 2013)
- Supreme Court Lets Stand Contested Facebook Settlement, But Chief Justice Cautions About Future Cases: The Supreme Court has denied a petition for review in Marek v. Lane, a decision upholding the class action settlement of Facebook’s controversial "Beacon" Program. The settlement provided substantial fees to attorneys, no benefits to class members, and established a funding entity, controlled in part by Facebook "Cy press" ("as near as possible") is a legal doctrine that allows courts to allocate funds to protect the interests of individuals when there is a class action settlement, but concerns have been raised about the misuse of cy pres procedures. Chief Justice Roberts, focusing on the "unusual" allocation of funds in the Facebook matter suggested that the Supreme Court would eventually need to address "fundamental concerns surrounding the use of such remedies in class action litigation" including "how to assess its fairness as a general matter; whether new entities may be established as part of such relief; if not, how existing entities should be selected; what the respective roles of the judge and parties are in shaping a cy pres remedy; [and] how closely the goals of any enlisted organization must correspond to the interests of the class." EPIC and other consumer privacy organizations have routinely raised similar concerns about abuse of the class action process. For more information, see EPIC: Fraley v. Facebook, EPIC: Lane v. Facebook, and EPIC: In re: Google Buzz. (Nov. 4, 2013)
- EPIC, Privacy Groups, Urge Court to Reject Proposed Google Settlement: EPIC, joined by several leading privacy and consumer protection organizations, submitted a letter to the Northern District of California regarding a proposed settlement in a class-action lawsuit against Google. The settlement was proposed by class action lawyers on behalf of Google users in a case concerning the unlawful disclosure of search terms by Google to third parties. Under the terms of the proposed settlement, Google would be allowed to continue to disclose user search terms to third parties. The letter explains that the proposed settlement "provides no benefit to Class members" because it does not require Google to change its business practices. "Furthermore," the letter states, "the proposed cy pres allocation is not aligned with the interests of the purported Class members." "Cy press" ("as near as possible") is a legal doctrine that allows courts to allocate funds to protect the interests of individuals when there is a class action settlement. Under Ninth Circuit precedent, cy pres funds must be used to advance the interests of the class members. EPIC previously highlighted the dangers of improper cy pres distributions in settlements. For more information, see EPIC: Fraley v. Facebook, EPIC: Lane v. Facebook, and EPIC: Search Engine Privacy and EPIC: Google Buzz. (Aug. 22, 2013)
- Court Denies Appeal in Cy Pres Matter Over Objection that Settlement Fails to Provide Relief to Class Members: The Ninth Circuit has refused to hear an appeal in a case involving a class-action lawsuit over Facebook’s Beacon program, which disclosed personal information without user consent. "Cy pres" ("as near as possible") is a legal doctrine that allows courts to allocate funds to protect the interests of individuals when there is a class action settlement. Courts typically provide cy pres awards that reflect the reason for the litigation and are aligned with the interests of class members. In the Facebook case the court chose instead to provide the funds to a new foundation created by Facebook, which was appealed. Six judges dissented from the denial, writing that "the majority in this case creates a significant loophole in our case law that will confuse litigants and judges, while endorsing cy pres settlements that in no way benefit class members." EPIC previously highlighted the dangers of improper cy pres distributions in settlements. For more information, see EPIC: Fraley v. Facebook, EPIC: Lane v. Facebook, and EPIC: In re: Google Buzz. (Feb. 28, 2013)
- EPIC FOIA Uncovers Google’s Privacy Assessment: Through a Freedom of Information Act request to the Federal Trade Commission, EPIC has obtained Google's initial privacy assessment. The assessment was required by a settlement between Google and the FTC that followed from a 2010 complaint filed by EPIC over Google Buzz. The FTC has withheld from public disclosure information about the audit process, procedures to assess privacy controls, techniques to identify privacy risks, and the types of personal data Google collects from users. EPIC intends to challenge the agency withholdings. For more information, see EPIC: Federal Trade Commission, EPIC: Google Buzz, and EPIC: Open Government. (Sep. 28, 2012)
- FTC Fines Google $22.5 Million for Privacy Violations: The Federal Trade Commission fined Google $22.5 million for violating the terms of a settlement reached with the company last year. Google violated the settlement by placing advertising tracking cookies on Safari browsers despite telling users that it would honor the default Safari privacy settings, which prevented the placement of such cookies. The settlement prohibits Google from misrepresenting the extent to which it maintains the privacy and security of personal information, and requires the company to submit to independent privacy audits for the next 20 years. The settlement follows from a complaint filed by EPIC over Google Buzz, the social network service launched in early 2010. Google recently consolidated user data across its products and services, prompting objections from European data protection authorities, state attorneys general, members of Congress, and IT managers in the government and private sectors. For more information, see EPIC: Google Buzz and EPIC: Enforcement of Google Consent Order. (Aug. 9, 2012)
- Warwick Ashford, Buzz Gets its Inevitable EPIC FTC Complaint, Gizmodo (February 17, 2010).
- Sam Diaz, Google Buzz: Privacy Concerns Grab Gov't Attention, Hint at Desperation, ZDNet (February 17, 2010).
- Scott Fulton III, Canada Curious about Google Buzz, EPIC Accuses Google of Deception, Beta News (February 17, 2010).
- Mark Hefflinger, Privacy Group EPIC Asks FTC to Compel Google Buzz Changes, Digital Media Wire (February 17, 2010).
- Cecilia Kang, Privacy Advocates File FTC Complaint on Google Buzz, The Washington Post: Post Tech Blog (February 17, 2010).
- Kimberly Kimbrough, Privacy Group Files a Complaint Against Google's Buzz Service, Examiner (February 17, 2010).
- Ryan Paul, EPIC Fail: Google Faces FTC Complaint over Buzz Privacy, Ars Technica (February 17, 2010).
- Dan Raywood, Google Buzz is Set Back Again after it is Hit by a Complaint from the Electronic Privacy Information Centre, SC Magazine (February 17, 2010).
- Kara Reeder, EPIC Hits Google Buzz with Privacy Complaint, IT Business Edge (February 17, 2010).
- Stephen Shankland, Privacy Group Files Buzz Complaint with FTC, CNET News (February 17, 2010).
- Maggie Shiels, Google Buzz 'Breaks' Privacy Laws Says Watchdog, BBC News (February 17, 2010).
- Ryan Singel, EPIC: Google May have Broken Wiretap Law, MSNBC (February 17, 2010).
- Joelle Tessler, Privacy Group Files FTC Complaint on Google Buzz, The Washington Post (February 17, 2010).
- Amy Tierney, Watch Dog Group Stung by Google Buzz; Files FTC Complaint, TCMnet (February 17, 2010).
- Byron Acohido, How Google Buzz Lowers the Bar for Privacy, Security, The Last WatchDog on Internet Security (February 16, 2010).
- Thomas Claburn, Google Sorry about Buzz Privacy, InformationWeek (February 16, 2010).
- Wendy Davis, EPIC Files Privacy Complaint against Google Buzz, PC World (February 16, 2010).
- Sam Gustin, Privacy Group Files Complaint with Feds over Google's Social Network, Daily Finance (February 16, 2010).
- Jessica Guynn, Magid on Tech: Legal Noise over Google Buzz, Palo Alto Daily News (February 16, 2010).
- John Paczkowski, Google Buzz Hit with FTC Complaint by Privacy Group, eWeek (February 16, 2010).
- Privacy Group Files FTC Complaint on Google Buzz, ABC 7 News (February 16, 2010).
Google is a company created by Larry Page and Sergey Brin in 1998. Originally, Google was a search engine service, but since its inception, the company has expanded to create several web applications that encourage sharing of information. These applications include Gmail, Google Calendar, and Google Docs. On February 9, 2010, Google introduced its newest web application, Google Buzz.
On February 9, 2010, Google introduced Buzz, a social networking service linked to Gmail, Google’s email service. There are currently over 37 million Gmail users in the United States. Google Buzz is an opt-out service that compiles a Gmail user’s social networking list based on address book and Gchat list contacts. When users checked their email through Gmail on February 9th, they were confronted with the following screen:
Whether the user clicked on “Sweet! Check out Buzz” or “Nah, go to my inbox,” Google Buzz was activated, and a list of followers and “people who you follow” were already populated using frequent contacts. These lists were publicly viewable by other Gmail users, and if a user had a Google profile, this information was publicly indexed by search engines.
Google experienced a strong backlash from users who were unhappy that their Gmail address books were essentially published for all to see. Address book contacts routinely contain deeply personal information, including the names and email addresses of estranged spouses, current lovers, attorneys and doctors. In response to user outcry, Google made several changes to its Google Buzz service. Despite these changes, Google still compiled social networking lists based on address book contacts without first notifying users, and allowed such information to be publicly indexed by search engines without clearly notifying users.
Google users were still not satisfied, and on February 13, 2010, Google made additional changes to the Google Buzz service. Rather than using an auto-follow structure for the “people who you follow” list, Google now uses an auto-suggest model, where users can pre-screen who they follow. However, the auto-follow model is still in place for the “followers” list, or list of “people who follow you.” The burden remains on users to constantly check and block their followers.
EPIC’s complaint begins by stressing the importance of email privacy. While email senders and recipients always have an opportunity to disclose email-related information to third parties, email service providers have a particular responsibility to safeguard the personal information that subscribers provide. Improper disclosure of even a limited amount of subscriber information by an email service provider can be a violation of both state and federal law. As an email service provider, Google’s attempt to convert the personal information of all of its customers into a separate service raises far-reaching concerns for subscribers and implicates both consumer and personal privacy interests.
The complaint goes on to describe Google Buzz and Google’s disclosure of users’ email contacts. Gmail contact lists routinely include deeply personal information, including the names and email addresses of estranged spouses, current lovers, attorneys and doctors. The frequency with which a user communicates with a given contact is also deeply personal and demonstrates the closeness of the user’s relationship with that contact. The activation of Buzz disclosed not only portions of users’ contact lists, but more specifically disclosed the contacts with whom users communicate most often. The fact that the auto-following lists were composed of users’ most common Gmail contacts was widely known and publicized, as well as easily deduced by individual users. As such, anyone looking at a newly-activated Buzz user’s “following” list would know that the list indicated which people that user communicated with most often.
EPIC’s complaint analyzes the two rounds of changes to the Google Buzz service. After both changes, Google Buzz still populates the suggested social networking list of people a user follows based on frequent address book and chat contacts. Although the “welcome page” states that “[y]ou can find more people to follow later,” the contacts from a user’s address book and chat list make up a user’s initial “follow” list. Further, Google Buzz still allows people to automatically follow a user. The burden remains on the user to block those unwanted followers. The “welcome screen” still does not make clear that the user must create a profile that would be public and indexed by search engines. The screen only states, “The first time you post in Buzz you’ll create a profile which includes the list of people you follow—you can choose not to display this list if you’d like.” Finally, Google has not announced any changes to the pop-up screen that appears when a user initially posts on Google Buzz. Therefore, users are still unaware that showing the user’s connection means showing connections publicly to everyone, and having them publicly indexed by search engines.
The FTC's primary enforcement authority with regards to privacy is derived from 15 U.S.C. § 45, commonly known as section 5 of the Federal Trade Commission Act (FTCA). Section 5 of the FTCA allows the FTC to investigate "unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce." This law provides a legal basis for the FTC to regulate business activities that threaten consumer privacy.
The FTC stated:
Google Inc. has agreed to settle Federal Trade Commission charges that it used deceptive tactics and violated its own privacy promises to consumers when it launched its social network, Google Buzz, in 2010. The agency alleges the practices violate the FTC Act. The proposed settlement bars the company from future privacy misrepresentations, requires it to implement a comprehensive privacy program, and calls for regular, independent privacy audits for the next 20 years. This is the first time an FTC settlement order has required a company to implement a comprehensive privacy program to protect the privacy of consumers’ information. In addition, this is the first time the FTC has alleged violations of the substantive privacy requirements of the U.S.-EU Safe Harbor Framework, which provides a method for U.S. companies to transfer personal data lawfully from the European Union to the United States.The FTC further stated:
According to the FTC complaint, Google launched its Buzz social network through its Gmail web-based email product. Although Google led Gmail users to believe that they could choose whether or not they wanted to join the network, the options for declining or leaving the social network were ineffective. For users who joined the Buzz network, the controls for limiting the sharing of their personal information were confusing and difficult to find, the agency alleged.
In response to the Buzz launch, Google received thousands of complaints from consumers who were concerned about public disclosure of their email contacts which included, in some cases, ex-spouses, patients, students, employers, or competitors. According to the FTC complaint, Google made certain changes to the Buzz product in response to those complaints.
Google’s data practices in connection with its launch of Google Buzz were the subject of a complaint filed with the FTC by the Electronic Privacy Information Center shortly after the service was launched.
- Agreement Containing Consent Order
- Complaint; Exhibits A-D
- Concurring Statement of Commissioner J. Thomas Rosch
- Letter from FTC's David Vladeck regarding EPIC's Google Buzz Complaint
- EPIC's Amended Complaint in In re Google Buzz
- EPIC's FTC Complaint in In re Google Buzz (Feb. 16, 2010)
- EPIC's FTC Complaint regarding Cloud Computing in In re Google (Mar. 17, 2009)
- Dave Navetta, FTC Privacy Enforcement and the Google Buzz Settlement, InfoSec Island, April 13, 2011.
- Mike Zapler, Signs Point to Broader Probe of Google, Politico, April 5, 2011.
- Jill R. Aitoro, Google-FTC Settlement: Bad Precedent?, Washington Business Journal, April 5, 2011.
- E.B. Boyd, What the Google Buzz-FTC Settlement Means for the "Apology Approach" to Innovation , Fast Company, April 4, 2011.
- Tony Romm, Gauntlet thrown down in Google Buzz settlement, Politico, March 31, 2011.
- Claire Cain MillerGoogle Introduces New Social Tool and Settles Privacy Charge, New York Times, March 30, 2011.
- Matt Rosoff, Google Will Face Privacy Audits For The Next 20 Long Years (GOOG), San Francisco Chronicle, March 30, 2011.
- Matt Peckham, Google, FTC Bury the Axe Over Google Buzz, Time, March 30, 2011.
- Rob Pegoraro, FTC’s lesson for Google: defaults, design matter, Washington Post Blog, March 30, 2011.
- Nathan Koppel, Google Stung By Its Own Buzz, The Wall Street Journal Blog, March 30, 2011.
- Benjamin Pimentel, Google settles with FTC, unveils new social tool, The Wall Street Journal, March 30, 2011.
- Sara Forden, Google Settles Data Privacy Complaint With FTC on ‘Buzz’ Social Network, Bloomberg, March 30, 2011.
- Declan McCullagh, Google settles FTC charges over Buzz, CNET News, March 30, 2011.
- Martin J. Young, Partnership Buzz, Asia Times (February 27, 2010).
- Jessica Guynn, Google Buzz poses a major privacy risk for kids, analyst (and parent) says, LA Times (February 22, 2010).
- David Mattison, Google Gets Stung by its Own Buzz, Information Today (February 22, 2010).
- James Temple, Privacy, complexity seen as Google blind spots, San Francisco Chronicle (February 21, 2010).
- Doug Hanchard, EPIC explains their FTC complaint about Buzz, ZDNet (February 20, 2010).
- Jeff Cormier, Google Buzz lawsuit and privacy problems persist, Examiner.com (February 20, 2010).
- Ian Paul, Control Google Buzz Overload, PC World (February 19, 2010).
- James Temple, Local Class Action Complaint Filed over Google Buzz, San Francisco Chronicle (February 17, 2010).
- Katherine Boehret, Google Buzz Isn't Exactly Humming Along, Wall Street Journal (February 16, 2010).
- David Coursey, Google Apologizes for Buzz Privacy Issues, PC World (February 15, 2010).
- Laurie Sullivan, Google Revisits Privacy Controls on Buzz, Again, MediaPost (February 15, 2010).
- Ben Parr, Google Changes Buzz Privacy Settings, CNET News (February 14, 2010).
- Miguel Helft, Google Alters Buzz to Tackle Privacy Flaws, N.Y. Times Bits (February 13, 2010).
- Jason Kinkaid, Google Buzz Abandons Auto-following Amid Privacy Concerns,,
- Harry McCracken, Google Buzz's Privacy Problem: A Simple Solution, PC World (February 13, 2010).
- Jessica E. Vascellaro, Google to Revamp Buzz Amid Privacy Concerns, Wall Street Journal (February 13, 2010).
- Jackson West, Google Buzz Privacy Concerns Hit Home, NBC News (February 13, 2010).
- Charles Arthur, Google Buzz's Open Approach Leads to Stalking Threat, Guardian (February 12, 2010).
- F*ck You Google, Gizmodo (February 12, 2010).
- Tom Krazit, More Google Buzz Tweaks, Separate Version Coming?, CNET News (February 12, 2010).
- Jared Newman, Google Buzz's Privacy Tweaks: Good Start, Not Enough, Network World (February 12, 2010).
- Shane Richmond, Google Buzz Tweaked after User Concerns, Telegraph (February 12, 2010).
- Larry Seltzer, Google Buzz Privacy Concerns are Overblown, PC Mag (February 12, 2010).
- Laurie Sullivan, Google Buzz Publicly Airs Privacy Confusion, MediaPost (February 12, 2010).
- Richard Waters, Google Seeks to Quell Buzz Privacy Outcry, Financial Times (February 12, 2010).
- Robin Wauters, Google Buzz Privacy Issues have Real Life Implications, TechCrunch (February 12, 2010).
- Don Cruise, Lawyers (or journalists) with Gmail Accounts: Careful with the Google Buzz, The Supreme Court of Texas Blog (February 11, 2010).
- Jessica Dolcourt, Buzz Off: Disabling Google Buzz, CNET News (February 11, 2010).
- Andrew Hickey, 3 Google Buzz Privacy Concerns, Channel Web (February 11, 2010).
- Evgeny Morozov, Wrong Kind of Buzz around Google Buzz, Foreign Policy Blog (February 11, 2010).
- Kevin Purdy, Google Updates, Explains Buzz Privacy Setup, Lifehacker (February 11, 2010).
- Bradford Schmidt, Google Buzz Privacy Fears Overstated, Technorati (February 11, 2010).
- Berin Szoka, Google Buzz is No "Privacy Nightmare" (Unless You're a Privacy Paternalist), The Technology Liberation Front (February 11, 2010).
- Nicholas Carlson, WARNING: Google Buzz Has a Huge Privacy Flaw, Silicon Alley Insider (February 10, 2010).
- Molly Wood, Google Buzz: Privacy Nightmare, CNET News (February 10, 2010).