Focusing public attention on emerging privacy and civil liberties issues

In re Google Buzz

Concerning the Privacy of Electronic Address Books

Top News

  • Judge Rules that Courts Lacks Jurisdiction over FTC, Acknowledges "Serious Concerns" with Google Privacy Changes: A federal court today dismissed EPIC's lawsuit against the FTC, because the "decision to enforce the Consent Order is committed to agency discretion and is not subject to judicial review." However, the Judge also said "the Court has not reached the question of whether the new policies would violate the consent order or if they would be contrary to any other legal requirements." And she said "the FTC, which has advised the Court that the matter is under review, may ultimately decide to institute an enforcement action." EPIC will appeal the decision on judicial review, asking the DC federal appeals court to rule that courts can require federal agencies to enforce final orders. For more, see EPIC: EPIC v. FTC (Google Consent Order). (Feb. 24, 2012)
  • "FOIA Matters" - EPIC Obtains Google Privacy Compliance Report: As the result of a Freedom of Information Act request to the Federal Trade Commission, EPIC has obtained a full copy of Google's first Privacy Compliance Report. Last year, spurred by a complaint pursued by EPIC, the FTC reached a settlement with Google and required the company to file regular reports with the Commission detailing its steps to comply with the Consent order. However, the report obtained by EPIC raises new questions about the company's efforts to safeguard user privacy. EPIC has recently filed a lawsuit against the FTC to compel the agency to enforce the Consent Order. For more information see: EPIC: EPIC v. FTC (Google Consent Order) and EPIC: In re Google Buzz. (Feb. 17, 2012)
  • EPIC Sues Federal Trade Commission to Enforce Google Consent Order: EPIC today filed a Complaint and a Motion for Temporary Restraining Order and Preliminary Injunction in Federal District Court in Washington, DC. EPIC is seeking to compel the Federal Trade Commission to act prior to March 1, when Google plans to make changes in its terms of service that will make it possible for the company to combine user data without user consent. EPIC alleges that this change in business practice is in clear violation of the consent order that Google entered into on October 13, 2011. The consent order arises from a complaint that EPIC brought to the Commission in February, 2010 concerning Google Buzz and a similar attempt by Google to combine user data without user consent. For more information, see EPIC - In re Google Buzz, FTC - "FTC Charges Deceptive Privacy Practices in Google's Rollout of Its Buzz Social Network." (Feb. 8, 2012)
  • EPIC Seeks Public Release of Google's Privacy Report : EPIC has filed a Freedom of Information Act request with the Federal Trade Commission for the Privacy Report that Google was recently required to submit to the agency. The Commission had previously investigated Google after EPIC filed a complaint regarding Google's Buzz product, which transformed private user contacts into publicly available social network data. Last fall the Commission reached a settlement with Google and, as a result, the company is subject to a consent order that requires it to file regular reports with the Commission. EPIC has requested that Google's first report, filed on January 26, 2012, be released to the public. Because of Google's plan to change its business practice on March 1, 2012, EPIC has asked the FTC to expedite the disclosure of the report. For more information see EPIC: In re Google Buzz. (Feb. 1, 2012)
  • Congress Seeks Answers on Google's Plans for Data Consolidation: Eight members of Congress wrote to Google asking the company to explain the "steps [that] are being taken to ensure the protection of consumers' privacy rights." The letter follows Google's announcement that it would begin combining data gathered on consumers of over 60 Google products and services, including Gmail, Google+, Youtube, and the Android mobile operating system. The members' letter includes 11 specific questions ranging from the ways in which Google collects information to the specific consequences for Android phone users. In 2010, EPIC, along with other privacy groups, wrote a letter to Google about the company's decision to combine user data among 12 Google services. The groups warned that the practical effect would be to reduce privacy protection for users of Google services. For more information, see EPIC: In re: Google Buzz and EPIC: Google search. (Jan. 27, 2012)
  • Court Rejects Privacy Class Action Deal, Holds that Settlement Distribution Should be Related to Nature of Lawsuit: A federal appeals court rejected a proposed settlement that would terminate a class action lawsuit brought by AOL users. The Court held that the proposed deal was inconsistent with the "cy pres" doctrine, a legal principle that allows courts to allocate funds to groups that protect the class' interests. The Court ruled that cy pres distributions should be based on the nature of the lawsuit, the objectives of the relevant law, and the interests of the class members including their geographic diversity. AOL users sued the company for inserting footers containing promotional messages into users' email messages. The lawsuit alleged violations of several laws, including the Electronic Communications Privacy Act. The parties settled the suit, agreeing to distribute $110,000 to several charities, none of which work to protect internet users' privacy. EPIC previously highlighted the dangers of improper cy pres distributions in Lane v. Facebook and In re: Google Buzz. (Nov. 22, 2011)
  • Court Awards Funds to EPIC in Google Buzz Case: A federal district court overseeing a class action case concerning Google Buzz has revised a proposed settlement agreement to ensure that EPIC receives part of the settlement fund. EPIC's complaint about Buzz to the Federal Trade Commission resulted in sweeping new privacy safeguards for Google users. But EPIC was excluded from a proposed agreement in which a Court had ordered distribution of settlement funds to organizations "who would reasonably benefit the class through established Internet privacy education and policy programs." Judge Ware held that "the Court does not find good cause to exclude EPIC from the list of recipients of the cy pres funds. EPIC has demonstrated that it is a well-established and respected organization within the field of internet privacy and that it has sufficiently outlined how the cy pres funding will be used to further the interests of the class." For more information, see EPIC - In re Google Buzz. (Jun. 1, 2011)
  • Senate Judiciary Committee Holds Mobile Privacy Hearing: The Senate Judiciary Subcommittee on Privacy, Technology, and Law held a hearing on "Protecting Mobile Privacy: Your Smartphones, Tablets, Cell Phones and Your Privacy." Lawmakers heard testimony from the Federal Trade Commission, as well as from from Apple and Google representatives. Chairman Leahy said that safeguarding privacy "is one of the most important and challenging issues facing the nation," and indicated that he would introduce legislation to update the Electronic Communications Privacy Act. EPIC previously recommended new privacy safeguards for location data. For more information, see EPIC: Locational Privacy and EPIC: In re Google Buzz. (May. 10, 2011)
  • EPIC Proposes "Fair Information Practices" for Google: Today EPIC submitted detailed comments on a landmark privacy agreement that requires Google to adopt a "Comprehensive Privacy Plan" to safeguard the privacy and personal information of Internet users. In comments to the Federal Trade Commission, EPIC recommended that the FTC require Google to adopt and implement comprehensive Fair Information Practices, as part of the Privacy Program. EPIC also recommended encryption for Google's cloud-based services, new safeguards for reader privacy, limitations on data collection, and warrant requirements for data disclosures to government officials. EPIC said that similar privacy safeguards should be established for other Internet companies. The FTC investigation and settlement arises from a complaint filed by EPIC with the Commission in February 2010. For more information, see EPIC: In re Google Buzz and FTC - Public Comments on In Re Google. (May. 3, 2011)
  • Public Submits Comments on Proposed Google Consent Order: Today marks the end of the public comment period for the Federal Trade Commission's landmark Consent Order with Google regarding Buzz, Gmail, and all Google products and services. As part of the legal order, Google must adopt a "Comprehensive Privacy Plan" to safeguard its users data and personal information. EPIC launched an online petition and a "Fix Google Privacy" page to promote public participation in the FTC's deliberations. The FTC's action against Google follows a Complaint and an Amended Complaint, filed by EPIC on behalf of Gmail subscribers and other users. For more information, see EPIC: In re Google Buzz. (May. 2, 2011)

EPIC's Complaint in the News

Background

Google

Google is a company created by Larry Page and Sergey Brin in 1998. Originally, Google was a search engine service, but since its inception, the company has expanded to create several web applications that encourage sharing of information. These applications include Gmail, Google Calendar, and Google Docs. On February 9, 2010, Google introduced its newest web application, Google Buzz.

Google Buzz

On February 9, 2010, Google introduced Buzz, a social networking service linked to Gmail, Google’s email service. There are currently over 37 million Gmail users in the United States. Google Buzz is an opt-out service that compiles a Gmail user’s social networking list based on address book and Gchat list contacts. When users checked their email through Gmail on February 9th, they were confronted with the following screen:

Google Buzz.png

Whether the user clicked on “Sweet! Check out Buzz” or “Nah, go to my inbox,” Google Buzz was activated, and a list of followers and “people who you follow” were already populated using frequent contacts. These lists were publicly viewable by other Gmail users, and if a user had a Google profile, this information was publicly indexed by search engines.

Google experienced a strong backlash from users who were unhappy that their Gmail address books were essentially published for all to see. Address book contacts routinely contain deeply personal information, including the names and email addresses of estranged spouses, current lovers, attorneys and doctors. In response to user outcry, Google made several changes to its Google Buzz service. Despite these changes, Google still compiled social networking lists based on address book contacts without first notifying users, and allowed such information to be publicly indexed by search engines without clearly notifying users.

Google users were still not satisfied, and on February 13, 2010, Google made additional changes to the Google Buzz service. Rather than using an auto-follow structure for the “people who you follow” list, Google now uses an auto-suggest model, where users can pre-screen who they follow. However, the auto-follow model is still in place for the “followers” list, or list of “people who follow you.” The burden remains on users to constantly check and block their followers.

EPIC's FTC Complaint

EPIC’s FTC complaint highlights several aspects of the Google Buzz service that threaten Gmail users’ privacy. The complaint focuses on the unfair and deceptive trade practices of Google with respect to Google’s transformation of an email service to a social networking service without offering Gmail users meaningful control over their information or opt-in consent. The complaint argues that Google’s change in business practices and service terms violated user privacy expectations, diminished user privacy, contradicted Google’s own privacy policy, and may have also violated federal wiretap laws.

EPIC’s complaint begins by stressing the importance of email privacy. While email senders and recipients always have an opportunity to disclose email-related information to third parties, email service providers have a particular responsibility to safeguard the personal information that subscribers provide. Improper disclosure of even a limited amount of subscriber information by an email service provider can be a violation of both state and federal law. As an email service provider, Google’s attempt to convert the personal information of all of its customers into a separate service raises far-reaching concerns for subscribers and implicates both consumer and personal privacy interests.

The complaint goes on to describe Google Buzz and Google’s disclosure of users’ email contacts. Gmail contact lists routinely include deeply personal information, including the names and email addresses of estranged spouses, current lovers, attorneys and doctors. The frequency with which a user communicates with a given contact is also deeply personal and demonstrates the closeness of the user’s relationship with that contact. The activation of Buzz disclosed not only portions of users’ contact lists, but more specifically disclosed the contacts with whom users communicate most often. The fact that the auto-following lists were composed of users’ most common Gmail contacts was widely known and publicized, as well as easily deduced by individual users. As such, anyone looking at a newly-activated Buzz user’s “following” list would know that the list indicated which people that user communicated with most often.

EPIC’s complaint analyzes the two rounds of changes to the Google Buzz service. After both changes, Google Buzz still populates the suggested social networking list of people a user follows based on frequent address book and chat contacts. Although the “welcome page” states that “[y]ou can find more people to follow later,” the contacts from a user’s address book and chat list make up a user’s initial “follow” list. Further, Google Buzz still allows people to automatically follow a user. The burden remains on the user to block those unwanted followers. The “welcome screen” still does not make clear that the user must create a profile that would be public and indexed by search engines. The screen only states, “The first time you post in Buzz you’ll create a profile which includes the list of people you follow—you can choose not to display this list if you’d like.” Finally, Google has not announced any changes to the pop-up screen that appears when a user initially posts on Google Buzz. Therefore, users are still unaware that showing the user’s connection means showing connections publicly to everyone, and having them publicly indexed by search engines.

FTC Authority to Act

The FTC's primary enforcement authority with regards to privacy is derived from 15 U.S.C. ยง 45, commonly known as section 5 of the Federal Trade Commission Act (FTCA). Section 5 of the FTCA allows the FTC to investigate "unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce." This law provides a legal basis for the FTC to regulate business activities that threaten consumer privacy.

FTC Proposed Agreement

    The FTC stated:
    Google Inc. has agreed to settle Federal Trade Commission charges that it used deceptive tactics and violated its own privacy promises to consumers when it launched its social network, Google Buzz, in 2010. The agency alleges the practices violate the FTC Act. The proposed settlement bars the company from future privacy misrepresentations, requires it to implement a comprehensive privacy program, and calls for regular, independent privacy audits for the next 20 years. This is the first time an FTC settlement order has required a company to implement a comprehensive privacy program to protect the privacy of consumers’ information. In addition, this is the first time the FTC has alleged violations of the substantive privacy requirements of the U.S.-EU Safe Harbor Framework, which provides a method for U.S. companies to transfer personal data lawfully from the European Union to the United States.
    The FTC further stated:
    According to the FTC complaint, Google launched its Buzz social network through its Gmail web-based email product. Although Google led Gmail users to believe that they could choose whether or not they wanted to join the network, the options for declining or leaving the social network were ineffective. For users who joined the Buzz network, the controls for limiting the sharing of their personal information were confusing and difficult to find, the agency alleged.
    In response to the Buzz launch, Google received thousands of complaints from consumers who were concerned about public disclosure of their email contacts which included, in some cases, ex-spouses, patients, students, employers, or competitors. According to the FTC complaint, Google made certain changes to the Buzz product in response to those complaints.
    Google’s data practices in connection with its launch of Google Buzz were the subject of a complaint filed with the FTC by the Electronic Privacy Information Center shortly after the service was launched.

FTC Documents

EPIC Filing

Response to Proposed FTC Settlement

News Stories and Blog Items