In re Google Buzz

Concerning the Privacy of Electronic Address Books

Top News

  • Following EPIC Complaint, FTC Acknowledges Review of Google Consent Order: The FTC confirmed this week that it is investigating Google's compliance with the 2011 consent order. EPIC sent a letter to the FTC last week urging the Commission to determine whether Google violated the consent order following a report that Google tracked user location even when users opt-out. EPIC explained that modifying the "privacy policy" after obtaining the location data from users would not comply with the FTC's consent order. In the response to EPIC, the agency said that FTC attorneys monitor compliance with the agency's consumer protection orders and "the Google order is undergoing just such a review." The 2011 settlement with Google followed a detailed complaint brought by EPIC and a coalition of consumer organizations. The groups charged that Google had engaged in unfair and deceptive trade practices when it changed the privacy settings of Gmail users and opted them into Google Buzz. The FTC agreed with the consumer groups, Google entered into a settlement, and Buzz was shuttered. FTC chairman John Liebowitz said at the time, "When companies make privacy pledges, they need to honor them. This is a tough settlement that ensures that Google will honor its commitments to consumers and build strong privacy protections into all of its operations." (Aug. 22, 2018)
  • EPIC to FTC: Google's Location Tracking Violates Consent Order: Following a report that Google tracks user location even when users opt-out, EPIC wrote to the FTC that Google violated the 2011 consent order. EPIC said "Google's subsequent changes to its policy, after it has already obtained location data on Internet users, fails to comply with the 2011 order." EPIC also told the FTC that "The Commission's inactions have made the Internet less safe and less secure for users and consumers." The 2011 settlement with Google followed a detailed complaint brought by EPIC and a coalition of consumer organizations. The groups charged that Google had engaged in unfair and deceptive trade practices when it changed the privacy settings of Gmail users and opted them into Google Buzz. The FTC agreed with the consumer groups, Google entered into a settlement and Buzz was shuttered. FTC chairman John Liebowitz said at the time, "When companies make privacy pledges, they need to honor them. This is a tough settlement that ensures that Google will honor its commitments to consumers and build strong privacy protections into all of its operations." (Aug. 17, 2018)
  • US Consumer Groups Urge FTC To Examine 'Deceived by Design' Practices: EPIC and a coalition of consumer organizations sent a letter to the FTC about recent tactics by Facebook and Google to trick users into disclosing personal data. "We urge you to investigate the misleading and manipulative tactics of the dominant digital platforms in the United States, which steer users to 'consent' to privacy-invasive default settings," the letter states. The letter highlights a report by the Norwegian Consumer Council entitled "Deceived by Design," which details how companies employ numerous tricks and tactics to nudge users into selecting the least privacy-friendly options. EPIC and consumer privacy organizations previously filed complaints with the FTC when Facebook undermined users' privacy settings and Google automatically opted users into Google Buzz. In both cases, the FTC determined that the companies had engaged in "unfair and deceptive trade practices." Both Facebook and Google settled with the FTC and were then subject to 20 year consent orders that were intended to prevent the companies from engaging in similar practices in the future. (Jun. 27, 2018)
  • Apple Will Bolster Encryption Of Devices, Prevent Apps From Selling Contact Lists: Apple announced two measures to strengthen the privacy and security of its devices: it will close a loophole that allowed law enforcement to access devices and it will prevent apps from secretly selling contact lists. In 2016, Apple refused a demand by the FBI to build backdoor access to iPhones to allow the FBI to unlock the phone of a criminal suspect. The FBI sued Apple, and EPIC filed an amicus brief in support of Apple, arguing that the FBI's demand "places at risk millions of cell phone users across the United States." The FBI eventually dropped the case. In a privacy complaint to the FTC, EPIC also opposed Google's plan to launch "Buzz," a social networking service, with private address book information. Google later backed off the plan and shuttered Buzz. In 2015, EPIC gave the Champion of Freedom Award to Apple CEO, Tim Cook, for his work protecting privacy and promoting encryption. (Jun. 14, 2018)
  • EPIC Renews Call for FTC to Stop Google's Tracking of Consumer Purchases: EPIC has urged the Federal Trade Commission to act on a Complaint EPIC previously filed with the Commission concerning Google's tracking of consumer purchases. EPIC told the FTC that "this tracking of consumer purchases is without precedent and also raises questions as to what else Google does with the consumer data it obtains." EPIC originally filed the Complaint with the FTC on July 31, 2017. The Complaint alleges that Google collects billions of credit and debit card transactions and links that data to the activities of Internet users. Google claims to protect privacy but refuses to provide any details about a secret algorithm it uses, making it impossible for consumers to verify that their privacy is protected. EPIC has filed numerous complaints with the FTC, including the complaints that led to the FTC's 2011 Google Buzz Order and the 2011 Facebook Order. The FTC recently welcomed a new Chairman and three new Commissioners. (May. 7, 2018)
  • EPIC Offers Recommendations for Future of FTC Ahead of Senate Hearing on Nominees: In advance of a Senate hearing on four nominees to the Federal Trade Commission, EPIC recommended 10 steps for the FTC to safeguard American consumers. EPIC explained that the FTC's failure to address the data protection crisis has contributed to unprecedented levels of data breach and identity theft in the United States. EPIC helped establish the FTC's authority for consumer privacy and has urged the FTC to safeguard American consumers in cases involving Microsoft, Google, Facebook, Uber, Samsung and others. EPIC also filed a lawsuit against the FTC when it failed to enforce a consent order against Google. (Feb. 13, 2018)
  • EPIC Offers 10 Recommendations for the FTC's Five-Year Strategic Plan: EPIC has submitted 10 recommendations for the Federal Trade Commission's "Draft Strategic Plan" for 2018-2022. EPIC explained how the FTC can protect consumers, promote competition, and encourage innovation. Among the several proposals, EPIC urged the FTC to enforce consent orders, incorporate public comments into settlements, promote transparency, produce concrete outcomes, and endorse data protection legislation. EPIC and several consumer privacy groups outlined these proposals in a letter to the FTC in February, 2017. EPIC has consistently urged the FTC to exercise its full authority in protecting consumers, and even filed a lawsuit in 2012 to get the FTC to enforce an existing consent order against Google. EPIC has also filed several consumer privacy complaints with the FTC, including a recent complaint about "toys that spy." (Dec. 5, 2017)
  • EPIC Challenges Google Cookie Tracking Settlement as Unfair to Class Members: EPIC filed an amicus with a federal appeals court urging the court to reject a proposed class action settlement in a consumer privacy case. The case involved Google tracking internet users in violation of the users' privacy settings. EPIC said the settlement resulted in no change in business practices and wrongly awarded cy pres funds to organizations that Google would otherwise support. The settlement was also opposed by the Attorneys General of thirteen states. EPIC, the Center for Digital Democracy, and US PIRG were the groups that warned the FTC in 2007 that the Google-DoubleClick merger would lead to the internet tracking practices at issue in the settlement. EPIC's 2010 FTC complaint regarding Google Buzz also led to the FTC's Consent Order with Google that enabled the Commission to pursue related charges against Google. EPIC has proposed an objective basis for courts to make determinations in consumer privacy cases that protect the interests of class members and avoid the risk of collusion between the parties in settlement. (Nov. 22, 2017)
  • EPIC Calls for Greater FTC Enforcement: In advance of a Senate Commerce hearing on consumer privacy, EPIC called for more action by the Federal Trade Commission to protect American consumers. In a statement for the Committee, EPIC said that "the FTC is simply not doing enough to safeguard the personal data of American consumers." EPIC explained that "the FTC's privacy framework - based largely on 'notice and choice' - is simply not working." EPIC also warned that consumers "face unprecedented threats of identity theft, financial fraud, and security breach." EPIC has fought for consumer privacy rights at the FTC for more than two decades, filing landmark complaints about privacy violations by Uber, Microsoft, Facebook, Google, and even suing the Commission when it has failed to enforce its own orders. (Sep. 28, 2017)
  • EPIC Files FTC Complaint to Stop Google from Tracking In-Store Purchases: EPIC has filed a complaint with the FTC asking the Commission to investigate Google's tracking of in-store purchases. According to EPIC, Google collects billions of credit and debit card transactions and then links that personal data to the activities of Internet users. Google claims that it protects online privacy but refuses to reveal details of the algorithm that "deidentifies" consumers while tracking their purchases. EPIC's complaint asks the FTC to stop Google's tracking of in-store purchases and determine whether Google adequately protects consumer privacy. EPIC has filed several successful FTC complaints that led to FTC investigations, including complaints about changes to Facebook's privacy preferences and the launch of Google Buzz. EPIC has also focused on the adequacy of privacy techniques, with complaints against AskEraser (search histories that are not deleted) and Snapchat (images that do not "vanish"). EPIC's recent complaint against Google notes that the company is seeking to extend its dominance of online advertising to the physical world. (Jul. 31, 2017)

EPIC's Complaint in the News

Background

Google

Google is a company created by Larry Page and Sergey Brin in 1998. Originally, Google was a search engine service, but since its inception, the company has expanded to create several web applications that encourage sharing of information. These applications include Gmail, Google Calendar, and Google Docs. On February 9, 2010, Google introduced its newest web application, Google Buzz.

Google Buzz

On February 9, 2010, Google introduced Buzz, a social networking service linked to Gmail, Google’s email service. There are currently over 37 million Gmail users in the United States. Google Buzz is an opt-out service that compiles a Gmail user’s social networking list based on address book and Gchat list contacts. When users checked their email through Gmail on February 9th, they were confronted with the following screen:

Google Buzz.png

Whether the user clicked on “Sweet! Check out Buzz” or “Nah, go to my inbox,” Google Buzz was activated, and a list of followers and “people who you follow” were already populated using frequent contacts. These lists were publicly viewable by other Gmail users, and if a user had a Google profile, this information was publicly indexed by search engines.

Google experienced a strong backlash from users who were unhappy that their Gmail address books were essentially published for all to see. Address book contacts routinely contain deeply personal information, including the names and email addresses of estranged spouses, current lovers, attorneys and doctors. In response to user outcry, Google made several changes to its Google Buzz service. Despite these changes, Google still compiled social networking lists based on address book contacts without first notifying users, and allowed such information to be publicly indexed by search engines without clearly notifying users.

Google users were still not satisfied, and on February 13, 2010, Google made additional changes to the Google Buzz service. Rather than using an auto-follow structure for the “people who you follow” list, Google now uses an auto-suggest model, where users can pre-screen who they follow. However, the auto-follow model is still in place for the “followers” list, or list of “people who follow you.” The burden remains on users to constantly check and block their followers.

EPIC's FTC Complaint

EPIC’s FTC complaint highlights several aspects of the Google Buzz service that threaten Gmail users’ privacy. The complaint focuses on the unfair and deceptive trade practices of Google with respect to Google’s transformation of an email service to a social networking service without offering Gmail users meaningful control over their information or opt-in consent. The complaint argues that Google’s change in business practices and service terms violated user privacy expectations, diminished user privacy, contradicted Google’s own privacy policy, and may have also violated federal wiretap laws.

EPIC’s complaint begins by stressing the importance of email privacy. While email senders and recipients always have an opportunity to disclose email-related information to third parties, email service providers have a particular responsibility to safeguard the personal information that subscribers provide. Improper disclosure of even a limited amount of subscriber information by an email service provider can be a violation of both state and federal law. As an email service provider, Google’s attempt to convert the personal information of all of its customers into a separate service raises far-reaching concerns for subscribers and implicates both consumer and personal privacy interests.

The complaint goes on to describe Google Buzz and Google’s disclosure of users’ email contacts. Gmail contact lists routinely include deeply personal information, including the names and email addresses of estranged spouses, current lovers, attorneys and doctors. The frequency with which a user communicates with a given contact is also deeply personal and demonstrates the closeness of the user’s relationship with that contact. The activation of Buzz disclosed not only portions of users’ contact lists, but more specifically disclosed the contacts with whom users communicate most often. The fact that the auto-following lists were composed of users’ most common Gmail contacts was widely known and publicized, as well as easily deduced by individual users. As such, anyone looking at a newly-activated Buzz user’s “following” list would know that the list indicated which people that user communicated with most often.

EPIC’s complaint analyzes the two rounds of changes to the Google Buzz service. After both changes, Google Buzz still populates the suggested social networking list of people a user follows based on frequent address book and chat contacts. Although the “welcome page” states that “[y]ou can find more people to follow later,” the contacts from a user’s address book and chat list make up a user’s initial “follow” list. Further, Google Buzz still allows people to automatically follow a user. The burden remains on the user to block those unwanted followers. The “welcome screen” still does not make clear that the user must create a profile that would be public and indexed by search engines. The screen only states, “The first time you post in Buzz you’ll create a profile which includes the list of people you follow—you can choose not to display this list if you’d like.” Finally, Google has not announced any changes to the pop-up screen that appears when a user initially posts on Google Buzz. Therefore, users are still unaware that showing the user’s connection means showing connections publicly to everyone, and having them publicly indexed by search engines.

FTC Authority to Act

The FTC's primary enforcement authority with regards to privacy is derived from 15 U.S.C. ยง 45, commonly known as section 5 of the Federal Trade Commission Act (FTCA). Section 5 of the FTCA allows the FTC to investigate "unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce." This law provides a legal basis for the FTC to regulate business activities that threaten consumer privacy.

FTC Proposed Agreement

    The FTC stated:
    Google Inc. has agreed to settle Federal Trade Commission charges that it used deceptive tactics and violated its own privacy promises to consumers when it launched its social network, Google Buzz, in 2010. The agency alleges the practices violate the FTC Act. The proposed settlement bars the company from future privacy misrepresentations, requires it to implement a comprehensive privacy program, and calls for regular, independent privacy audits for the next 20 years. This is the first time an FTC settlement order has required a company to implement a comprehensive privacy program to protect the privacy of consumers’ information. In addition, this is the first time the FTC has alleged violations of the substantive privacy requirements of the U.S.-EU Safe Harbor Framework, which provides a method for U.S. companies to transfer personal data lawfully from the European Union to the United States.
    The FTC further stated:
    According to the FTC complaint, Google launched its Buzz social network through its Gmail web-based email product. Although Google led Gmail users to believe that they could choose whether or not they wanted to join the network, the options for declining or leaving the social network were ineffective. For users who joined the Buzz network, the controls for limiting the sharing of their personal information were confusing and difficult to find, the agency alleged.
    In response to the Buzz launch, Google received thousands of complaints from consumers who were concerned about public disclosure of their email contacts which included, in some cases, ex-spouses, patients, students, employers, or competitors. According to the FTC complaint, Google made certain changes to the Buzz product in response to those complaints.
    Google’s data practices in connection with its launch of Google Buzz were the subject of a complaint filed with the FTC by the Electronic Privacy Information Center shortly after the service was launched.

FTC Documents

EPIC Filing

Response to Proposed FTC Settlement

News Stories and Blog Items

Share this page:

Support EPIC

EPIC relies on support from individual donors to pursue our work.

Defend Privacy. Support EPIC.