In re Google Buzz
Concerning the Privacy of Electronic Address Books
- Apple Will Bolster Encryption Of Devices, Prevent Apps From Selling Contact Lists: Apple announced two measures to strengthen the privacy and security of its devices: it will close a loophole that allowed law enforcement to access devices and it will prevent apps from secretly selling contact lists. In 2016, Apple refused a demand by the FBI to build backdoor access to iPhones to allow the FBI to unlock the phone of a criminal suspect. The FBI sued Apple, and EPIC filed an amicus brief in support of Apple, arguing that the FBI's demand "places at risk millions of cell phone users across the United States." The FBI eventually dropped the case. In a privacy complaint to the FTC, EPIC also opposed Google's plan to launch "Buzz," a social networking service, with private address book information. Google later backed off the plan and shuttered Buzz. In 2015, EPIC gave the Champion of Freedom Award to Apple CEO, Tim Cook, for his work protecting privacy and promoting encryption. (Jun. 14, 2018)
- EPIC Renews Call for FTC to Stop Google's Tracking of Consumer Purchases: EPIC has urged the Federal Trade Commission to act on a Complaint EPIC previously filed with the Commission concerning Google's tracking of consumer purchases. EPIC told the FTC that "this tracking of consumer purchases is without precedent and also raises questions as to what else Google does with the consumer data it obtains." EPIC originally filed the Complaint with the FTC on July 31, 2017. The Complaint alleges that Google collects billions of credit and debit card transactions and links that data to the activities of Internet users. Google claims to protect privacy but refuses to provide any details about a secret algorithm it uses, making it impossible for consumers to verify that their privacy is protected. EPIC has filed numerous complaints with the FTC, including the complaints that led to the FTC's 2011 Google Buzz Order and the 2011 Facebook Order. The FTC recently welcomed a new Chairman and three new Commissioners. (May. 7, 2018)
- EPIC Offers Recommendations for Future of FTC Ahead of Senate Hearing on Nominees: In advance of a Senate hearing on four nominees to the Federal Trade Commission, EPIC recommended 10 steps for the FTC to safeguard American consumers. EPIC explained that the FTC's failure to address the data protection crisis has contributed to unprecedented levels of data breach and identity theft in the United States. EPIC helped establish the FTC's authority for consumer privacy and has urged the FTC to safeguard American consumers in cases involving Microsoft, Google, Facebook, Uber, Samsung and others. EPIC also filed a lawsuit against the FTC when it failed to enforce a consent order against Google. (Feb. 13, 2018)
- EPIC Offers 10 Recommendations for the FTC's Five-Year Strategic Plan: EPIC has submitted 10 recommendations for the Federal Trade Commission's "Draft Strategic Plan" for 2018-2022. EPIC explained how the FTC can protect consumers, promote competition, and encourage innovation. Among the several proposals, EPIC urged the FTC to enforce consent orders, incorporate public comments into settlements, promote transparency, produce concrete outcomes, and endorse data protection legislation. EPIC and several consumer privacy groups outlined these proposals in a letter to the FTC in February, 2017. EPIC has consistently urged the FTC to exercise its full authority in protecting consumers, and even filed a lawsuit in 2012 to get the FTC to enforce an existing consent order against Google. EPIC has also filed several consumer privacy complaints with the FTC, including a recent complaint about "toys that spy." (Dec. 5, 2017)
- EPIC Challenges Google Cookie Tracking Settlement as Unfair to Class Members: EPIC filed an amicus with a federal appeals court urging the court to reject a proposed class action settlement in a consumer privacy case. The case involved Google tracking internet users in violation of the users' privacy settings. EPIC said the settlement resulted in no change in business practices and wrongly awarded cy pres funds to organizations that Google would otherwise support. The settlement was also opposed by the Attorneys General of thirteen states. EPIC, the Center for Digital Democracy, and US PIRG were the groups that warned the FTC in 2007 that the Google-DoubleClick merger would lead to the internet tracking practices at issue in the settlement. EPIC's 2010 FTC complaint regarding Google Buzz also led to the FTC's Consent Order with Google that enabled the Commission to pursue related charges against Google. EPIC has proposed an objective basis for courts to make determinations in consumer privacy cases that protect the interests of class members and avoid the risk of collusion between the parties in settlement. (Nov. 22, 2017)
- EPIC Calls for Greater FTC Enforcement: In advance of a Senate Commerce hearing on consumer privacy, EPIC called for more action by the Federal Trade Commission to protect American consumers. In a statement for the Committee, EPIC said that "the FTC is simply not doing enough to safeguard the personal data of American consumers." EPIC explained that "the FTC's privacy framework - based largely on 'notice and choice' - is simply not working." EPIC also warned that consumers "face unprecedented threats of identity theft, financial fraud, and security breach." EPIC has fought for consumer privacy rights at the FTC for more than two decades, filing landmark complaints about privacy violations by Uber, Microsoft, Facebook, Google, and even suing the Commission when it has failed to enforce its own orders. (Sep. 28, 2017)
- EPIC Files FTC Complaint to Stop Google from Tracking In-Store Purchases: EPIC has filed a complaint with the FTC asking the Commission to investigate Google's tracking of in-store purchases. According to EPIC, Google collects billions of credit and debit card transactions and then links that personal data to the activities of Internet users. Google claims that it protects online privacy but refuses to reveal details of the algorithm that "deidentifies" consumers while tracking their purchases. EPIC's complaint asks the FTC to stop Google's tracking of in-store purchases and determine whether Google adequately protects consumer privacy. EPIC has filed several successful FTC complaints that led to FTC investigations, including complaints about changes to Facebook's privacy preferences and the launch of Google Buzz. EPIC has also focused on the adequacy of privacy techniques, with complaints against AskEraser (search histories that are not deleted) and Snapchat (images that do not "vanish"). EPIC's recent complaint against Google notes that the company is seeking to extend its dominance of online advertising to the physical world. (Jul. 31, 2017)
- Rep. Blackburn Proposes Online Privacy Bill, Would Preempt Stronger State Protections: Rep. Marsha Blackburn (R-TN) has introduced the The Browser Act, H.R. 2520, aimed at protecting online privacy. The Browser Act would apply to Internet ISPs as well as Internet companies, such, as Google and Facebook, and would generally require "opt-in" consent before sensitive information could be collected or disclosed. However, the bill lacks a private right of action or a remedy for violations. The bill gives enforcement authority to the FTC which has mostly failed to protect consumers online privacy. The bill lacks data breach notification, and would overwrite stronger state privacy laws that protect consumers. In comments to the FCC and elsewhere, EPIC has set out a comprehensive framework for online privacy. (May. 19, 2017)
- EPIC, Coalition Recommend 10 Steps for the FTC to Protect Consumers in 2017: EPIC and a coalition of consumer groups sent a letter to the Federal Trade Commission recommending 10 steps the agency should take to protect consumers and promote competition in 2017. "American consumers today are at great risk of identity theft, financial fraud, and data breaches," the coalition wrote, arguing that "proactive efforts to strengthen data protection will spur innovation and support business models that are sustainable over time." The letter asks the FTC to increase its enforcement efforts, promote transparency, and pursue actions based on unfairness instead of relying on "notice and choice." EPIC has consistently urged the FTC to exercise its full authority in protecting consumers. EPIC has also filed numerous consumer privacy complaints with the FTC, including a recent complaint about "toys that spy." (Feb. 16, 2017)
- EPIC to FTC: Google's April Fool's Disaster Likely Violates Consent Order : Google's April Fool's joke — a change in the operation of Gmail without user consent — has backfired, spectacularly. Many Gmail users inadvertently enabled the "Mic Drop" button on important emails, allowing Google to insert a GIF into their reply and then irreversibly mute the conversation. Users were outraged and Google reversed the change. EPIC informed the FTC that Google's prank also likely violates the FTC's 2011 consent order with the company following the rollout of Google Buzz. EPIC has repeatedly urged the FTC to enforce this consent order against Google, which requires the company to obtain "express affirmative consent" before changing its business practices. (Apr. 1, 2016)
- Warwick Ashford, Buzz Gets its Inevitable EPIC FTC Complaint, Gizmodo (February 17, 2010).
- Sam Diaz, Google Buzz: Privacy Concerns Grab Gov't Attention, Hint at Desperation, ZDNet (February 17, 2010).
- Scott Fulton III, Canada Curious about Google Buzz, EPIC Accuses Google of Deception, Beta News (February 17, 2010).
- Mark Hefflinger, Privacy Group EPIC Asks FTC to Compel Google Buzz Changes, Digital Media Wire (February 17, 2010).
- Cecilia Kang, Privacy Advocates File FTC Complaint on Google Buzz, The Washington Post: Post Tech Blog (February 17, 2010).
- Kimberly Kimbrough, Privacy Group Files a Complaint Against Google's Buzz Service, Examiner (February 17, 2010).
- Ryan Paul, EPIC Fail: Google Faces FTC Complaint over Buzz Privacy, Ars Technica (February 17, 2010).
- Dan Raywood, Google Buzz is Set Back Again after it is Hit by a Complaint from the Electronic Privacy Information Centre, SC Magazine (February 17, 2010).
- Kara Reeder, EPIC Hits Google Buzz with Privacy Complaint, IT Business Edge (February 17, 2010).
- Stephen Shankland, Privacy Group Files Buzz Complaint with FTC, CNET News (February 17, 2010).
- Maggie Shiels, Google Buzz 'Breaks' Privacy Laws Says Watchdog, BBC News (February 17, 2010).
- Ryan Singel, EPIC: Google May have Broken Wiretap Law, MSNBC (February 17, 2010).
- Joelle Tessler, Privacy Group Files FTC Complaint on Google Buzz, The Washington Post (February 17, 2010).
- Amy Tierney, Watch Dog Group Stung by Google Buzz; Files FTC Complaint, TCMnet (February 17, 2010).
- Byron Acohido, How Google Buzz Lowers the Bar for Privacy, Security, The Last WatchDog on Internet Security (February 16, 2010).
- Thomas Claburn, Google Sorry about Buzz Privacy, InformationWeek (February 16, 2010).
- Wendy Davis, EPIC Files Privacy Complaint against Google Buzz, PC World (February 16, 2010).
- Sam Gustin, Privacy Group Files Complaint with Feds over Google's Social Network, Daily Finance (February 16, 2010).
- Jessica Guynn, Magid on Tech: Legal Noise over Google Buzz, Palo Alto Daily News (February 16, 2010).
- John Paczkowski, Google Buzz Hit with FTC Complaint by Privacy Group, eWeek (February 16, 2010).
- Privacy Group Files FTC Complaint on Google Buzz, ABC 7 News (February 16, 2010).
Google is a company created by Larry Page and Sergey Brin in 1998. Originally, Google was a search engine service, but since its inception, the company has expanded to create several web applications that encourage sharing of information. These applications include Gmail, Google Calendar, and Google Docs. On February 9, 2010, Google introduced its newest web application, Google Buzz.
On February 9, 2010, Google introduced Buzz, a social networking service linked to Gmail, Google’s email service. There are currently over 37 million Gmail users in the United States. Google Buzz is an opt-out service that compiles a Gmail user’s social networking list based on address book and Gchat list contacts. When users checked their email through Gmail on February 9th, they were confronted with the following screen:
Whether the user clicked on “Sweet! Check out Buzz” or “Nah, go to my inbox,” Google Buzz was activated, and a list of followers and “people who you follow” were already populated using frequent contacts. These lists were publicly viewable by other Gmail users, and if a user had a Google profile, this information was publicly indexed by search engines.
Google experienced a strong backlash from users who were unhappy that their Gmail address books were essentially published for all to see. Address book contacts routinely contain deeply personal information, including the names and email addresses of estranged spouses, current lovers, attorneys and doctors. In response to user outcry, Google made several changes to its Google Buzz service. Despite these changes, Google still compiled social networking lists based on address book contacts without first notifying users, and allowed such information to be publicly indexed by search engines without clearly notifying users.
Google users were still not satisfied, and on February 13, 2010, Google made additional changes to the Google Buzz service. Rather than using an auto-follow structure for the “people who you follow” list, Google now uses an auto-suggest model, where users can pre-screen who they follow. However, the auto-follow model is still in place for the “followers” list, or list of “people who follow you.” The burden remains on users to constantly check and block their followers.
EPIC’s complaint begins by stressing the importance of email privacy. While email senders and recipients always have an opportunity to disclose email-related information to third parties, email service providers have a particular responsibility to safeguard the personal information that subscribers provide. Improper disclosure of even a limited amount of subscriber information by an email service provider can be a violation of both state and federal law. As an email service provider, Google’s attempt to convert the personal information of all of its customers into a separate service raises far-reaching concerns for subscribers and implicates both consumer and personal privacy interests.
The complaint goes on to describe Google Buzz and Google’s disclosure of users’ email contacts. Gmail contact lists routinely include deeply personal information, including the names and email addresses of estranged spouses, current lovers, attorneys and doctors. The frequency with which a user communicates with a given contact is also deeply personal and demonstrates the closeness of the user’s relationship with that contact. The activation of Buzz disclosed not only portions of users’ contact lists, but more specifically disclosed the contacts with whom users communicate most often. The fact that the auto-following lists were composed of users’ most common Gmail contacts was widely known and publicized, as well as easily deduced by individual users. As such, anyone looking at a newly-activated Buzz user’s “following” list would know that the list indicated which people that user communicated with most often.
EPIC’s complaint analyzes the two rounds of changes to the Google Buzz service. After both changes, Google Buzz still populates the suggested social networking list of people a user follows based on frequent address book and chat contacts. Although the “welcome page” states that “[y]ou can find more people to follow later,” the contacts from a user’s address book and chat list make up a user’s initial “follow” list. Further, Google Buzz still allows people to automatically follow a user. The burden remains on the user to block those unwanted followers. The “welcome screen” still does not make clear that the user must create a profile that would be public and indexed by search engines. The screen only states, “The first time you post in Buzz you’ll create a profile which includes the list of people you follow—you can choose not to display this list if you’d like.” Finally, Google has not announced any changes to the pop-up screen that appears when a user initially posts on Google Buzz. Therefore, users are still unaware that showing the user’s connection means showing connections publicly to everyone, and having them publicly indexed by search engines.
The FTC's primary enforcement authority with regards to privacy is derived from 15 U.S.C. § 45, commonly known as section 5 of the Federal Trade Commission Act (FTCA). Section 5 of the FTCA allows the FTC to investigate "unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce." This law provides a legal basis for the FTC to regulate business activities that threaten consumer privacy.
The FTC stated:
Google Inc. has agreed to settle Federal Trade Commission charges that it used deceptive tactics and violated its own privacy promises to consumers when it launched its social network, Google Buzz, in 2010. The agency alleges the practices violate the FTC Act. The proposed settlement bars the company from future privacy misrepresentations, requires it to implement a comprehensive privacy program, and calls for regular, independent privacy audits for the next 20 years. This is the first time an FTC settlement order has required a company to implement a comprehensive privacy program to protect the privacy of consumers’ information. In addition, this is the first time the FTC has alleged violations of the substantive privacy requirements of the U.S.-EU Safe Harbor Framework, which provides a method for U.S. companies to transfer personal data lawfully from the European Union to the United States.The FTC further stated:
According to the FTC complaint, Google launched its Buzz social network through its Gmail web-based email product. Although Google led Gmail users to believe that they could choose whether or not they wanted to join the network, the options for declining or leaving the social network were ineffective. For users who joined the Buzz network, the controls for limiting the sharing of their personal information were confusing and difficult to find, the agency alleged.
In response to the Buzz launch, Google received thousands of complaints from consumers who were concerned about public disclosure of their email contacts which included, in some cases, ex-spouses, patients, students, employers, or competitors. According to the FTC complaint, Google made certain changes to the Buzz product in response to those complaints.
Google’s data practices in connection with its launch of Google Buzz were the subject of a complaint filed with the FTC by the Electronic Privacy Information Center shortly after the service was launched.
- Agreement Containing Consent Order
- Complaint; Exhibits A-D
- Concurring Statement of Commissioner J. Thomas Rosch
- Letter from FTC's David Vladeck regarding EPIC's Google Buzz Complaint
- EPIC's Amended Complaint in In re Google Buzz
- EPIC's FTC Complaint in In re Google Buzz (Feb. 16, 2010)
- EPIC's FTC Complaint regarding Cloud Computing in In re Google (Mar. 17, 2009)
- Dave Navetta, FTC Privacy Enforcement and the Google Buzz Settlement, InfoSec Island, April 13, 2011.
- Mike Zapler, Signs Point to Broader Probe of Google, Politico, April 5, 2011.
- Jill R. Aitoro, Google-FTC Settlement: Bad Precedent?, Washington Business Journal, April 5, 2011.
- E.B. Boyd, What the Google Buzz-FTC Settlement Means for the "Apology Approach" to Innovation , Fast Company, April 4, 2011.
- Tony Romm, Gauntlet thrown down in Google Buzz settlement, Politico, March 31, 2011.
- Claire Cain MillerGoogle Introduces New Social Tool and Settles Privacy Charge, New York Times, March 30, 2011.
- Matt Rosoff, Google Will Face Privacy Audits For The Next 20 Long Years (GOOG), San Francisco Chronicle, March 30, 2011.
- Matt Peckham, Google, FTC Bury the Axe Over Google Buzz, Time, March 30, 2011.
- Rob Pegoraro, FTC’s lesson for Google: defaults, design matter, Washington Post Blog, March 30, 2011.
- Nathan Koppel, Google Stung By Its Own Buzz, The Wall Street Journal Blog, March 30, 2011.
- Benjamin Pimentel, Google settles with FTC, unveils new social tool, The Wall Street Journal, March 30, 2011.
- Sara Forden, Google Settles Data Privacy Complaint With FTC on ‘Buzz’ Social Network, Bloomberg, March 30, 2011.
- Declan McCullagh, Google settles FTC charges over Buzz, CNET News, March 30, 2011.
- Martin J. Young, Partnership Buzz, Asia Times (February 27, 2010).
- Jessica Guynn, Google Buzz poses a major privacy risk for kids, analyst (and parent) says, LA Times (February 22, 2010).
- David Mattison, Google Gets Stung by its Own Buzz, Information Today (February 22, 2010).
- James Temple, Privacy, complexity seen as Google blind spots, San Francisco Chronicle (February 21, 2010).
- Doug Hanchard, EPIC explains their FTC complaint about Buzz, ZDNet (February 20, 2010).
- Jeff Cormier, Google Buzz lawsuit and privacy problems persist, Examiner.com (February 20, 2010).
- Ian Paul, Control Google Buzz Overload, PC World (February 19, 2010).
- James Temple, Local Class Action Complaint Filed over Google Buzz, San Francisco Chronicle (February 17, 2010).
- Katherine Boehret, Google Buzz Isn't Exactly Humming Along, Wall Street Journal (February 16, 2010).
- David Coursey, Google Apologizes for Buzz Privacy Issues, PC World (February 15, 2010).
- Laurie Sullivan, Google Revisits Privacy Controls on Buzz, Again, MediaPost (February 15, 2010).
- Ben Parr, Google Changes Buzz Privacy Settings, CNET News (February 14, 2010).
- Miguel Helft, Google Alters Buzz to Tackle Privacy Flaws, N.Y. Times Bits (February 13, 2010).
- Jason Kinkaid, Google Buzz Abandons Auto-following Amid Privacy Concerns,,
- Harry McCracken, Google Buzz's Privacy Problem: A Simple Solution, PC World (February 13, 2010).
- Jessica E. Vascellaro, Google to Revamp Buzz Amid Privacy Concerns, Wall Street Journal (February 13, 2010).
- Jackson West, Google Buzz Privacy Concerns Hit Home, NBC News (February 13, 2010).
- Charles Arthur, Google Buzz's Open Approach Leads to Stalking Threat, Guardian (February 12, 2010).
- F*ck You Google, Gizmodo (February 12, 2010).
- Tom Krazit, More Google Buzz Tweaks, Separate Version Coming?, CNET News (February 12, 2010).
- Jared Newman, Google Buzz's Privacy Tweaks: Good Start, Not Enough, Network World (February 12, 2010).
- Shane Richmond, Google Buzz Tweaked after User Concerns, Telegraph (February 12, 2010).
- Larry Seltzer, Google Buzz Privacy Concerns are Overblown, PC Mag (February 12, 2010).
- Laurie Sullivan, Google Buzz Publicly Airs Privacy Confusion, MediaPost (February 12, 2010).
- Richard Waters, Google Seeks to Quell Buzz Privacy Outcry, Financial Times (February 12, 2010).
- Robin Wauters, Google Buzz Privacy Issues have Real Life Implications, TechCrunch (February 12, 2010).
- Don Cruise, Lawyers (or journalists) with Gmail Accounts: Careful with the Google Buzz, The Supreme Court of Texas Blog (February 11, 2010).
- Jessica Dolcourt, Buzz Off: Disabling Google Buzz, CNET News (February 11, 2010).
- Andrew Hickey, 3 Google Buzz Privacy Concerns, Channel Web (February 11, 2010).
- Evgeny Morozov, Wrong Kind of Buzz around Google Buzz, Foreign Policy Blog (February 11, 2010).
- Kevin Purdy, Google Updates, Explains Buzz Privacy Setup, Lifehacker (February 11, 2010).
- Bradford Schmidt, Google Buzz Privacy Fears Overstated, Technorati (February 11, 2010).
- Berin Szoka, Google Buzz is No "Privacy Nightmare" (Unless You're a Privacy Paternalist), The Technology Liberation Front (February 11, 2010).
- Nicholas Carlson, WARNING: Google Buzz Has a Huge Privacy Flaw, Silicon Alley Insider (February 10, 2010).
- Molly Wood, Google Buzz: Privacy Nightmare, CNET News (February 10, 2010).