In re Google Buzz
Concerning the Privacy of Electronic Address Books
- EPIC Files FTC Complaint to Stop Google from Tracking In-Store Purchases: EPIC has filed a complaint with the FTC asking the Commission to investigate Google's tracking of in-store purchases. According to EPIC, Google collects billions of credit and debit card transactions and then links that personal data to the activities of Internet users. Google claims that it protects online privacy but refuses to reveal details of the algorithm that "deidentifies" consumers while tracking their purchases. EPIC's complaint asks the FTC to stop Google's tracking of in-store purchases and determine whether Google adequately protects consumer privacy. EPIC has filed several successful FTC complaints that led to FTC investigations, including complaints about changes to Facebook's privacy preferences and the launch of Google Buzz. EPIC has also focused on the adequacy of privacy techniques, with complaints against AskEraser (search histories that are not deleted) and Snapchat (images that do not "vanish"). EPIC's recent complaint against Google notes that the company is seeking to extend its dominance of online advertising to the physical world. (Jul. 31, 2017)
- Rep. Blackburn Proposes Online Privacy Bill, Would Preempt Stronger State Protections: Rep. Marsha Blackburn (R-TN) has introduced the The Browser Act, H.R. 2520, aimed at protecting online privacy. The Browser Act would apply to Internet ISPs as well as Internet companies, such, as Google and Facebook, and would generally require "opt-in" consent before sensitive information could be collected or disclosed. However, the bill lacks a private right of action or a remedy for violations. The bill gives enforcement authority to the FTC which has mostly failed to protect consumers online privacy. The bill lacks data breach notification, and would overwrite stronger state privacy laws that protect consumers. In comments to the FCC and elsewhere, EPIC has set out a comprehensive framework for online privacy. (May. 19, 2017)
- EPIC, Coalition Recommend 10 Steps for the FTC to Protect Consumers in 2017: EPIC and a coalition of consumer groups sent a letter to the Federal Trade Commission recommending 10 steps the agency should take to protect consumers and promote competition in 2017. "American consumers today are at great risk of identity theft, financial fraud, and data breaches," the coalition wrote, arguing that "proactive efforts to strengthen data protection will spur innovation and support business models that are sustainable over time." The letter asks the FTC to increase its enforcement efforts, promote transparency, and pursue actions based on unfairness instead of relying on "notice and choice." EPIC has consistently urged the FTC to exercise its full authority in protecting consumers. EPIC has also filed numerous consumer privacy complaints with the FTC, including a recent complaint about "toys that spy." (Feb. 16, 2017)
- EPIC to FTC: Google's April Fool's Disaster Likely Violates Consent Order : Google's April Fool's joke — a change in the operation of Gmail without user consent — has backfired, spectacularly. Many Gmail users inadvertently enabled the "Mic Drop" button on important emails, allowing Google to insert a GIF into their reply and then irreversibly mute the conversation. Users were outraged and Google reversed the change. EPIC informed the FTC that Google's prank also likely violates the FTC's 2011 consent order with the company following the rollout of Google Buzz. EPIC has repeatedly urged the FTC to enforce this consent order against Google, which requires the company to obtain "express affirmative consent" before changing its business practices. (Apr. 1, 2016)
- FTC Releases 2014 Data Security Update, But Enforcement Questions Remain: The Federal Trade Commission has released the 2014 Privacy and Data Security Update. The report is "an overview of the FTC's enforcement, policy initiatives, and consumer outreach and business guidance in the areas of privacy and data security." In the report, the FTC explains that "If a company violates an FTC order, the FTC can seek civil monetary penalties for the violations." However, the FTC has consistently failed to enforce consent orders with Google, Facebook, and other companies that have engaged in unfair or deceptive trade practices. The Commission has also failed to modify proposed settlement agreements after seeking public comment. For more information, see EPIC: FTC, EPIC: Facebook Privacy, and EPIC: In re: Google Buzz. (Jul. 1, 2014)
- Judge Approves Controversial Settlement Over Objection of Consumer Privacy Organizations: A federal judge in California has approved a settlement agreement in a lawsuit against Google that will allow the company to continue to sell data about users' browsing history to advertisers. EPIC and several other consumer privacy organizations objected to the settlement, stating that it requires no change in Google's business practices and provides no benefit to those on whose behalf the case was brought. EPIC and the groups also recommended that the court adopt an objective basis for distributing cy pres funds, noting that the awards are often made for the benefit of the lawyers settling the case and not the class members. Class action settlements have come under increasing scrutiny in recent years, with courts increasingly concerned about collusion between attorneys and faux settlements that do not reflect the purpose of the initial lawsuit. In a case that reached the Supreme Court, Chief Justice Roberts said that courts will need to look more closely at these settlements to determine whether there are fair, whether organizations designated to receive funds reflect the interests of class members, and also the obligation of judges to carefully review these proposals. For more information, see EPIC: Search Engine Privacy and EPIC: Google Buzz. (Apr. 1, 2014)
- States Reach $17 Million Settlement with Google Over Privacy Violations: The Maryland Attorney General Douglas Gansler, joined by attorneys general in 36 states and the District of Columbia, has reached a $17 million settlement with Google over privacy violations. Google violated state consumer protection and privacy law by placing advertising tracking cookies on Safari browsers despite telling users that it would honor the default Safari privacy settings, which prevented the placement of such cookies. The Federal Trade Commission fined Google $22.5 million last year over similar practices which violated an earlier settlement that was the result of a complaint filed by EPIC. EPIC previously objected to the Google-DoubleClick merger on privacy grounds and specifically warned that Google’s use of Doubleclick techniques would lead to impermissible tracking of Internet users. Earlier EPIC had urged the Federal Trade Commission and other consumer protection agencies to support advertising models that are not linked to actual user identity. For more information, see EPIC: Google Buzz, EPIC: Google/DoubleClick Merger. (Nov. 18, 2013)
- Supreme Court Lets Stand Contested Facebook Settlement, But Chief Justice Cautions About Future Cases: The Supreme Court has denied a petition for review in Marek v. Lane, a decision upholding the class action settlement of Facebook’s controversial "Beacon" Program. The settlement provided substantial fees to attorneys, no benefits to class members, and established a funding entity, controlled in part by Facebook "Cy press" ("as near as possible") is a legal doctrine that allows courts to allocate funds to protect the interests of individuals when there is a class action settlement, but concerns have been raised about the misuse of cy pres procedures. Chief Justice Roberts, focusing on the "unusual" allocation of funds in the Facebook matter, suggested that the Supreme Court would eventually need to address "fundamental concerns surrounding the use of such remedies in class action litigation" including "how to assess its fairness as a general matter; whether new entities may be established as part of such relief; if not, how existing entities should be selected; what the respective roles of the judge and parties are in shaping a cy pres remedy; [and] how closely the goals of any enlisted organization must correspond to the interests of the class." EPIC and other consumer privacy organizations have routinely raised similar concerns about abuse of the class action process. For more information, see EPIC: Fraley v. Facebook, EPIC: Lane v. Facebook, and EPIC: In re: Google Buzz. (Nov. 4, 2013)
- Warwick Ashford, Buzz Gets its Inevitable EPIC FTC Complaint, Gizmodo (February 17, 2010).
- Sam Diaz, Google Buzz: Privacy Concerns Grab Gov't Attention, Hint at Desperation, ZDNet (February 17, 2010).
- Scott Fulton III, Canada Curious about Google Buzz, EPIC Accuses Google of Deception, Beta News (February 17, 2010).
- Mark Hefflinger, Privacy Group EPIC Asks FTC to Compel Google Buzz Changes, Digital Media Wire (February 17, 2010).
- Cecilia Kang, Privacy Advocates File FTC Complaint on Google Buzz, The Washington Post: Post Tech Blog (February 17, 2010).
- Kimberly Kimbrough, Privacy Group Files a Complaint Against Google's Buzz Service, Examiner (February 17, 2010).
- Ryan Paul, EPIC Fail: Google Faces FTC Complaint over Buzz Privacy, Ars Technica (February 17, 2010).
- Dan Raywood, Google Buzz is Set Back Again after it is Hit by a Complaint from the Electronic Privacy Information Centre, SC Magazine (February 17, 2010).
- Kara Reeder, EPIC Hits Google Buzz with Privacy Complaint, IT Business Edge (February 17, 2010).
- Stephen Shankland, Privacy Group Files Buzz Complaint with FTC, CNET News (February 17, 2010).
- Maggie Shiels, Google Buzz 'Breaks' Privacy Laws Says Watchdog, BBC News (February 17, 2010).
- Ryan Singel, EPIC: Google May have Broken Wiretap Law, MSNBC (February 17, 2010).
- Joelle Tessler, Privacy Group Files FTC Complaint on Google Buzz, The Washington Post (February 17, 2010).
- Amy Tierney, Watch Dog Group Stung by Google Buzz; Files FTC Complaint, TCMnet (February 17, 2010).
- Byron Acohido, How Google Buzz Lowers the Bar for Privacy, Security, The Last WatchDog on Internet Security (February 16, 2010).
- Thomas Claburn, Google Sorry about Buzz Privacy, InformationWeek (February 16, 2010).
- Wendy Davis, EPIC Files Privacy Complaint against Google Buzz, PC World (February 16, 2010).
- Sam Gustin, Privacy Group Files Complaint with Feds over Google's Social Network, Daily Finance (February 16, 2010).
- Jessica Guynn, Magid on Tech: Legal Noise over Google Buzz, Palo Alto Daily News (February 16, 2010).
- John Paczkowski, Google Buzz Hit with FTC Complaint by Privacy Group, eWeek (February 16, 2010).
- Privacy Group Files FTC Complaint on Google Buzz, ABC 7 News (February 16, 2010).
Google is a company created by Larry Page and Sergey Brin in 1998. Originally, Google was a search engine service, but since its inception, the company has expanded to create several web applications that encourage sharing of information. These applications include Gmail, Google Calendar, and Google Docs. On February 9, 2010, Google introduced its newest web application, Google Buzz.
On February 9, 2010, Google introduced Buzz, a social networking service linked to Gmail, Google’s email service. There are currently over 37 million Gmail users in the United States. Google Buzz is an opt-out service that compiles a Gmail user’s social networking list based on address book and Gchat list contacts. When users checked their email through Gmail on February 9th, they were confronted with the following screen:
Whether the user clicked on “Sweet! Check out Buzz” or “Nah, go to my inbox,” Google Buzz was activated, and a list of followers and “people who you follow” were already populated using frequent contacts. These lists were publicly viewable by other Gmail users, and if a user had a Google profile, this information was publicly indexed by search engines.
Google experienced a strong backlash from users who were unhappy that their Gmail address books were essentially published for all to see. Address book contacts routinely contain deeply personal information, including the names and email addresses of estranged spouses, current lovers, attorneys and doctors. In response to user outcry, Google made several changes to its Google Buzz service. Despite these changes, Google still compiled social networking lists based on address book contacts without first notifying users, and allowed such information to be publicly indexed by search engines without clearly notifying users.
Google users were still not satisfied, and on February 13, 2010, Google made additional changes to the Google Buzz service. Rather than using an auto-follow structure for the “people who you follow” list, Google now uses an auto-suggest model, where users can pre-screen who they follow. However, the auto-follow model is still in place for the “followers” list, or list of “people who follow you.” The burden remains on users to constantly check and block their followers.
EPIC’s complaint begins by stressing the importance of email privacy. While email senders and recipients always have an opportunity to disclose email-related information to third parties, email service providers have a particular responsibility to safeguard the personal information that subscribers provide. Improper disclosure of even a limited amount of subscriber information by an email service provider can be a violation of both state and federal law. As an email service provider, Google’s attempt to convert the personal information of all of its customers into a separate service raises far-reaching concerns for subscribers and implicates both consumer and personal privacy interests.
The complaint goes on to describe Google Buzz and Google’s disclosure of users’ email contacts. Gmail contact lists routinely include deeply personal information, including the names and email addresses of estranged spouses, current lovers, attorneys and doctors. The frequency with which a user communicates with a given contact is also deeply personal and demonstrates the closeness of the user’s relationship with that contact. The activation of Buzz disclosed not only portions of users’ contact lists, but more specifically disclosed the contacts with whom users communicate most often. The fact that the auto-following lists were composed of users’ most common Gmail contacts was widely known and publicized, as well as easily deduced by individual users. As such, anyone looking at a newly-activated Buzz user’s “following” list would know that the list indicated which people that user communicated with most often.
EPIC’s complaint analyzes the two rounds of changes to the Google Buzz service. After both changes, Google Buzz still populates the suggested social networking list of people a user follows based on frequent address book and chat contacts. Although the “welcome page” states that “[y]ou can find more people to follow later,” the contacts from a user’s address book and chat list make up a user’s initial “follow” list. Further, Google Buzz still allows people to automatically follow a user. The burden remains on the user to block those unwanted followers. The “welcome screen” still does not make clear that the user must create a profile that would be public and indexed by search engines. The screen only states, “The first time you post in Buzz you’ll create a profile which includes the list of people you follow—you can choose not to display this list if you’d like.” Finally, Google has not announced any changes to the pop-up screen that appears when a user initially posts on Google Buzz. Therefore, users are still unaware that showing the user’s connection means showing connections publicly to everyone, and having them publicly indexed by search engines.
The FTC's primary enforcement authority with regards to privacy is derived from 15 U.S.C. § 45, commonly known as section 5 of the Federal Trade Commission Act (FTCA). Section 5 of the FTCA allows the FTC to investigate "unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce." This law provides a legal basis for the FTC to regulate business activities that threaten consumer privacy.
The FTC stated:
Google Inc. has agreed to settle Federal Trade Commission charges that it used deceptive tactics and violated its own privacy promises to consumers when it launched its social network, Google Buzz, in 2010. The agency alleges the practices violate the FTC Act. The proposed settlement bars the company from future privacy misrepresentations, requires it to implement a comprehensive privacy program, and calls for regular, independent privacy audits for the next 20 years. This is the first time an FTC settlement order has required a company to implement a comprehensive privacy program to protect the privacy of consumers’ information. In addition, this is the first time the FTC has alleged violations of the substantive privacy requirements of the U.S.-EU Safe Harbor Framework, which provides a method for U.S. companies to transfer personal data lawfully from the European Union to the United States.The FTC further stated:
According to the FTC complaint, Google launched its Buzz social network through its Gmail web-based email product. Although Google led Gmail users to believe that they could choose whether or not they wanted to join the network, the options for declining or leaving the social network were ineffective. For users who joined the Buzz network, the controls for limiting the sharing of their personal information were confusing and difficult to find, the agency alleged.
In response to the Buzz launch, Google received thousands of complaints from consumers who were concerned about public disclosure of their email contacts which included, in some cases, ex-spouses, patients, students, employers, or competitors. According to the FTC complaint, Google made certain changes to the Buzz product in response to those complaints.
Google’s data practices in connection with its launch of Google Buzz were the subject of a complaint filed with the FTC by the Electronic Privacy Information Center shortly after the service was launched.
- Agreement Containing Consent Order
- Complaint; Exhibits A-D
- Concurring Statement of Commissioner J. Thomas Rosch
- Letter from FTC's David Vladeck regarding EPIC's Google Buzz Complaint
- EPIC's Amended Complaint in In re Google Buzz
- EPIC's FTC Complaint in In re Google Buzz (Feb. 16, 2010)
- EPIC's FTC Complaint regarding Cloud Computing in In re Google (Mar. 17, 2009)
- Dave Navetta, FTC Privacy Enforcement and the Google Buzz Settlement, InfoSec Island, April 13, 2011.
- Mike Zapler, Signs Point to Broader Probe of Google, Politico, April 5, 2011.
- Jill R. Aitoro, Google-FTC Settlement: Bad Precedent?, Washington Business Journal, April 5, 2011.
- E.B. Boyd, What the Google Buzz-FTC Settlement Means for the "Apology Approach" to Innovation , Fast Company, April 4, 2011.
- Tony Romm, Gauntlet thrown down in Google Buzz settlement, Politico, March 31, 2011.
- Claire Cain MillerGoogle Introduces New Social Tool and Settles Privacy Charge, New York Times, March 30, 2011.
- Matt Rosoff, Google Will Face Privacy Audits For The Next 20 Long Years (GOOG), San Francisco Chronicle, March 30, 2011.
- Matt Peckham, Google, FTC Bury the Axe Over Google Buzz, Time, March 30, 2011.
- Rob Pegoraro, FTC’s lesson for Google: defaults, design matter, Washington Post Blog, March 30, 2011.
- Nathan Koppel, Google Stung By Its Own Buzz, The Wall Street Journal Blog, March 30, 2011.
- Benjamin Pimentel, Google settles with FTC, unveils new social tool, The Wall Street Journal, March 30, 2011.
- Sara Forden, Google Settles Data Privacy Complaint With FTC on ‘Buzz’ Social Network, Bloomberg, March 30, 2011.
- Declan McCullagh, Google settles FTC charges over Buzz, CNET News, March 30, 2011.
- Martin J. Young, Partnership Buzz, Asia Times (February 27, 2010).
- Jessica Guynn, Google Buzz poses a major privacy risk for kids, analyst (and parent) says, LA Times (February 22, 2010).
- David Mattison, Google Gets Stung by its Own Buzz, Information Today (February 22, 2010).
- James Temple, Privacy, complexity seen as Google blind spots, San Francisco Chronicle (February 21, 2010).
- Doug Hanchard, EPIC explains their FTC complaint about Buzz, ZDNet (February 20, 2010).
- Jeff Cormier, Google Buzz lawsuit and privacy problems persist, Examiner.com (February 20, 2010).
- Ian Paul, Control Google Buzz Overload, PC World (February 19, 2010).
- James Temple, Local Class Action Complaint Filed over Google Buzz, San Francisco Chronicle (February 17, 2010).
- Katherine Boehret, Google Buzz Isn't Exactly Humming Along, Wall Street Journal (February 16, 2010).
- David Coursey, Google Apologizes for Buzz Privacy Issues, PC World (February 15, 2010).
- Laurie Sullivan, Google Revisits Privacy Controls on Buzz, Again, MediaPost (February 15, 2010).
- Ben Parr, Google Changes Buzz Privacy Settings, CNET News (February 14, 2010).
- Miguel Helft, Google Alters Buzz to Tackle Privacy Flaws, N.Y. Times Bits (February 13, 2010).
- Jason Kinkaid, Google Buzz Abandons Auto-following Amid Privacy Concerns,,
- Harry McCracken, Google Buzz's Privacy Problem: A Simple Solution, PC World (February 13, 2010).
- Jessica E. Vascellaro, Google to Revamp Buzz Amid Privacy Concerns, Wall Street Journal (February 13, 2010).
- Jackson West, Google Buzz Privacy Concerns Hit Home, NBC News (February 13, 2010).
- Charles Arthur, Google Buzz's Open Approach Leads to Stalking Threat, Guardian (February 12, 2010).
- F*ck You Google, Gizmodo (February 12, 2010).
- Tom Krazit, More Google Buzz Tweaks, Separate Version Coming?, CNET News (February 12, 2010).
- Jared Newman, Google Buzz's Privacy Tweaks: Good Start, Not Enough, Network World (February 12, 2010).
- Shane Richmond, Google Buzz Tweaked after User Concerns, Telegraph (February 12, 2010).
- Larry Seltzer, Google Buzz Privacy Concerns are Overblown, PC Mag (February 12, 2010).
- Laurie Sullivan, Google Buzz Publicly Airs Privacy Confusion, MediaPost (February 12, 2010).
- Richard Waters, Google Seeks to Quell Buzz Privacy Outcry, Financial Times (February 12, 2010).
- Robin Wauters, Google Buzz Privacy Issues have Real Life Implications, TechCrunch (February 12, 2010).
- Don Cruise, Lawyers (or journalists) with Gmail Accounts: Careful with the Google Buzz, The Supreme Court of Texas Blog (February 11, 2010).
- Jessica Dolcourt, Buzz Off: Disabling Google Buzz, CNET News (February 11, 2010).
- Andrew Hickey, 3 Google Buzz Privacy Concerns, Channel Web (February 11, 2010).
- Evgeny Morozov, Wrong Kind of Buzz around Google Buzz, Foreign Policy Blog (February 11, 2010).
- Kevin Purdy, Google Updates, Explains Buzz Privacy Setup, Lifehacker (February 11, 2010).
- Bradford Schmidt, Google Buzz Privacy Fears Overstated, Technorati (February 11, 2010).
- Berin Szoka, Google Buzz is No "Privacy Nightmare" (Unless You're a Privacy Paternalist), The Technology Liberation Front (February 11, 2010).
- Nicholas Carlson, WARNING: Google Buzz Has a Huge Privacy Flaw, Silicon Alley Insider (February 10, 2010).
- Molly Wood, Google Buzz: Privacy Nightmare, CNET News (February 10, 2010).
Share this page:
EPIC relies on support from individual donors to pursue our work.
Subscribe to the EPIC Alert
The EPIC Alert is a biweekly newsletter highlighting emerging privacy issues.
by Ryan Calo, A. Michael Froomkin,