Why Only Google is to Blame for the Buzz Fiasco

Two weeks ago, Google launched Buzz, a service that lets you “[s]hare updates, photos, videos, and more”. In a way, Buzz is Google’s response to Twitter and Facebook.

Competing with incumbents as successful as these two is a challenge even for Google. Therefore, in order to give Buzz some serious momentum right from the start, Google management decided to tie the new service into their popular Gmail infrastructure and started rolling out a pre-populated “friends” list for every user the day the service went live.

The contacts for these “friends” lists were compiled automatically from users’ Gmail and Google Chat contacts, and the lists themselves were made public by default. As a result, Google managed to expose many a Gmail user’s address book for everyone to see.

Excusing Google

In the wake of this privacy fiasco, some journalists managed to provide a level-headed and insightful view of the story while also pointing out just how dire the consequences of this privacy breach may be for some of Google’s users, like human rights activists or women hiding from their abusive spouses. Others, however, let Google off the hook much more easily.

Take, for example, Ron Miller’s article, “Cheating Spouses Might Want to Avoid Google”. Attention-grabbing title aside, Ron does point out that Google “probably” is “[u]ltimately responsible”. When you read between the lines, however, Ron’s overall point of view becomes apparent: “Those who complain should have known better than to trust Google!”

And it’s not just a problem specifically with Google, either, as Ron says:

“If you have something to hide, maybe you should think twice about using the internet to conduct your business”

And:

“There is no privacy on the internet, period”.

In an interview with CNBC, Google’s CEO Eric Schmidt said something very similar:

If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.

There are many variations on this notion, but it always comes down to the same smug and corrosive attitude: the only people who care about privacy are those who want to get away with inherently illegal and/or immoral behavior.

That notion, of course, is complete and utter nonsense.

What do people have to hide?

Not too long ago, I started compiling a list of questions to ask next time someone tells me they have nothing to hide. Obviously, the easiest way to test someone’s sense of privacy is to ask them questions that are seriously Not Safe For Work. Then again, inquiring about a person’s financial net worth usually is invasive enough to make almost anyone balk at such inquiries.

Fact of the matter is that we all have something, nay, a lot to hide: a company’s business plan; an inventor’s blueprints; a person’s medical history; a writer’s manuscript; a journalist’s list of informants; a chef’s recipes; a teenager’s diary; a lover’s Valentine’s Day plans; a jobseeker’s contacts; …

You get the idea.

If these are examples of “something that you don’t want anyone to know”, then, according to Eric Schmidt’s quote above, you shouldn’t start a business, invent something, go see a doctor, and so on. Come to think of it, last time I checked, Google did not want anyone outside the company to know how their page rank algorithm works. Good heavens! Why, they should be forced to take their search engine offline immediately!

Freedom and privacy go hand in hand

Admittedly, for some of the examples I gave above, the consequences of the data becoming public aren’t all that dramatic. The reason for that is that we live in a free society: we are free to say what we think; we are free to believe what we want; we are free to travel to whatever places we find interesting. True, depending on what you say, what you believe, where you go, chances are that it will have consequences for you, e.g., when searching for a new job.

For someone living in a state with a suppressive government, however, being able to keep certain things very private may become a matter of life and death. For those brave souls who have the guts to communicate via blogs, email, etc., how their fellow countrymen are treated by their “sovereign”, having their contacts list exposed due to the Buzz screw-up may very well turn into a nightmare.

If we were expected, or even required, to justify our claim to privacy — which, by the way, is included in the Universal Declaration of Human Rights (it’s in article 12) — every time we decide not to share certain data with the general public, that would be no less than the end of a truly free society.

The key question, therefore, is not who is entitled to which level of privacy; that question was answered in December 1948 (see the link in the previous paragraph). Instead, we should ask ourselves whether we are willing to trust a company whose CEO publicly displays such a disregard for his customers’ demands just because all of that company’s products are “free”.

What kind of privacy should we expect from Internet companies?

When I do business with a company, any company, I expect them to do all they can to protect any data I share with them. If they won’t do this, I expect them to openly and honestly tell me so up front. I want to decide what subset of my personal data I make available online by choosing which online services I entrust with my data, and which privacy settings I choose for the respective services.

For some data services, that “setting” is a simple “Never, ever share this stuff with anyone!”, e.g., the statements of my online bank account, the backup I store “in the cloud”, or the address book that I share between multiple machines via an online service.

And this is exactly where Google screwed up big time: Google has so many smart people working for them that it boggles the mind how they could so massively misjudge the effects of the public, pre-populated Buzz “friends” lists.

In the NYT article I link to above, Todd Jackson, product manager for Gmail and Google Buzz, is quoted as saying:

Google remains completely committed to freedom of expression and to privacy, and we have a strong track record of protecting both.

The article goes on to say:

Mr. Jackson defended the setup of the Buzz service. He said that Buzz came with a built-in circle of contacts to provide a better experience to users and that many liked that feature. He said that it was very easy for users to edit who they were following on the service and who could follow them. He also said that anyone could hide their list of Buzz contacts with a single click.

Apparently, Mr Jackson does not even understand why people are outraged by Google’s actions, and the combination of his comment and Mr Schmidt’s quote above does show that users should not trust Google to do the right thing when it comes to protecting their private data.

In defense of inexperienced customers

Ron Miller is absolutely right on this one, of course: do not trust Google to take good care of your personal data.

I do feel, however, that, instead of blaming the users for not being careful enough, he should have pointed his finger squarely at Google for displaying such, well, pick one: naïveté/ignorance/stupidity/arrogance/delusion.

What’s more, I don’t see any basis for extrapolating this to mean that none of the Internet services out there can be trusted. I don’t recall that my bank ever published any account data, that Apple publicized their MobileMe customers’ address book data, that Mozy allowed public access to their customers’ backed-up files, etc.

So what now?

While I was working on this article, John C. Welch posted a great comment on the TidBITS Talk mailing list:

Keep this in mind at all times with google: you are never, ever their customer. You are their product. The people buying ads are their customers.

With that in mind, I wish that people would take this away from the Buzz incident:

  • Be careful about whom you entrust with your personal data
  • Understand a service’s privacy settings before you enter any data
  • Avoid Google, because they have proven that they don’t understand their customers’ need for privacy. At all.

And most importantly:

  • Don’t feel compelled to justify your desire for privacy. Fact of the matter is, the onus is on the companies to justify their desire for violating it.


3 Readers have commented on this article:

  1. Ralf Bergs

    I mostly agree with everything you wrote except your criticism of Ron Miller’s “key” quotes.

    As you’re probably well aware, you can’t even generally trust “trustworthy” companies with your sensitive data, since they sometimes leak such data due to technical incompetence (read: “they f*ck up”).

    So, I do agree with Ron’s statement: “If you have something to hide, maybe you should think twice about using the internet to conduct your business.”

    I wholeheartedly agree with your comment on Eric Schmidt’s quote, tho. His statement simply is ridiculous — but what else do you expect from the world’s largest “data kraken?!”

  2. Jochen Wolters

    Ralf,

    how do you interpret “something to hide”? Does that refer only to those who have sinister intentions, or does it refer to anyone who wants to keep certain data private?

    I am convinced that this differentiation makes a lot of sense for propaganda purposes — “I don’t have a problem with the PATRIOT act, because I have nothing to hide!” –, but if you take civil liberties seriously, privacy also means that it is nobody’s business why someone wants to keep certain things private.

    In that sense, everybody has something to hide, and if you take Ron’s statement at face value in this context, you would not be able to do business with any online company anymore.

    Obviously, data leaks and privacy breaches are real threats, and yet we assume that companies like banks, airlines, hotels, etc. at least try to keep our data safe. Otherwise we would, indeed, not be willing to share data like our addresses, credit card numbers, etc. with such businesses. This applies to both online and offline business transactions, though: if you cannot entrust anyone with this kind of data, you would not even be able to purchase a plane ticket from a brick-and-mortar travel agent’s either.

    In the specific case of Buzz, however, the people in charge decided to deliberately publicize personal data like email address lists. And that is why I no longer trust Google, even though I see no reason to cut my data ties with other online businesses.

  3. Ralf Bergs

    I interpret “something to hide” in a way referring “to anyone who wants to keep certain data private.”

    And indeed, “in that sense, everybody has something to hide.”

    If you have to submit personal information such as birthday, phone number, etc. to an online business, my advice would be to think about whether you really need to submit that information in order to complete the transaction. What I usually do with that kind of information is that I submit “fake” data in cases where I know the information is not needed (or need not be true) to submit my order.