Google Buzz, Social Norms and Privacy

February 11, 2010 at 8:47 pm 20 comments

Another day, another privacy backlash — this time with Google Buzz. What’s new? Lots, as it turns out.

There are many minor ways in which Google Buzz fails, both with regard to privacy and otherwise. For example, I’ve been posting my Buzz updates publicly because the user interface for posting it to a restricted group is horribly clunky. (Post only to my followers? What’s the point of that, when anyone can start following me?! Make it easy to post to a group that I have control over!)

But the major privacy SNAFU, as you’ve probably heard, is auto-follow. Google automatically makes public a list of the top 25 or so people you’ve corresponded with in Gmail or Google talk. Worse, the button to turn this “feature” off resides in your Google-wide profile, making it unnecessarily hard to find because it isn’t within the Buzz interface itself.

This is a classic example of what happens when the user interface is created by programmers instead of designers, a recurring problem for Google. Programmers partition features in a way that fits the computer’s natural data model, rather than the user’s natural mental model.

But getting back to privacy, it is a certainty in a statistical sense that Google outed a few affairs and other secret relationships. For even if you were yourself savvy enough to turn off the public display of your top correspondents, there’s a good chance the other party wasn’t, and might not have turned it off on their end.

When I enabled Buzz and realized what had happened, something changed for me in my head. I’d always regarded email and chat as a private medium. But that’s not true any more; Google forced me to discard my earlier expectations. Even if Google apologizes and retracts auto-follow (not that I think that’s likely), the way I view email has permanently changed, because I can’t be sure that it won’t happen again. I lost some of the privacy expectation that I had of not only Google’s services, but of email and chat in general, albeit to a lesser extent.

What I’ve tried to do in the preceding paragraphs is show in a step-by-step manner how Google’s move changed social norms. The larger players like Google and Microsoft have been very conservative when it comes to privacy, unlike upstarts like Facebook. So why did Google enable auto-follow? By all accounts, their hand was forced: they needed a social network to compete with Facebook and Twitter. Given the head-start that their competitors have, the only real way to compete was to drag their users into participating.

Google ended up changing society’s norms in a detrimental way in order to meet their business objectives. This has become a recurring theme (c.f. the section on Facebook in that article). I don’t think there is any possibility of putting the genie back in the bottle; this trend will only continue. This time it was about who I email; soon my expectations about the contents of emails themselves will probably change.

I believe that in the long run, the only “stable equilibrium” of privacy norms, as it were, would be for everyone to simply assume that everything they type into a computer will be publicly visible either instantly or at some point in the future, outside their control. That is not necessarily as terrible as it may seem. Nonetheless, society will take a long time to get there. Until then, the best we can do is push back against intrusions as much as possible, delaying the inevitable, giving ourselves enough time to adapt.

Do your part to fight back against auto-follow. Let Google know how you feel. Blog about it or leave a comment.

Updates

  1. A New York Times blogger picked up the controversy.
  2. Joe Bonneau has an analysis of users’ confused reactions.
  3. Google has announced that it is rolling out some user-interface changes in response to the feedback. That is better than before, but the default is still public auto-follow.
  4. The horror stories due to auto-follow have begun.
  5. I have a new article with advice on privacy-conscious design.
  6. Google decided to nix auto-follow after all! Awesome.

Thanks to Joe Bonneau for reviewing a draft of this article.

To stay on top of future posts, subscribe to the RSS feed or follow me on Twitter.

Entry filed under: Uncategorized. Tags: , , , , , .

The Secret Life of Data Privacy is not Access Control (But then what is it?)

20 Comments Add your own

  • 1. Andrew Warner  |  February 11, 2010 at 9:24 pm

    These guys are so eager to be like the big boys that they’re losing sight of basic ideas like beta launching and getting user feedback.

    Great post!

    Reply
  • 2. Monica Chew  |  February 11, 2010 at 10:25 pm

    Great post. I wanted to point out that even if you hide your followers and your followers hide you, your public posts are still visible and people will be able to partially infer who is following you from who responded to your buzz.

    http://www.google.com/profiles/randomwalker#buzz

    I guess if you are conducting an affair, it is important to tell your partner not to reply to your blog or buzz posts.

    Reply
  • 3. ginsu  |  February 11, 2010 at 11:32 pm

    I’m not sure the social norm can change just because two big companies wish it so. There are countervailing trends in media coverage, intelligent analysis, and governmental scrutiny. None of these alone are enough to change the methods of the big companies. But the trends taken together currently mean that the companies are pressured to provide the options for different preferences – albeit hidden and by default not the choice that most users would choose.

    But . . . if users are not by default getting things they want, over time (in theory), a competitive market will provide services that enable user preference to succeed over company desired defaults.

    Reply
  • 4. Jennifer Lee  |  February 11, 2010 at 11:44 pm

    I agree that we may have to start assuming everything we share online will spread further soon or later. Despite the nice features of Buzz, it might cause additional concerns.

    I took me some time to figure out if some of the contacts decided themselves to follow me, or simply because of the auto-follow feature. So I decided to share only items in my Google Reader. Yet when someone suddenly started to follow my shared items in the reader (another decision to think about whether to follow them back)… it makes me wonder if the auto-follow has gone as far as the reader too.

    Very well-written post!

    Reply
  • 5. Lauren Gelman  |  February 12, 2010 at 4:16 am

    Does your thinking about whether this is normatively a good outcome change if Courts rules that for 4th A analysis you have no reasonable expectation of privacy in the content of email? Which means the gvt can access any email you write at any time with no process?

    Reply
    • 6. Arvind  |  February 12, 2010 at 5:06 am

      Lauren, my answer would be no, for two reasons. First, the law is supposed to codify social norms, philosophically speaking, rather than prescribe them. So if there was a court ruling denying 4th amendment protection for email, it would not automatically imply that people don’t have a privacy expectation any more. Such a ruling might prompt me to think about whether the expectation has changed, and I would conclude that it has not.

      Second, just because the courts give the Government a certain power doesn’t mean private entities can appropriate such power for themselves.

      Reply
  • 7. Viktor  |  February 12, 2010 at 5:25 am

    I don’t understand why Google are not content with what they already have, but feel the need to do weird and extreme things like Google Wave and Buzz. They need to stop trying to take over the world and just be good at what they do already. they made a browser, an operating system, etc. etc. World domination plans much?

    Reply
  • 8. Lauren Gelman  |  February 12, 2010 at 5:31 am

    My point is that the Fourth Amendment only protects information in which we have a reasonable expectation of privacy. So if it is true as you say here, that we no longer should expect that we have any privacy in email, that courts will enforce that norm to mean that gvt can have access with no process required.

    I’m saying that a declaration that we no longer should expect anything we type into a computer to be private has pretty far reaching implications.

    Reply
    • 9. Arvind  |  February 12, 2010 at 5:43 am

      I did not make such a declaration! The following statements might help clarify my position:

      1. In general, people today hold email privacy as inviolate and sacrosanct.
      2. Google this week dented that expectation slightly, but by no means destroyed it.
      3. The current events pertain only to privacy over the identities of one’s correspondents, but it is possible or likely that future changes will undermine the privacy of email contents.
      4. We need to fight back against these changes, because companies shouldn’t be allowed to impose them unilaterally on us.
      5. At the same time, we need to recognize that in the long run, we are heading in the direction of ever-decreasing privacy.
      6. Again, we are not anywhere close to throwing out our privacy norms yet. So there is currently no case to be made for denying 4th A protection for email.
      7. It is in our own interest as individuals to be able to adapt to changing norms, because they are indeed changing, however slowly. We can slow down the change but we cannot turn back the clock.

      Reply
  • [...] 13, 2010 In my previous article on the Google Buzz fiasco, I pointed out that the privacy problems were exacerbated by the fact [...]

    Reply
  • 11. caz  |  February 13, 2010 at 9:18 am

    If I haven’t set up a Buzz profile then my privacy on gmail is the same as it was preBuzz. Is this correct? Apologies for treating you like a user’s forum. I’m searching for some clarification and haven’t yet found it.

    Reply
    • 12. Arvind  |  February 13, 2010 at 9:46 am

      That’s a great question. I tried to follow you, and it allowed me to do that (and I unfollowed you right away). So that means you can follow anyone, even if they haven’t turned on Buzz. I don’t know if that means your Google reader/picasa activity etc. will be fed into Buzz even if you haven’t enabled it. I’m guessing probably not.

      Other than that, the only worrisome thing is that your top contacts might be publicly visible, as I explained in the article, for no fault of yours, but because the other party left their auto-follow list publicly visible.

      Reply
      • 13. caz  |  February 13, 2010 at 9:53 am

        Thanks Arvind. So anyone can follow me. Grr. Can I trouble you again and ask what you could see? Q2. Are we all vulnerable if our gmail addresses are a contact for someone turns Buzz on? For instance I emailed someone once about buying a chair from them. They join Buzz – does this make me followable?

        Reply
        • 14. Arvind  |  February 13, 2010 at 10:04 am

          For now, there is nothing I could see about you. There is a possibility that as you make new updates (on Picasa, Google reader), they will show up for anyone who’s following you. However, I think this is unlikely. In short, my guess is that anyone can follow anyone, regardless of whether they’ve ever emailed before, but this doesn’t result in any information revealed unless the party being followed joins Buzz. Make sense?

          Reply
          • 15. caz  |  February 13, 2010 at 10:18 am

            So we need to investigate what updates show up. Presumably Google ones but there may be agreements to share with other orgs.
            Thanks for the concise explanation. Everything else seemed to be aimed at people who are using Buzz and want to control it. I don’t want ‘in’ at this stage.
            Hope your guess is correct.

            Reply
  • 16. Benlog » Buzz Kill  |  February 14, 2010 at 2:20 am

    [...] here, you really want to be reading Arvind Narayanan’s blog in general, and in particular his post on this issue: When I enabled Buzz and realized what had happened, something changed for me in my head. I’d [...]

    Reply
  • 17. Anna  |  February 14, 2010 at 9:01 pm

    I sort of like this auto follow. I don’t think I would have ever entered it on my own, but as it stands with one click I can see all the stuff that any of my acquaintances, who actually write, write. See I came across this article only through autofollow.

    It might be inconvenient because a person’s writings end up split between so many places: facebook, buzz, blog. If I wanted to read what someone writes, before buzz I only had to check his blog, but now I also have to check the buzz. If I want reread a post, I have to remember was it on the facebook, the blog, or the buzz…

    Reply
    • 18. Arvind  |  February 14, 2010 at 10:32 pm

      Looks like you’re thinking of auto-connect, which is another feature that Google disabled in response to the criticism but one that I don’t have as much of a problem with.

      Auto-follow is about automatically adding your top correspondents to your follow list.

      But the larger point here is that there is no doubt that these features are useful to many people. But that doesn’t make it OK to force it on everyone, because it has the potential to seriously harm some people.

      Reply
  • 19. Mark  |  February 15, 2010 at 10:32 am

    Excellent post. Google is just the latest, but I find myself getting very tired of the constant chipping away at our privacy and of the decreasing ability to make choices ourselves on how much we are forced to give away. The default starting position for a service used to be ‘nothing’, it’s quickly heading toward ‘everything’ on any service that is commercially based, although most “amateur” web services are quite the opposite – which makes it very clear as to why.

    Your remark that “Google ended up changing society’s norms in a detrimental way in order to meet their business objectives.” is as depressing as it is true. The stark truth is that businesses do this because if they were to start from ‘private’ and ask us to reveal more, we largely wouldn’t, which wouldn’t be good for shareholders. It is not merely that our details and conversations are not private, but that they do not in fact belong to us to control at all and are simply another resource to be plundered at will without regard for any fallout for the owner or the long term potential damage to society.

    At the very least, if we cannot keep our information private, there should be laws protecting the commercial exploitation of such data without the owners express consent. After all, I publish commercial photography widely, and copyright laws give me the right to determine how and if that is exploited. How is personal data any different?

    Reply
  • [...] woken up to this yet. Unwanted linkage is therefore something that can upset users greatly. The auto-connect feature in Google Buzz is the best example. Opt-in rather than opt-out is probably the way to go, at least for a few years [...]

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Trackback this post  |  Subscribe to the comments via RSS Feed


About 33bits.org

I'm an assistant professor of computer science at Princeton. I research (and teach) information privacy and security, and moonlight in technology policy.

This is a blog about my research on breaking data anonymization, and more broadly about information privacy, law and policy.

For an explanation of the blog title and more info, see the About page.

Subscribe

Be notified when there's a new post — subscribe to the feed, follow me on Google+ or twitter or use the email subscription box below.

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 213 other followers


Follow

Get every new post delivered to your Inbox.

Join 213 other followers