Friday, February 12, 2010 - The Progress & Freedom Foundation Blog

Google Buzz is No "Privacy Nightmare" (Unless You're a Privacy Paternalist)

I'm a big fan of CNET's "Buzz Out Loud" podcast and often enjoy co-host Molly Wood's occasional "Molly Rant" but I'm disappointed to see her jumping on the Google-bashing bandwagon with her latest rant: "Google Buzz: Privacy nightmare." Instead of appreciating the "privacy by design" features of Buzz, she seems to be rushing to privacy paternalism--just as I feared many would when I blogged about the Buzz launch.

Molly's primary complaint, repeated several times, is that "you automatically follow everyone in your Gmail contact list, and that information is publicly available in your profile, by default, to everyone who visits your profile." Actually, while Buzz does automatically follow some users your contact list, it does so only for the ones you chat with most using Gmail (which I believe means only other Gmail users). After that, Buzz simply tells you when other users follow you, and makes it easy to follow them.

So what's the big deal? Molly's concern, shared by a number of other bloggers, is that, before a user can start Buzzing, they have to set up Google Profile (another Google product launched last August, which typically appears on the bottom of the first page of Google search results for that name) and the default setting for Google profiles is to "Display the list of people I'm following and people following me." In this respect, your Google Profile is a lot like your Facebook profile, except that users can decide to hide their followers/followees on their Google profile. (On Facebook, that information is part of the limited bucket of "publicly available information" and can't be hidden by the user from their profile, but users can opt-out of having their profile accessible at all through search engines or Facebook search.)

There are essentially three ways of dealing with this concern about inadvertent sharing of sensitive contacts:

  1. Buzz could autofollow no one--in which case many users would probably log in, see no Buzzes from other users because they're not yet following anyone, wonder what all the fuss is about, and abandon the service without really getting the sample experience that having a small set of automatically added followers provides.
  2. Gogole could change the default setting for Google profiles not to "Display the list of people I'm following and people following me." This change in default would make a huge difference in just how easy it is to build out one's social network, since the best way to find friends you may not have in your own contact book is to look at the list of users your friends are following.
  3. Google provide clearer notice to users to remind them that their most frequent contacts may be publicly visible on their Gooogle profile--which is exactly what Google implemented earlier today by adding the text shown in this splash screen for initial creation of a Google Profile:

Somehow, I suspect that won't be good enough for her and many other users complaining about this. I wouldn't be surprised to see the privacy paternalists at EPIC filing another complaint with the FTC arguing that users are too stupid to figure this out for themselves, so the government has to do it for them--no matter the costs to other users in added hassle and a less useful network.

There just isn't anything wrong with encouraging consumers to use your product rather than making it hard for them to get involved. The success of any social network in achieving a critical mass of vibrant, broad-based participation depends critically on differences as small as whether a user sees a few users when they first start out--or just an empty Inbox. Ban things like autofollowing, no matter how transparent to the user and easy to over-ride they might be, and you'll make it a lot harder for the next social networking service to get off the ground--and pose a challenge to Google, Facebook and Twitter.

Molly's next complaint:

let's say you've customized your Google profile page with the vanity URL Google helpfully offers at the bottom of the page. Well, that'd be your e-mail handle. Anytime anyone does an @ reply to you, they've broadcast your e-mail address to the world.

True indeed. But she fails to mention that the vanity URL (in my case, http://www.google.com/profiles/berin.szoka) is purely opt-in. When a user first sets up a Google Profile, they're given a non-identifying string for their URL that doesn't tie to their email address. Just above the option to opt-in to the vanity email is this explanation (emphasis added):
To make it easier for people to find your profile, you can customize your URL with your Google email username. (Note this can make your Google email address publicly discoverable.) This unique name will also be used in other links to your content on Google. To help others discover your profile, in some Google services contacts who know your email address will see a link to your profile

So... what more should Google to do? I guess they could bold and italicize the warning as I've done...

She's even more clearly mistaken about the way Buzz works on mobile phones (as one commenter noted):

there are no preferences in the Android app--no way, near as I can tell--to choose to broadcast only to the list of people you follow or a group you've established, as you can in the Web interface. So be equally prepared for everyone around you to know who you are and where you are when you post to Buzz from your phone. Yeah, no, really. I'm totally not making this up.

Actually, Buzz is accessible through the mobile browser (not an app), and it gives users the same choice every time they post a new Buzz as to whether the Buzz should be public or private--just as on the desktop browser version. The default setting is public, yes, but so what? Is it really that hard to click "Private?" When you do, you'll get a list of whatever contact groups you've created so you can share your Buzz just with that list--or you can start a new list.

Moreover, "Show Nearby Users" feature only shows Buzzes from users who have decided to broadcast their location.

A number of these responses were raised by commenters on the piece. Most notable was this comment (originally written in ee cummings style, which I have punctuated for readability), which takes issue with Molly's central complaint that there should be more "setup required":

i like your show for the most part, molly. but seriously, privacy on the internet these day is like having sex: it's on us to protect ourselves. it may say "no set up required." but if we are concerned about things getting out that we don't want, always check the setting! it's your virtual condom. wrap it up...

Crude, but exactly right: It's one thing for Molly and others to suggest ways for Google to make the privacy controls for Buzz and Google Profile more accessible and easily understandable. Google's already shown its eagerness incorporate constructive suggestions to that end. But it's quite another thing for privacy paternalists to insist that we just can't expect users to take any responsibility for their own privacy.

Instead of preaching "Sharing-abstinence-only" (which is what the paternalists' cry for "opt-in" boils down to), we should be teaching users how to engage in "safer-sharing"--and encouraging companies like Google to build user interfaces that make safety options as easy to use as possible without breaking the whole site. As with sex, there's no such thing as 100% safe-sharing, but, hey, that's life. We accept risks all the time--every time we drive, get on a plane or trust that the restaurant meal we're about to eat hasn't been contaminated or poisoned. As Adam has reminded us, we need to keep in mind the "proportionality" of the risks involved compared to the benefits, and, ultimately, trust users to chose for themselves.

Addendum: Given the discussion below, I want to reiterate the point I stressed when I first blogged about this, responding to questions raised by Larry Magid in the initial Buzz launch press conference:

I'm glad that Larry is raising these concern as someone who has done yeoman's work in educating Internet users, especially kids, about how to "Connect Safely" online (the name of his advocacy group). The fact that companies like Google know they'll get questions like Larry's is hugely important in keeping them on their toes to continually plan for "privacy by design."

But I do worry that those with a political axe to grind will take these same questions and twist them into arguments for regulation based on the idea that if some people forget to use a tool or just don't get care as much about protecting their privacy as some self-appointed "privacy advocates" think they should, the government--led by Platonic philosopher kings who know what's best for us all--should step in to protect us all from our own forgetfulness, carefulness or plain ol' apathy. After all, consumers are basically mindless sheep and if the government doesn't look after them, the digital wolves will devour them whole!


So, by all means, let's hear some healthy criticism about how Google has implemented Buzz and talk about how the "privacy by design" features can be improved. But let's make sure to get our facts straight before rushing to assume the worst--or before calling in the Feds to take over.

There's an active discussion on this post over at the Technology Liberation Front. So go check that out if you want to add your two cents or see what others have said.

posted by Berin Szoka @ 12:13 AM | Privacy