Focusing public attention on emerging privacy and civil liberties issues

In re Google Buzz

Concerning the Privacy of Electronic Address Books

Top News

  • Court Rejects Privacy Class Action Deal, Holds that Settlement Distribution Should be Related to Nature of Lawsuit: A federal appeals court rejected a proposed settlement that would terminate a class action lawsuit brought by AOL users. The Court held that the proposed deal was inconsistent with the "cy pres" doctrine, a legal principle that allows courts to allocate funds to groups that protect the class' interests. The Court ruled that cy pres distributions should be based on the nature of the lawsuit, the objectives of the relevant law, and the interests of the class members including their geographic diversity. AOL users sued the company for inserting footers containing promotional messages into users' email messages. The lawsuit alleged violations of several laws, including the Electronic Communications Privacy Act. The parties settled the suit, agreeing to distribute $110,000 to several charities, none of which work to protect internet users' privacy. EPIC previously highlighted the dangers of improper cy pres distributions in Lane v. Facebook and In re: Google Buzz. (Nov. 22, 2011)
  • Court Awards Funds to EPIC in Google Buzz Case: A federal district court overseeing a class action case concerning Google Buzz has revised a proposed settlement agreement to ensure that EPIC receives part of the settlement fund. EPIC's complaint about Buzz to the Federal Trade Commission resulted in sweeping new privacy safeguards for Google users. But EPIC was excluded from a proposed agreement in which a Court had ordered distribution of settlement funds to organizations "who would reasonably benefit the class through established Internet privacy education and policy programs." Judge Ware held that "the Court does not find good cause to exclude EPIC from the list of recipients of the cy pres funds. EPIC has demonstrated that it is a well-established and respected organization within the field of internet privacy and that it has sufficiently outlined how the cy pres funding will be used to further the interests of the class." For more information, see EPIC - In re Google Buzz. (Jun. 1, 2011)
  • Senate Judiciary Committee Holds Mobile Privacy Hearing: The Senate Judiciary Subcommittee on Privacy, Technology, and Law held a hearing on "Protecting Mobile Privacy: Your Smartphones, Tablets, Cell Phones and Your Privacy." Lawmakers heard testimony from the Federal Trade Commission, as well as from from Apple and Google representatives. Chairman Leahy said that safeguarding privacy "is one of the most important and challenging issues facing the nation," and indicated that he would introduce legislation to update the Electronic Communications Privacy Act. EPIC previously recommended new privacy safeguards for location data. For more information, see EPIC: Locational Privacy and EPIC: In re Google Buzz. (May. 10, 2011)
  • EPIC Proposes "Fair Information Practices" for Google: Today EPIC submitted detailed comments on a landmark privacy agreement that requires Google to adopt a "Comprehensive Privacy Plan" to safeguard the privacy and personal information of Internet users. In comments to the Federal Trade Commission, EPIC recommended that the FTC require Google to adopt and implement comprehensive Fair Information Practices, as part of the Privacy Program. EPIC also recommended encryption for Google's cloud-based services, new safeguards for reader privacy, limitations on data collection, and warrant requirements for data disclosures to government officials. EPIC said that similar privacy safeguards should be established for other Internet companies. The FTC investigation and settlement arises from a complaint filed by EPIC with the Commission in February 2010. For more information, see EPIC: In re Google Buzz and FTC - Public Comments on In Re Google. (May. 3, 2011)
  • Public Submits Comments on Proposed Google Consent Order: Today marks the end of the public comment period for the Federal Trade Commission's landmark Consent Order with Google regarding Buzz, Gmail, and all Google products and services. As part of the legal order, Google must adopt a "Comprehensive Privacy Plan" to safeguard its users data and personal information. EPIC launched an online petition and a "Fix Google Privacy" page to promote public participation in the FTC's deliberations. The FTC's action against Google follows a Complaint and an Amended Complaint, filed by EPIC on behalf of Gmail subscribers and other users. For more information, see EPIC: In re Google Buzz. (May. 2, 2011)
  • EPIC Launches "Fix Google Privacy" Campaign: In response to the recent announcement that Google has agreed to adopt a "Comprehensive Privacy Plan," EPIC has launched "Fix Google Privacy," a campaign to encourage Internet users to offer their suggestions to improve safeguards for Google's products and services. Submissions to EPIC will be forwarded to the Federal Trade Commission and considered by the agency as part of the final Privacy Plan. All comments must be sent before May 2, 2011. For more information, see EPIC - In Re Google Buzz and FTC - Analysis to Aid Public Comments. (Apr. 5, 2011)
  • EPIC, Privacy Groups File Objection to Proposed Google Buzz Settlement: EPIC and a coalition of consumer and privacy organizations have filed an objection to the "cy pres" allocation proposed by the attorneys in the Google Buzz matter. "Cy pres" ("as near as possible") is a legal doctrine that allows courts to allocate funds to protect the interests of individuals when there is a class action settlement. In these cases, courts are often concerned about collusion between attorneys that produces quick settlements and does not protect the interests of the class members. EPIC, which filed the successful complaint with the Federal Trade Commission that led to the Google Buzz agreement, and the other groups say that the proposed settlement does not satisfy the "cy pres" requirement. They note that several of the organizations proposed by Google are currently funded by Google. Other parties in the case have also objected to the proposed settlement. The Court has already stated that "the final approval list of cy pres organizations may draw, but need not be drawn, entirely from the submission of nominations by Class Counsel." The Court also said, "The Court reserves the right to designate cy pres recipients who would reasonably benefit the Class through established Internet privacy education and policy programs on its own motion." For more information, see In re Google Buzz. (Apr. 1, 2011)
  • FTC Announces Agreement in EPIC Google Buzz Complaint: The Federal Trade Commission has reached a agreement with Google regarding Buzz, the social network service launched in early 2010. The FTC action follows a complaint and an amended complaint filed by EPIC on behalf of Gmail subscribers and other Internet users. The FTC agreement with Google is far-reaching. It is the most significant privacy decision by the Commission to date. For Internet users, it should lead to higher privacy standards and better protection for personal data. EPIC has pursued similar successful complaints at the FTC in the past, including Microsoft Passport and Choicepoint, the databroker firm. For more information, see EPIC - In re Google Buzz. (Mar. 30, 2011)
  • Privacy Groups Object to Google's "Simplified" Privacy Policy : EPIC and 14 other privacy and consumer protection groups sent a letter to Google CEO Eric Schmidt about Google's revised privacy policy. Under this new policy, twelve specific Google privacy policies will be replaced by a single policy that will enable greater data sharing within the corporation. EPIC previously raised similar concerns about Google Buzz in a complaint to the Federal Trade Commission. In the complaint, EPIC argued that Google's Gmail-specific privacy policy was more protective of users than their general privacy policy. For more information, see EPIC: In re Google Buzz. (Oct. 6, 2010)
  • Google Settles Buzz Lawsuit, Allocates Funds for Internet Privacy Groups: Google has entered into a settlement agreement in a class action suit concerning the social network service Buzz. With Buzz, Google made private email contacts of Gmail susbcribers publicly available without consent. Gmail users filed a class action lawsuit. The plaintiffs alleged violations of federal privacy and consumer fraud laws. As part of the settlement agreement, Google will establish an $8.5 million settlement fund to pay the attorneys, compensate the lead plaintiffs, and establish a cy pres fund for "existing organizations focused on Internet privacy policy or privacy education." Earlier this year, EPIC raised similar concerns about Google Buzz in a formal complaint to the Federal Trade Commission. EPIC has also objected to a settlement in the Facebook Beacon case on the grounds that the settlement would allow Facebook, the defendant, to control the private foundation established by the settlement. The Google settlement would not establish a similar entity. For more information see EPIC: In re Google Buzz. (Sep. 7, 2010)

EPIC's Complaint in the News

Background

Google

Google is a company created by Larry Page and Sergey Brin in 1998. Originally, Google was a search engine service, but since its inception, the company has expanded to create several web applications that encourage sharing of information. These applications include Gmail, Google Calendar, and Google Docs. On February 9, 2010, Google introduced its newest web application, Google Buzz.

Google Buzz

On February 9, 2010, Google introduced Buzz, a social networking service linked to Gmail, Google’s email service. There are currently over 37 million Gmail users in the United States. Google Buzz is an opt-out service that compiles a Gmail user’s social networking list based on address book and Gchat list contacts. When users checked their email through Gmail on February 9th, they were confronted with the following screen:

Google Buzz.png

Whether the user clicked on “Sweet! Check out Buzz” or “Nah, go to my inbox,” Google Buzz was activated, and a list of followers and “people who you follow” were already populated using frequent contacts. These lists were publicly viewable by other Gmail users, and if a user had a Google profile, this information was publicly indexed by search engines.

Google experienced a strong backlash from users who were unhappy that their Gmail address books were essentially published for all to see. Address book contacts routinely contain deeply personal information, including the names and email addresses of estranged spouses, current lovers, attorneys and doctors. In response to user outcry, Google made several changes to its Google Buzz service. Despite these changes, Google still compiled social networking lists based on address book contacts without first notifying users, and allowed such information to be publicly indexed by search engines without clearly notifying users.

Google users were still not satisfied, and on February 13, 2010, Google made additional changes to the Google Buzz service. Rather than using an auto-follow structure for the “people who you follow” list, Google now uses an auto-suggest model, where users can pre-screen who they follow. However, the auto-follow model is still in place for the “followers” list, or list of “people who follow you.” The burden remains on users to constantly check and block their followers.

EPIC's FTC Complaint

EPIC’s FTC complaint highlights several aspects of the Google Buzz service that threaten Gmail users’ privacy. The complaint focuses on the unfair and deceptive trade practices of Google with respect to Google’s transformation of an email service to a social networking service without offering Gmail users meaningful control over their information or opt-in consent. The complaint argues that Google’s change in business practices and service terms violated user privacy expectations, diminished user privacy, contradicted Google’s own privacy policy, and may have also violated federal wiretap laws.

EPIC’s complaint begins by stressing the importance of email privacy. While email senders and recipients always have an opportunity to disclose email-related information to third parties, email service providers have a particular responsibility to safeguard the personal information that subscribers provide. Improper disclosure of even a limited amount of subscriber information by an email service provider can be a violation of both state and federal law. As an email service provider, Google’s attempt to convert the personal information of all of its customers into a separate service raises far-reaching concerns for subscribers and implicates both consumer and personal privacy interests.

The complaint goes on to describe Google Buzz and Google’s disclosure of users’ email contacts. Gmail contact lists routinely include deeply personal information, including the names and email addresses of estranged spouses, current lovers, attorneys and doctors. The frequency with which a user communicates with a given contact is also deeply personal and demonstrates the closeness of the user’s relationship with that contact. The activation of Buzz disclosed not only portions of users’ contact lists, but more specifically disclosed the contacts with whom users communicate most often. The fact that the auto-following lists were composed of users’ most common Gmail contacts was widely known and publicized, as well as easily deduced by individual users. As such, anyone looking at a newly-activated Buzz user’s “following” list would know that the list indicated which people that user communicated with most often.

EPIC’s complaint analyzes the two rounds of changes to the Google Buzz service. After both changes, Google Buzz still populates the suggested social networking list of people a user follows based on frequent address book and chat contacts. Although the “welcome page” states that “[y]ou can find more people to follow later,” the contacts from a user’s address book and chat list make up a user’s initial “follow” list. Further, Google Buzz still allows people to automatically follow a user. The burden remains on the user to block those unwanted followers. The “welcome screen” still does not make clear that the user must create a profile that would be public and indexed by search engines. The screen only states, “The first time you post in Buzz you’ll create a profile which includes the list of people you follow—you can choose not to display this list if you’d like.” Finally, Google has not announced any changes to the pop-up screen that appears when a user initially posts on Google Buzz. Therefore, users are still unaware that showing the user’s connection means showing connections publicly to everyone, and having them publicly indexed by search engines.

FTC Authority to Act

The FTC's primary enforcement authority with regards to privacy is derived from 15 U.S.C. ยง 45, commonly known as section 5 of the Federal Trade Commission Act (FTCA). Section 5 of the FTCA allows the FTC to investigate "unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce." This law provides a legal basis for the FTC to regulate business activities that threaten consumer privacy.

FTC Proposed Agreement

    The FTC stated:
    Google Inc. has agreed to settle Federal Trade Commission charges that it used deceptive tactics and violated its own privacy promises to consumers when it launched its social network, Google Buzz, in 2010. The agency alleges the practices violate the FTC Act. The proposed settlement bars the company from future privacy misrepresentations, requires it to implement a comprehensive privacy program, and calls for regular, independent privacy audits for the next 20 years. This is the first time an FTC settlement order has required a company to implement a comprehensive privacy program to protect the privacy of consumers’ information. In addition, this is the first time the FTC has alleged violations of the substantive privacy requirements of the U.S.-EU Safe Harbor Framework, which provides a method for U.S. companies to transfer personal data lawfully from the European Union to the United States.
    The FTC further stated:
    According to the FTC complaint, Google launched its Buzz social network through its Gmail web-based email product. Although Google led Gmail users to believe that they could choose whether or not they wanted to join the network, the options for declining or leaving the social network were ineffective. For users who joined the Buzz network, the controls for limiting the sharing of their personal information were confusing and difficult to find, the agency alleged.
    In response to the Buzz launch, Google received thousands of complaints from consumers who were concerned about public disclosure of their email contacts which included, in some cases, ex-spouses, patients, students, employers, or competitors. According to the FTC complaint, Google made certain changes to the Buzz product in response to those complaints.
    Google’s data practices in connection with its launch of Google Buzz were the subject of a complaint filed with the FTC by the Electronic Privacy Information Center shortly after the service was launched.

FTC Documents

EPIC Filing

Response to Proposed FTC Settlement

News Stories and Blog Items