Sign up to our newsletter
The latest security news direct to your inbox
So how bad was the roll out of Google Buzz? Let’s start with a little bit of history first.
Either before or after you read this blog, I would appreciate your impressions of how Google rolled out buzz. I have a survey up at http://www.surveymonkey.com/s/JSS79XJ
Several years ago, Microsoft initiated their SDL, Security Design Lifecycle to improve the security of their products. Google is way overdue for starting a Privacy Design Lifecycle. Google’s respect for privacy makes Microsoft’ worst security problems seem inconsequential.
According to satirical joke known as the “Google’s Approach to Privacy” http://mail.google.com/mail/help/privacy.html
We have 5 privacy principles that describe how we approach privacy and user information across all of our products:
1. Use information to provide our users with valuable products and services.
2. Develop products that reflect strong privacy standards and practices.
3. Make the collection of personal information transparent.
4. Give users meaningful choices to protect their privacy.
5. Be a responsible steward of the information we hold.
When Google Launched Buzz they completely ignored items 4 and 5.
The policy http://www.google.com/privacypolicy.html goes on to promise:
Google only shares personal information with other companies or individuals outside of Google in the following limited circumstances:
* We have your consent. We require opt-in consent for the sharing of any sensitive personal information.
* We have a good faith belief that access, use, preservation or disclosure of such information is reasonably necessary to (a) satisfy any applicable law, regulation, legal process or enforceable governmental request, (b) enforce applicable Terms of Service, including investigation of potential violations thereof, (c) detect, prevent, or otherwise address fraud, security or technical issues, or (d) protect against harm to the rights, property or safety of Google, its users or the public as required or permitted by law.
Very, very, very importantly, Google claims:
First, you need to do a few Google searches. Copy and paste the following into a Google search box.
General Practitioner site:google.com/profiles
Sexual therapist site:google.com/profiles
There are many other potential searches, but what this is showing are the public profiles of people who have legal or ethical obligations to keep confidential the identities of the people they communicate with. What Google did was deliberately violate their own privacy guidelines and policies so as to breach the confidentiality of users and they did so because the immediate build of a social network was deemed more important that adhering to their policy or respecting a single person in the world. In other words they have no compliance and no concern.
People at Google absolutely know that even disclosing that a victim of domestic violence is seeking help may put that victim in harm’s way. I know some Google people know this because I have been at the same meetings their security people have been at when representatives of NNEDV. The National Network to End Domestic Violence, told of how even exposing that an abuse victim is looking for help can end in violence or death. Google places an instant social network high above the safety of people.
When Google rolled out Buzz, they made the private contacts of many people public knowledge. To this day Google has admitted no wrong doing and has only apologized for causing discomfort and not for violating their agreements.
The odds are that if you have a Gmail account and perform the searches I suggested, and then look at who is following who or being followed by who, and their public profiles, you can put two and two together to find out who is being seen/treated by who, and in some cases for what general therapies.
You can look up a psychologist and see what they specialize in. Perhaps depression, the treatment of children, marriage counseling, etc. You can look up who they follow and who follows them and often find out the location of the people if they list it in their public profile. It sometimes isn’t hard to put two and two together, especially if you know one or both parties.
If a user emailed a company about any number of private issues, this may have been revealed to the world. It was not the content of the email, but Google forced the user to divulge the nature of the contact.
It has been interesting following the responses on Buzz. A large number of users seem to think that the value of privacy and a contact is roughly zero.
Do expect Google to start making your Gmail emails public. Unless the class action lawsuit against Google is certified and truly hurts Google, there is no deterrent to Google brazenly ignoring it.
Director of Technical Education
Author ESET Research, ESET