TechWeb

Google Settles FTC Privacy Suit Over Buzz

Mar 30, 2011 (10:03 AM EDT)

Read the Original Article at http://www.informationweek.com/news/showArticle.jhtml?articleID=229400616


Under terms of Google's settlement Wednesday with the Federal Trade Commission (FTC) over charges it violated user privacy with its Buzz social networking service, Google will undergo third-party privacy audits for the next two decades and implement a comprehensive privacy program.

The FTC charged Google with using deceptive tactics and violating the company's own privacy promises to consumers, according to the complaint. The government agency also alleged that Google violated the substantive privacy requirements of the Safe Harbor Framework, which gives companies a method to lawfully transfer data from the European Union to the United States.

"When companies make privacy pledges, they need to honor them," said Jon Leibowitz, chairman of the FTC, in a release. "This is a tough settlement that ensures that Google will honor its commitments to consumers and build strong privacy protections into all of its operations."

Although the terms are Google-specific, the government apparently hopes other social networks will pay close attention to the settlement.

"Terms of the order apply only to Google. But the best practices set forth in the order should serve as a guide to industry," the FTC tweeted, as part of its steady stream of responses to questions via Twitter. "FTC staff proposed framework for protecting consumer privacy in Dec. Will continue aggressive law enforcement in privacy too."

When Google launched Buzz via Gmail in February 2010, the developer led users to believe they could choose whether or not to join the network. But users' options for declining or leaving the social media site were ineffective, according to the FTC.

"The launch of Google Buzz fell short of our usual standards for transparency and user control -- letting our users and Google down," wrote Alma Whitten, director of privacy, product, and engineering at Google, in a company blog. "While we worked quickly to make improvements, regulators -- including the U.S. Federal Trade Commission -- unsurprisingly wanted more detail about what went wrong and how we could prevent it from happening again. Today, we've reached an agreement with the FTC to address their concerns."

Google also incorrectly stated it was acting in accord with the Safe Harbor framework, a voluntary program administered by the U.S. Department of Commerce in consultation with the European Commission. To participate, companies must self-certify each year that they meet pre-defined privacy principles; the FTC said Google did not give consumers notice or choice when their information was used for a purpose different from the one for which it was gathered.

"Case demonstrates FTC's continuing commitment to enforcing U.S.-EU Safe Harbor. Always looking for more cases," the FTC tweeted.




As a result of this misrepresentation, Google has agreed to get users' consent before the company shares that information with third parties if Google makes changes to its products or services that alter the privacy promise made when the data originally was collected. In addition, Google will create and maintain a "comprehensive privacy program," and will hire a third party to conduct an audit of its privacy and data-protection practices every two years, the settlement said.

"Covered info includes all info collected from or about consumers including search," the FTC tweeted. "Google could be subject to civil penalties in the amount of $16,000 per violation (standard) for violating consent decree."

The Electronic Privacy Information Center (EPIC) filed a complaint with the FTC soon after Google released Buzz, based on the developer's data-privacy practices.

When Buzz debuted, Gmail users received a message about the service and got two options: "Sweet! Check out Buzz," and "Nah, go to my inbox." Even users who selected the opt-out "Nah" button were, however, enrolled in some features of Buzz, the FTC said. Google did not inform users who opted in to Buzz that their most frequently emailed contacts would, by default, be made public, the government said. In addition, the "Turn Off Buzz" choice did not completely remove users from the network, according to the FTC.

The government agency was not alone in its complaints. Consumers submitted thousands of grievances about public disclosure of their email contacts which, at times, included former spouses, competitors, patients, students, and employers, the complaint said. Businesses also responded: In May, the University of California-Davis decided to end its Gmail pilot, which could have led to campus-wide deployment, because faculty members doubted Google's ability to keep their correspondence private, in large part because of Google Buzz and international outrage -- and lawsuits -- about the social network.

Google did make some changes to Buzz in response to those criticisms. In September, for example, Google simplified its privacy policies in an effort to make them easier to understand and to operate with greater transparency.

Last year, several independent lawsuits were rolled into a class action suit against Google and Buzz. Google settled that case in November, committing $8.5 million, less legal fees, to "organizations promoting privacy education and policy on the Web," according to Google.