10 Comments

Summary:

Privacy authorities from 10 countries this morning released a joint letter at a conference in Washington, D.C., taking Google to task over the way it launched its social tool, Google Buzz, saying the new service “betrayed a disappointing disregard for fundamental privacy norms and laws.”

Updated: Privacy authorities from 10 countries this morning released a joint letter at a conference in Washington, D.C., that takes Google to task over the way it released its social tool, Google Buzz, saying the launch “betrayed a disappointing disregard for fundamental privacy norms and laws.” The group also said that the privacy problems associated with the new service, which went live in February, should have been “readily apparent” and that it isn’t the first time the company has “failed to take adequate account of privacy considerations when launching new services.” The letter noted that Google’s Street View service has also been the subject of privacy-related complaints from multiple countries.

In an emailed response, a Google spokesperson said: “We try very hard to be upfront about the data we collect, and how we use it, as well as to build meaningful controls into our products. Of course we do not get everything 100% right — that is why we acted so quickly on Buzz following the user feedback we received. We have discussed all these issues publicly many times before and have nothing to add to today’s letter.”

The letter — the full text of which is below — was signed by the heads of data protection authorities in Canada, France, Germany, Ireland, Israel, Italy, the Netherlands, New Zealand, Spain and the United Kingdom. The group is scheduled to hold a press conference later today in Washington about the statement, which called on Google “like all organizations entrusted with people’s personal information, to incorporate fundamental privacy principles directly into the design of new online services.” The fundamental problem with Buzz is described this way:

Google Mail, or Gmail, had been a private, one-to-one web-based e-mail service, but was abruptly melded with a new social networking service. Google automatically assigned users a network of “followers” from among people with whom they corresponded most often on Gmail, without adequately informing those users about how this new service would work or providing sufficient information to permit informed consent. These actions violated the fundamental, globally accepted privacy principle that people should be able to control the use of their personal information.

This joint effort by multiple countries is only the latest in a series of attacks Google has faced over Buzz. Not long after the new service was launched in February, the Electronic Privacy Information Center asked the FTC to open an investigation into privacy concerns surrounding Buzz, and that was followed in March by a similar request from a bipartisan group of lawmakers from the House of Representatives. Although Google CEO Eric Schmidt has said that “no one was harmed” by Buzz, project manager Todd Jackson later apologized for the way the product was launched, and the company has made a number of alterations to the way it functions, including a new confirmation screen for users so they can confirm what they wish to share and with whom.

Privacy concerns have also dogged Google in Europe, where Street View has come under fire from European Union regulators as well as privacy authorities in a number of countries such as Germany. Some authorities want the company to provide better notice to citizens of when the Street View car will be filming them, as well as a way for individuals to have themselves removed from the snapshots after they’re taken. Google has also faced serious repercussions in Italy, where three senior Google executives were found guilty in February of breaching Italian privacy regulations as a result of a video that was uploaded to YouTube.

The privacy regulators who released the letter today were meeting in Washington for the annual global summit of the International Association of Privacy Professionals.

Update: On a related note, Google today launched what it is calling a “government requests” tool, which shows where and when the company has been asked by the governments or authorities in various countries around the world to remove data or (in some cases) to provide information about users. Google says the tool is designed to provide “greater transparency” around these kinds of requests, which it notes in some cases are perfectly legitimate.

The full text of the letter to Google follows:

April 19, 2010

Mr. Eric Schmidt
 Chairman of the Board and
 Chief Executive Officer
 Google Inc. 
Mountain View, CA 
USA 94043

Dear Mr. Schmidt:

Google is an innovative company that has changed how people around the world use the Internet. We recognize your company’s many accomplishments and its dramatic impact on our information economy. As data protection regulators mandated to protect privacy rights, we also applaud your participation in discussions in many jurisdictions about new approaches to data protection.

However, we are increasingly concerned that, too often, the privacy rights of the world’s citizens are being forgotten as Google rolls out new technological applications. We were disturbed by your recent rollout of the Google Buzz social networking application, which betrayed a disappointing disregard for fundamental privacy norms and laws. Moreover, this was not the first time you have failed to take adequate account of privacy considerations when launching new services.

The privacy problems associated with your initial global rollout of Google Buzz on February 9, 2010 were serious and ought to have been readily apparent to you.

In essence, you took Google Mail (Gmail), a private, one-to-one web-based e-mail service, and converted it into a social networking service, raising concern among users that their personal information was being disclosed. Google automatically assigned users a network of “followers” from among people with whom they corresponded most often on Gmail, without adequately informing Gmail users about how this new service would work or providing sufficient information to permit informed consent decisions. This violated the fundamental principle that individuals should be able to control the use of their personal information.

Users instantly recognized the threat to their privacy and the security of their personal information, and were understandably outraged. To your credit, Google apologized and moved quickly to stem the damage.

While your company addressed the most privacy-intrusive aspects of Google Buzz in the wake of this public protest and most recently (April 5, 2010) you asked all users to reconfirm their privacy settings, we remain extremely concerned about how a product with such significant privacy issues was launched in the first place. We would have expected a company of your stature to set a better example. Launching a product in “beta” form is not a substitute for ensuring that new services comply with fair information principles before they are introduced.

It is unacceptable to roll out a product that unilaterally renders personal information public, with the intention of repairing problems later as they arise. Privacy cannot be sidelined in the rush to introduce new technologies to online audiences around the world.

Unfortunately, Google Buzz is not an isolated case. Google Street View was launched in some countries without due consideration of privacy and data protection laws and cultural norms. In that instance, you addressed privacy concerns related to such matters as the retention of unblurred facial images only after the fact, and there is continued concern about the adequacy of the information you provide before the images are captured.

We recognize that Google is not the only online company with a history of introducing services without due regard for the privacy of its users. As a leader in the online world, we hope that your company will set an example for others to follow.

We therefore call on you, like all organisations entrusted with people’s personal information, to incorporate fundamental privacy principles directly into the design of new online services. That means, at a minimum:

• collecting and processing only the minimum amount of personal information necessary to achieve the identified purpose of the product or service;

• providing clear and unambiguous information about how personal information will be used to allow users to provide informed consent;

• creating privacy-protective default settings;

• ensuring that privacy control settings are prominent and easy to use;

• ensuring that all personal data is adequately protected, and

• giving people simple procedures for deleting their accounts and honouring their requests in a timely way.

In addition to respecting these broad principles, we also expect all organisations to comply with relevant data protection and privacy laws. These laws apply online, just as they do in the physical world. As well, we encourage organisations to engage with data protection authorities when developing services with significant implications for privacy.

As your users made clear to you in the hours and days after the launch of Google Buzz, privacy is a fundamental right that people value deeply.

As regulators responsible for promoting and overseeing compliance with data protection and privacy laws, we hope that you will learn from this experience as you design and develop new products and services.

We would like to receive a response indicating how Google will ensure that privacy and data protection requirements are met before the launch of future products.

Sincerely,

Original signed by
Jennifer Stoddart Privacy Commissioner of Canada

Original signed by
Alex Türk
 Chairman, Commission Nationale de l’Informatique et des Libertés (France)

Original signed by
Peter Schaar
 Commissioner, Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (Germany)

Original signed by
Billy Hawkes 
Data Protection Commissioner of Ireland

Original signed by
Yoram Hacohen 
Head of the Israeli Law, Information and Technology Authority

Original signed by
Francesco Pizzetti
 Garante per la protezione dei dati personali (Italy)

Original signed by
Jacob Kohnstamm
 Chairman, College Bescherming Persoonsgegevens (Netherlands)
Chairman, Article 29 Working Party

Original signed by
Marie Shroff 
Privacy Commissioner, New Zealand

Original signed by
Artemi Rallo Lombarte
 Director, Agencia Española de Protección de Datos (Spain)

Original signed by
Christopher Graham
 Information Commissioner and Chief Executive (United Kingdom)

Related content from GigaOM Pro (sub req’d):

Why New Net Companies Must Shoulder More Responsibility

Post and thumbnail photos courtesy of Flickr user Blyzz

You’re subscribed! If you like, you can update your settings

  1. Google Slammed by Privacy Authorities Over Buzz (Mathew Ingram/GigaOM) « My Blog Tuesday, April 20, 2010

    [...] Ingram / GigaOM: Google Slammed by Privacy Authorities Over Buzz  —  Privacy authorities from ten countries this morning released a joint letter at [...]

  2. Google Slammed by Privacy Authorities Over Buzz Tuesday, April 20, 2010

    [...] Read some more here. [...]

  3. The letter loses all credibility with this totally inaccurate statement: “It is unacceptable to roll out a product that unilaterally renders personal information public”.

    Google Buzz never ever “unilaterally” made personal information public. In fact, it never made personal information public. Period. The only way any information could be made public on Buzz (since its launch till now) was for a user to explicitly choose to make some information public.

  4. Congress Proposes Sweeping Internet Privacy Bill Tuesday, May 4, 2010

    [...] privacy has become an ongoing brush fire that flares up almost weekly. Google has been slammed by privacy authorities from countries around the world for its practices, and Facebook has come under scrutiny from privacy groups and a [...]

  5. Google Buzz Adds ‘Reshare’ Feature As Part of Weekly Rollout Thursday, May 27, 2010

    [...] also said that the feature most users complained about the most when Buzz launched — the auto-following of email contacts — was an attempt to make it easier for new users to find people worth following, which he [...]

  6. Study Web Giants Today for Smart Grid Privacy Tips Tomorrow Friday, May 28, 2010

    [...] privacy mechanisms. Google, too, has been struggling with privacy, first with the well-publicized Buzz uproar and then when it was discovered that its fleet of Street View vehicles in Germany was capturing [...]

  7. Privacy As a Competitive Advantage in Mobile Monday, May 31, 2010

    [...] 9:00am PDT No Comments        0 Over the past few months, the debate over privacy and its role in the continued evolution of information technology has been reinvigorated. To some [...]

  8. Privacy is Hard Because People Change Their Minds Friday, August 27, 2010

    [...] like Google and Facebook, it’s privacy. Google tries to offer a new service with Buzz, and triggers a series of privacy land mines; Facebook tries to offer new services and runs afoul of privacy concerns as well, then it changes [...]

  9. Facebook iPhone Contact Sync Feature is Latest Fear Target: Tech News « Wednesday, October 6, 2010

    [...] to just how big a target Facebook has become. The company has grown in size to the point that, like Google, it can’t do much without prompting warnings from critics. With more than 500 million users, [...]

  10. Kik’s Viral Growth Comes With an Apology: Tech News « Tuesday, November 9, 2010

    [...] people’s Buzz contacts with everyone from their email address book — something that caused a huge outcry from privacy advocates as well as a lawsuit that Google recently settled. Livingston says that Kik doesn’t make [...]

Comments have been disabled for this post