Google runs into FTC Buzz-saw

As part of its settlement with the FTC, Google must subject itself to regular independent privacy audits for the next 20 years

The FTC charged Google with deceptive privacy practices and violating its own privacy policy regarding the rollout of Google’s Buzz social network in 2010.

Google agreed to a proposed settlement with the FTC under which the agency barred Google from future privacy misrepresentations, required the company to implement a comprehensive privacy program, and called for regular independent privacy audits for the next 20 years.

The FTC said that this was the first time the agency had required a company to take such actions as part of a settlement order.

According to the FTC complaint, Google led Gmail users to believe that they could opt out of joining the Buzz social network, but the options for declining or leaving the network were “ineffective.”

In addition, for Gmail users who joined the Buzz network, the controls for limiting the sharing of personal information were confusing and difficult to find, according to the complaint.

At the time of the Buzz launch, Google’s privacy policy stated, “When you sign up for a particular service that requires registration, we ask you to provide personal information. If we use this information in a manner different than the purpose for which it was collected, then we will ask for your consent prior to such use.” The FTC charged that Google violated this policy by using information provided by Gmail users for the Buzz network without obtaining their permission in advance.

The FTC complaint also alleged that a screen that asked consumers enrolling in Buzz, “How do you want to appear to others?” indicated that consumers could exercise control over what personal information would be made public. The FTC charged that Google failed to disclose adequately that consumers’ frequent email contacts would become public by default.

In addition, the FTC alleged that Google misrepresented that it was treating personal information from the European Union in accordance with the U.S.-EU Safe Harbor privacy framework. The complaint said that Google’s assertion that it adhered to the Safe Harbor principles was false because the company failed to give consumers notice and choice before using their information for a purpose different from that for which it was collected.

On Google’s official blog, Alma Whitten, Google’s director of privacy, product and engineering, admitted that the launch of Buzz “fell short of our usual standards for transparency and user control.” Whitten said that Google worked with the FTC to provide more detail about “what went wrong” with the Buzz launch and how this type of thing could be prevented in the future.

“We’d like to apologize again for the mistakes we made with Buzz. While today’s announcement thankfully put this incident behind us, we are 100 percent focused on ensuring that our new privacy procedures effectively protect the interests of all our users going forward”, Whitten concluded.
