
Google Buzz Privacy Flaws: Behavioral Side

CASE STUDY

Clay Collin, Mary Peterson, Paula Seligson, Nick Shchetko

Course: INLS 490.151 “Privacy by Design”

The University of North Carolina at Chapel Hill

2013 2 Case 1: Buzz (Behavior)

EXECUTIVE SUMMARY

When Google Inc. launched its social network site (SNS) Buzz, the company integrated it with its immensely popular email system. Suddenly, the private space of Gmail became part of the public space of Buzz, when the company automatically compiled and made public the lists of frequent email and chat contacts.

Email is often considered a private space – it requires a username and password to access and the content of each message is generally known only between the sender and the recipient. People behave with an expectation of privacy. If the contents of these emails, ranging from the actual message to the timestamp to the identities of the sender/receiver, are made public, the individual will use the service differently.

The public backlash against Buzz was immediate and forced Google to revisit and redesign Buzz on the fly. Despite the quick response, the company had to settle a class-action lawsuit and went through an enforcement settlement with the US Federal Trade Commission.

Google Buzz was closed in late 2011 so the company could focus on its fully-fledged SNS Google+.

Google didn’t consider the behavior of its users in a private versus public system, which resulted in the backlash and was the fatal flaw of Buzz.


INTRODUCTION

In February 2010, Google introduced Buzz (Jackson, 2010), a new social network based on integrating Google’s other products, including Gmail. The service aimed to capture some of its audience from popular SNS platforms such as and . Buzz took off quickly, securing more than 9 million posts and comments in about 56 hours (Parr, 2010). However, the young service did not offer features outstanding enough to successfully keep up with its older competitors. But the integration of Gmail led to private information being publicly displayed through Buzz, and Google was quickly hammered over the privacy flaws in Buzz.

Google automatically compiled the list of followers for each Buzz user based on the frequency of email contacts or chats between users (Jackson, 2010). The list of followers was made publicly available on a user’s profile page by default for Buzz users, therefore revealing who each user contacted the most often. This was incredibly revealing information because users previously had a complete expectation that their emails were private. These actions violated contextual integrity norms (Nissenbaum, 2010), both inappropriately compiling the sensitive information about email contacts and then distributing it to the public. Additionally, Buzz’s opt-out model was difficult to use and made it hard for people to take information off of their public profile, especially if they did not sign up for a Google profile beforehand (Carlson, 2010).

Google responded immediately and adjusted the profile, making it easier to hide the automatically created followers list. After a few days, Google stopped creating these lists and instead started to suggest potential followers (Frommer, 2010). However, the followers list was still public by default.

Additionally, users were concerned that the mobile version of Buzz automatically added the location the user was posting from (Magid, 2010).

Google then found itself facing a class-action lawsuit as well as an FTC complaint from the D.C.-based non-profit, Electronic Privacy Information Center. Both parties accused Google Buzz of violating users’ privacy. The cases were ultimately settled (Whitten, 2011; WebCite) and Google agreed to revamp its approach to privacy and to fund efforts aimed at raising privacy-awareness.

Buzz was discontinued in late 2011, but the privacy issues Google and its users faced still linger on across different products and services.

Google faces especially strong problems in terms of user behavior because of its wide range of services: how can a user understand privacy boundaries across their entire if each product involves a different set of privacy rules?

ANALYSIS

We believe that Buzz’s fatal error was making aspects of a private system public by default. Users behave differently depending on their expectations of privacy: email is considered private while an SNS is considered semi-public.

Email - Typical User Behavior and Privacy Expectations

Email serves a variety of functions based around personal communication. In terms of Personal Information Management, email is the primary way we manage tasks, archive personal information, and keep up with contacts (Whittaker, 2006), all of which can provide revealing information about a person’s day-to-day life. As an archive, individual emails are essentially a ‘paper trail’ tracking a user’s ideas and actions. A list of contacts can provide revealing facts, such as the negotiations of a job offer or the identities of individuals in a romantic relationship. Additionally, people are dependent on the reliability of their email: failing to respond quickly or adequately could delay or affect deadlines. Email also suffers from a lack of context. Things that are user generated often possess real value to the creator but a person viewing the emails without that context could make erroneous conclusions (Whittaker, 2006).

Not only do users have an expectation of privacy in their email, but users actually often overestimate their email privacy. For example, typing in a password to access email gives a sense of security that can be false if the technology does not sufficiently encrypt the emails’ content during data transfer. Some users also believe that deleting an email makes the content disappear forever, which is not necessarily true. Additionally, unclear interfaces can lead the user to believe that the information is private (Weisband, 1995). Management policies and social interactions may also influence this perception. The public perception of the company providing the email might cause the user to feel secure. Since email is text based, people lack the social cues that hinder them from expressing certain things in public. With this psychological security, users may feel encouraged to disclose more private information that they otherwise would not share (Weisband, 1995). When creating an email system, designers should keep all this in mind in order to not take advantage of the user’s misconceived security.

SNS - Typical User Behavior and Privacy Expectations

Social network sites (SNS), for the purposes of this paper, are “web-based services that allow individuals to construct a public or semi-public profile within a bounded system, articulate a list of other users with whom they share a connection, and view and traverse their list of connections and those made by others within the system” (boyd & Ellison, 2007). While the terminology and some features used in SNS vary across services, every SNS features user-generated profiles, user-curated network lists, private messaging, and public commenting capabilities (boyd & Ellison, 2007). The user-curated network lists tend to be bidirectional, meaning that a person requests a connection to another user and the other user must approve that request to complete the connection (boyd & Ellison, 2007). Privacy settings, which vary by user and SNS, allow users to view, interact, and share with anyone within their network, which can be considered a bounded community.

People tend to use SNS to reconnect with and get to better know people they already know, as opposed to networking or contacting strangers. Aptly named, SNS are tools for socialization (Guy et al., 2008). They are used to communicate and interact with large groups of people. People tend to fill their networks with social contacts that are members of their peer group, friends, family, close work colleagues, and old acquaintances. Each of these groups represents a different social sphere which, by means of the architecture of SNS, can be applied broadly and used to define each person in the same manner regardless of the relationship. This phenomenon is called “context collapse.”

This combination of social spheres can cause tension and problems as a user attempts to navigate what might be tricky social waters by communicating via SNS to their friends when a parent, employer or other authority figure might also be a member of the SNS (Binder, Howes & Sutcliffe, 2009). Teenagers in particular have developed several methods to deal with this sort of tension by posting ambiguous statuses or using language or references only certain people would understand (boyd & Marwick, 2011). Other strategies to cope with this context collapse can include having several accounts or not posting anything that might offend anyone in the whole network (Vitak et al., 2012). In order to employ these strategies, a user needs to be aware of the population of their networks.

The very nature of SNS and the possibility of context collapse means that users are aware of the constraints of the system and its multiple social spheres and behave accordingly.

Incongruity of Email and SNS Models for Buzz

While usage of social network sites and email both accomplish the broad task of communication with others, the intended recipients of messages and content of messages differ greatly. As previously mentioned, there is an expectation of private communication with a specific recipient(s) when using email and an expectation of semi-public sharing to a curated group of contacts when using an SNS.

The nomenclature used for email and SNS differs in a way that impacts user expectation. In email a person has an address book or contact list, whereas in SNS they have friends. Users hit “Send” on email (which implies a direct transaction) and “Share”/“Post” (which implies a one-to-many transaction) on SNS to communicate (Grippa et al., 2006; Guy et al., 2008).

Given the different uses and user expectations of each medium, it is clear that while there is some overlap, a user’s SNS friends can vary wildly from the contacts in their email address book (Helft, 2010). A study that interviewed 348 IBM employees about who to contact via what method showed that people made different choices depending on the medium. One interviewee said that his friends would be offended if he contacted them via email and that he considered email for formal communications. Another employee said that email is only for work and is incredibly impersonal (Guy et al., 2008). While these interviews occurred within a closed community (IBM) and dealt with email and SNS only available to IBM employees, it can be inferred from these interviews that people attempt to avoid more context collapse by communicating socially via SNS and for work purposes via email.

As email does not accurately reflect a user’s social network, it seems as if Google Buzz was destined to fail. Prepopulating Buzz with frequent email contacts did not create an SNS but a public address book that mixed social spheres that users never had to contemplate before.

Beyond the context collapse of making a social network from a user’s most frequent email contacts, Google violated users’ expectations of privacy by making this list public.

Google beta tested Buzz on 20,000 internal employees, but these people were likely to be relatively tech-savvy and rely on Gmail (the vehicle for Buzz) for professional work. In other words, Buzz was tested in a bounded network that had a specific professional purpose so people didn’t run into a clash of professional and personal contacts that general users later did (Vascellaro, 2010).

Buzz’s Main Privacy Concerns Summarized

Action: Buzz users’ most frequent Gmail contacts became publicly available on their Buzz profiles by default.

Why it was a problem: People behave differently depending on the expectation of privacy. The exposure of users’ email contacts was a serious breach of privacy.

Action: Google failed to sufficiently notify users that information that was once considered private in Gmail would become public via Buzz.

Why it was a problem: Users were blindsided by this change and couldn’t prevent the private information from becoming public.

Action: Users could not easily disable the above feature.

Why it was a problem: This kept users from reclaiming their personal data.

SUGGESTIONS

While Google Buzz was a failure in the wider population, some of its key features seem compatible with a closed internal system. Therefore we suggest that Buzz should be packaged as an add-on to Google’s enterprise email system.

When colleagues work together on a project, it can be helpful to break down some of the formality that exists around email. Buzz could occupy a middle position between the formality of email communications and the social aspect of SNS communications. This could strengthen workers’ weak-tie networks by making collaboration easier and less formal, thus fostering creativity and productivity.

Pixar famously structures their offices in a way to maximize weak ties by orchestrating chance encounters with people and scattering people from different departments around the complex. They credit these relationships for some of their biggest successes (Hayes, 2012).

Buzz can help accomplish this digitally by allowing people to communicate in an informal way with strangers as well as request introductions to strangers through mutual contacts. By allowing for informal communications, Buzz applies a social lubricant to these situations and attempts to create social ties where none existed before. Context collapse in a closed network can balance both the needs of the user (by limiting participation to a narrow segment of the user’s life, like colleagues in the same company) with the needs of the workplace (fostering as much communication and collaboration as possible between employees) (Vitak, 2012).

Buzz was originally tested internally, and is still used to great success internally (E. Benjamin, personal communication, January 17, 2013). In this context, Buzz can still be a successful product by building morale through closer interpersonal connections, strengthening weak-tie networks, and allowing people to communicate quickly and informally.

CONCLUSION

When creating Buzz, Google overlooked users’ privacy expectations for Gmail, which led to a flawed product in terms of privacy controls and functional design (Carlson, 2010). Though the issues were promptly patched, they fueled large-scale dissent that marred Buzz from the start. The dissent stemmed from the fact that people behave differently with email as opposed to SNS due to different privacy expectations.

The company should have conducted the pre-launch testing more extensively and should have included testing with some third-party privacy consultants, spotting the flaws and fixing them before rolling out Buzz to millions of Gmail users.

However, while Buzz was a failure, it was also an important learning experience. Google has made huge privacy improvements in Google+ (Oswald, 2011), where almost no significant privacy complaints have been reported so far.

This case shows the importance of considering user behavior and where that behavior originates - in this case, users’ expectations of privacy.

Binder, J., Howes, A., & Sutcliffe, A. (2009). The problem of conflicting social spheres: Effects of network structure on experienced tension in social network sites. Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (pp. 965–974). Boston: ACM Press.

boyd, d. & Ellison, N. (2007). Social Network Sites: Definition, History, and Scholarship. Journal of Computer Mediated Communication, 13(1), 210–230.

boyd, d. & Marwick, A. E. (2011). Social Privacy in Networked Publics: Teens’ Attitudes, Practices, and Strategies. Paper presented at A Decade in Internet Time: Symposium on the Dynamics of the Internet and Society, Oxford, England.

Carlson, N. (2010). WARNING: Google Buzz Has A Huge Privacy Flaw. Retrieved 27 Jan. 2013 from http://www.businessinsider.com/warning-google-buzz-has-a-huge-privacy-flaw-2010-2

Google Blog

Grippa, F., Zilli, A., Laubacher, R., & Gloor, P. (2006). E-mail may not reflect the social network. Paper presented at International Sunbelt Social Network Conference, Vancouver, Canada.

Guy, I., Jacovi, M., Meshulam, N., Ronen, I., & Shahar, E. (2008). Public vs. private: comparing public social network information with email. Conference on Computer supported cooperative work (pp. 393–402). New York: ACM Press.

Frommer, D. (2010). Google Making More Changes To Buzz After Huge Privacy Outcry. Retrieved 27 Jan. 2013 from http://www.businessinsider.com/google-making-more-changes-to-buzz-after-privacy-outcry-2010-2

Hayes, C. (2012). Twilight of the elites: America after meritocracy. New York: Random House.

Helft, M. (2010, February 13). Critics Say Google Invades Privacy With New Service. . Retrieved 25 Jan. 2013 from: http://www.nytimes.com/2010/02/13/technology/internet/13google.html?_r=0

Jackson, T. (2010). Introducing Google Buzz. Retrieved 27 Jan. 2013 from http://googleblog.blogspot.com/2010/02/introducing-google-buzz.html

Magid, L. (2010). Google Buzz Raises Privacy and Safety Concerns. Retrieved 27 Jan. 2013 from http://www.huffingtonpost.com/larry-magid/googles-buzz-raises-some_b_455711.html

Nissenbaum, H. (2004). Privacy as contextual integrity. Washington Law Review, 79(1), 119–157.

Oswald, E. (2011). Google+ Privacy: A Closer Look. Retrieved 27 Jan. 2013 from http://www.pcworld.com/article/235348/google_plus_privacy_concerns.html

Parr, B. (2010). Google Buzz Surpasses 9 Million Posts and Comments. Retrieved 27 Jan. 2013 from http://mashable.com/2010/02/11/google-buzz-9-million/

Vascellaro, J. E. (2010, Feb 15). Google mulls further changes to buzz. Wall Street Journal (Online). Retrieved from http://search.proquest.com/docview/237953879?accountid=14244

Vitak, J., Lampe, C., Gray, R., & Ellison, N. (2012). “Why Won’t You Be My Facebook Friend?”: Strategies for Managing Context Collapse in the Workplace. iConference ‘12 (pp. 555–557). New York: ACM Press.

Vitak, J. (2012). The Impact of Context Collapse and Privacy on Social Network Site Disclosures. Journal of Broadcasting & Electronic Media, 56(4), 451–470.

WebCite (n.d.) www.BuzzClassAction.com. Retrieved 27 Jan. 2013 from http://www.webcitation.org/5tyF08T40

Weisband, S. P., & Reinig, B. A. (1995). Managing user perceptions of email privacy. Communications of the ACM, 38(12), 40–47.

Whittaker, S., Bellotti, V., & Gwizdka, J. (2006). Email in personal information management. Communications of the ACM, 49(1), 68–73.

Whitten, A. (2011). An update on Buzz. Retrieved 27 Jan. 2013 from http://googleblog.blogspot.com/2011/03/update-on-buzz.html