Dan's New Blog

And it’s not Facebook. It’s Google’s new Google Buzz, which is a Facebook/Twitter hybrid product. It’s supposed to be plug-and-play: you set up your profile and Google determines your social circle based upon whom you Gmail the most. But it’s got some privacy issues, viz.:

(1) Nicholas Carlson at Business Insider is one (of many) who takes Google to task for revealing Buzz users’ closest contacts to the world:

“But we have a message for the brilliant people behind Google Buzz (and the rest of Google’s products): the rest of the world is NOT like you. These privacy concerns aren’t for the incredibly computer savvy, the patient beta testers, or Twitter and Facebook power users. Our concerns are for the people who, when encountering a new service, click ‘save and continue’ until it is completely set-up and functional, reading as little text in various dialogue boxes as they can. These people are the people we call the ‘normals’. Some of these ‘normals’ are physicians or mental health professionals who have patients they email with. Some of these people are journalists (ahem!) dealing with anonymous sources. Some of these people are spouses who are finding a safe way out of bad marriages with the help of someone their spouse doesn’t know about. Some of them are junior staffers, secretly arranging to get a 50% raise going to a new company to become a manager for the first time.”

Google has made some changes to Buzz to address these issues, but again, “normals” probably won’t take advantage of them.

UPDATE, February 14: Google has made further changes. Buzz now suggests people to follow instead of auto-following your closest contacts. You can also opt-out of publicly displaying your contacts.

(2) Erick Schonfeld of TechCrunch says that Buzz inadvertantly exposes private email addresses:

“Google Buzz borrows the @reply convention from Twitter so that if you want to reply to someone or direct a comment to them you simply put the @ sign in front of their name. Google autosuggests names from your contact list as you start typing. Normally, this doesn’t cause any problems if you select the Gmail account or chat name associated with that person’s public profile. It ends up posting their name, and not their email address. But if you select a name or account that is not public, Buzz will fill in with their private email. For example, I wanted to direct a comment at TechCrunch writer MG Siegler, so I typed in ‘@mg’ and up came three of his different emails. I picked his TechCrunch email, not realizing that his public profile is linked to a different Gmail account. What this means is that the 231 people following me on Buzz can all see MG’s private email address in my comment even if they had no direct connection to him before.”

Google says that it will be “very obvious that the email address is publicly visible, and you can always edit and/or delete that post.” Schonfeld says that’s expecting too much from the average user, and I agree.

UPDATE, February 14: Google now shows asterisks instead of private email addresses.

The common thread through these 2 problems is that Google puts the burden on the basic user of figuring out the privacy implications of everything they do on Buzz. It’s like they’ve never heard of people accidentally CCing the whole company on a private email.