Robin Wilton

A member of the Gartner Blog Network

Robin Wilton
Research Director
26 years IT industry

Robin Wilton is a research director with a particular interest in digital identity and privacy (and their relationship to public policy), access control and single sign-on, and the productive use of public key infrastructures. Read Full Bio

Coverage Areas:

US Federal Trade Commission takes action over Google Buzz

by Robin Wilton  |  March 31, 2011  |  Comments Off

The US Federal Trade Commission (FTC) has announced (March 30th) the details of a settlement order with Google over alleged privacy violations arising from the launch of the Buzz service. I wasn’t actually a Gartner analyst when Buzz was launched, but by a strange co-incidence I was attending a European conference on Trust in the Information Society – at which a speaker that morning had been Alma Whitten, since appointed as Google’s Director of Privacy. Alma actually did a good job on stage that day, but she can have had little idea of the hornet’s nest which was starting to buzz [sorry...] as a result of her employer’s most recent (at the time) foray into networked interaction.

Back at the time (11th Feb 2010, to be exact) I blogged my initial reactions to Buzz here. I have included some subsequent blog posts for completeness, but the 11th Feb entry is the one in question. What most struck and irritated me at the time was that even though I said “no thanks, just take me to my inbox”, Google went ahead and turned Buzz on anyway. This opt-in – not only by default, but also in the face of an explicit indication that I did not want it – seemed to me to violate my immediate preferences and potentially my subsequent privacy.

The FTC agrees. This specific point is one of the elements of today’s enforcement notice against Google. They further find that, as a consequence of the implicit opt-in, Google was using personal information for purposes other than those stated at the time of collection, and therefore was failing to meet its obligations under the EU/US Safe Harbour agreement.

The FTC also says that Google did not inform users adequately about the extent to which they were enrolled in Buzz, the effect that would have in terms of exposing personal information to others, or the controls for limiting such exposure.

The Buzz launch was one of the examples my colleague Ian Glazer and I analysed last year in our report on “Changing a Privacy Policy” (Gartner subscription required). There are resonances with that report throughout the FTC’s settlement order. All I want to do briefly here is draw out three things which lurk under the innocent-looking phrase “Privacy Policy”:

  1. There’s a difference between an organisation’s privacy policy, and the privacy policy statement which it publishes. As you have probably noticed if you have ever troubled to read one, a privacy policy statement is often a series of disclaimers designed to explain which of your privacy rights you waive when you interact with the organisation in question. A good privacy policy explains how the user’s interests are protected, not just the organisation’s.
  2. The organisation’s privacy policy is the set of principles and processes it applies internally to the management of personal data. There is often a mismatch between those disciplines and what the privacy policy statement says. A good privacy policy establishes and maintains a robust link between the two.
  3. Finally, as the FTC settlement order indicates: whatever your privacy policy, and whatever you say in your privacy policy statement, it is also crucial that you inform the user clearly of their status (are they enrolled/opted-in or not, and if so, to what?), the tools and options available to them (what privacy-related settings are available and where are they?), and the effect of exercising those settings.

Although Google are the subject of the current FTC ruling, they were not the only example we considered in our paper. The three points set out above do not represent an unattainably high bar, but the research so far suggests that many organisations still have plenty of scope for improvement. Let’s hope that the FTC’s action encourages them to try.

Comments Off

Category: Uncategorized     Tags: