This article is more than 1 year old
Google gets biennial privacy audit after Buzz blunder
Mountain View Chocolate Factory in settlement with FTC
Google has agreed with the US Federal Trade Commission (FTC) to undergo regular privacy audits for the next 20 years, after bolting its ill-conceived Buzz social network on to Gmail in early 2010 without first seeking the consent of its users.
"When companies make privacy pledges, they need to honour them," said FTC chairman Jon Leibowitz.
"This is a tough settlement that ensures that Google will honour its commitments to consumers and build strong privacy protections into all of its operations."
Under the proposed settlement, as well as the audits every two years Mountain View is also required to implement a "comprehensive privacy program". Additionally, Google is barred from "future privacy misrepresentations".
The FTC complaint charged Google with violating its privacy policies by using information provided for its Gmail service in the company's Buzz social network.
"Today, we've reached an agreement with the FTC to address their concerns. We'll receive an independent review of our privacy procedures once every two years, and we'll ask users to give us affirmative consent before we change how we share their personal information," said Google privacy director Alma Whitten.
"We'd like to apologise again for the mistakes we made with Buzz. While today's announcement thankfully put this incident behind us, we are 100 per cent focused on ensuring that our new privacy procedures effectively protect the interests of all our users going forward."
In February 2010 Buzz landed in the mailboxes of Google, and the service had not been tested outside the company. At the time we noted it was an unusual move for a company that once seemed to pride itself on deeply testing a product in beta via Google Labs.
By default, Buzz exposed users' most frequent Gmail contacts to the public internet. You did have the option of hiding the list from the public view, but many complained that the checkbox that let you do so was not prominently displayed. Within days, Google agreed to move the checkbox to a more prominent position, and it rejiggered the way it handles user contacts. But this didn't stop complaints from privacy advocates and a spate of lawsuits.
The backlash was immediate, with many complaining that an online email service should remain entirely separate from Google's social networking desires.
The Electronic Privacy Information Center (EPIC), which is a respected US public advocacy outfit, was quick to file a complaint with the FTC over Google Buzz.
In its complaint, EPIC said at the time that the service violated user expectations, diminished user privacy, and contradicted Google's privacy policy.
The group even questioned whether Buzz violated federal wiretap law. The US Electronic Communications Privacy Act prevents operators of "electronic communication" services from disclosing certain subscriber information without consent – including "addressing" information – and the privacy watchdog believed this "may" have applied to Buzz.
In its statement, the FTC made no mention of those allegations today, but it did allege "violations of the substantive privacy requirements of the US-EU Safe Harbor Framework."
The proposed settlement (PDF) now awaits acceptance by the Commission. Meanwhile, the public can wade in here.
The terms of the settlement will apply to Google worldwide, as Google's infrastructure operates worldwide. ®
Update: This story has been updated to better characterise the original release of Buzz and to point out that the settlement will apply worldwide.