OPINION: Buzz privacy can

Well, Google has egg on its face over privacy issues stemming from the launch of its Buzz social networking service. How serious is the problem? Just “housekeeping,” according to Google, where the company line, given by Google Canada spokesperson Wendy Rozeluk, is: “We’ll be making significant (Buzz) product improvements over the next few days based on user feedback. The user always comes first.”

This comes after “user feedback” (more like “user backlash”) prompted Google to disable the highly criticized Buzz auto-follow function and make privacy controls and options within Buzz more visible.

Buzz product manager Todd Jackson tried to explain the situation as new-product growing pains.

“We’ve been testing Buzz internally at Google for a while,” Jackson said. “Of course, getting feedback from 20,000 Googlers isn’t quite the same as letting Gmail users play with Buzz in the wild.”

Okay, let’s get this straight. Google depends on its users to vet the adequacy of its privacy protection and controls? Because ultimately that’s what Google, after testing the service internally only, and okaying its release without real-world testing or consultation with the Canadian Privacy Commissioner’s Office, is telling us: “WE tested it, WE felt it was okay. But after the fact, if users or the Privacy Commissioner tell us it isn’t, hey, don’t worry, we’ll fix it fast because the user always comes first.”

Worryingly, Google responded to questions from the U.S. trade press about its lack of a Chief Privacy Officer, or indeed any top executive charged with privacy, by saying that “rather than having a single, isolated privacy department, we embed the importance of privacy into our products and systems from engineers through executives, guided by trained privacy professionals.”

I say worryingly, because what’s being exposed here is a lack of privacy discipline and process within Google. This isn’t a case of mistakes slipping through the system, it’s a case of not having an adequate system to begin with. Google’s “embedded importance of privacy from engineers through executives and trained privacy professionals” approved what the company was doing with Buzz. And with all the same people and “embedded importance of privacy” still there, there’s obviously nothing in terms of formal policy baked into product development at Google to prevent something like this from happening again. Google really just doesn’t get it.

In the spirit of offering advice rather than just criticism, I believe Google can quite easily start itself on the road to “getting it” by implementing a four-component “privacy prime directive.”
1) Consult your users and applicable privacy bodies/organizations (e.g. don’t just dog-food it, test with real-world users)
2) Give notice to users about anything that could affect their privacy
3) Require users’ consent for anything that could affect their privacy
4) Bake (1), (2) and (3) into all product and service development as part of policy and the development process

Staying out of privacy trouble with your users isn’t necessarily hard, if you’re serious about it. Like all things in IT, when things are serious, policy starts getting laid down. So I say to Google, instead of telling us about your “embedded importance of privacy,” show us some policy and maybe we’ll all start believing this won’t happen again.
