Privacy implications of the newly launched Google Buzz social networking site have been revealed.
It was launched this week as part of the Gmail web mail service, with Todd Jackson, product manager for Gmail and Google Buzz, claiming that ‘Google Buzz is a new way to start conversations about the things you find interesting’.
He said: “It's built right into Gmail, so you don't have to peck out an entirely new set of friends from scratch — it just works. If you think about it, there's always been a big social network underlying Gmail. Buzz brings this network to the surface by automatically setting you up to follow the people you email and chat with the most.
“We focused on building an easy-to-use sharing experience that richly integrates photos, videos and links, and makes it easy to share publicly or privately (so you don't have to use different tools to share with different audiences). Plus, Buzz integrates tightly with your existing Gmail inbox, so you're sure to see the stuff that matters most as it happens in real time.”
However, blogger Suw Charman-Anderson said that she had accepted an invitation to try it out, but fairly rapidly started to think that perhaps it was a bad idea as it sits under Gmail as a menu item under the inbox, and also because of ‘some serious privacy implications that Google appears to either have ignored or not thought about’.
Focussing on the privacy issues, Charman-Anderson claimed that ‘social stuff seems to be a bit beyond [Google]’, as ‘Google Buzz lays bare Google's social weaknesses, illustrating the lack of thought given to potential social problems caused by their design and engineering decisions’.
She said that the first flaw is that it exposes your most emailed contacts, as when you first go into Google Buzz it automatically sets you up with followers and people to follow.
She said: “This is a significant problem. I use my Gmail account for business and personal email, so many of my most-emailed people are not my friends but my clients. It's not appropriate for Google to expose my clients like that. I maintain a client list on my site, but that's at my discretion and doesn't give away individual names and email addresses. Google Buzz could.
“My email contacts list is not a social graph. It is not a group of people I have chosen to follow, but is instead full of people with whom I have a (sometimes very tenuous) professional relationship, as well as my family and some of my friends. Interestingly, my best friends don't email me very often, so they do not show up as a part of my Buzz following list.”
The next flaw was with its poor default settings and the lack of a central control panel as ‘you can guarantee that most people will accept the default settings as they are, without realising how much information that they are exposing to the world’.
She said: “When you first join up to Google Buzz, you get a screen that shows you the people you're automatically following, and who is following you. It doesn't make clear that this information is visible to others, nor is it clear how to change the settings. If you go to your normal Google settings (at least for me) there is no ‘Buzz’ tab where I can manage all my privacy settings. Instead you have to ferret about in the interface in order to find the different privacy settings.
“This is just not good enough. Right now, I can't even find half the settings that I saw earlier. I found them through clicking on all the links I could see until I got to the page I wanted. This is the sort of usability mistake that Google should not be making.”
Further privacy flaws were in the ability of people to hide themselves from you – with an opportunity for ex-boyfriends to stalk their ex-girlfriends, bosses to spy on their employees or random internet trolls watching their victims.
Buzz also automatically links you to other Google properties such as Picasa and Google Reader, while Mobile Buzz can publish your precise location, but gives no option to make it fuzzy.
In conclusion, Charman-Anderson said: “I haven't even begun with the usability problems Buzz has. How poorly considered the interface is. How annoying it is when your Buzz stream is flooded with someone's Google Reader output. But I do have a cure: go to the bottom of your screen and click ‘Turn off Buzz’. That should pretty much solve the problem. Google can get back to me when they've hired someone who actually understands social functionality and, y'know, people, and has fixed the awful usability and privacy problems.”
Mike Geide, senior security researcher at Zscaler, agreed with the privacy concerns, and also claimed that there were ‘a few other items that Google Buzz brings to the table for an attacker’.
He said: “One item in particular is email validation. I clicked on one of my co-workers who was following me from his default setup for his Buzz profile. I was able to then see the people that he is following and those following him (again, default setting). The people in his social network that I had emailed in the past from my Gmail account have their email address exposed, those that I had not emailed in the past did not have this exposed.”
He said that this would likely work and scale for a spammer, who could create an automated Google Buzz bot or worm to build a list of followers and spider out to the followers of followers, and so forth, in order to harvest Gmail names/aliases to guess against and build an email spam list.
“The email validation not only validates that the email account is live, but validates that it is linked to the social network visible in Buzz. In other words, knowledge of that particular user's social network could also be used in an automated but more targeted spam campaign,” said Geide.