In my recent entry The Buzzkill of Google Buzz, I described how Google used their popular free email program, Gmail, to populate and spread an attempt at building a new social network overnight called “Google Buzz.” They did this by automatically adding people to your network from your contacts list (which is automatically built from anyone you email regularly).
The problem was that this exposed your contacts to one another, initially including even their email addresses (which you didn’t realize nor intend when you agreed to Google Buzz that first day it launched). And Google never asked your permission to add these people to your Buzz network.
It also shared your Google Reader documents, apparently. (I don’t use Google Reader, so I wasn’t aware of this component of the privacy invasion until later. Which only goes to show you how complex the Google network of interconnected services can come back to haunt you later on, in ways you never imagined.)
This creates all sorts of privacy problems not just for professionals, but for ordinary folks too. Imagine a new boyfriend learning that you correspond with someone from “aa.org.” Information you were going to share in due time, but now suddenly exposed.
In the comments to that post, an interesting discussion ensued which I encourage you to read. It lays out all of the problems with what happened, the ramifications, and why professionals should never rely on a free email service for any kind of professional activity.
It got me to wondering about why people flock to free email services like Hotmail, Yahoo mail and Gmail, when they almost always have an email account provided by their Internet service provider that is likely less susceptible to these kinds of issues.
I can sum it up in three words — ease of use.
Humans inherently will take the path of least resistance when it comes to getting tasks done. If the goal is the same and the risks are nearly always hypothetical, I suspect that people will opt for the easier manner to get to the goal, rather than the more complicated, yet less risky method.
People use free webmail services because they are easy to use and widely accessible. While traveling in Europe, I found webmail far more accessible and easier at the multitude of Internet cafes than trying to get out my own laptop, boot it up, access my email program, only to find the cafe is blocking a port in its firewall needed to get to my email. While I’m certain there are workarounds or other options I can explore, how much more time and effort will I have to expend researching and implementing them? In a foreign country. While on vacation. I spent an hour the other week troubleshooting a Mac/email connection problem for a user that should’ve worked, but just wasn’t. An hour. It may not seem like that much to you, but you add up enough of those hours working on such issues throughout your lifetime for hundreds of users (as I have), and it starts to take its toll. (It also clearly demonstrates that setting up email accounts through email programs isn’t always as easy as it should be.)
Meanwhile, Gmail (or Hotmail or Yahoo mail) is beckoning to me and is literally one click away. Its SSL connection makes me feel even safer (although it may have little actual impact on my Internet safety). People use these kinds of services so much because they’re dead simple and accessible almost anywhere at any time. And of course, they’re free.
Human factors research is the exploration of how people interact with the world around them, usually centered on technology or their environment. There are two especially good chapters (Dontamsetti & Narayanan, 2009; West et al., 2009) that anyone who designs technology systems that people interact with should read. These chapters describe why people make poor security decisions in specific scenarios. I would argue that humans are not intrinsically security-minded when it comes to information. It is something we have to be taught and learn (sometimes through an excruciating trial-and-error process).
This has ramifications for system designers and product managers. You’re not just designing a new information product. You’re designing a product or system that will be used by people in a wide range of casual uses and professions under dozens of use-case scenarios. People love your free product, but with such heavy use comes some basic responsibility to not take advantage of (or in marketing-speak, “leverage”) the relationship with your users.
But I suspect smart companies like Google know all of this. As a commenter insightfully pointed out, the reason they specifically rolled out Google Buzz in the manner they did was likely to instantly turn on a social network that could compete with Facebook. Google sacrificed a little user trust on the altar of product marketing. Even after their mea culpa changes, everyone who logged in that first day had to specifically opt-out, and undo all of the automatic following Google already created. Even now, the introduction to Buzz emphasizes the sharing nature of the service and requires watching a video to understand the details of the service.
It’s only when you design a product that has both ease-of-use and security do you get the best of both worlds. Services like Hushmail or s-mail are worth checking out, as they offer web-based email in a more secure environment (that yes, you may have to pay for). (But be aware, even these services can still share your email with government agencies with a subpoena.) Take nothing for granted in the online world. If Microsoft, Google or some other large company decided to purchase one of these services, their security could be compromised in an instant, faster than you can say, “product marketing.”
Ease of use is a powerful feature, and one often overlooked as the reason behind people’s security choices. It’s not going away anytime soon, either. The two are not mutually exclusive, but they occurrence together cannot place a burden upon the user in order to use, or else people will simply fall back upon their old reliable, and less secure, standby — free webmail.
For more on this topic from a therapist’s perspective: Google Buzz Alarms a Psychotherapist
References:
Dontamsetti, M. & Narayanan, A. (2009). Impact of the human element on information security. In: Social and human elements of information security: Emerging trends and countermeasures. Gupta, Manish (Ed.); Sharman, Raj (Ed.); Hershey, PA, US: Information Science Reference/IGI Global, 27-42.
West, R., Mayhorn, C., Hardee, J., & Mendel, J. (2009). The weakest link: A psychological perspective on why users make poor security decisions. In: Social and human elements of information security: Emerging trends and countermeasures. Gupta, Manish (Ed.); Sharman, Raj (Ed.); Hershey, PA, US: Information Science Reference/IGI Global, 43-60.
7 comments
actually the reason why I use Free email providers is that I have used the same 2 main email addresses for YEARS one for spam and one for alerts I actually want to receive.
of course my immediate family members are all given my spam address for their forwards if its urgent they call me anyway….
but I have changed ISP’s numerous times over those years….I did originally begin by using my ISP provided account and you quickly realise it can make changing ISP’s a NIGHTMARE and almost a deterrent to changing if they increase price change features of the service to such an extent that it no longer suits your purposes or you move house…in which case you cannot always remain with the same provider
ease of use is good, DocJohn. And I don’t believe you are being sarcastic when you suggest it trumps privacy.
What most people say most of the time over the internet does not require a high level of privacy, even professionals.
And I do not believe you were raising a red herring in your internet cafe example although I would not consider data passing over the transom of a network in a foreign country protected were it pop or web based. local laws in some countries are also peculiar as i do not recall, as an example, whether it is still true that in germany referral links on a web can incur legal liabilities if bad things happen at some one else’s sight.
great hay was made about an american liberal who rented a house to bomb makers in peru and was subsequently jailed. i might expect that in a country with maoist terrorists, certain ports are disabled in internet cafes are a disabled for a reason of legislative or political nature. what is convenient for you is also easier for the govt to scan there and here.
a lawyer doing research for an accident case does not require secrecy to do his job while a lawyer involved in mergers and acquisitions must be secret so one can use the internet a certain way while another cannot. i do not think the sec would look kindly on your internet cafe argument in either case.
btw no one needs to log in to google reader but it is useful if you use their rss feeds.
i will slyly add you did not mention the 800 pound gorilla in the room. twitter. google buzz was designed to compete with twitter a social network with little privacy. and you do tweet, docjohn. and i follow your tweets as do many here. all of us know that your tweet followers list can be harvested by marketers at any time but we chose to discuss googles only. ahem.
my name is harvested on facebook all the damn time. i have friends in show business in new york who do stand up comedy and writing. other comedians want to put me on their lists and try to steal names to garner bigger audiences at their venue. in a google related point, most comedians will never ever put their own work on you tube not because of privacy but because google will use their marketing skills to recommend that their audience and client base will go elsewhere to something similar. free costs too much money to many people in business. you pay for convenience docjohn. and i don’t think that’s such a big deal especially when one considers that the internet involves countries where some people don’t have credit cards or even personal bank checks so that if everything were directly monetized a lot of the world will be outcast. that’s why the internet is relevant and a game changer i hope we recognize that what some here think is a flaw is actually a good thing.
I have 8 email accounts–2 ISP, 3 Yahoo, 1 GMail, and 2 from employers. I even tried Google Wave, which is a little silly. Gmail automatically adds anyone I email to my contacts, so I clean out my contacts list regularly. I chose not to participate in Google Buzz; I lasted in Facebook for about a month–now, if I need to contact someone who has a Facebook page, I use my daughter’s account. As an educator, I’ve known for years that my work email can be considered a public record and accessed by anyone. I suppose that I treat all email the same way–with a lot of skepticism. I left most of my email lists because I prefer RSS feeds and comments.
i just read an interesting blog entry from a retailer about psychological/marketing study of consumers who use social networking to follow merchants. this really explains the prize in the buzz story for me.
http://blog.jr.com/social-media-and-customer-loyalty-merits-roi/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+RealNewYorkersKnow+%28blog.jr.com%29
This is the first I heard of this so I’m glad I found this article. I was actually going to use Google’s personal health record feature to store and track all my medical information.
Just changed my mind!
Maybe you shouldn’t be so LAZY then. Take RESPONSIBILITY for yourself. You are expecting security and functionality from somebody who is offering a FREE service.
Your example of somebody finding out your are communicating with someone from aa.org is ridiculous because what if someone saw you walk out of an AA meeting? Should we hold the AA group responsible for lack of security? No, and to do so would be stupid so why hold these PUBLIC email services to a different standard.
If security is important to you then host your own email otherwise quit whining.
Do you not use outlook? or some other email client. That would solve your ease of use problem because the email can easily be grabbed by your client of choice and brought to your desktop with no need to even open a browser.
With Adwords in a death spiral and this being Google’s only meaningful revenue stream…
I can’t wait to see the firestorm when Google starts selling all of their human activity data to the highest bidder.
If they won’t fly, then look for the the American taxpayers to be asked to bail them out. The vast majority are fast asleep, so they won’t mind being looted yet again.
After all, we live in a planned economy and the plan is, and has always been, to make sure these multi-national corporations survive no matter what it takes.
Comments are closed.