Google Buzz is a new social networking tool that Google unleashed upon its unsuspecting Gmail users last week. I say “unsuspecting” because suddenly, without warning or notice, this new “feature” appears to Gmail users as a part of their email program. This was an unprecedented way to launch a product — in disguise right in the middle of another product.
Google, despite generating billions of dollars in revenue every year and employing the supposedly brightest minds in the industry, didn’t foresee the backlash that would occur. Apparently, despite its ridiculous hiring process and wading through oceans of money, Google can’t hire people who understand privacy.
But this isn’t the first time Google has had a lack of empathy or understanding about privacy issues. This is the same company that for months argued it simply could not make its privacy policy a link on its homepage, because it would somehow denigrate the user experience. (Meanwhile, they’re fine with adding an odd fade-in effect on the same homepage, as an “enhancement” to the user experience.) Google finally relented, but it felt like a battle that shouldn’t have needed to be fought in the first place — why wouldn’t you make your privacy policy easy to find and read?
So here’s the problem that Google Buzz created — suddenly, people were connected with one another in ways they never intended. And Google didn’t care.
Google Buzz suddenly — and without warning — exposed people’s email addresses that you corresponded with, not just to you, but to all the other people in your Google-created social network.
So anyone who uses Google’s email service for confidential or private correspondence suddenly had the fact that they were even corresponding with Person X or Person Z exposed to everyone. If even for a short time, the extent of this violation of individual’s privacy and trust is both astounding and astonishing.
This has an even greater significance for the millions of health and mental health professionals who use Google’s Gmail service not only for personal correspondence, but also for professional emails to their patients. Suddenly patients could “see” one another, and the fact that a therapist or doctor was even corresponding with their patients was exposed to the world.
In one swift move, Google blew away the confidentiality and privacy of hundreds of thousands of patients. Google — including Google Health, which apparently was never consulted about this move — should be ashamed of itself. And didn’t even seem to notice or care that first day it was launched.
Health data and mental health data exist in more than just formal record keeping services and software. It exists in millions of relationships around the world. Relationships carried out increasingly on social networks like Facebook, and of course in email services we always thought were private and secure. Facebook did the same thing back December when they — also without warning to their users — changed the default sharing options for the data you had shared with them. Suddenly thousands of therapists’ and doctors’ private and personal data was shared and available for all of their patients to see. Talk about boundary issues.
In an effort to make a marketing splash with its new social network, Google Buzz, Google has demonstrated it has little respect for the privacy and confidentiality of its customers. Because of this, Google can not be trusted for any kind of health or mental health related records.
Psych Central recommends that patients and professionals not use any Google services related to their mental health or health care, including Gmail and Google Health. Use alternative data and communication services — especially those created just for confidential and private communications (e.g., Hushmail, s-mail, or a specialized service provider like our partner, LivePerson.com).
Only time will tell whether Google will eventually “get it” with regards to the sanctity of patient confidentiality and data. But for now, their actions speak very clearly.
18 comments
Well it was a little worse then that even.. apparently people’s google reader stuff became public, which was apparently a problem for lawyers.. there where cases where people had stalkers, or abusive x’s.. where people’s stuff became public..
I guess the google response is that this was developed and tested in house.. and the kinds of folks working inside Google are.. well they don’t have the same sorts of issues as the rest of the world I guess.
The other thing.. is I don’t think Google really appreciates the power and size it wields with respect to why people freak out over them.. if they were a smaller company this and other issues probably wouldn’t be as big of a deal… or it certainly wouldn’t create as big of a back lash.
So while I think these are serious issues.. I guess I’m somewhat more sympathetic to Google
It is possible to disable Google Buzz. Go into the Buzz section. Click on “My Google Profile”. Scroll to the bottom to “Delete profile and disable Google Buzz completely – This will disable Google Buzz integration in Gmail and delete your Google profile and Buzz posts. It will also disconnect any connected sites and unfollow you from anyone you are following.”
The ability to protect your privacy is still there. However, I do agree that it was wrong of Google to spring this on everyone the way they did.
As far as I know, Google never exposed email addresses to people who didn’t already know them. Do you have evidence of that?
There were some privacy issues initially, but these had to do with others knowing who you were in contact with and being able to follow their public buzz updates, not giving out email addresses.
It sounds like most of those privacy issues have now been addressed, making what were opt-out features opt-in features. See this post for details:
http://www.businessinsider.com/how-google-went-into-code-red-and-saved-google-buzz-2010-2
That said, I’ve turned Buzz off. It’s just not a very good social networking service. The whole thing seems very rough around the edges, and isn’t nearly as useful as services like Twitter and Facebook.
Matt Searles — Good points all. The real question is how can they not have a “privacy impact” meeting about new products such as this? And if they do have such a meeting, how can it not have representatives from different professions on it, or even different product groups? I imagine if they had a lawyer, a doctor, etc. in such a meeting, they would have immediately recognized the significant risks involved.
As I said, it’s completely astounding how a company so rich in resources can be so blind and dumb at the same time. It seriously decreases my trust of the company as a whole.
ComicSiren – Thanks for the instructions, which we failed to include in the article. I highly recommend everyone visit their buzz profile page. There’s also a tiny link all the way at the bottom of your Gmail inbox page that says “turn off buzz.” Click on it and it turns buzz off completely. This, of course, should’ve been the default for everyone.
Indeed, Google’s Buzz, as it currently exists, should “buzz off.” This is also reason not to use unencrypted email even for housekeeping issues like cancelling or scheduling appointments. People in your Buzz network might be able to connect the dots and figure out who your clients are…
DeeAnna
Actually when I logged in I was asked to join or not join. Perhaps, you should have read that more carefully instead of just clicking through to your email.
Second, why anybody who calls themselves a professional would use a public email service such as gmail or yahoo for their clients is beyond me.
Sorry John, it seems to me that this is a political issue that you are trying to make into a mental health issue so you can complain.
I have used gmail since it’s inception and have had very little to complain about compared to yahoo that I had used previously. Google is no more evil than any other large corporation…how much what hear about these things is actually and how much of it is propaganda?
With this railing against google I have to question whether you aren’t being sponsored by a rival of google…
Any email service that mental health professionals or health professionals use ought to be HIPAA compliant. If it is HIPAA compliant then it would not be possible to violate that using Google Buzz. If things were exposed, then those doctors, and their IT department/providers, should be scrutinized for gross HIPAA violations.
Kenneth,
Why do you believe that “professionals” shouldn’t use services like Google or Yahoo for email? Is it just a matter of appearances? I can use Google to provide domain-name email services, so my address looks like “[email protected]” but it’s still hosted by Google. Would that be acceptable? Or do you think big companies like Google simply can’t provide secure, private email? If so, why would a smaller ISP or self-hosted email service be better? Don’t they suffer from the same vulnerabilities, or possibly more because they don’t have security experts on staff?
Personally I think we’re beyond the point where a gmail address seems “unprofessional,” but perhaps that’s not the case to the average person, who might feel a more “professional” domain name would be more secure. At least with a gmail address, you know who’s providing the service. With email coming from a domain like, say, mybusinessname.com, there’s actually no way to know who provides their email service and whether it’s secure.
I’ve been fairly impressed with the way Google is handling the privacy issues with Buzz, even if I don’t think the service is useful for me.
I think you have to ask yourself why Google did this.
There is no question key Google staff were aware of these privacy issues as evidenced by one of the team admitting it on one of Leo Laportes podcasts. So why annoy everyone like they did and then make quick changes to fix it?
I think the answer is simple. Google wanted badly to have its own social network that was really popular. Something that could eventually take on Facebook and Twitter. As any company has found out over the past few years, actually creating a successful network like that today is almost impossible. Google saw a way of creating a network against peoples will, relying on all the connections they knew about from gmail and other Google services.
So from day one, over a hundred million people were part of Buzz. And not just a username, a name with connections to other people already made for them. So not only is the userbase already huge, the interconnections within it are rich and more akin to a social network that’s been successful for some time.
You’ll notice that all the changes Google made after the wave of complaints were not retroactive. They only apply to new users, so that huge network is still there and Google can now build on that.
I don’t think you can put a price on this kind of early success. It was obviously a calculated risk but one with great gains and really with quick changes to the service, not really very far reaching bad feeling.
This should be the last wake up call needed for anyone considering using Google, wanting any part of what they do within their services to remain private.
Dave,
Because places like Google and Yahoo are more likely to be attacked because they are so known, so you are more likely to be caught up in general attacks. In order for someone to attack you on a personal server the attack would have to be more specific and personal. Also, because Google and Yahoo services have such a wide variety of products and customers their security policies cannot be specific enough to protect you but in a self hosted situation you can lock things down to only the services you need and configure them in a non standard way to further discourage a would be attacker.
haha I really like the title of your post. It’s only been what….one plus week and FCC is on them already. When they had the soft launch, I already had a feeling this thing is set for doom.
Dear John,
Glad to see someone else blogging about this in terms of its impact on therapy clients and therapists. I posted my own blog post last night and have been managing the fallout. I also switched to hushmail and felt that this event was a big wakeup call.
Best,
Keely
I am always excited to visit this blog in the evenings.Please churning hold the contents. It is very entertaining.,
Kenneth Lynch — Whether it’s ideal or not, thousands of professionals (perhaps tens of thousands) use public email accounts for the same reasons everybody else uses them — they’re easy to use, readily accessible, and “just work.” We do host our own email services on our own servers (that we also solely maintain), but the amount of support needed for such services is beyond some professionals’ capabilities or expertise. What’s easier? Browsing to an URL in your web browser, or configuring SMTP port and TLS settings in your email client?
I’d also have to agree with Dave Munger’s point that individual email services/servers are no more secure, by default, than a Gmail or Hotmail account. It takes a fair amount of work to secure them, and keep them secured. Some Web hosting providers do a great job with this. Others could care less. So while you may think you’re better off with your own email server, it may be more perception than reality.
And frankly, this was far worse than any hacker’s attack against a personal email account (which is, by far, usually just used to send out spam). This was a knowing act by the largest consumer Internet service provider that put its own corporate interests way ahead of its users (I expect this to some degree, but not to the extent they did so in this instance). I’m not naive about these things, but when you built your company on the slogan “Do no evil,” you’re bound to be held to that standard way down the road.
The best part about this incident is that it demonstrates — as techpops noted — where Google’s interests are. So from here on out, we have nobody to blame but ourselves if we stay with Google for these kinds of services. It’s a definite wakeup call for anyone who is using any Google service for any secure data.
(And for the record, Psych Central is an otherwise happy customer of Google’s — not one of its competitors — multitude of services. We have used them throughout the site for years, but it may be time to revisit that decision.)
look, this is a misplaced argument because google gmail is a free service that was monetized by scanning your mail and inserting ads based on your messages. unless you choose to use public key encryption and proxy severs and ssh tunneling then the idea of privacy at any free site is bogus. true privacy is a service and you pay for it.
the lawyer at google reader argument is also a red herring because most of what lawyers do which requires confidentiality should not be done that way. serious lawyers handling confidential matters should and do use private services like lexis/nexis and those who cannot afford to do so hire young assistants who are still in law school because these companies provide services to these students at law school libraries for free.
so a giant advertising agency made a marketing mistake, fixed it and apologized. wow.
there are plenty of private places where you can buy email accounts which are professionally protected against spam with filtering, viruses with scanning and hacker espionage. and no one even needs to know you are using them because you might wish to use a poste restante forwarding service (like pobox.com) and switch between services where your mail actually goes depending on service provider issues. you might even create different identities at a po box for different clients and accounts which forward to different or the same mail box depending on the ethical issues involved with serving competitors in the same field and who in your organization is helping them. and this should not be googles concern or business unless you pay this advertising agency to do that.
i don’t want to kiss googles large corporate tush but i think they are more responsible than most companies about the issues of openness and public access to info which concern them. not the issue of secrecy though. they are vigilant and uncovered the chinese conspiracy to cyber attack america that whizzed by the government of the usa. so ironically google has made us safer in contrast to the timbre of this discussion.
incidentally i have an ancillary gmail account as a fall back. and i encourage others to get a free gmail account in their name merely as a security precaution because that account is free real estate and you don’t want some one else to mischievously take an account in your name and spoof you for their own financial or strategic designs.
and btw, i access my gmail without ever visiting the gmail site where info about me would be collected because it can be used as a pop server too, not merely a web client. my outgoing mail is routed somewhere else generally but i do receive mail there from google groups relating to software which i own.
so google does not have a contact list of my correspondents to sell to any one as a marketing exercise or accidentally disclose.
and i will briefly mention that there is no implied privacy when dealing with large companies because i have learned this the hard way. i cannot begin to tell you horror stories about receiving wake up faxes at 2 or 3 in the morning on my home phone in my bedroom because some cash strapped employee at a socially conscious company sold the fax back list at work to some outside marketer for thirty cents a name and number.
any free I&R service which is not a registered charity has no ethical problems doing that. i once worked as a volunteer for years at an I&R charity supported by the phone company and united way in new york state. religious agencies would not condone or help us because we can answer the phone in any language and not only tell you where to find a spanish speaking therapist but also where to find an abortion clinic.
can you reasonably expect that google can offer confidentiality to such information and referral searches because i don not. google is not a health care provider and is not legally obliged to do so.
the point of this long screed, to sum up, is that while we all benefit from the internet we CANNOT look to its agencies as some sort of father figure which has a privileged or fiduciary obligation to us. particularly when a ‘free service’ is offered. i hope this is a lesson learned. and i am glad google and the internet is there because it levels the playing field for a lot of needy people. please don’t advocate legislation which will damage information access for many people who do not have the responsibilities of doctors and lawyers.
314159pi – You actually kind of made the point when you said there is no implied privacy, and then went on to describe how you learned that lesson.
The fact is, there is an implied privacy that most folks take for granted. It is until they get burned in some way by one of these services that the privacy implied does not exist in the manner they had thought.
This is no dig at Google specifically, because I think it’s hurt other companies as well (such as Facebook and Microsoft).
Technology mashups are fundamentally cool and interesting. But they should never be foisted upon your users without significant outside testing and an opt-in experience (not opt-out, as this originally was).
I have to admit that the idea of organising people into groups I find very compelling. Right at the moment I don’t share my facebook page with business contacts. I suspect many others have the same issues that a facebook page is about your social life and you quite possibly don’t want to mix that with your business life. I think there may be a cultural aspect to this as well. In the US I think there is less of a divide between private and business life, here in the UK I think we tend to have a firmer divide. Whether that’s a good or bad thing who’s to say but it does impact how we view applications like Facebook from a business standpoint.
I’m going to be signing up for a Google+ account because I think this is a bold experiment from Google and I’m fascinated to see how it turns out.
Best regards,
Comments are closed.