How Google Buzz lowers the bar for privacy, security

February 16th, 2010

More bad buzz about Google Buzz seems certain to play out in coming weeks. That’s because privacy and security can’t be separated. And despite two rounds of privacy-setting revisions, the search giant’s new social network, in its current configuration, markedly lowers privacy and security.

Coming on the heels of Facebook’s controversial privacy-setting revamp, the launch of Buzz has galvanized privacy advocates and cybersecurity experts. They’ve long been voicing concerns about how tech giants seem bent on lowering the bar for de facto privacy and security, motivated by profit.

“Facebook and Google understand that social media marketing and advertising will be key to generating substantial revenues,” says Jeff Chester, executive director of the Center for Digital Democracy. “They are driving the default settings for social data collection and use. Privacy advocates need to get regulators in the United States and Europe to take a tough stand.”

The Electronic Privacy Information Center has been doing just that. EPIC today, 16 Feb 2010, filed this formal complaint about Buzz with the Federal Trade Commission. EPIC contends Buzz violates user privacy expectations, diminishes user privacy, contradicts Google’s own privacy policy, and may also violate federal wiretap laws. Last December, EPIC filed this similar complaint, signed by eight other privacy and consumer groups, asking the FTC to investigate Facebook’s revamped privacy settings.

“Both companies have broken promises to their users about how personal information would be used,” says Marc Rotenberg, EPIC’s executive director. “They did so in ways that were misleading, unfair, and deceptive. These are serious concerns for any user of these services.”

Algorithmically-growing community

You may recall that Facebook last December revamped its privacy settings. The company maintains that the revisions mainly gave users more flexibility. But the changes also made it easier for Facebook to expand the volume of user-generated content it is able to feed into real-time search results, a hot new functionality on Google, Microsoft Bing and Yahoo Search.

Then last Tuesday, Google piggybacked Buzz — a hybrid social network that’s part Facebook, part Twitter — onto the Gmail accounts of the 176 million users of its free online email service. To instantly establish a community of Buzz users interacting with each other, Google used an algorithm that selects up to 50 of your Gmail contacts and designates them as your Buzz followers; Google assumes these folks will be interested in any Buzz microblogs you might post. So it makes this pre-designated list of your followers, as well as the list of people it has designated you to follow, available Internet-wide.

One woman complained that this configuration allowed her abusive ex-husband and his friends to begin following private comments she had been sharing with her boyfriend on Google Reader, a free Web content aggregation service also hooked into Buzz.

Initially, Buzz users had to navigate several confusing steps to disable this “auto-follow” feature. Responding to complaints, Google last Thursday made it easier to turn off auto-follow. Then on Saturday, with complaints still rolling in, Google made it possible to selectively revise its pre-designated list of followers and reduced the number of steps it takes to turn off Buzz. It also decoupled Buzz from Google Reader and Google Picasa photo albums.

Bending consumer behavior

Still, users who move too quickly through Buzz’s set-up routine risk Internet-wide disclosure of people with whom they heretofore exchanged emails privately, says William McGeveran, a law professor at the University of Minnesota who specializes in intellectual property and privacy.

This public outing of your email penpals could include your psychiatrist, your sports bookie or your secret lover. It might also reveal your prospective clients or your bill collectors. “The people you email the most may not be your friends,” says McGeveran. Even after two revisions Buzz “still puts the onus on the individual user to take several steps to get greater privacy,” he says.

CNET tech news blogger Chris Matyszczyk contends that Buzz is the latest example of imperfect technology designed to bend consumer behavior to suit the business goals of tech giants.

“It is in the financial interests of Facebook and Google to have as much information made public as possible,” says Matyszczyk, a creative director who advises major corporations on marketing and content creation. “The gaucheness with which both Facebook and now Google Buzz have gone about such a noble, selfless pursuit of their future is quite staggering.”

Matyszczyk worries that this trend could lead to consumers “losing their humanity,” a notion examined in Jaron Lanier’s new book, You Are Not a Gadget: A Manifesto. Lanier is the computer scientist credited with coining the term “virtual reality.”

“Who could not at least suspect that someone at Google, as Buzz was being created, said, or at least thought, ‘Let’s see how much we can get away with here?’” says Matyszczyk. “It’s not as if they were unaware of Facebook’s constant privacy traumas, which culminated in that ridiculous spectacle of (Facebook CEO) Mark Zuckerberg saying privacy was no longer the social norm.”

Expanding the attack surface

On the security front, Buzz already has begun to expand opportunities for cybercriminals. Hackers who specialize in so-called black-hat SEO attacks have started corrupting Web links that turn up high in search results for queries about Google Buzz, says Bradley Anstis, vice president of technical strategy at M86 Security.

Click on a corrupted search result and your PC instantly becomes part of a botnet, aligned with thousands of other infected PCs, he says. Botnets are used for spamming, hijacking online bank accounts, spreading pitches for scareware, stealing corporate data and cyber espionage.

“As we’ve seen already, the type of information that was made available, such as the contacts you communicate with most, is alarming,” says Anstis. “We’re pleased to see Google react to this concern, but that doesn’t change the fact that spammers and cyber criminals will follow any social networking service that gains traction.”

Indeed, spam pitching fake pharmaceutical drugs already has begun to move across Buzz postings, says Beth Jones, security researcher at Sophos. Sure to follow are data thieves who can be expected to thoroughly probe the Buzz-Gmail coupling for security weaknesses, she says.

Surfacing virgin accounts

Data thieves are being drawn to Buzz by the scent of tens of millions of valid email addresses being surfaced by Google’s algorithm for exponentially increasing Buzz usage. Such “virgin accounts” are hot commodities in the cyber underground. “The fundamental risk is that your (Gmail account) information can be readily used by cybercriminals,” says Jones.

With a valid email address in hand, cybercriminals can easily guess the accompanying password and begin tapping contact lists in the virgin accounts. Virgin email accounts tend to clear spam filters, making them ideal for spreading spam and infections.

“We see more and more cases where the user accounts are ‘stolen’ because the password has been guessed by cybercriminals,” says Luis Corrons, technical director of PandaLabs. “Most of the users have a password that is really easy for anyone to guess once the criminal has access to certain data such as the birth date, name of pets, and so on.”

While it would help if more consumers were security-aware, the underlying problem is that social networks are not taking users’ privacy seriously, says Corrons. Consider that Buzz’s algorithmic spreading mechanism generated 9 million posts in 56 hours by cross-correlating — and publicly surfacing — tens of millions of virgin email accounts.

“The average user won’t change their settings mainly because they don’t even know about the privacy policy, don’t mind or don’t realize the implications,” he says. “In my opinion, all the settings should be restrictive by default and leave it up to the user to open them up.”

Google responds

In response to Last Watchdog’s examination of the security implications of Buzz, Pavni Diwanji, Google’s engineering director, on 18 Feb 2010 emailed me this statement:

Use of popular search terms for blackhat SEO purposes is neither new nor specific to Google Buzz, or even Google for that matter. In all cases, we actively work to detect and remove sites that serve malware from our search index, using manual and automated processes. We caution users who might visit suspicious sites with warnings directly in our search results as well as in many modern web browsers.

Google works hard to fight spam, and in fact, Gmail’s anti-spam technology is one of the key reasons why people choose to use Gmail in the first place. We have similar goals for Google Buzz. As a Google Buzz user, you have a lot of control over what you see — you choose who you follow, and if someone is following you whom you consider spammy, you can always block them. If you see spam, you can report it to us, and in many cases that action will remove the spam immediately.

We’re employing a variety of techniques to help combat spam and abuse in Google Buzz, and we’ll continue to improve our methods.

By Byron Acohido