Several major U.S. Internet companies, including Google and Facebook, need to “step up” and better protect consumer privacy or face tougher penalties from the U.S. Federal Trade Commission, a commissioner said Wednesday.
Commissioner Pamela Jones Harbour, who is leaving the FTC next month, ripped into Google for the launch of its Buzz social-networking tool in February, and she complained that many other Internet firms, including Facebook and Microsoft, aren’t encrypting the consumer data that lives in their clouds.
“I am especially concerned that technology companies are learning harmful lessons from each other’s attempts to push the privacy envelop,” she said during an FTC privacy workshop. “Even the most respected and popular online companies, the ones who claim to respect privacy, continue to launch products where the guiding privacy policy seems to be, ‘Throw it up against the wall and see if it sticks.’”
Wednesday’s forum was the third about consumer privacy that the FTC has hosted since December. The agency wants to shape the debate about what are appropriate consumer privacy protections, but it will also take action against companies it believes not lived up to the privacy promises, Harbour said.
“I realize that companies continue to take a testing-the-water approach to privacy because no regulatory agency has sent a clear message that this behavior is unacceptable,” she said. “I would like to see the commission take the position of intolerance toward companies that push the privacy envelop, then backtrack and modify their offerings after facing consumer and regulator backlash.”
Harbour targeted Google in particular for criticism, saying its launch of Buzz in February constituted “irresponsible conduct.” In the original public version of Buzz, the program compiled a list of the Gmail contacts the users most frequently e-mailed or chatted with and automatically started following those people. Those lists were made public, giving strangers access to the contacts of Buzz users.
There was an immediate outcry from Gmail users, and Google made changes to Buzz within a couple of days. But Harbour said Google seems not to have learned from similar privacy controversies with past product launches, including the Google Talk instant-messaging service.
Google users have high expectations of the company, Harbour said. “Google consistently tells the public to ‘just trust us,’” she said. “But based on my observations, I do not believe consumer privacy played any significant role in the release of Buzz.”
A reasonable consumer would conclude that the launch of Buzz was a “material change” their relationship with Google’s Gmail, she said. “When users created Gmail accounts, they signed up for e-mail services,” she said. “Their expectations did not include social networking.”
Consumers should have the “ultimate decision” to sign up for new features, Harbour added.
Google spokesman Brian Richardson, who listened to Harbour’s speech, noted that the company made changes to Buzz’s privacy settings within 48 hours of its launch. “User choice and transparency are top of mind for us,” he said. “When we realized that we had unintentionally made users unhappy, we worked quickly to make immediate changes.”
Google tested Buzz with more than 20,000 employees, but the company now recognizes that its employees and the general public may have different reactions to a product, Richardson added.
“You cannot incubate social products in a Petri dish, or suddenly announce a fully baked product,” he added. “If you look at any company that’s been successful in this space, it’s because they have been able to iterate, refine, listen, stumble, get back up, and dust themselves off.”
Harbour also criticized Facebook for some of the changes it has made in its privacy settings, and she called on social-networking sites, e-mail service providers and other cloud computing vendors to begin encrypting consumer data. Many providers of Web-based services don’t use the SSL (Secure Sockets Layer) cryptographic protocol for most data, she said.
Facebook, Microsoft’s Hotmail service and Flickr don’t use SSL after the initial log-on information is sent, Harbour said. Without SSL, consumer data is put at “significant risk” when people use public wireless networks, she said.
“These vulnerabilities are easily preventable,” she added. “Security needs to be a default in the cloud.”
Security is a top priority for Facebook, said spokesman Andrew Noyes, contacted after Harbour’s speech. “We devote significant resources to helping our users protect their accounts and information,” he said. “We don’t take this for granted, however, and we’re constantly exploring new ways to safeguard the privacy of our users and their communications.”
Facebook is also confident that recent changes in it privacy settings were “transparent, consistent with people’s expectations, and well within the law,” Noyes added. “Specifically, the announcement and education campaign by Facebook around the changes was unprecedented in its scope.”