Do you use Gmail, even for personal mail? Do any of your clients use Gmail?

There was a pretty massive shift in your privacy a couple of days ago. You might not have noticed it. But unless you take a few steps to protect yourself, Google may be sharing some of your confidences with the world.

Here’s what that might mean for you — and four privacy settings that you might want to check today.

Update: On February 12, 2010, I published a new post that gives instructions for actually turning off Google Buzz. If you want to better understand the privacy implications of Buzz and to see some lesser steps you might take, please read on in this post.

Update: On February 13, 2010, Google announced that they would be making the privacy options for Buzz more explicit, including providing a more convenient button to disable Buzz. I wrote about the good (and bad) parts of that announcement in this newer post.

Google Buzz: The social network that has assimilated Gmail

Yes, that’s right. Google Buzz is opt-out. When you log into your Gmail account, you’ll be confronted with this announcement:

[Image: Buzz welcome screen]

But notice: It’s not asking if you want to join or activate Buzz. It’s asking if you want to learn more about it.

Even if you click “No” (or, in California-speak, “Nah, go to my inbox”), you are still enrolled in Buzz. The “Buzz” box still appears in your sidebar. The nice folks at Google just assume you want to be part of their new world where “[i]f you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.”

Assume for just a moment that this concerns you. Assume, perhaps, that some other people might expect to be able to contact you in confidence — as a lawyer, a blogger, a journalist, or even (gasp) a friend. Assume that part of your professional responsibility is keeping the confidences of others.

This is not your first rodeo, so you click on the “Settings” menu at the top right of your Gmail. You expect to be offered privacy options for this new Buzz service, but you see that there aren’t any. Although Google has integrated Buzz directly into your Gmail, it has hidden the controls (feeble as they are) somewhere else.

Here’s what this elusive new Buzz item might mean for your privacy. And here’s how to find (and change) a few settings to protect yourself.

Repurposing old data in a way that flouts our expectations of privacy

The problem here isn’t that Google is starting a new social network.[1] We all know what social networks are; Google would probably be good at the engineering side of it. (I bet they haven’t even bothered to pick out their own iconic “fail” icon.)

The problem is how. Google has taken a couple of services that had basically clear privacy expectations — specifically, Gmail (private) and Google Profiles (public) — and combined them in a way that discloses previously private information that many people consider confidential.

For Buzz, Google’s engineers now guess at your social network based… wait for it… on who you have emailed most often. Here’s how its privacy policy describes this today:

When you first enter Google Buzz, to make the startup experience easier, we may automatically select people for you to follow based on the people you email and chat with most. Similarly, we may also suggest to others that they automatically follow you. You can review and edit the list of people you follow and block people from following you.

Having guessed at your social network, the Google engineers then share their findings with the world:

Your name, photo, and the list of people you follow and people following you will be displayed on your Google profile, which is publicly searchable on the Web. You may opt out of displaying the list of people following you and who you’re following on your profile.

If you are following someone who publicly displays their list of followers on their Google profile, then you will appear on that person’s public list. Likewise, if someone is following you and displays the list of people they follow on their profile, then you will appear on that public list.

So, a few days ago your email address book and list of recipients was private information. It would have been downright scandalous if someone had broken into Google and stolen it — even if just for a few dozen targeted accounts of Chinese dissidents.

But today, Google has used that same information to seed a new social network that by default makes these links publicly searchable? Wow.[2]

Update: If you want a real-world example of what this can mean, you might check out this post from Fugitivus. It has some more colorful language than I would use on this blog, but she’s earned it. The Buzz default settings revealed information about her to an abusive ex-husband. And there’s more. Because she also had an anonymous blog, and had forwarded those blog comments to her Gmail account, Buzz also revealed her identity to some of the more frequent abusive commenters there.

Who knew that Google’s next “email killer” product would be aimed at killing trust in their own Gmail service?

Four tips to protect yourself and those who might expect some confidence from you

You do have a few switches to control this Buzzsaw. They’re just not where you expect them to be. And they might not do what you expect, either. There is no true “off” switch.

Here are the four settings I found this morning that seem to make a difference:[3]

1. When you “turn off” Google Buzz, that doesn’t actually remove your information from search results

You might have seen the article “How to do everything with Google Buzz (including turn it off)”. It’s a nice overview of the service. But, unfortunately, the tip it gives on how to “turn it off” actually just hides the updates so you can’t see them. Buzz is still active on your account, and your information is still shared.[4]

This setting is hidden in plain sight, down in the footer of the page with such frequently referenced items as your terms of service and their privacy policy. (It’s as if Google wanted to make sure the lawyers would have no excuse not to find this.)

[Image: Gmail footer with the 'turn off buzz' option]

If you regularly read the fine print on pharmaceutical ads, you might have noticed that this setting appears on a line that begins “Gmail view.” And it turns out that this “turn off buzz” switch does not actually turn off the Buzz service. Instead, it just turns your view of the service off. It hides updates… from yourself.

That’s probably not what you had in mind from an “off” switch. However you flip this switch, your follower/following information remains equally visible on your profile page for the world to see.

I could not find any switch that would actually disenroll me from Buzz. Once assimilated into the Buzz collective, there is no easy way to go back.

2. To stop sharing your own follower/following lists, go to Google Profiles

If you have ever created a Google Profile, your Buzz followers/following list is already displayed there by default to anyone else who is signed into their own Google account — even if they have no connection to you at all.

From your own profile page, you can choose to hide that list.

You have to choose “Edit Profile,” which brings up a whole mess of options, including this new checkbox near the top right:

[Image: Profile setting for displaying followers]

Toggling this switch off at least does what you expect. It hides your follower/following information from your own profile page.

You might breathe a sigh of relief. People who view your profile will no longer be treated to a list of the people you email most often.

But you are still in the Buzz collective. And your name and smiling face may still appear on the other side of these follower/following connections. You may still be publicly linked to one of your clients’, sources’, or friends’ profile accounts, whether or not they expect it.

How do you help protect the confidences of others, if protecting confidences is part of your line of work?

3. If you want to help out your clients, you may have to disable your own Google Profile

This is the tip that makes the least logical sense — but that had the biggest positive effect.

Update: I mentioned above that I wrote a new post with updated instructions for actually turning off Google Buzz. My experiments got me pretty close. It turns out to be a mix of deleting your Google profile entirely (not just turning off display of your “full name” or making it private), followed by my step 4 (deleting all connections), followed last by my step 1 (actually hitting “turn off buzz”). You should read that new post if you want to completely disable Buzz. The rest of this post explains some of the lesser steps you might consider, and what effect they seem to have.

After I did steps 1 and 2 above — turning “off” Buzz and disabling the follower/following list from showing in my own profile — I was disturbed to see that I still showed up in some friends’ public profiles.

Why is that? Because the Google Buzz system appears to distinguish between people with a public profile who choose to “share” their full name and those who do not.

[Image: Setting for displaying your full name in search]

By going back to my own profile settings and toggling this switch to the off position, I managed to remove my name from the list of people who would be publicly displayed on someone else’s profile page.

Not obvious. But it works (for now).[5]

4. (Bonus!) If you want to really make sure things are nailed down, you have to manually delete the “following” selections Google has made for you by default

I was originally going to stop with step 3, but when demonstrating this to someone else… I found another leak.[6]

Although I had done the three tips above, I had not made any changes to the follower/following list that Google created for me automatically. It was hidden, but still there.

I demonstrated these tips to someone who happened to be on my “following” list and… they could still see me. That’s not too terrible. But they could still see me listed on other people’s profiles, too — even profiles with which they were not otherwise linked. So, if they stumbled upon (or sought out) one of those profile pages, they could get information about my connection with that person, even though I had chosen not to share my own connections and even though I had told the system not to make my information publicly searchable.[7]

So here’s the final tip for today: Anyone on your “following” list — even if Google put them there automatically — gets access to private information about your other connections.[8]

Update: I’ve now had a chance to check if your “followers” also get access to this information. It turns out that they do.

That might be a reasonable choice for a social network to make. But not for an email service like Gmail.

So, if it’s your business to respect the confidences of others, you should prune down that list (perhaps to zero).

And, even if you decide to use Buzz in a limited way, you should be very wary of following people just because they might send out a funny update or two. This isn’t Twitter, where the price of following might be a spammy DM. This is the Buzz collective, where you are not in control and your information may not be your own.

  1. Business riddle: Google basically prints money. Facebook famously doesn’t. If Facebook has been unable to make money even at its own enormous scale, why does Google want to get into this business? Is it really worth destroying your enormous franchise value in email and business-related apps to do so?
  2. If you think about it, Google’s choice to make it just the people you email “most” cuts both ways in privacy terms. Sure, fewer contacts’ information is exposed. But the selection gives away information about your behavior in regard to those contacts, which might even be more sensitive. Who are you to deny what Google says about you?
  3. I tried these settings out from a few accounts, checking to see how the system behaves. Some of these options or their effects may change. If you notice a change or something that I just got wrong, please let me know, and I’ll update the post.
  4. It’s hardly the author’s fault. Google is the one who called this an “off” button instead of a “hide” button. In trying to attack Facebook, Google seems to have also followed the same strategy of fragmenting and hiding user privacy controls.
  5. Of course, this doesn’t really give me more privacy. I still have a public Google profile (and I don’t see an obvious way to delete that) — it just appears under my Google account name instead. And it probably doesn’t take a cluster of NSA computers to figure out the connection between your account name and your real name. If you chose an account name like I did, it probably just takes a space bar, a period key, or maybe an underscore.
  6. I suspect there are more. Please let me know, and especially let me know if you find solutions.
  7. Curiously, they could also see my “full name” on my profile page, even though I had told the profile service not to display it. This may just be a bug. It may be a feature. Or Google might not have decided yet what to call it.
  8. Your “followers” do, too. What I saw was based on people I was still “following.” I didn’t test if people merely on a “follower” list also get access to more information. It doesn’t seem like they should, but then again, it doesn’t seem like those on the “following” list should, either.