Exclusive: Google's latest Buzz privacy changes enable possible new exploit


Today, Google Gmail customers are seeing a promised round of software changes whose purpose is to make Google Buzz users more aware of their privacy options, and to give them a more obvious way to back out of Buzz. These changes come a mere nine days after the social networking product's rollout as an element of Gmail, although some users have already claimed personal damage and begun legal action.

Before backing out ourselves, Betanews tested the Buzz changes on accounts where Buzz was already set up. There we noticed the promised Buzz tab has been added to Gmail settings, where, as we expected, the user is given the option to withdraw the lists of other Buzz users she's following from her public Google profile. This is effectively a copy of the option from Buzz setup that Google only made prominent after its first round of changes at this time last week.

Though the initial problem, in which new users inadvertently shared the identities of their most frequent Gmail contacts with others, appears to have been addressed, it was in testing the efficacy of the new option for turning Buzz off that we discovered another potentially serious problem: one that can begin with social spoofing and can lead to the ability to follow other users with complete stealth.

First, we noticed one little quirk: Beside the option "Show the list of people I'm following and the list of people following me on my public Google profile," there's a link labeled "Learn more." It takes the user to a page we've seen before on Google's help system. But clicking this hyperlink also selects the "Show the list..." option, even if it had previously been set to "Do not show these lists on my public Google profile." Users should check which option is selected before clicking "Save Changes."

Clicking on the clearly labeled "Disable Google Buzz" link brings up the "Delete your profile" dialog box (shown below), which explains the ramifications of exiting the social network. We noted that when the user clicks on this link, even though she has an opportunity to back out at this point, the Buzz link and its associated window are removed at that moment from the Gmail sidebar (but not from the Settings tab). Clicking on "No, I changed my mind" takes the user to the familiar "Edit your profile" dialog; but even then, Buzz is disabled.

But disabling Buzz does not mean deleting one's Google profile. From here, the user is given the option to wipe her profile clean. As the explanation reads, "Your personal profile information will be permanently removed from our system."

Given that explanation, it seems curious that Google would add another option, "Also unfollow me from anyone I am following in Buzz, Google Reader, and other Google products." You would think that not having a Google profile means you're not following anyone in Buzz. As we would discover, that's wrong.

As a test, we first clicked on "No, I changed my mind." But Gmail did not respond as we expected; it did not re-enable Buzz in Gmail. As it turns out, the disablement had already happened; the "change my mind" part refers only to the deletion of one's Google profile. This may lead to some confusion among users of Google Reader and Picasa, where profiles are also prominent; they may never have had an interest in deleting their profiles on those services, just in leaving Buzz.

Next, we noted that once the user has disabled Buzz and signed out of Gmail, she will not be given the traditional invitation to join Buzz. So Google will not continue to advertise a service the user has apparently rejected. However, even if the user visits http://buzz.google.com to restart the service, she'll find she's taken to Gmail where Buzz remains disabled.

But the Buzz tab still appears in Gmail settings, where she has the option of clicking on "Show Google Buzz in Gmail" and restoring it to the Gmail sidebar. If the user has not deleted her profile (if she "changed her mind" earlier), then Buzz will reappear as though nothing had changed at all. Followers remain followers, and members who were followed before are followed again.

Next, we tried the more destructive option: disabling Buzz and deleting the public profile, with the "Also unfollow me..." option checked. Google responded by taking us to the Accounts page, where we were told we didn't have a public profile yet and were given the option to create one. That makes sense, because one reason a person might want to delete her profile is to start over with a new one.

What's interesting here, though, is that the information in the Google Account we used for this test continues to include the account picture, which one might think was a profile element. If the user goes to the page for the profile she thought was deleted, she'll find a page with her picture on it, which might have her thinking she still does have a Google profile. Did Google really delete the profile information as it said it would? To figure this out, we tried re-entering Buzz.

Even when a user who's discontinued Buzz once before enters Buzz through its own dedicated URL, she's taken to Gmail where Buzz remains disabled. Though there are no explicit instructions here, we discovered the user can re-enable the service using the Buzz tab. However, she won't be led by the hand in the creation of a new profile -- there's no auto-suggesting, no auto-following, no auto-anything. Buzz starts out with a blank slate. Arguably, that's the most secure state it can start out in, blank -- and perhaps Google wouldn't have been the subject of such criticism if it had started out presenting a blank slate to begin with.

But what we were surprised to discover was this: When using a Gmail account to re-enroll in Buzz after having exited the service once already, Buzz does not automatically set up any Google profile at all. Yet our new Buzz service picks up the list of followers we generated the first time; the list of people we were following, by contrast, is gone. The list of people following a once-deleted Buzz user does remain and is restored once the user re-enters Buzz. This is probably because that list is compiled "live" from the active profiles of non-deleted Buzz users, so it can be reconstructed even though nothing about the deleted user was kept.

A person without a public profile shows up in Buzz as a person without a public profile, at least at first.


This made us wonder: If a user followed someone else using her old Buzz account, then disabled Buzz and deleted her profile, and re-enabled Buzz later, is the user still following that other person? No. Does the other person get notified? No, not directly. Can the followed person go into his Buzz list and discover that person is no longer following? Yes, just as though the following person were still inactive in Buzz. If the following user re-follows the followed user, is the followed user told? No, but the followed user can see the picture and ID of the following user in his list, assuming he's looking for it.
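The behaviour observed above (the "following" list vanishes with the profile while the "followers" list survives, and re-following produces no notification) is consistent with a simple storage model. The following Python is an added illustration written for this article, not Google's code: it assumes, as the article infers, that the only stored edge is each account's own "following" set, that "followers" is derived live from everyone else's sets, and that disabling Buzz alone touches no edges. The user names and the `BuzzModel` class are constructed for the example.

```python
"""Toy model of the Buzz follow graph as described in the article.

Assumptions (not confirmed by Google): each account stores only the set of
people it follows; "followers" is computed live from other accounts'
following sets; disabling Buzz hides it without touching any edge;
deleting a profile with "Also unfollow me..." drops the account's own
following set; re-enabling Buzz after a deletion creates no new profile.
"""


class BuzzModel:
    def __init__(self):
        self.following = {}        # account -> set of accounts it follows
        self.has_profile = set()   # accounts with a public Google profile
        self.buzz_visible = set()  # accounts currently showing Buzz in Gmail
        self.notifications = []    # messages sent to followed users (none, per the article)

    def first_setup(self, user, auto_follow=()):
        """Initial Buzz enrolment: profile created and frequent contacts auto-followed."""
        self.has_profile.add(user)
        self.buzz_visible.add(user)
        self.following.setdefault(user, set()).update(auto_follow)

    def follow(self, follower, target):
        """Manual follow. No notification is generated for the target."""
        self.following.setdefault(follower, set()).add(target)

    def following_of(self, user):
        return set(self.following.get(user, set()))

    def followers_of(self, user):
        """Derived live: whoever currently lists `user` in their following set."""
        return {u for u, targets in self.following.items() if user in targets}

    def disable_buzz(self, user):
        """'Disable Google Buzz': hides Buzz in Gmail, leaves every edge in place."""
        self.buzz_visible.discard(user)

    def delete_profile(self, user, also_unfollow):
        """'Delete your profile', optionally with 'Also unfollow me...' checked."""
        self.has_profile.discard(user)
        if also_unfollow:
            self.following.pop(user, None)

    def reenable_buzz(self, user):
        """'Show Google Buzz in Gmail': restores Buzz, creates no profile, auto-follows nobody."""
        self.buzz_visible.add(user)


def run_scenario():
    """Replay the article's test sequence; returns the observations as a dict."""
    m = BuzzModel()
    m.first_setup("alice", auto_follow={"bob", "carol"})
    m.first_setup("bob", auto_follow={"alice"})
    m.first_setup("carol")
    out = {}

    # Disable and re-enable without deleting the profile: nothing changes.
    m.disable_buzz("alice")
    m.reenable_buzz("alice")
    out["following_after_disable_only"] = m.following_of("alice")   # {'bob', 'carol'}
    out["followers_after_disable_only"] = m.followers_of("alice")   # {'bob'}

    # Disable, delete the profile with "Also unfollow me..." checked, re-enable.
    m.disable_buzz("alice")
    m.delete_profile("alice", also_unfollow=True)
    out["bob_sees_alice_while_deleted"] = "alice" in m.followers_of("bob")   # False
    m.reenable_buzz("alice")
    out["profile_after_reenable"] = "alice" in m.has_profile        # False: blank slate
    out["following_after_delete"] = m.following_of("alice")         # set(): gone
    out["followers_after_delete"] = m.followers_of("alice")         # {'bob'}: rebuilt live

    # Re-follow from the profile-less account: visible in bob's list, no notification.
    m.follow("alice", "bob")
    out["bob_sees_alice_again"] = "alice" in m.followers_of("bob")  # True
    out["notifications_sent"] = len(m.notifications)                # 0
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point the model makes concrete is the asymmetry: the deleted user's own data really is gone, but every edge pointing at her lives in other people's accounts, so her follower list reappears the moment she re-enters, and a new follow from a profile-less account is visible only to someone who goes looking.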

Next: Following somebody who thinks she's blocked you...

© 1998-2014 BetaNews, Inc. All Rights Reserved.