Google have been in the news again with violations of their users' privacy, following the launch of their social networking tool Buzz. The first I saw of this was, unexpectedly, on one of the feminist blogs I read, Fugitivus by Harriet Jacobs.

Buzz connects other applications in the Google network to make it easier to share content online. To enhance the impact of the launch, Google created contact lists for Buzz based on the most frequent contacts from users' Gmail address books. As Harriet explained, her "most frequent contacts" included her abusive ex-husband. She hadn't been in touch with him since the split. He used to be one of her most frequent contacts, but since she hasn't used Google to contact many people since then (because, ironically, she was concerned about her privacy), he hasn't had anyone knock him down the list since they split. If you are currently in a relationship, and it ended now, how long would it take for that person to cease to be one of your most frequent contacts?

The automated settings which Buzz launched with granted these most frequent contacts access to any content posted to Google Reader. In other words, Google automatically changed the security settings on users' content, much of which was protected, to include a wider group of people. Without consulting them.

In an attempt at damage limitation, Harriet has set her Wordpress blog to private, as you will have noticed if you clicked the link above. However, Google has cached a copy of her blog, including her post about this issue, on their search engine.

In the wake of the ensuing outcry, Google have swiftly backtracked. Buzz now offers a list of "suggested contacts", and each user has to approve adding them. Which is, of course, what they should have done originally. Because they didn't, a lot of people have had their privacy invaded by Google's choices, firstly to automate the 'followers list' settings at launch, and secondly to change security settings on content to grant access to the people in those lists.

As if that wasn't enough, those same followers/following lists (whether generated automatically or configured by you) are publically viewable by default. The privacy failings of Buzz constitute a multi-faceted opt-in/opt-out misjudgement on Google's part. In order to maximise the take-up of their new service as it launched, Google opted Buzz users in, by default, to:

• the service,
• a set of contacts,
• sharing their contacts publically,
• sharing content with their contacts,
• Buzz notifications sent to their Gmail inbox

All these features should have been turned off by default, leaving users to opt-in, instead of requiring people to opt-out after the damage was already done.

Users have reported other non-secure aspects of Buzz. Buzz uses Google Profiles, which encourages you to turn your Gmail address into a public username - which means anyone can reverse this process to turn your Google username into your Gmail address. Many people using social media prefer to keep their email address more private than their online usernames. In addition, when posting to Buzz for the first time from a mobile phone, it offers a GPS-based "share location" option - with the "remember this preference" checkbox selected by default. Any user who chooses to share their location the first time (perhaps in a hurry, or thinking this would reveal only their country or city) has thus opted to publish their exact physical address - including property number, street name and postcode - on every comment or post they make on Buzz until the setting is changed.

As bp001 said on Hacker News:

"Google had the decision to jump-start their social network in a big way at a cost of annoying maybe 1 in 100 gmail users who are conscious about this sort of thing. Seems like an obvious decision to a for-profit company.

It raises questions in my mind about what data I am providing to Google and what unforeseen ways they may decide to use that data at some future point."

One of the reasons this privacy violation affected people so badly is the number of different applications tied into Buzz - a list including Gmail, Google Profile, Google Reader and Google Talk.

Interestingly, one of the services not tied in to Buzz is the Google Location Service, which is connected to Google Maps. Google Location was rolled out very carefully, wholly opt-in from the start - and even when a user has opted in, the service sends them regular reminders that that are sharing their physical location, and checking they want to continue doing so. This is clearly an example of best practice on Google's part. Why has the same care not been extended to Buzz?

One of the ways Google develops innovative new products is, famously, to put a team of strong developers together, give them a budget and a timeframe, and leave them to it. Google Maps was developed under just these conditions - and the same team later went on to create Google Wave. The advantage of this strategy is that it offers programmers a lot of freedom and space to be creative. However, it seems likely that the independence of each development team may be a factor in the variety of attitudes new Google services have to privacy. People could rightly expect a company whose motto is "Don't be evil" to be paying more attention to this kind of issue.

One assumes that the products are centrally assessed before launch - but however quality assessment is undertaken, the privacy failures of Google Buzz demonstrate that there are clearly flaws in the system. Some have suggested that this failure arose from only testing the service internally, as work contacts are of a different (and inevitably less diverse) nature to personal contacts when it comes to security.

As Google have scaled up and extended the reach of their services, users' data has converged in a way they perhaps didn't foresee. As a company, they need to re-think their approach to user privacy, particularly with new services that access data from multiple existing applications. They need to scale up their security model so that it encompasses the vast breadth of user data for which they are now responsible. They need to realise that people have different data-sharing and different privacy requirements in different areas of their lives, and often even different identities - separate online personas for work and personal life are common outside of the Google offices, but it seems this kind of distinction isn't being recognised by those on the inside.