By Scott M. Fulton, III, Betanews
Today, Google Gmail customers are seeing a promised round of software changes whose purpose is to make Google Buzz users more aware of their privacy options, and to give them a more obvious way to back out of Buzz. These changes come a mere nine days after the social networking product's rollout as an element of Gmail, although some have already claimed personal damage, and have already begun legal action.
Well short of that extreme, Betanews tested the Buzz changes on accounts where Buzz was already set up. There we noticed the promised Buzz tab has been added to Gmail settings, where, as we expected, the user is given the option to withdraw the lists of other Buzz users she's following from her public Google profile. This is effectively a copy of the option from Buzz setup that Google only made prominent after its first round of changes at this time last week.
Though the initial problem with new users inadvertently sharing the identities of frequent Gmail contacts with others appears to have been addressed, it was in testing the efficacy of the new option for turning Buzz off that we discovered another potentially serious problem, which can begin with social spoofing, and can lead to the ability to follow other users with complete stealth.
First, we noticed one little quirk: Beside Show the list of people I'm following and the list of people following me on my public Google profile, there's a link labeled Learn more. It takes the user to a page we've seen before on Google's help system. But if you click this hyperlink, you also select the Show the list... option, even if it had been previously set to Do not show these lists on my public Google profile. This is something that users will have to remain cautious of before clicking on Save Changes.
Clicking on the clearly labeled Disable Google Buzz link brings up the Delete your profile dialog box (shown below), which explains the ramifications of exiting the social network. We noted that when the user clicks on this link, even though she has an opportunity to back out at this point, the Buzz link and its associated window are removed at that moment from the Gmail sidebar (but not from the Settings tab). Clicking on No, I changed my mind takes the user to the familiar Edit your profile dialog; but even then, Buzz is disabled.
But disabling Buzz does not mean deleting one's Google profile. From here, the user is given the option to wipe her profile clean. As the explanation reads, "Your personal profile information will be permanently removed from our system." Based on that explanation, it seems curious that Google would add another option, Also unfollow me from anyone I am following in Buzz, Google Reader, and other Google products. You would think that not having a Google profile means you're not following anyone in Buzz. As we would discover, that's wrong.
As a test, we first clicked on No, I changed my mind. But Gmail did not respond as we expected; it did not re-enable Buzz in Gmail. As it turns out, the disablement part already happened; the "change my mind" part refers to the deletion of one's Google profile. This may lead to some confusion among users of Google Reader and Picasa, where profiles are also prominent; they may never have had an interest in deleting their profiles on those services anyway, just in Buzz.
Next, we noted that once the user has disabled Buzz and signed out of Gmail, she will not be given the traditional invitation to join Buzz. So Google will not continue to advertise a service the user has apparently rejected. However, even if the user visits http://buzz.google.com to restart the service, she'll find she's taken to Gmail where Buzz remains disabled.
But the Buzz tab still appears in Gmail settings, where she has the option of clicking on Show Google Buzz in Gmail and restoring it to the Gmail sidebar. If the user has not deleted her profile (if she "changed her mind" earlier), then Buzz will re-appear as though nothing had changed at all. Followers remain followers, and members who were followed before are followed again.
Next, we tried the more destructive option: disabling Buzz and deleting the public profile, with the Also unfollow me... option checked. Google responded by taking us to the Accounts page, where we were told we didn't have a public profile yet and were given the option to create one. That makes sense, because one reason a person might want to delete his profile is to start over with a new one.
What's interesting here, though, is that the information in the Google Account we used for this test continues to include my picture, which one might think was a profile element. If the user goes to the page for the profile she thought was deleted, she'll find a page with her picture on it...which might have her thinking she still does have a Google profile. Is it true that Google really deleted the profile information as it said it would? To figure this out, we tried re-entering Buzz.
Even when a user who's discontinued Buzz once before enters Buzz through its own dedicated URL, she's taken to Gmail where Buzz remains disabled. Though there are no explicit instructions here, we discovered the user can re-enable the service using the Buzz tab. However, she won't be led by the hand in the creation of a new profile -- there's no auto-suggesting, no auto-following, no auto-anything. Buzz starts out with a blank slate. Arguably, that's the most secure state it can start out in, blank -- and perhaps Google wouldn't have been the subject of such criticism if it had started out presenting a blank slate to begin with.
But what we were surprised to discover was this: When using a Gmail account to re-enroll in Buzz after having exited the service once already, Buzz does not automatically set up any Google profile at all. This despite the fact that our new Buzz service picks up the list of followers we generated the first time -- not the list of people being followed, that's gone. The list of people following a once-deleted Buzz user does remain and is restored once the user re-enters Buzz. This is probably because that list is compiled "live" from the active profiles of non-deleted Buzz users, so it can be reconstructed.
A person without a public profile shows up in Buzz as a person without a public profile, at least at first.
This made us wonder: If a user follows someone else using her old Buzz account, then disabled Buzz, and re-enabled it later, is the user still following that other person? No. Does the other person get notified? No, not directly. Can the followed person go into his Buzz list and discover that person is no longer following? Yes, just as though the following person were still inactive in Buzz. If the following user re-enrolls the followed user, is the followed user told? No, but the followed user can see the picture and ID of the following user in his list, assuming he's looking for it.
Next: Following somebody who thinks she's blocked you...
As we discovered in our tests, when a user deletes her Google profile, certain information about her remains -- for instance, the photo from her Google account, and her screen name. For someone who legitimately wants to discontinue using Buzz and all other Google services, erasing the Google profile may be pointless. Even though Google appears to promise that a deleted profile is a destroyed one, traces of a user's activity could enable elements of that profile to be reconstructed. Apparently one key element survives the profile deletion: the list of people that a Buzz member is following.
But that points to a second problem, which may even be dangerous: Theoretically, a malicious user could leverage this situation to create a false Buzz identification that is not tied to any publicly searchable profile. That malicious user could then masquerade as someone whom the followed person knows, using only a name and perhaps a photo (that's optional anyway), both of which could be false. If the malicious user created a false Google profile with Buzz, and then de-activated Buzz, the false photo and name would remain associated with the Gmail account.
The fact that this element survives even before the public Google profile is reconstructed reveals certain characteristics of Buzz that we did not previously know:
- A Buzz user may follow others without a Google public profile. Even though Google states the creation of a public profile is necessary in order for a new user to enroll into Buzz, one certainly was not necessary for us to re-enroll an account into Buzz after de-activating it and deleting our test profile. As a result, if you find yourself using Buzz, you may discover that other individuals are following you whom you did not invite, and whose identities you cannot determine. To keep things simpler and briefer, let's call the malicious user trying to follow someone X, and the person being followed Y. At first, X's ID and photo (if he has one) are listed in Y's Gmail under Y's list of followers, even if X does not have a "public profile," and even if X elects not to share his list of followed contacts on his (non-existent) profile. Y can unfollow that person (assuming he's a person at all). However, if X does not have a public profile, all Y can see is the name and perhaps the photo. Therefore, it's possible that a "non-profiled" person can follow any Buzz user, not with complete stealth, but at least without being able to present his credentials first. And if he has set up his Gmail account under a false name and photo, then conceivably anyone may easily become followed without permission by someone else passing himself off as a friend. This, in our opinion, is dangerous -- perhaps even more so, theoretically, than the possibility of accidentally revealing one's contacts list during sign-up.
- Evidence exists that a user's Buzz activities in Google's database survive the deletion of her Google profile. Even without re-creating the Google profile, in our test, when we re-activated a once deactivated Buzz, it suggested (but did not automatically select) other Buzz members to follow. That list of suggestions (shown above) contained individuals to whom our test account had never sent a Gmail message, and from whom it had never received one, but who were previously followed under our Buzz account before we disabled it and deleted our test profile. That fact suggests that each user's Buzz activity is being stored at Google independently of that person's profile, so deactivating Buzz does not wipe one's slate clean.
- "Blocking" a follower can lead to a situation where the blocked follower can end up following that person anyway without being detected. Assume that X has no public profile, and is following Y. Y discovers X in her list of followers, so she blocks X. X is not notified -- in fact, X still thinks he's following Y. But he doesn't receive Y's updates, so he gets curious. X unfollows Y. Then X follows Y again. X is no longer blocked. What's more, not only is Y not notified that X is no longer blocked, she cannot see that X is following Y. Y appears in X's list of followed people, and X does not appear in Y's list of followers. What's more, X is not counted as one of the followers in Y's Buzz count; so if Y has three other followers besides X, Y's Gmail will read, "3 followers."
- An unprofiled Buzz user may be followed by anyone else without being notified. This is where you could say Y turns the tables on X: Assume once again that X has no public profile, and is following Y. Y discovers X and blocks X. Immediately afterward, Y follows X. X can continue to follow Y, and Y will not appear in X's list of followers. If X has not discovered yet that Y has blocked X, and X has not yet unfollowed and re-followed Y, then for the time being, X appears in Y's list of followed people, and Y does not appear in X's list of followers. However, X does have this one strange clue: Y is counted as one of the followers in X's Buzz count. So if X has no other followers besides Y, X's Gmail will read, "1 follower." However, when X clicks on that link, the dialog box that appears will read, "X has 0 followers."
Two simultaneous dialog boxes from different Gmail accounts: X is informed he's following two people, one of whom is Y. Y believes she has blocked X, and Y is told that X is not following her. X does not have a public Google profile.
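To make the block-bypass sequence in the third bullet concrete, here is an added toy model, constructed for this article and not Google's code (the class and method names are assumptions). It contrasts a block that is stored on the current follow edge with one stored as a persistent relation between the two accounts:

```python
# Constructed toy model of the follow/block logic the article describes (not
# Google's code). Vulnerable: "block" only flags the current follow edge and
# hides X from Y's follower list, so X can unfollow and refollow to get a fresh,
# unblocked edge Y still cannot see. Hardened: the block is a relation between
# identities, checked on every follow attempt.

class FollowGraphVulnerable:
    def __init__(self):
        self.edges = {}      # (follower, followed) -> blocked flag on that edge
        self.hidden = set()  # (viewer, follower) pairs filtered from the view
    def follow(self, x, y):
        self.edges[(x, y)] = False       # a new edge always starts unblocked
    def unfollow(self, x, y):
        self.edges.pop((x, y), None)     # the blocked flag goes with the edge
    def block(self, y, x):
        self.hidden.add((y, x))          # Y stops seeing X ...
        if (x, y) in self.edges:
            self.edges[(x, y)] = True    # ... and X stops receiving updates
    def followers_of(self, y):
        return sorted(x for (x, t), b in self.edges.items()
                      if t == y and not b and (y, x) not in self.hidden)
    def receives_updates(self, x, y):
        return self.edges.get((x, y)) is False

class FollowGraphHardened:
    def __init__(self):
        self.edges = set()
        self.blocks = set()              # (blocker, blocked); survives unfollow
    def follow(self, x, y):
        if (y, x) in self.blocks:
            return False                 # refused while Y's block stands
        self.edges.add((x, y))
        return True
    def unfollow(self, x, y):
        self.edges.discard((x, y))
    def block(self, y, x):
        self.blocks.add((y, x))
        self.edges.discard((x, y))       # drop X's existing follow as well
    def followers_of(self, y):
        return sorted(x for (x, t) in self.edges if t == y)
    def receives_updates(self, x, y):
        return (x, y) in self.edges

def bypass_attempt(graph):
    """Article's sequence: X follows Y, Y blocks X, X unfollows, X refollows."""
    graph.follow("X", "Y")
    graph.block("Y", "X")
    graph.unfollow("X", "Y")
    graph.follow("X", "Y")
    return graph.receives_updates("X", "Y"), graph.followers_of("Y")
```

In the vulnerable model the sequence ends with X receiving Y's updates while absent from Y's follower list, exactly the state the article reports; in the hardened model the refollow is refused and Y can audit the block in `blocks`.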
In our initial tests last week, Betanews determined that it was indeed possible for a Buzz user to not have a public profile, and we explained why, in one sense, this was a good thing. It made it possible for there to be a safeguard for a new Buzz user to avoid inadvertently sharing her list of frequent Gmail contacts with other Buzz users.
But the addition of a system that enables a Buzz user to exit the service and come back with no profile at all creates a new problem: It makes it easier for someone you don't want following you to falsify his identity. Betanews notified Google of our test results prior to the publication of this story.
Copyright Betanews, Inc. 2010