Watch Out Who You Reply To On Google Buzz, You Might Be Exposing Their Email Address

The danger in creating an instant social network around email contacts, as Google Buzz does with Gmail, is that the boundaries between what is private and what is public are not always clear. One issue raised earlier today is that the people you follow and who follow you are made public by default on your profile page, but are based on people who you email the most in private. You can make these lists invisible, but it remains an opt-out process instead of an opt-in one.

It turns out there is another privacy flaw in Google Buzz that can expose private email addresses to everyone who follows you. Google Buzz borrows the @reply convention from Twitter so that if you want to reply to someone or direct a comment to them you simply put the @ sign in front of their name. Google autosuggests names from your contact list as you start typing. Normally, this doesn’t cause any problems if you select the Gmail account or chat name associated with that person’s public profile. It ends up posting their name, and not their email address.

But if you select a name or account that is not public, Buzz will fill in their private email address. For example, I wanted to direct a comment at TechCrunch writer MG Siegler, so I typed in “@mg” and up came three of his different emails. I picked his TechCrunch email, not realizing that his public profile is linked to a different Gmail account. What this means is that the 231 people following me on Buzz can all see MG’s private email address in my comment even if they had no direct connection to him before. They can now send him unsolicited emails and spam galore. Now multiply that type of potential exposure by the millions of people already using Buzz, and you can see why it is a hole that should be patched up quickly.

I asked Google to explain how all of this works, and here is their response:

Generally typing someone’s email address autocompletes with that person’s name and therefore their address is not visible to anyone. Only in cases when you don’t have access to a person’s name and there is no name to connect to that email address, the system will show that person’s address instead of their name. This is very rare, and only happens when:

  • the person whose address you’re typing doesn’t have a public profile OR
  • they are not Following you and you are not connected via Chat.

The moment you post, it will be very obvious that the email address is publicly visible, and you can always edit and/or delete that post.

Except that it is not rare. Many of my contacts, including the ones using Buzz, have multiple email addresses. When I type their name in Buzz to reply to them, the autosuggest box shows me all the different email addresses I have for them in Gmail, and doesn’t specify which of those are public or private. When I typed in MG’s name, for instance, I chose the TechCrunch email because that is the one I use the most. I had no idea that his Gmail address is the one linked to his public profile, and thus the one I should have used to protect his privacy.

In my eyes that is a design flaw.  Google actually expects us to pick up on these things and protect each other’s privacy, rather than the other way around.  What happens when you inadvertently type in someone’s email address?  According to Google:

In this case, a person attempts to type an @reply using a contact’s email address, types out the email address, and then after posting sees the email address plainly displayed in the post. It is expected that after this, most people would understand that the email address will be visible to the viewers of the post. The user can edit or delete the post.

Sorry, but that is expecting too much from the average user, who probably wouldn’t even notice such a tiny detail.  It’s really up to Google to warn users or to make sure that only public names come up in the autocomplete.  How hard can that be? Instead, Google is telling us that it is our problem and we should be more vigilant using their product.

In the overall scheme of things, this is a small and fixable flaw for a feature that 80 percent of people may never even use.  But it is an example of what can go wrong when you inject private contacts into a public stream.  Google needs to be extra careful with details like this one.
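
The fix argued for above, sketched as an added example (not Google's code and not part of the original article): autocomplete suggestions are labelled public or private, and a selected private address is swapped for the same person's public profile name, or held back until the poster confirms the exposure. The contact records, field names and function names are hypothetical.

```javascript
// Constructed sample address book (hypothetical data model). One person has
// two addresses, only one of which is linked to a public profile.
const contacts = [
  { personId: 1, name: "Alex Example", address: "alex@work.example", publicProfile: false },
  { personId: 1, name: "Alex Example", address: "alex@mail.example", publicProfile: true },
  { personId: 2, name: "Sam Sample", address: "sam@corp.example", publicProfile: false },
];

// Autocomplete: match on name or address, label every suggestion, and list
// public-profile entries first so the safe choice is the default one.
function suggest(prefix, book) {
  const p = prefix.toLowerCase();
  return book
    .filter(c => c.name.toLowerCase().startsWith(p) ||
                 c.address.toLowerCase().startsWith(p))
    .map(c => ({ ...c, visibility: c.publicProfile ? "public" : "private" }))
    .sort((a, b) => Number(b.publicProfile) - Number(a.publicProfile));
}

// Render an @reply. A private address is never written into the post unless
// the poster has explicitly confirmed that followers will see it.
function renderMention(choice, book, { confirmedExposure = false } = {}) {
  if (choice.publicProfile) {
    return { text: "@" + choice.name, warning: null };
  }
  // The same person has a public identity: post that instead of the address.
  const pub = book.find(c => c.personId === choice.personId && c.publicProfile);
  if (pub) {
    return { text: "@" + pub.name, warning: null };
  }
  // No public identity exists: block the post until the exposure is confirmed.
  if (!confirmedExposure) {
    return {
      text: null,
      warning: "Posting will show " + choice.address + " to everyone who follows you",
    };
  }
  return { text: "@" + choice.address, warning: null };
}
```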