"We have seen a storm of protest and outrage over alleged privacy violations and my Office also has questions about how Google Buzz has met the requirements of privacy law in Canada," Commissioner Jennifer Stoddart said in a statement.
Google says that it has already talked to Stoddart about Buzz and the changes it has made to the service. "We're always happy to hear from privacy commissioners in Canada and in other countries," a company spokesperson said in an e-mailed statement. "We regularly brief them on new products and features either before or just following launch, both as a courtesy to them and as a way to get valuable feedback on our products."
Google launched Buzz as a way to turn Gmail into a social network. Aware that some of the beta testers for Google Wave, the company's unreleased real-time social messaging platform, don't use the service much because of the absence of an existing social network, Google's Gmail team wanted to jump-start the lengthy process of building network connections by treating existing e-mail contacts as publicly viewable social networking friends. It was a decision that backfired.
In response to what Stoddart characterizes as "a storm of protest and outrage," Google twice changed the way Buzz works to accommodate privacy expectations.
Though Google's swift response shows that the company learned something from Facebook's foot-dragging following the controversy over its discontinued Beacon service, the changes in Buzz were nonetheless insufficient to satisfy critics of the company's privacy practices. On Tuesday, the Electronic Privacy Information Center (EPIC) asked the Federal Trade Commission "to require Google to make the Buzz service fully opt-in, to stop using Gmail users' private address book contacts to compile social networking lists, and to give Google users meaningful control over their personal data."
Google also responded almost immediately to reports of a security flaw in Buzz. A cross-site scripting vulnerability identified on Tuesday was fixed "a few hours after we became aware of it," according to a company spokesperson.
Google, which has repeatedly insisted that it takes privacy very seriously, said over the weekend that it was very sorry about the concern caused by Buzz.
It has reason for regret: Privacy problems continue to blindside the company. Despite earnest attempts to address the issue through, for example, the creation of a privacy Dashboard late last year, the company's commitment to privacy continues to be cast into doubt through missteps like CEO Eric Schmidt's suggestion that "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place."
Even after those remarks were put into their proper context and revealed to be less damning than Google foes claim, the company remains sullied by the mudslinging.
The stain is magnified by the fact that those fighting Google on a different front can point to privacy problems associated with a particular service and use them to justify calls for restrictions elsewhere. A case in point is the Electronic Frontier Foundation, which argued on Tuesday that "Buzz's disastrous product launch highlights the danger posed by [the possibility that Google will make secondary use of Google Books information, if the company's lawsuit settlement is approved]."
In 2004, Microsoft decided to get serious about security in order to save Windows. Though security remains an challenge for Microsoft, its commitment to confronting the issue through its Security Development Lifecycle processes is now widely accepted.
Google, as it embraces social networking, faces a similar decision about privacy.