Google+ and Privacy: A Roundup

July 3, 2011 at 7:04 pm 13 comments

By all accounts, Google has done a great job with Plus, both on privacy and on the closely related goal of better capturing real-life social nuances. [1] This article will summarize the privacy discussions I’ve had in the first few days of using the service and the news I’ve come across.

The origin of Circles

“Circles,” as you’re probably aware, is the big privacy-enhancing feature. A presentation titled “The Real-Life Social Network” by user-experience designer Paul Adams almost exactly a year ago went viral in the tech community; it looks likely this was the genesis, or at least a crystallization, of the Circles concept.

But Adams defected to Facebook a few months later, which lead to speculation that it was the end of whatever plans Google may have had for the concept. But little did the world know at the time that Plus was a company-wide, bet-the-farm initiative involving 30 product teams and hundreds of engineers, and that the departure of one made no difference.

Meanwhile, Facebook introduced a friend-lists feature but it was DOA. When you’re staring at a giant list of several hundred “friends” — Facebook doesn’t do a good job of discouraging indiscriminate friending — categorizing them all is intimidating to say the least. My guess is that Facebook was merely playing the privacy communication game.

Why are circles effective?

I did an informal poll to see if people are taking advantage of Circles to organize their friend groups. Admittedly, I was looking at a tech-savvy, privacy-conscious group of users, but the response was overwhelming, and it was enough to convince me that Circles will be a success. There’s a lot of excitement among the early user community as they collectively figure out the technology as well as the norms and best practices for Circles. For example, this tip on how to copy a circle has been shared over 400 times as I write this.

One obvious explanation is that Circles captures real-life boundaries, and this is what users have been waiting for all along. That’s no doubt true, but I think there’s more to it than that. Multiple people have pointed out how the exemplary user interface for creating circles encouraged them to explore the feature. It is gratifying to see that Google has finally learned the importance of interface and interaction design in getting social right.

There are several other UI features that contribute to the success of Circles. When friending someone, you’re forced to pick one or more circles, instead of being allowed to drop them into a generic bucket and categorize them later. But in spite of this, the UI is so good that I find it no harder than friending on Facebook.

In addition, you have to pick circles to share each post with (but again the interface makes it really easy). Finally, each post has a little snippet that shows who can see it, which has the effect of constantly reminding you to mind the information flow. In short, it is nearly impossible to ignore the Circles paradigm.

The resharing bug

Google+ tries to balance privacy with Twitter-like resharing, which is always going to be tricky. Amusing inconsistencies result if you share a post with a circle that doesn’t include the original poster. A more serious issue, pointed out by many people including an FT blogger, is that  “limited” posts can be publicly reshared. To their credit, Google engineers acknowledged it and quickly disabled the feature.

Meanwhile, some have opined that this issue is “totally bogus” and that this is how life works and how email works, in that when you tell someone a secret, they could share it with others. I strongly disagree, for two reasons.

First, this is not how the real world (or even email) works. Someone can repeat a secret you told them in real life, or forward an email, but they typically won’t broadcast it to the whole world. We’re talking about making something public here, something that will be forever associated with your real name and could very well come up in a web search.

Second, user-interface hints are an important and well-established way of nudging privacy-impacting behaviors. If there’s a ‘share’ button with a ‘public’ setting, many users will assume that it is OK to do just that. Twitter used to allow public retweets of protected tweets, and a study found that this had been done millions of times. In response, Twitter removed this ability. The privicons project seeks to embed similar hints in emails.

In other words, the privacy skeptics are missing the point: the goal of the feature is not to try to technologically prevent leakage of protected information, but to better communicate to users what’s OK to share and what isn’t. And in this case, the simplest way to do that is to remove the 1-click ability to share protected content publicly, and instead let users copy-paste if they really want to do that. It would also make sense to remind users to be careful when they’re sharing a limited to their circles, which, I’m happy to see, is exactly what Google is doing.

The tip you now see when you share a limited post (with another limited group). This is my favorite Google+ feature.

A window into your circles

Paul Ohm points out that if someone shares content with a set of circles that includes you, you get to see 21 users who are part of those circles, apparently picked at random. [2] This means that if you look at these lists of 21 over time you can figure out a lot about someone’s circles, and possibly decipher them completely. Note that by default your profile shows a list of users in your circles, but not who’s in which circle, which for most people is significantly more sensitive.

In my view, this is an interesting finding, but not anything Google needs to fix; the feature is very useful (and arguably privacy-enhancing) and the information leakage is an inevitable tradeoff. But it’s definitely something that users would do well to be aware of: the secrecy of your circles is far from bulletproof.

Speaking of which, the network visibility of different users on their profile page confused me terribly, until I realized Google+ is A/B testing that privacy setting! These are the two possibilities you could see when you edit your profile and click the circles area in the left sidebar: A, B. This is very interesting and unusual. At any rate, very few users seem to have changed the defaults so far, based on a random sample of a few dozen profiles.

Identity and distributed social networking

Some people are peeved that Google+ discourages you from participating pseudonymously. I don’t think a social network that wants to target the mainstream and wants to capture real-world relationships has any real choice about this. In fact, I want it to go further. Right now, Google+ often suggests I add someone I’ve already added, which turns out to be because I’ve corresponded with multiple email addresses belonging to that person. Such user confusion could be minimized if the system did some graph-mining to automatically figure out which identities belong to the same person. [3]

A related question is what this will mean for distributed social networking, which was hailed a year ago as the savior of privacy and user control. My guess is that Google+ will take the wind out of it — Google takeout gives you a significant degree of control over your data. Further, due to the Apple-Twitter integration and the success of Android, the threat of Facebook monopolizing identities has been obliterated; there are at least three strong players now.

Another reason why Google+ competes with distributed social networks: for people worried about the social networking service provider (or the Government) reading their posts, client-side encryption on top of Google+ could work. The Circles feature is exactly what is needed to make encrypted posts viable, because you can make a circle of those who are using a compatible encryption/decryption plugin. At least a half-dozen such plugins have been created over the years (examples: 1, 2), but it doesn’t make much sense to use these over Facebook or Twitter. Once the Google+ developer API rolls out, I’m sure we’ll see yet another avatar of the encrypted status message idea, and perhaps the the n-th time will be the charm.

Concluding thoughts

Two years ago, I wrote that there’s a market case for a privacy-respecting social network to fill Livejournal’s shoes. Google+ seems poised to fulfill most of what I anticipated in that essay; the asymmetric nature of relationships and the ability to present different facets of one’s life to different people are two important characteristics that the two social networks have in common. [4]

Many have speculated on whether, and to what extent, Google+ is a threat to Facebook. One recurring comparison is Facebook as “ghetto” compared to Plus, such as in this image making the rounds on Reddit, reminiscent of Facebook vs. Myspace a few years ago. This perception of “coolness” and “class” is the single biggest thing Google+ has got going for it, more than any technological feature.

It’s funny how people see different things in Google+. While I’m planning to use Google+ as a Livejournal replacement for protected posts, since that’s what fits my needs, the majority of the commentary has compared it to Facebook. A few think it could replace Twitter, generalizing from their own corner of the Google+ network where people haven’t been using the privacy options. Forbes, being a business publication, thinks LinkedIn is the target. I’ve seen a couple of commenters saying they might use it instead of Yammer, another business tool. According to yet other articles, Flickr, Skype and various other Internet companies should be shaking in their boots. Have you heard the parable of the blind men and the elephant?

In short, Google+ is whatever you want it to be, and probably a better version of it. It’s remarkable that they’ve pulled this off without making it a confusing, bloated mess. Myspace founder Tom Anderson seems to have the most sensible view so far: Google+ is simply a better … Google, in that the company now has a smoother, more integrated set of services. You’d think people would have figured it out from the name!

[1] I will use the term “privacy” in this article to encompass both senses.

[2] It’s actually 22 users, including yourself and the poster. It’s not clear just how random the list is; in my perusal, mutual friends seem to be preferentially picked.

[3] I am not suggesting that Google+ should prevent users from having multiple accounts, although Circles makes it much less useful/necessary to have multiple accounts.

[4] On the other hand, when it comes to third party data collection, I do not believe that the market can fix itself.

I’m grateful to Joe HallJonathan Mayer, and many, many others with whom I had interesting discussions, mostly via Google+ itself, on the topics that led to this post.

To stay on top of future posts, subscribe to the RSS feed or follow me on Twitter or Google+.

Entry filed under: Uncategorized. Tags: , .

Data-mining Contests and the Deanonymization Dilemma: a Two-stage Process Could Be the Way Out Everything Has a Fingerprint: The Case of Blank Paper

13 Comments Add your own

  • 1. Benlog » and the laws of physics changed  |  July 3, 2011 at 8:39 pm

    […] just introduced Google Plus, their take on social networking. Unsurprisingly, Arvind has one of the first great reviews of its most important feature, Circles. Google Circles effectively let you map all the complexities […]

  • 2. zubinwadia  |  July 3, 2011 at 9:38 pm

    Impressive insights, especially on identity.

    Google+ could experiment with disposable social interactions as well and see if people would prefer engaging others in a time-elapsed manner with no trace of the interaction upon conclusion.

    Google could still infer context and place ads, it just can’t store the information once the interaction concludes. Kind of like a hang-out but with text/pictures/video off-the-record.

    I am biased ofcourse – my startup is called SecretSocial and does just that!

  • 3. Brett Glass  |  July 3, 2011 at 9:47 pm

    On Google+, there’s one kind of privacy you will never have: privacy from Google. Google will gladly aggregate data on your relationships and contacts, combining it with the dossier it has built by tracking your Web browsing habits, reading your e-mail (if you use GMail), and tapping your phone book on your Android phone. This is the sort of privacy that people should be concerned about, and you will never have it if you use Google+. Just say no!

    • 4. Arvind Narayanan  |  July 3, 2011 at 9:59 pm


      That is a valid point, and I addressed it in the part about using client-side encryption on top of Google+.

      But with all due respect, it’s not for you or me to say what people should be concerned about and what they shouldn’t. Personally I trust Google more than most companies and I’m comfortable letting Google/Android manage my phonebook (but not, for example, with Google tracking my web browsing).

  • 5. youreallymustseebeneaththefascade  |  July 3, 2011 at 10:10 pm

    i still don’t understand how circles beats email. if i wanted “limited conversations”, i _will_ use email and contact groups. it is just as easy to email a latest picture, than it is, to send it to a circle. frankly web is about _public_ data. if you don’t want to share it publicly use a different protocol. i actually prefer wave to circles. it does something new. but circles same old crap but with extra cognitive dissonance.

    • 6. Arvind Narayanan  |  July 4, 2011 at 6:39 pm

      Hey, nobody’s forcing you to use it. Meanwhile the rest of us will be over here having fun, while you’re updating your “contact groups” in email.

  • 7. ab  |  July 3, 2011 at 10:14 pm

    “””First, this is not how the real world (or even email) works. Someone can repeat a secret you told them in real life, or forward an email, but they typically won’t broadcast it to the whole world. We’re talking about making something public here, something that will be forever associated with your real name and could very well come up in a web search.”””

    One can just forward the email to a public blog, such as posterous, with header information. And viola its public, indexable by Google.

    • 8. Arvind Narayanan  |  July 4, 2011 at 1:35 am

      Pathological counterexamples usually do not advance the discussion.

  • 9. lnx  |  July 4, 2011 at 1:28 pm


    I agree, Google has definitely got a lot thing right with Google+

    There is one little bit of “privacy” that could have been impacted for some though and this is the substitution of a previously selected Picasa Web Albums nickname, by the real user’s name. Of course, Google + users get notified about this when they create their account. You can “hide” your Picasa album from within Google + but you can’t change your username’s appearance on Picasa.

    Now, if you had a blog (on blogger) where you used a nickname, and you wrote a piece of text accompanied by a public photo album through Picasa (where you could previously also use a nickname), you must be aware that after joining Google+ your Google profile’s FirstName – LastName will show up everywhere (only for the public albums of course and next to picture comments).

    Perhaps this should have been explained in more detail by Google

  • 10. Martin  |  July 6, 2011 at 12:04 am

    Good article, thanks.

    We are eye witness of Google building up something that is never done before: No, not a good social network – Google is building a “layer” between you – the user – and the internet!

    What we will see is a step by step integration of all Goolge services (Maps, Gmail, Calender, Search, etc) and that construct in total is a massive threat for fb. With that layer Google will be able to deliver Ads so focussed, personal and relevant like its never done before, so that AdWords and AdSense will be obsolete some day.

    But even with this vision in mind, Google does not have to harm your privacy at all. Even better: Being respectful and keeping privacy will be in long term thinking a requirement for success.

  • 11. Bill Dietrich  |  July 9, 2011 at 7:02 am

    I don’t know, I’ve used Google+ for an hour or two, and so far it seems EXACTLY like Facebook. A little more eye-candy in the user interface, but otherwise identical. But all of my friends and family are on Facebook, of course. I don’t use any fancy features of FB or Google+, so I don’t care about differences in video-group-chat or whatever. I think there is a lot of wishful thinking going on, people hating Facebook and investing their hopes into Google+ being amazingly better.

    I’d like to get your feedback about a page I’ve created, about the good and bad features of Facebook and how they should fix it: Some of the issues and ideas may apply to Google+ also. Thanks.

  • 12. Joel Tremblay  |  July 15, 2011 at 3:56 am

    Hi Arvind,

    I just read an article on regarding Plus and Privacy. It seems that finding out who’s in each circles is pretty simple.

    They say that you can see who can read a post. After a few posts, you should be able to figure out, who else is in the same circles than you and possible deduct the context itself. After a while, when the post is shared in different circles, you can just find who’s in the other circles and again, deduct their context.

    They agree with you concerning social contexts in a social network but they have a good point when they ask if one should trust more Facebook with their info or Google who made $28 Billions in advertising last year only?

    Concerning the sharing button, I think that the fact that the button exists, it legitimates sharing other people’s info. “If I have the option, it must be OK.” Such incentive is non-existent in life. From a behavior perspective, it makes a difference. If you share someone’s secrets you only have yourself to blame, no interface.

    Thanks for the great reads. J.

  • 13. Rahul  |  August 15, 2011 at 5:05 am

    The privacy features are better than Facebook.
    But what really concerns me is whether Google+ will also be a victim of Social Media spam as Facebook and Twitter have been off late.
    As of now, it looks unlikely but as more and more 3rd party applications join the fray the problem might become intense.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Trackback this post  |  Subscribe to the comments via RSS Feed


I’m an associate professor of computer science at Princeton. I research (and teach) information privacy and security, and moonlight in technology policy.

This is a blog about my research on breaking data anonymization, and more broadly about information privacy, law and policy.

For an explanation of the blog title and more info, see the About page.

Me, elsewhere

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 265 other subscribers

%d bloggers like this: