The important thing to consider when you're thinking about privacy on Google Wave is that it's not fundamentally any different from e-mail, Facebook, or a wiki. When you send someone an e-mail, they can choose to forward it along to whomever they want. When you post on Facebook, your friends can see it and comment (or pass it along, if they copy and paste it). When you post on a wiki, someone can come along and change it. Wave doesn't change any of that, it just automates the process of sharing and changing and brings it all together.
Google isn't developing Wave as an internal proprietary system that they maintain control over (like Facebook). They're making it like e-mail, which means that anyone can set up a Wave server, and it should work the same, and inter-operate seamlessly with Google, and everyone else out there with a server and a peering relationship. This in itself dictates that users will have limited control over who sees what information, and how they can control it.
In a closed system, it can be possible to un-send a message, or to prevent someone from easily passing along what you send to them (at least, in the same form). Wave is not a closed system. Once your information hits a foreign server, you can have no control over it, and so in order to create a consistent system, once your information is sent to any other user, you can't take it back.
What kinds of controls are possible?
If you have any kind of information, you can send it to certain people, and not to others. You cannot prevent them from sharing that information, but you can refuse to accept their changes to the canonical version of the information (at least, canonical according to you). So it is theoretically possible to divide people into three categories with respect to information:
- Those with no access. These people don't know about the information at all.
- Those with limited access, who can read, but not change the canonical information.
- Those with full access, who can both read and write changes back to the canonical information.
So using Wave means that you must trust those who you share with, not because Wave makes it possible for information to be passed along to more and more people (or to everyone), but because it makes doing so very easy.
One thing that is not currently in the preview, but will be in the final product (nay, protocol) is federation. Federation basically means that Wave will eventually be like e-mail, because Google will agree to exchange Wave information with Yahoo, and Microsoft, and Apple, and even Bob's computer in his parents' basement. Everyone except, hopefully, spammers, but I'm sure they'll find some way in. Joe@googlewave.com will be able to add firstname.lastname@example.org and email@example.com to the same wave, and it will not be any different from adding firstname.lastname@example.org.
I'm not certain what Google's plans are for the 2nd category. Personally, I would find it quite useful to allow only certain people to edit, but a larger set of people to view (and possibly comment on), but not edit a blip. This would be perfectly doable in terms of federation, except that a foreign server can perform any action that its users have a right to do, so granting write access to email@example.com might give firstname.lastname@example.org write access too, depending on how the acmewave.com server is coded.
Actually, I've been thinking a lot about writing a robot that would allow me to expose the content of a wave to the public through a website (e.g., a blog), and allowing the users of that website (optionally including anonymous users) to interact with the wave using the website and the robot as their proxy.
Basically, it would be a lot like Bloggy, but without needing to make the wave public, and with finer-grained control over user actions. The first step would be to make a robot that simply reads the wave contents, and posts them on the web, updating the website whenever the wave is updated.