In a court case by people who object to the privacy intrusion of scanning their email Google defends itself by saying 'that's the deal, you signed up for that business model'. You get ads in exchange for a free service.
Fair enough, but do you feel that extends to people who just exchange emails with Gmail users while having an account elsewhere?
The plaintiffs state that Google "unlawfully opens up, reads, and acquires the content of people's private email messages." It quotes Eric Schmidt, Google's executive chairman: "Google policy is to get right up to the creepy line and not cross it."
Google now states it's service is comparable to delivering a letter in an office where you can't guarantee only the intended recipient will read it. It seems fair to counter that by the analogue of the postal service which only reads the address and doesn't open the envelope.
If you signed up for a Google Gmail account you agreed to the scanning of your email, but if you exchange emails and one of you is not on Gmail what do you expect happens:
1) nothing is read by any Google bot
2) everything is read by a Google bot and possible by the other persons service provider as well
3) only the stuff you sent (assuming you're the one with the gmail account
And if you use business email as well where one of you has a Gmail account, does your company allow this exchange?
Interesting case with many more aspects. See coverage on http://www.theguardian.com/technology/2013/aug/14/google-gmail-users-privacy-email-lawsuit
and the full text of Google's plea to dismiss the case here http://www.scribd.com/doc/160134104/Google-Motion-to-Dismiss-061313 #Tech
Critics call revelation ‘a stunning admission’ as Google makes claim in court filing in attempt to head off class action lawsuit
It is only time to worry when the Google bot starts replying to them! But anyone can read mine, they are full of spam and nerdy articles.
misquoted all day long http://readwrite.com/2013/08/14/google-didnt-just-screw-gmail-user-privacy-lawsuit#awesm=~oewx1vlmVQGEg0
I don't understand this. All the e-mail exchanged by the two parties goes through gmail's servers (whether outbound or inbound). Google can, and does, process (scan) it for use in their advertisements. Whether it's inbound or outbound really doesn't matter.
Why would someone who doesn't use gmail's service expect them to refrain from scanning anything they send to gmail?
Also, as I've mentioned in other posts on this topic, this whole thing is being blown out of proportion by people who don't understand the technology behind it.
If you want privacy, encrypt your e-mail content and/or find a secure provider. If you don't like gmail's privacy policy or the fact that they scan e-mail content to provide you with targeted ads, delete your gmail account and get something else.
+Russell Deasley Fair enough, but the "I have nothing to hide" approach is dangerous
I have no issues with this. If I want privacy, I can have someone write me a note, and then I can burn the note upon delivery.
If I'm going to see ads, they may as well be relevant to me.
I've shared this Guardian article as well +Max Huijgen and I feel that Google has let us down. The control that the US has on email and social media is something that we in Europe probably need to address.
The 'delete your gmail account' is besides the point +Raphael Schmidt We're talking about people who don't entered into a legal agreement with Google.
+Andrij Harasewych +Russell Deasley it's not about you as the owner of a gmail account, but about the other party.
Where should that link go +Luke Olson?
+Max Huijgen Any internet service that provides email, "reads" your email in the sense that it will pass several filters(being those, spam, antivirus, ads targeting, etc). This is an automated process that happens in more places than Gmail. There's definitely no guarantee that your email won't be "processed" . If you have concerns about this, the only thing that anyone can suggest is to use PGP to encrypt your email.
I disagree, +Max Huijgen. The counterpart to my 'delete your account' suggestion is the following: if you want privacy, don't send confidential e-mail to gmail users. Tell them you won't risk the breach of privacy. Insist that they get a secure provider before you send them anything that you don't want scanned.
Anyone who has worked in electronic security will tell you that the first rule is to never, ever expect plaintext to be safe. Not in a database, and certainly not in an electronic transmission.
Nothing is preventing people from encrypting their communications. There are applications and plugins that will do this, and Google can't (at least not without considerable effort and computing power) crack this type of encrypted message.
So why all the fuss?
+Max Huijgen link goes to readwriteweb. I've updated my comment to exclude the shorten link, because i can't use bit.ly properly
I worked between 1996 and 2004 in an ISP. ALL mail is read and scanned! What's all the fuss? I mean, do you know why you don't get tens of virus attached emails? Do you know why you don't get 90% spam, 10% real mail? Because EVERY mail is automatically processed! I remember, about 20 years ago, already explaining people that email is not like a letter but like a postcard. Everything you write may be read/processed. If you don't want this to happen, encode your mails.
+Max Huijgen .. Every email is read by bots by every email provider. Even if you paid for that service, this will be done to fight spam and malware. Whether someone has a google account or not is irrelevant. If they are sending something to a google account(or to any other email account) their email will be scanned.
+Pedro Marcolino +Raphael Schmidt +Víktor Bautista i Roca it's not that I don't understand how it works or that I don't know the only solution is encryption, but these are mute points.
That things 'always are done this way' doesn't make them okay, nor in compliance with the law nor a given.
In the old days of mail (yes written letters) there were no envelopes and the postman read the letter for you as lots of people couldn't write.
New technologies take some time to settle and I for one am pretty sure that ten years from now emails won't be 'routinely scanned'.
Full encryption will become a realistic option with Gmail like ad-sponsored models to be the equivalent of the old hotmail account. Not to be trusted and not in use for business exchanges.
+Max Huijgen _«New technologies take some time to settle and I for one am pretty sure that ten years from now emails won't be 'routinely scanned'.» That would mean going back to the times of getting tens of virus per day and 90% of your mail being spam…
http://www.theverge.com/2013/8/14/4621474/yes-gmail-users-have-an-expectation-of-privacy
Not to mention that, by definition, the entire Internet needs to make copies of your data in order to function at all, regardless of whether you use email or any other protocol. Besides, Google already gives you a method to opt-out entirely from interest-based ads if you want to. You'll still get ads, but it won't be generated from your email. Would you prefer your spam relevant or not?
There are more ways to fight spam. Reading the contents is a very limited way +Víktor Bautista i Roca
+Mike Trieu there is a misunderstanding that I complain about Gmail. I use it myself, never see an ad by the way, but this was about people who don't have a gmail account and whose mail is read.
That its used to deliver ads is not the important thing.
+Max Huijgen As fas as I know, is the more effective. Yes, you can have greylists and so on, but automatic scanning is a must. And what about virus and malware?
+Max Huijgen _«whose mail is read.»_ We should make clear what "read" means. Their mails are scanned, processed, whatever, but not "read". At least as a human writen text is expected to be read.
+Max Huijgen, I don't see how you can claim that you understand the technology if you think e-mail will not be routinely scanned in 10 years.
As +Mike Trieu mentioned, this is not merely a requirement for e-mail; it is a requirement for the internet to function.
I have operated mail servers. Would it surprise you to know that as the administrator, I can read all non-encrypted incoming and outgoing e-mail? Would it also surprise you to know that despite the internet community's best efforts, it is a relatively simple task to send an e-mail appearing to come from any valid address, including the one used by the president of the United States?
The technology involved is not trivial.
As for your last point, it is possible, today, to encrypt your business e-mail, even on gmail. People use gmail because it's convenient, not because it's secure and private. At the risk of being insulting, I would say that anyone who expects privacy from gmail is at least ignorant and at most an idiot.
The ways around the privacy issue are clear and available to anyone who really cares.
+Max Huijgen Any spam software available today(and the same goes for antivirus) does this. They might, at some point, use signatures, but content verification is still the best and most effective way of doing this and signatures are created based on this content verification.
The only way to not get any mail verified, is to not have a mail account and use normal post mail , and even there there's no guarantee that it won't be verified(for example it's very common when mail goes to a different country for a small part of it to be manually verified, and yes this has happened to me before).
To be blunt it's unreasonable to expect 100% privacy from any long distance communication whether it's email, phone or snail mail. The only way to be truly private is to be facing the other person in a place where no one else can hear or see you. Or else lock the doors and communicate with no one in any way.
I'd rather have people from a company like Google look after my private data than, say, Microsoft or oracle… Paranoia isn't a very healthy thing. As a user, what exactly am I supposed to fear? Do we really have to live in a society where we aren't allowed to trust anyone, where terror is the rule and pray at the altar of false journalism to save us from the enemy which isn't even there? I don't want this kind of life.
Business mail isnt scanned for profiling.
And we should redefine privacy.
Algorythms scanning mail is not breaching my privacy in my book.
+Raphael Schmidt of course I know the sysadmin can read the emails. I have an email account since somewhere in the mid eighties and around that time maintained our unix servers. I do understand the technology, but there is no reason to accept the status quo.
+Jean-Loup Rebours-Smith
I prefer Google to read my email
That's why I asked if you would expect that your emails were scanned by the other party's provider.
What do you mean by 'business email isn't scanned +Riël Notermans How does your service provider know it's business email?
+Max Huijgen Good new Max. In the near future Google will no longer need to scan emails to tag them. Have a look at http://www.wired.com/wiredenterprise/2013/06/d-wave-quantum-computer-usc/ . However, you'll still have "privacy" problems with any other email provider 🙂
I use Google Apps for Business, thats what I mean.
+Max Huijgen I'm assuming he signed a contract with Google for a business account. Everything sent and received through that account should be "business".
Quantum can improve on Bayesian spam filtering, but I'm pretty sure that's a dead end anyway. There really are lots of other and often better ways to fight spam, but that's beyond this post.
Compare with post: some of you would have protested the 'invention' of the envelope as a) you have nothing to hide b) why live in a world with privacy and c) the postman can't read the letter to your grandma who never learned to read herself (quite common when postal services got popular).
Oh and d) how could the postman throw away junk post if it was covered by an envelope 🙂
+Max Huijgen, again, I don't understand what you're talking about.
The status quo you mention is purely voluntary. There are multiple options available to users who don't want to expose the contents of their e-mail to third parties.
So what's the real problem? There is no lack of choice. Google isn't forcing anyone to abide by their rules. They provide a service, and people are free to use it or not.
to put email technology and 'etiquette' into perspective. Less than 15 years there were about 30 million email users worldwide.
Compare with the few billion we have now.
Ah +Víktor Bautista i Roca regarding your argument that 'read' necessitates a human reader: I beg to differ.
I would venture that more information can be extracted by machine scanning than by human reading. Google knows more about you than a co-worker who sometimes reads your emails.
+Raphael Schmidt now you go back to the 'accept Google's conditions or leave' argument, but again that's not what this post is about.
It's about reading emails from other accounts, not connected to Gmail.
Tnx +Riël Notermans but again, if you email with someone else your email will be scanned for ad profiling.
However the crux is that your email is anyway scanned as Google considers this a crucial service.
+Max Huijgen I would argue that by merely converting an SMTP message into a webservice-readable format, any email provider has already had the opportunity to "read" any other provider's email messages. It didn't involve any humans, yet it parsed all the content in order to provide a different presentation. You don't think that Yahoo or Microsoft doesn't store metadata about the contents of received messages?
+Max Huijgen, no, that's completely wrong.
It's about reading emails that are sent to gmail accounts. These are stored on Google's servers and belong to their recipient (the person who accepted Google's terms).
Do you believe that when you send me a letter, it is still your property? I would argue that once you've sent it and I've received it, it is now my property.
If I tell my postman he can read all my mail, that includes both incoming and outgoing mail, and the sender of that mail has no claim to privacy.
I understand the argument you're trying to make. However, I think it's unreasonable because of the reasons I mentioned above. The mail is no longer the sender's property. It belongs to the recipient, who has agreed that it can be scanned. Therefore, Google has no legal obligation to respect the sender's privacy.
Legally that's not sure as we need to await the outcome of the court case(s) +Raphael Schmidt Your argument is not used by Google's defense and I think for good reasons.
This goes back to post and later fax. If you send a letter and it gets in the wrong hands, the receiving party can expect it to be destroyed. This is a matter of case law and it could easily be extended to email.
Basically, you don't lose your rights to the content and the privacy of it just because its processed by the recipient.
An interesting point, +Max Huijgen. I agree that we will need to wait and see the outcome of the lawsuit.
However, we are not talking about mail being sent to the wrong party. That is a completely different situation.
Is there anything stating that, without prior agreement between the two parties, the contents of a normal letter are protected?
Up until delivery a letter is protected by postal laws which within the Western world converged to a similar standard. Part of it being that a 'third party provider' a status which Google claims can't claim possession or rights on behalf of the recipient.
A complex way to say that your postman can't open your letter as long as it's not delivered.
So your argument that Google can do what they like on behalf of you as the owner of a gmail account doesn't hold.
However Google claims that it 'has to' scan mails to provide decent service. As they don't seem sure enough they also claim they are allowed to do so and exempt from the regulations protecting phone calls and traditional post.
+Raphael Schmidt
"Delivery" in terms of email would be arrival at the destination server. Since the user of the email account has agreed to the TOS and EULA which state that all email will be scanned and used for advertising ect… unless you choose to opt out I would say that there should be no reasonable expectation of privacy.
The sender from another email service provider did not agree +Clayton Reeves
And delivery is established once the recipient has it.
So…what defines "has it"? Does merely clicking on the link to open the message count? If so, who's to say Google doesn't do the scanning on-demand?
The USPS considers delivery placing your mail in your mailbox, for email the would be analogous to the server.
As for the sender, if they don't like a certain companies policies then they shouldn't send anything to anyone using that company.
It certainly is not a line of defense Google wants to use +Mike Trieu You can read yourself at http://www.scribd.com/doc/160134104/Google-Motion-to-Dismiss-061313
Linked this in the OP, but so many comments later it's easy to miss that we have the 'horse's mouth' on record.
+Max Huijgen, I didn't say Google can do things on my behalf. I said Google has every right to read my mail (yes, once it's delivered), because I agreed to their TOS, and it's my mail, not the sender's (once it's delivered) anymore.
I think +Clayton Reeves is correct. As gmail is primarily a web-based service (although it can be accessed via POP or IMAP), the final destination is Google's servers.
Also, is Google claiming they have to scan e-mails to provide decent service, or are they claiming that they provide a free service, with terms of service that are presented at user registration time, one of which is that they can scan e-mails for targeted ads?
I think it's rather disingenuous to imply that Google believes they couldn't provide decent service without scanning the contents of mails. They would probably say that removing the scanning would degrade the quality of their service, and they're right.
There are a few reasons gmail is so popular: it's free, there's a lot of storage, it's fast, and they have great spam filters. The spam filters obviously depend on the characteristics of the contents of the e-mail as well as the e-mail headers in order to do their job. And they do a great job. I would hate to lose gmail's spam filters because some people disagree with the notion that a service provider can scan their e-mail.
See my comment to +Clayton Reeves it's not an argument Google makes.
As for Google being popular or being appreciated that's not the issue here. Microsoft, Yandex, RediffMail, etc will scan your emails if you exchange emails with people using their services.
+Max Huijgen, the motion to dismiss contains this quote: Indeed,“a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.” Smith v. Maryland, 442 U.S. 735, 743-44 (1979)
That is not substantially different from my argument. By sending mail from any provider to an @gmail.com address, you are voluntarily turning over your information to third parties.
And then, a little bit later, there is this quote:
Similarly here, non-Gmail users who send emails to Gmail recipients must expect that their emails will be subjected to Google’s normal processes as the ECS provider for their intended recipients. Indeed, when the non-Gmail Plaintiffs filed their initial complaints, some specifically alleged that they continued to send emails to Gmail users despite their knowledge of Google’s automated scanning (as confirmed in their complaints).
That's my argument, right there in the motion to dismiss: if you don't want Google to scan your e-mail, don't send it to gmail users.
+Max Huijgen, have you ever actually administered an e-mail service, and been involved in trying to keep spam under control?
Content-based filtering is essential to do it effectively. You can't rely on addressing, headers, or even communication patterns, only content analysis gives you any significant success.
If you compare email with fysical mail which is protected and may not be opened by postman it has one consequence:
You have to put a stamp on every message you send.
Note here that it's hard to know if the target person is using gmail. You may send me email @voidstar.com but I redirect it all to @gmail.com to take advantage of Gmail's spam control, search and archiving. I'll then download it using pop3/imap to yet another system.
It's probably only if I forward it back to you, that the headers and so the full route becomes visible to you. Anything else like reply is likely to strip all the headers. And I use a different route for outgoing (because yahoogroups has a stupid quirk), so that won't show up as @gmail either.
I presume that Gmail does not profile YOU as a sender.
It might use the content of your message to profile the Gmail receipient!
I don't think you can make an issue out of that.
+Raphael Schmidt the arguments you quote are based on the specific case where the senders were very aware of Google scanning their email. If you scroll back you will notice. I wouldn't hold for a 'general' non Gmail user.
Good point +Julian Bond
+Riël Notermans I don't think anyone objects to the specifics of scanning for ads, but they oppose the (machine)reading of their emails.
Why?
No, Google claims it applies to any user of any e-mail service. The quotes refer to the non-gmail plaintiffs specifically, but the section states that anyone using e-mail must necessarily expect it to be scanned by automated processes.
+Raphael Schmidt will check it later. Maybe i misinterpreted.
+Luke Olson Your links were automatically removed as they were considered spam (incorrectly). I have just restored them manually.
+Max Huijgen
"+Riël Notermans I don't think anyone objects to the specifics of scanning for ads, but they oppose the (machine)reading of their emails."
So what exactly is machine reading? It gets 'machine read' a lot: to know where the mail has to go, to present the mail to another person, to open it, etc.
If the end-user you send the mail to, wants all mail from you about a party in a particular label on his own device locally. He sets up his own filter, to use your content to filter it and do something with it.
It is 0,0 difference to what Google does with your mail… since in both cases you, as a sender, have zero to do with it. It won't come back at you either way.
You follow that thought?
part of what you describe is the meta-data +Riël Notermans and these are essential for email to work, just like proper addressing on an envelope.
The sorting etc you describe at the end-users place is no problem: this court case is about people complaining that Google does the reading.
General note: I'm fully aware how things work, I happen to have implemented a Bayesian filter on a mail exchange, know my protocols etc. If you want to discuss the post: great. If you want to explain how things work assuming I'm a bit slow on the uptake: waste of time.
+Max Huijgen, I apologize if I seemed skeptical about your technical knowledge.
Many of the things you are saying (comparing to physical mail, dismissing the technical solutions as irrelevant, etc) struck me as the types of things someone relatively non-technical would say.
However, I realize that you are focusing on the legal and societal implications and not the technical reasons behind them, and that's fine.
Again, I apologize if you were offended by my comments.
+Max Huijgen I mean if I decide to filter on a word in the subject (which I do a lot).
Still hard to make my point (which is probablt my own fault) :p I mean, it's not actual reading, and the scanning of the mail does not have any consequence for the sender.
No problem +Raphael Schmidt I always hesitate between putting in a disclaimer stating I do understand the technical side of the subjects of my posts or leave it as it may sound pedantic.
Just checked the references to your quotes from the motion to dismiss +Raphael Schmidt
The first one won't hold as basically it refers to meta data (telephone number), not content which is the subject of the complaint.
Second quote is the same I referred to when I commented that these were specific circumstances, not covering the general position of people sending mail to gmail accounts.
The general argument you proposed is never made in Google's defense statement.
+Riël Notermans I understand what you're saying and of course this is part of a service people expect from an online mail provider. Beware though that sorting, filtering and all other manipulations used to be done after the recipient / his company got the email.
In other words you used to do this locally and not remote so the functionality Google offers is not covered by existing case law.
To summarize: Google offers services which were abandoned by traditional mail (postal) services. No doubt (some) people would have loved the postal service to dump junk mail, sort stuff on relevance, read the letter aloud and check packages on dangerous goods, but they didn't for good reasons: the postal secret.
+Max Huijgen RIGHT?
"DON'T READ MY EMAILS." but then, god forbid that same person gets some spam in their inbox! "GODDAMN WHY CAN'T THEY TAKE CARE OF SPAM!"
hmmm…
Sure +Andrij Harasewych that's why I have often suggested to Google to give a total opt-out where email is black-boxed (not encrypted, but the minimal treatment necessary).
So far Google employees were positive about the idea, but the decisions about all 'processing' are made by a small circle within Google and there is an extreme secrecy governing it.
+Max Huijgen, what would the "minimal treatment" include/exclude?
Keep the email in TLS/SSL state throughout Google transport and store it encrypted would create a base line +Shawn Willden
+Max Huijgen, we apparently have very different interpretations of the Motion to Dismiss.
Not only does the clause my first quote is from not mention metadata, it explicitly states that messages can be recorded. How is that about metadata (phone numbers) and not content (recordings)? It is purely about the contents of the messages.
As for my second quote, Google explicitly states at the beginning of the clause that all users of e-mail (not gmail exclusively) must necessarily expect that their emails will be subject to automated processing. That is very general, including users of all e-mail services, and not a specific group, as you claim.
Are we reading the same document?
We read the same text, but I read it with a bit of training: Smith v. Maryland is an amendment on the general rule that telephone calls can't be wiretapped. It makes an exception for the 'meta-data', being phone numbers in the case of phone calls.
The second quote starts general, but it's legal claim is narrow.
Ok, fair enough. I am not a lawyer, I'm a technologist.
Spent years in university studying international law, but in my free time I programmed large scale 3D visualization software so I'm a bit of both.
Encode mail leaves the third party/ encryption with access to the "Private" mail. They will have keys. Problem is not being regulated by government. A data base/ record; Once created- may be seized by any government. While US has limits on government needing cause and warrant to search; we see reports from other countries where social media is used to identify dissidents. And political repression follows. Each host country should legislate these data base records and limit the private sector from compilling/ data mining in the first place! Now all we have to worry about are the spy versus spy games in foreign intelligence!
+Max Huijgen, Google does transport email in SSL/TLS wherever possible (when transferring to other e-mail providers which don't support SMTP over SSL, it's not possible), and does store your e-mail encrypted. I don't think that achieves what you want it to (though I'm not sure exactly what you're trying to achieve).
I know they use SSL/TLS +Shawn Willden but I didn't know they encrypt it in storage. Any link to that?
No, +Max Huijgen. It's company policy to encrypt all personally-identifiable information at rest, but I don't have a public link.
I find it remarkable in view of the recent announcement that Google would start storing cloud data encrypted.
For consumers this is a fairly uninteresting statement but it does suggest it's not common practice within Google +Shawn Willden
Google Compute Engine data may or may not be personally-identifiable. Google doesn't know because it's managed by the developers of the app, not Google. Google is trying to help its GCE customers be as responsible with their users' data.
? +Shawn Willden they did decide to encrypt Google Cloud Storage themselves which will lead to less developers doing it themselves Check http://readwrite.com/2013/08/16/google-encryption-cloud-data#awesm=~oeUd1R2MQbt9Ye
Yes, "Cloud Storage" is the storage used by Google Compute Engine, which is what I addressed in my last comment. Google doesn't know what's stored there, and it's really the responsibility of the app developers. However, Google has decided to provide this encryption service to help them out.
I don't know why you conclude that it will lead to fewer developers doing it themselves.