Most of us have a hard enough time keeping track of the security implications of the services we’ve signed up for, but recently an assertion was made that should send chills down the spine of virtually anyone who ever uses the Web.
Namely, Google can scan and use the electronic communications not just of its own customers, but also those of anyone who sends emails or messages to business partners that do.
That disquieting little fact made the headlines when Google cited a ruling in a 1979 court case earlier this year while defending itself in a class-action privacy lawsuit over Gmail that was filed in a U.S. District Court in San Jose, Calif.
The ruling in that case, Smith v. Maryland, stated, among other things, that “a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.”
Google also stated, in essence, that non-Gmail users provide implied consent to Google’s practices because all users of email must necessarily expect that their emails will be subject to automated processing.
That means electronic communications sent by a business that does not use Google’s services to one that does will fall under Google’s terms of service.
Google’s ToS states that uploading or otherwise submitting content to Google’s services gives Google and its partners a “worldwide license to host, store, reproduce, modify, create derivative works, communicate, publish, publicly perform, publicly display and distribute such content.”
Those rights are for the purpose of operating, promoting and improving Google’s services and developing new ones, the company says.
The license continues even if the subscriber stops using Google’s services.
“Google claims that people who have Gmail or a Google App have read [its] ToS and that the ToS explains that Google will read their emails and analyze its content,” said John Simpson, privacy project director at Consumer Watchdog.
“Non-Gmail users who send to Gmail addresses don’t consent to anything,” Simpson told the E-Commerce Times. “I guess that’s why Google says they can’t expect privacy.”
Google “reads all the content of email messages, including attachments that are sent to Gmail or Google Apps users from a non-Gmail user, without the permission of the sender,” Simpson continued.
That means Google “has access to this material and is doing whatever it wants with it,” he added.
“We take our users’ privacy and security very seriously,” Google spokesperson Nadia Blagojevich told the E-Commerce Times, repeating a statement the company has used frequently in response to the furore triggered by its citing of the Smith v. Maryland ruling. “Recent reports claiming otherwise are simply untrue.”
Google has “built industry-leading security and privacy features into Gmail — and no matter who sends an email to a Gmail user, those protections apply,” Blagojevich added.
‘We Know Where You Are’
Despite its protestations, Google and privacy issues go way back.
To wit: “We know where you are,” then-CEO Eric Schmidt reportedly said at the Washington Ideas Forum in October 2010.
“We can more or less know what you’re thinking about,” Schmidt added, echoing a statement he made the previous month during a keynote at the IFA consumer show in Berlin.
“We know where you are, we know what you like,” he stated at the time.
Going Back To First Causes
The class-action suit that sparked this uproar alleges, on behalf of both users and nonusers of Google Apps, that the company “unlawfully opens up, reads and acquires the contents of people’s private email messages” and that it tells users the messages are automatically scanned or filtered for unwanted spam and viruses.
The suit also alleges that Google does not disclose the extent of its processing.
Google’s defense, apart from forwarding the Smith v. Maryland ruling, is that the plaintiffs who don’t use Gmail gave implied consent to the company’s practices because “all users of email must necessarily expect that their emails will be subject to automated processing.”
Under federal law, the consent of a single party to a communication is complete defense against any liability, Google further pointed out. Indeed, courts “have held that the continued use of a form of communication that an individual knows may be monitored or recorded is sufficient to supply consent under the Wiretap Act — even if there was no meaningful choice,” Google contends.
“The plaintiffs cited particular laws in bringing the lawsuit, and Google is arguing in their motion to dismiss that (a) there is a specific carve-out within the language of the statute for their actions, or (b) that the statutes themselves don’t apply,” Brian Pascal, research fellow at UC Hastings College of the Law’s Institute for Innovation Law, told the E-Commerce Times.
It’s worth noting that there has been considerable dispute over the meaning and context of Google’s statements.
The attorneys for the plaintiffs did not respond to our request for further details.
‘It Would Destroy Its Brand’
In its filing, Google also contends that, in essence, all email providers conduct automated scanning of emails.
In fact, Microsoft also scans emails to block spam, Stefan Weitz, the company’s director of Bing search, has reportedly said. The difference, he added, is that Redmond’s intent is benign while Google’s is bad.
Facebook scans private messages to boost “Like” counters on third-party websites, according to Sophos’ Naked Security blog. It also scans postings and chats for criminal activity.
While Google’s TOS do state that it can publish content served up to it, “I can’t imagine Google ever doing it,” Rebecca Jeschke, digital rights analyst at the Electronic Frontier Foundation, told the E-Commerce Times.
“Imagine the backlash — no one would ever use Google again,” Jeschke continued. “It would destroy its brand.”
There is actually nothing new in Google scanning emails to deliver ads whether users want them or not, and non-Gmail users getting caught up in this whether they want to or not, Jeschke asserted. Nevertheless, “it’s still as creepy as it was all along.”
In any case, as long as Google’s scanning is automated, there is little cause for concern unless companies want to forgo electronic communications altogether.
“If you equate the automated processing of content on a remote server with reading that content,” UC Hastings’ Pascal concluded, “then it sounds like you might have a problem with quite a few Internet companies beyond Google.”