Whatever happened to the concept of
Gentlemen do not read other gentlemen's letters?
Google faces a torrid court battle in the US after a judge ruled that a class action lawsuit brought against the company that challenges its practice of scanning emails for ad-targeting can proceed. Mountain View had protested against plaintiffs in the case, who claimed that Google had breached several stateside laws including …
Gentlemen do not read other gentlemen's letters?
Now you've got me trying to reconcile the concept of "gentlemen" with "Eric Schmidt".
Head asplode icon, please.
It was a flat out lie at the time. Nothing has changed since then.
Tell me, what's the difference between scanning it for ads or scanning it for spam? We need to be VERY careful what precedent gets set here.
"a person has no legitimate expectation of privacy in information he
voluntarily turns over to third parties Google"
There is a huge difference. For example opening a document and clicking find and searching for "Spam" and opening a docment and reading it all to see what it contains. The first one will inform you if the document contained spam, and the reader will gather no other information. The second one will result in the reader learning anout your porn habits from the pornsite that sent you the email in the first place.
My server side spam filter (Bayesian) reads each email and sorts them into tokens, then rates the email based on whether they are statistically likely to be included in a Spam email or not this is a fairly common spam filtering system.
Either way it is opening the email and since auto-learning is enabled it is, in fact storing information from the email in a database to aid in future spam detection.
My worry is that there is actually very little difference between what Google does and what I do from a technical standpoint and if non Google users can sue Google for what they do, what prevents spammers from making the same argument against me or any other mail provider that uses modern filtering techniques?
I dropped my ISP after they changed over to google.
does your spam filter handle mail for many people?
does your database link stored content to the to and from email addresses?
If both the above are true, start worrying
Tell me, what's the difference between scanning it for ads or scanning it for spam?
Yup, that's whyt Google is trying to use to talks its way out of that one, but it doesn't fly.
Scanning for malware entails scanning for a set of known (public) signatures of malware which is universally applied to everyone and which does not establish person specific data. Scanning for personal information is creating specific, personal information and association information that is used for purposes usually not very much under the control of the user - which means that even if the profile comes to wrong conclusions/associations, they are passed on as facts without consent or control by the user.
I must admit it's interesting to see an issue like this appear in the US courts - it's almost like they are trying to clean up a little privacy problem for Silicon Valley. Under EU law, Google is already breaking the law with this - worse, any EU company using Google at present for their corporate email is flat out in breach of EU wide privacy laws every time they receive a client email as no permission has been gained from the sender to pass it to a 3rd party.
BTW, if you think that Google doesn't know it's breaking the law (sure, after the last time they were found to be creative with Streetview), read their "help" texts. I think you may come to a different conclusion.
Indeed we do, since there also is precious little difference between either of the things mention and scanning for porn, links to copyrighted material, or indications of terrorist activity. My inclination is to think that my privacy is something I had best look after myself. Trusting the ISP or other email provider might work out, but it also might not.
My ISP's spam filter handles mail for a large number of customers. Yours likely does the same. Not being a Google (or Yahoo?) user I don't know the implementation of their database, but I question whether they trouble themselves to maintain a database targeting ads to non-customers.
They probably also don't succeed very well scanning PGP or GPG encrypted email, so that's an option, although it might interfere with web access.
There's reading, and then there's reading. Surely it can be regulated what falls under spam protection, what falls into advertising and what falls under pure snooping.
spam - messages scanned by machines and is never visible to human eye; no data is stored except patterns needed for machine learning, original emails encrypted in DB
ads - same thing technically, but the purpose is clearly defined for that of marketing
everything else should be flagged to the user in BIG RED FONT, that his emails will be read by humans and no privacy should be expected. Store your CC info in your emails? expect our admins to read it and Google to do whatever we want with that info.
People need to know upfront what they're getting into, and that's it. Want free service? You'll get ads with it, email reading, and your CC details in your emails are ours to distribute however we want.
One form of scanning is for commercial gain through harnessing the content of a non-consenting third party, the other is to provide a non-commercial** service to the user. If there isn't a legally defined difference, there probably should be because it has any number of uses in a networked world that probably wouldn't have applied before. The way I look at it is "I don't work for these people".
** You could argue that the spam scanning is 'commercial' in the sense that it is a feature used to attract users to a free email service that then generates revenue through advertising once they're on board. But revenue is not its direct purpose, and it is after all only a small component of providing the email service.
....is a reasonable author.
This will be interesting to follow.
The argument from Google will likely be that without scanning the mail, providing the service will be impossible from an economic stand-point, but that's simply a weird argument. They'll still have tons of information about the user whose gmail it is. They can still show all the ads they care for, they just can't read the contents of people's mail.
As for the information of who has sent you mails, that also offers a problem. Personally I don't like the idea that Google knows my email address (although they likely do since "friends" of mine have sent me g+ invites *sigh*), but on the other hand, in regular post the sender also displays his address prominently. I guess you might expect Google to not retain knowledge of who has sent mails to you. I don't expect the post-service to keep logs of who has sent mail to me over the years, so maybe even retaining information about who is sending mails to users would be a problem.
The personal assistant analogy is silly. Even if we accept it, it's still idiotic. Personal assistant can open my mail no problem, but please refrain from reading it, keeping notes about the content and then wear shirts displaying various ads that he/she deems I'd be interested in.
I'm more in favour of a post-service analogy. There are of course blatant differences, but the same level of privacy should be expected - primarily the cannot open my mail bit. But then again you pay for the regular post-service, so the analogy seems to hint at a problem all by itself. (As an aside: What about stamps that are instead adverts? Or envelopes made entirely from adverts? Both = free mail)
Now that we're kind of on the topic (or brushing it lightly), does anyone know of a free email service that has an automatic forwarding function? I should like an somewhat generic email that I can use for signing up, which will send mails on to my primary email.
@Eguro - you could try spamgourmet (http://www.spamgourmet.com/)
"Just as a sender of a letter to a business colleague cannot be surprised that the recipient's assistant opens the letter....."
It's not correct.
It should be:
Just as a sender of a letter to a business colleague cannot be surprised if the postman opens up your letters, has a little read, finds a relevant sales leaflet and then puts them back in the envelope, before handing it over to you."
There Google,fixed the analogy.
that should fall flat. It might make their model of free email untenable, but it doesn't make providing email as a service economically untenable. They might have to switch to a paid service, but those are the breaks.
I don't know who is officially listed on the suits, but I expect the first thing Google will now do is make sure none of them HAVE signed the terms of agreement.
Until a couple of years ago Yahoo didn't scan either and AFAIK MS still don't. Then if we look outside the US there are loads other free providers which don't scan. So it is viable.
The analogy I prefer is "a sender of a postcard cannot be surprised if the postman has a little read on the way to putting it in your mailbox." Google, with probability not significantly different from 1, does not read through encrypted email (the equivalent, more or less, of a letter in a sealed envelope), and even the NSA and friends probably almost never try to do so unless it is to or from a specific intelligence target.
Plain text email messages are open to scanning by many others than the email service providers, and most or all of those others are more to be concerned about than Google. How many routers pass along the average email message? Almost all of them have management ports available to administrators (not all of them possessed of high ethical standards), and potentially accessible by law enforcement officers, hackers of varying motive, and spies of various origins. Jumping on Google, which openly admits to scanning the email it processes, does nothing meaningful about the real problem.
Their argument is looking at the content of you email is necessary to run the service.
When the argument first cropped up the 'reg seemed pretty convinced - I said it was utter nonsense and people on these forums gave me funny looks so... :)
Just because it 'can' be read in transit doesn't mean it 'should', or that reading it is reasonable. I might not be surprised if the postie reads my postcards to while away the time, but I'll certainly be affronted - not unreasonably I think - if he attaches a stick on advert contextual to its content.
I'm personally not bothered that my average unencrypted mails are readable, but just because unethical types can do it, doesn't mean its ok for Google to profit from doing so. I thought ethics was supposed to be a bit better than "it's OK because I can".
Soon gmail users will get a message: You agree to letting us read the emails stored in your account, if you disagree, then you have 30 days to either buy a personal account or remove your emails from our servers.
Any way, if Google looses the case, does that means they will be forced to turn OFF their anti-spam and anti-virus system?
That doesn't work either. I have no more right to sign over the right to read their email than Google has to take it in the first place.
In which case the system in which gmail accept external emails will be changed. If the user pays for the account, then s/he will receive their emails immediately. If not, then whenever they receive an email from an external source, gmail will email that external source asking them to agree to the T&C, otherwise the email will be rejected.
Ether way, I meant the original post as a joke..... failed measurably at it, sorry.
FFS it's "loses" not "looses "
You lose, because you are a moron with a loose grasp of the language.
Write it out a thousand times until you understand the difference.
Friday: Beer: It's been a long week and the illiterate have been hard on me this week :(
Actually, English isn't my first language, but thank you for taking the time to point out my poor grasp of the language. And while you were at it, you reminded me why I stopped posting on El'Reg.
"That doesn't work either. I have no more right to sign over the right to read their email than Google has to take it in the first place."
Exactly. It's a non-starter.
you reminded me why I stopped posting on El'Reg.
Funny, I still see new postings by Anonymous Coward
If this ends up being enforced, where does that leave things like antivirus scans on incoming emails? What about using filters to sort mail into folders? Can a company complain if it's spam, sorry 'marketing', emails are getting automatically junked?
In the same place as other non-invasive searching that goes on in the Royal Mail (choose your local monopoly), such as X-Ray, drug sniffing, bomb sniffing, etc.
The issue at hand here is that Google is intercepting and "reading" private content and using it for economic gain, without consent of the senders. Whether that is wire fraud is something up to the courts to decide.
And what is this hate affair with Judge Lucy Koh relative to Google? Did she preside over a case in which Google was part? None that I recall, but I don't read her docket either.
If they were to win this lawsuit that would surely put paid to any e-mail anti-spam and anti-virus scanning at the server level?
This also involves a system "reading" the contents of an e-mail to determine if it is legitimate or not.
There would also be issues with corporate systems and accessing another user's mailbox or checking against company policy.
In reality I don't see the complaint - the ads only affect the G-mail user not the Sender who already knows about the service and has accepted the Ts&Cs. It's not as if Google are personally opening each e-mail to read it. They could open any e-mail at will for sure, but then so can any company that hosts a standard SMTP server and there is even a requirement to hold these plain-text message by some goverments for analysis.
"the ads only affect the G-mail user not the Sender who already knows about the service and has accepted the Ts&Cs"
No, the Sender (firstname.lastname@example.org) has NOT accepted the Ts&Cs. Well, not Gmail's Ts&Cs, anyway. He isn't a Google user. Goodness, he might not even ever visit a Google site. (Odd, these days, but not impossible.)
The complaint is that the external sender has not accepted the privacy-busting aspects of Gmail's Ts&Cs, and yet email he sends to email@example.com will be manipulated in those privacy-busting ways.
And yes, the complaint is also that Google *are* opening each email to read it, so that they can display ads that might be relevant to the content.
the ads only affect the G-mail user not the Sender who already knows about the service and has accepted the Ts&Cs
the ads only affect the G-mail user, not the Sender, who already knows about the service and has accepted the Ts&Cs
"And yes, the complaint is also that Google *are* opening each email to read it, so that they can display ads that might be relevant to the content."
In this case
Google == a big computer system
Opening == passing through their system and the bits (1s and 0s) being analysed for a pattern
From your PC, your router "opens your e-mail", so does your ISP, and any switches and routers in between including any system, software or hardware (of which there'll be a few).
What exactly is the privacy impact (above and beyond the privacy impact of any other normal SMTP e-mail system) - I really don't understand?
People don't complain that when they send a Word Document to someone Microsoft Word (The computer program) opens the document and reads it, analyses words and compares them and then shows spelling and grammar errors?
The point would be that the service isn't self-contained.
The things being done are not isolated to the mail itself.
Spam sorting could be done merely from addresses, something that is personalised by the user of Gmail.
The problem is when the actual content of the email is not just scanned for virus or spam, but is also stored, compared against marketing data, keywords saved to the google account for ads on other services. The sender email being stored as an active email, something for the broader system to know about.
MS word isn't sending the text file I sent to a friend and sending key words to MS and linking it with accounts and emails and any other information it can get away with.
As far as I know a letter is private to the sender and recipient, so the recipient does have the legal ability to publicize the letter. I think it would be legal for Google to have a "scan this mail" function. So that after a user has read a mail, he/she can allow Google access.
But of course it doesn't work in reverse, because there might actually be content in the mail that the recipient doesn't want Google to know about.
>If they were to win this lawsuit that would surely put paid to any
>e-mail anti-spam and anti-virus scanning at the server level?
Not really, as long as no information about the scanned emails leaks from the scanning process (i.e. is kept in a form that may allow linking it back to sender / recipient(s)).
"The problem is when the actual content of the email is not just scanned for virus or spam, but is also stored, compared against marketing data, keywords saved to the google account for ads on other services. The sender email being stored as an active email, something for the broader system to know about."
Where do you get this from?
As far as what is explained, and evidence shown, no "extra" e-mail is stored elsewhere. The ads appear based upon the content of the current e-mail. If you interact with those adverts then your interaction and profile is very likely to be updated to reflect that. It would be absurd to think that Google take a copy of every e-mail remove extraneous words and store it elsewhere on the system as part of your profile. This would add 50% to the storage size for absolutely no reason whatsoever.
It would be prudent to assume that the ads work just like any other system such as spell checker or website underlines that find keywords. i.e. it uses an algorithm to find paid for search terms and displays a relevant ad next to it. The advertisers doesn't know who you are, who the sender is, what your e-mail contained unless you interact with the advert and that would be similar to the search referrer from a search engine.
"But of course it doesn't work in reverse, because there might actually be content in the mail that the recipient doesn't want Google to know about."
That is just anthropomorphism. You are personifying a computer system.
Do you know how a mail server works? If you don't want someone other than a recipient to know the contents of an e-mail you have to use reliable encryption that isn't broken or backdoored. There is no other way.
How about this then:
"there might actually be content in the mail that is meant only for the sender and receiver"
"there might actually be content in the mail that the recipient doesn't want Google to scan"
Now it could be that it's all very innocent. The system simply looks for key words and sends for ads related to that.
But Google has built an ad-empire on having a profile for their users. So when Legitmailaddress-gmail.com get an email, it seems unlikely that it would only go for ads related to "Thailand" and "travel" as was stated in the mail, but also for this or that type of travel based on other information it has about that user.
If Google believes it is allowed to scan user emails, then why wouldn't they throw this into the mix of profiles? Why wouldn't it use this information in full?
And no - not copying the email and keeping it, but extracting whatever is deemed to be useful information. Adding emphasis to some information or other that is already in the user profile, reducing emphasis.
And, as I've stated elsewhere, also know that some email or other is actually in use.
"you have to use reliable encryption" - Perhaps that is how it is, but that is not necessarily how it ought to be.
- but the systems have to scan the mail to be able to forward the information. That is true! This does not mean that whatever is scanned should then not simply be destroyed afterwards.
Just because I send a postcard, doesn't mean that the postman should feel free to read it and make notes about it.
It's like a really accurate chain of whisperers, but with the added function that every whisperer along the way from sender to receiver are able to actively forget what they whispered.
Incidentally what "evidence shown" are you talking about. I might have missed it! - Not irony/sarcasm/snark - legitimately curious!
..since the only emails it ever gets are from them and apart from the ggogle scholar citation updates they all get periodically deleted unread.
only the gullible and stupid would believe that.
On the flip side - i am sure the judge would enjoy generating plenty of work for fellow lawyers .
Interesting to see what happens for companies and ISPs that white label gmail. Virgin Media is one. I need to go back and read the T&Cs to find out what they said...
Comes back to "if you're not paying for it, you're not the customer, you're the product being sold". (Except if you're paying your ISP, you are the customer)
Indeed, 'a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties'.
- Stupid comment. In describing itself, Google uses words like "mail", "inbox", and "your messages", all concepts related to, and implying privacy.
In the context of email, those words do not imply any privacy to me.
If you think your email and inbox is private.... You might want to look into how email works.
"...after a judge ruled that a class action lawsuit brought against the company that challenges its practice of scanning emails for ad-targeting can proceed"
for ad-targetting ? They assume too much. Google might say it uses the datamine for advertising. But we don't really know what Google does with our info, or what it might elect to do in future. Advertising is merely the most innocent-sounding of the possibilities.
Actually, it seems to me that Google's point is a good one.
If somebody sends an email, they are normally letting the recipient do whatever they want with the email, including forwarding it to third parties, publishing it in a newspaper, or indeed, letting Google read it.
I believe that in general, you make no assumption when sending a letter to someone that no one else has the right to read that letter. If the recipient decides to publish the letter, he publishes it.
In fact, only governments (ha!) seem able to restrict the right of the recipient to publish their letters. This is precisely the criticism that has been leveled at National Security letters and "super injunctions".
"If the recipient decides to publish the letter, he publishes it."
That is a breach of the sender's copyright.