Whatever happened to the concept of
Gentlemen do not read other gentlemen's letters?
Google faces a torrid court battle in the US after a judge ruled that a class action lawsuit brought against the company that challenges its practice of scanning emails for ad-targeting can proceed. Mountain View had protested against plaintiffs in the case, who claimed that Google had breached several stateside laws including …
There is a huge difference. For example opening a document and clicking find and searching for "Spam" and opening a docment and reading it all to see what it contains. The first one will inform you if the document contained spam, and the reader will gather no other information. The second one will result in the reader learning anout your porn habits from the pornsite that sent you the email in the first place.
My server side spam filter (Bayesian) reads each email and sorts them into tokens, then rates the email based on whether they are statistically likely to be included in a Spam email or not this is a fairly common spam filtering system.
Either way it is opening the email and since auto-learning is enabled it is, in fact storing information from the email in a database to aid in future spam detection.
My worry is that there is actually very little difference between what Google does and what I do from a technical standpoint and if non Google users can sue Google for what they do, what prevents spammers from making the same argument against me or any other mail provider that uses modern filtering techniques?
My ISP's spam filter handles mail for a large number of customers. Yours likely does the same. Not being a Google (or Yahoo?) user I don't know the implementation of their database, but I question whether they trouble themselves to maintain a database targeting ads to non-customers.
They probably also don't succeed very well scanning PGP or GPG encrypted email, so that's an option, although it might interfere with web access.
There's reading, and then there's reading. Surely it can be regulated what falls under spam protection, what falls into advertising and what falls under pure snooping.
spam - messages scanned by machines and is never visible to human eye; no data is stored except patterns needed for machine learning, original emails encrypted in DB
ads - same thing technically, but the purpose is clearly defined for that of marketing
everything else should be flagged to the user in BIG RED FONT, that his emails will be read by humans and no privacy should be expected. Store your CC info in your emails? expect our admins to read it and Google to do whatever we want with that info.
People need to know upfront what they're getting into, and that's it. Want free service? You'll get ads with it, email reading, and your CC details in your emails are ours to distribute however we want.
One form of scanning is for commercial gain through harnessing the content of a non-consenting third party, the other is to provide a non-commercial** service to the user. If there isn't a legally defined difference, there probably should be because it has any number of uses in a networked world that probably wouldn't have applied before. The way I look at it is "I don't work for these people".
** You could argue that the spam scanning is 'commercial' in the sense that it is a feature used to attract users to a free email service that then generates revenue through advertising once they're on board. But revenue is not its direct purpose, and it is after all only a small component of providing the email service.
Tell me, what's the difference between scanning it for ads or scanning it for spam?
Yup, that's whyt Google is trying to use to talks its way out of that one, but it doesn't fly.
Scanning for malware entails scanning for a set of known (public) signatures of malware which is universally applied to everyone and which does not establish person specific data. Scanning for personal information is creating specific, personal information and association information that is used for purposes usually not very much under the control of the user - which means that even if the profile comes to wrong conclusions/associations, they are passed on as facts without consent or control by the user.
I must admit it's interesting to see an issue like this appear in the US courts - it's almost like they are trying to clean up a little privacy problem for Silicon Valley. Under EU law, Google is already breaking the law with this - worse, any EU company using Google at present for their corporate email is flat out in breach of EU wide privacy laws every time they receive a client email as no permission has been gained from the sender to pass it to a 3rd party.
BTW, if you think that Google doesn't know it's breaking the law (sure, after the last time they were found to be creative with Streetview), read their "help" texts. I think you may come to a different conclusion.
Indeed we do, since there also is precious little difference between either of the things mention and scanning for porn, links to copyrighted material, or indications of terrorist activity. My inclination is to think that my privacy is something I had best look after myself. Trusting the ISP or other email provider might work out, but it also might not.
This will be interesting to follow.
The argument from Google will likely be that without scanning the mail, providing the service will be impossible from an economic stand-point, but that's simply a weird argument. They'll still have tons of information about the user whose gmail it is. They can still show all the ads they care for, they just can't read the contents of people's mail.
As for the information of who has sent you mails, that also offers a problem. Personally I don't like the idea that Google knows my email address (although they likely do since "friends" of mine have sent me g+ invites *sigh*), but on the other hand, in regular post the sender also displays his address prominently. I guess you might expect Google to not retain knowledge of who has sent mails to you. I don't expect the post-service to keep logs of who has sent mail to me over the years, so maybe even retaining information about who is sending mails to users would be a problem.
The personal assistant analogy is silly. Even if we accept it, it's still idiotic. Personal assistant can open my mail no problem, but please refrain from reading it, keeping notes about the content and then wear shirts displaying various ads that he/she deems I'd be interested in.
I'm more in favour of a post-service analogy. There are of course blatant differences, but the same level of privacy should be expected - primarily the cannot open my mail bit. But then again you pay for the regular post-service, so the analogy seems to hint at a problem all by itself. (As an aside: What about stamps that are instead adverts? Or envelopes made entirely from adverts? Both = free mail)
Now that we're kind of on the topic (or brushing it lightly), does anyone know of a free email service that has an automatic forwarding function? I should like an somewhat generic email that I can use for signing up, which will send mails on to my primary email.
"Just as a sender of a letter to a business colleague cannot be surprised that the recipient's assistant opens the letter....."
It's not correct.
It should be:
Just as a sender of a letter to a business colleague cannot be surprised if the postman opens up your letters, has a little read, finds a relevant sales leaflet and then puts them back in the envelope, before handing it over to you."
There Google,fixed the analogy.
The analogy I prefer is "a sender of a postcard cannot be surprised if the postman has a little read on the way to putting it in your mailbox." Google, with probability not significantly different from 1, does not read through encrypted email (the equivalent, more or less, of a letter in a sealed envelope), and even the NSA and friends probably almost never try to do so unless it is to or from a specific intelligence target.
Plain text email messages are open to scanning by many others than the email service providers, and most or all of those others are more to be concerned about than Google. How many routers pass along the average email message? Almost all of them have management ports available to administrators (not all of them possessed of high ethical standards), and potentially accessible by law enforcement officers, hackers of varying motive, and spies of various origins. Jumping on Google, which openly admits to scanning the email it processes, does nothing meaningful about the real problem.
Just because it 'can' be read in transit doesn't mean it 'should', or that reading it is reasonable. I might not be surprised if the postie reads my postcards to while away the time, but I'll certainly be affronted - not unreasonably I think - if he attaches a stick on advert contextual to its content.
I'm personally not bothered that my average unencrypted mails are readable, but just because unethical types can do it, doesn't mean its ok for Google to profit from doing so. I thought ethics was supposed to be a bit better than "it's OK because I can".
that should fall flat. It might make their model of free email untenable, but it doesn't make providing email as a service economically untenable. They might have to switch to a paid service, but those are the breaks.
I don't know who is officially listed on the suits, but I expect the first thing Google will now do is make sure none of them HAVE signed the terms of agreement.
Soon gmail users will get a message: You agree to letting us read the emails stored in your account, if you disagree, then you have 30 days to either buy a personal account or remove your emails from our servers.
Any way, if Google looses the case, does that means they will be forced to turn OFF their anti-spam and anti-virus system?
In which case the system in which gmail accept external emails will be changed. If the user pays for the account, then s/he will receive their emails immediately. If not, then whenever they receive an email from an external source, gmail will email that external source asking them to agree to the T&C, otherwise the email will be rejected.
Ether way, I meant the original post as a joke..... failed measurably at it, sorry.
In the same place as other non-invasive searching that goes on in the Royal Mail (choose your local monopoly), such as X-Ray, drug sniffing, bomb sniffing, etc.
The issue at hand here is that Google is intercepting and "reading" private content and using it for economic gain, without consent of the senders. Whether that is wire fraud is something up to the courts to decide.
And what is this hate affair with Judge Lucy Koh relative to Google? Did she preside over a case in which Google was part? None that I recall, but I don't read her docket either.
If they were to win this lawsuit that would surely put paid to any e-mail anti-spam and anti-virus scanning at the server level?
This also involves a system "reading" the contents of an e-mail to determine if it is legitimate or not.
There would also be issues with corporate systems and accessing another user's mailbox or checking against company policy.
In reality I don't see the complaint - the ads only affect the G-mail user not the Sender who already knows about the service and has accepted the Ts&Cs. It's not as if Google are personally opening each e-mail to read it. They could open any e-mail at will for sure, but then so can any company that hosts a standard SMTP server and there is even a requirement to hold these plain-text message by some goverments for analysis.
"the ads only affect the G-mail user not the Sender who already knows about the service and has accepted the Ts&Cs"
No, the Sender (firstname.lastname@example.org) has NOT accepted the Ts&Cs. Well, not Gmail's Ts&Cs, anyway. He isn't a Google user. Goodness, he might not even ever visit a Google site. (Odd, these days, but not impossible.)
The complaint is that the external sender has not accepted the privacy-busting aspects of Gmail's Ts&Cs, and yet email he sends to email@example.com will be manipulated in those privacy-busting ways.
And yes, the complaint is also that Google *are* opening each email to read it, so that they can display ads that might be relevant to the content.
the ads only affect the G-mail user not the Sender who already knows about the service and has accepted the Ts&Cs
the ads only affect the G-mail user, not the Sender, who already knows about the service and has accepted the Ts&Cs
"And yes, the complaint is also that Google *are* opening each email to read it, so that they can display ads that might be relevant to the content."
In this case
Google == a big computer system
Opening == passing through their system and the bits (1s and 0s) being analysed for a pattern
From your PC, your router "opens your e-mail", so does your ISP, and any switches and routers in between including any system, software or hardware (of which there'll be a few).
What exactly is the privacy impact (above and beyond the privacy impact of any other normal SMTP e-mail system) - I really don't understand?
People don't complain that when they send a Word Document to someone Microsoft Word (The computer program) opens the document and reads it, analyses words and compares them and then shows spelling and grammar errors?
The point would be that the service isn't self-contained.
The things being done are not isolated to the mail itself.
Spam sorting could be done merely from addresses, something that is personalised by the user of Gmail.
The problem is when the actual content of the email is not just scanned for virus or spam, but is also stored, compared against marketing data, keywords saved to the google account for ads on other services. The sender email being stored as an active email, something for the broader system to know about.
MS word isn't sending the text file I sent to a friend and sending key words to MS and linking it with accounts and emails and any other information it can get away with.
As far as I know a letter is private to the sender and recipient, so the recipient does have the legal ability to publicize the letter. I think it would be legal for Google to have a "scan this mail" function. So that after a user has read a mail, he/she can allow Google access.
But of course it doesn't work in reverse, because there might actually be content in the mail that the recipient doesn't want Google to know about.
"The problem is when the actual content of the email is not just scanned for virus or spam, but is also stored, compared against marketing data, keywords saved to the google account for ads on other services. The sender email being stored as an active email, something for the broader system to know about."
Where do you get this from?
As far as what is explained, and evidence shown, no "extra" e-mail is stored elsewhere. The ads appear based upon the content of the current e-mail. If you interact with those adverts then your interaction and profile is very likely to be updated to reflect that. It would be absurd to think that Google take a copy of every e-mail remove extraneous words and store it elsewhere on the system as part of your profile. This would add 50% to the storage size for absolutely no reason whatsoever.
It would be prudent to assume that the ads work just like any other system such as spell checker or website underlines that find keywords. i.e. it uses an algorithm to find paid for search terms and displays a relevant ad next to it. The advertisers doesn't know who you are, who the sender is, what your e-mail contained unless you interact with the advert and that would be similar to the search referrer from a search engine.
"But of course it doesn't work in reverse, because there might actually be content in the mail that the recipient doesn't want Google to know about."
That is just anthropomorphism. You are personifying a computer system.
Do you know how a mail server works? If you don't want someone other than a recipient to know the contents of an e-mail you have to use reliable encryption that isn't broken or backdoored. There is no other way.
How about this then:
"there might actually be content in the mail that is meant only for the sender and receiver"
"there might actually be content in the mail that the recipient doesn't want Google to scan"
Now it could be that it's all very innocent. The system simply looks for key words and sends for ads related to that.
But Google has built an ad-empire on having a profile for their users. So when Legitmailaddress-gmail.com get an email, it seems unlikely that it would only go for ads related to "Thailand" and "travel" as was stated in the mail, but also for this or that type of travel based on other information it has about that user.
If Google believes it is allowed to scan user emails, then why wouldn't they throw this into the mix of profiles? Why wouldn't it use this information in full?
And no - not copying the email and keeping it, but extracting whatever is deemed to be useful information. Adding emphasis to some information or other that is already in the user profile, reducing emphasis.
And, as I've stated elsewhere, also know that some email or other is actually in use.
"you have to use reliable encryption" - Perhaps that is how it is, but that is not necessarily how it ought to be.
- but the systems have to scan the mail to be able to forward the information. That is true! This does not mean that whatever is scanned should then not simply be destroyed afterwards.
Just because I send a postcard, doesn't mean that the postman should feel free to read it and make notes about it.
It's like a really accurate chain of whisperers, but with the added function that every whisperer along the way from sender to receiver are able to actively forget what they whispered.
Incidentally what "evidence shown" are you talking about. I might have missed it! - Not irony/sarcasm/snark - legitimately curious!
>If they were to win this lawsuit that would surely put paid to any
>e-mail anti-spam and anti-virus scanning at the server level?
Not really, as long as no information about the scanned emails leaks from the scanning process (i.e. is kept in a form that may allow linking it back to sender / recipient(s)).
Interesting to see what happens for companies and ISPs that white label gmail. Virgin Media is one. I need to go back and read the T&Cs to find out what they said...
Comes back to "if you're not paying for it, you're not the customer, you're the product being sold". (Except if you're paying your ISP, you are the customer)
"...after a judge ruled that a class action lawsuit brought against the company that challenges its practice of scanning emails for ad-targeting can proceed"
for ad-targetting ? They assume too much. Google might say it uses the datamine for advertising. But we don't really know what Google does with our info, or what it might elect to do in future. Advertising is merely the most innocent-sounding of the possibilities.
Actually, it seems to me that Google's point is a good one.
If somebody sends an email, they are normally letting the recipient do whatever they want with the email, including forwarding it to third parties, publishing it in a newspaper, or indeed, letting Google read it.
I believe that in general, you make no assumption when sending a letter to someone that no one else has the right to read that letter. If the recipient decides to publish the letter, he publishes it.
In fact, only governments (ha!) seem able to restrict the right of the recipient to publish their letters. This is precisely the criticism that has been leveled at National Security letters and "super injunctions".
"Nope. Once sent, a letter is the property of the recipient for them to do with as they please, including but not limited to public disclosure."
A rather sweeping and inaccurate statement, making assumptions about legal jurisdictions.
For example, in the UK the ownership of the letter, as opposed to the words, is with the person it was sent to. The words remain the "property" of the sender. However there are exceptions and/or defences to copyright infringement.
There are also restrictions on commercial use of such communications in some jurisdictions.
Further a breach of confidence may also arise.
You also fail to address the Berne Convention and, for Europeans, the European Convention on Human Rights, parts of which deal with respect for correspondence and is one of the rights protected.
It's not quite as straightforward as you would have us believe.
In future, all of your incoming mail will be held in quarantine by your ISP, while said ISP replies to the sender asking for permission to read the email so that it can determine whether or not it is spam. Once the sender of the
spam email agrees, your ISP can then look at the email contents to determine whether or not it is spam. Simple, and no laws are broken.
Google is scanning your email to... wait for... wait for it...
...create their own spam to you.
Spam and malware scanning are not the issue nor do they required the entire contents of an email to be read to determine which is which.
Google is flat out reading the content of private communications AND generating spam in your admin panel from it.
The lawsuit will fail.
Google have a watertight case here: in setting up a gmail account gmail users have clicked past an implied consent contract at some point, and Google will argue - successfully - that a non gmail-account holder gives implied consent by emailing to a gmail user.
I'm not so sure of that, even for Gmail account holders: Google's privacy statement and/or Gmail T&Cs do not explicitly mention scanning emails for profiling (for advertising) or at least finding that takes quite a bit of interpretation, which makes meaningful consent rather suspect. As for senders from other providers, there is not even that.
How would the sender know that the recipient is a gmail user? It is perfectly possible to use GMail for email for an acoward.com domain.
It may be argued that anyone who sends me an email implicitly agrees to the terms of *my* providers of internet and email services, whoever they may be. Basically, there is an implicit realization that there are *some* terms and conditions as a part of the service, and it is out of the sender's control. If he/she doesn't agree then it should be discussed between us in advance.
No, I am not arguing this is the right approach, but I can't say it is a completely unreasonable start, either. Anyone who sends an email should realize that metadata are in the open and the content is, too, unless encrypted. As has been said many times, email is a postcard, not a sealed envelope. And when you send a sealed letter to N. Korea (or, say, the USSR of old) you cannot reasonably have expectations that it won't be opened (or your phone call will not be listened to), even though you yourself are not subject to terms and conditions (laws) of the recipient's provider (country, which likely runs the postal service), or indeed, know them.
Maybe my 15 years of working as an email admin has skewed my perspective, but I find it insane that anyone would ever expect their email to be "private".
It seems many folks do not realize how many different places along the path of a typical email that their message is stored, logged, scanned, recorded, inspected, etc.. All in plain text and able to be seen by not just the many servers it intentionally passes through but also any other computer on any of the dozens networks it traverses.
I am not saying I necessarily support Google, but if the case against them is based on an email user having some "expectation of privacy"... well that isn't much of a case.
While they're busy suing Google for automatically scanning Google hosted mail in order to attach relevant ads to pay for the free email service, do you suppose they have even considered the possibility of also suing the NSA for their vastly more widespead and intrusive scanning of everybody's email for unclear purposes?
I doubt it. They're suing Google because they can be sued. And they're not suing the NSA because they can't. Or because it would be "unpatriotic".
No Ralph they are not suing the NSA, GHCQ or other security services because they only use your data for nefarious purposes not to send you marketing adverts which are much more *evil* as we all know.
Would be amusing if Google started sending the jihadist brothers and sisters adverts for illegal ordnance though.
If someone emails me they do so with a reasonable expectation that I will use an email client of my choice to process and read that email. It might be that I choose to view the email in plain text (SMTP headers, MIME headers and raw HTML, etc). Or I might choose a client that only shows me the formatted HTML part, hides the headers, handles attachments etc. I might have everything - spam and viruses included - dumped into one big "Inbox", or I might have my email system filter them in some way. And I might have my email system, should I choose to do so, provide advertising alongside it based on the content of the emails.
By sending me an email, the sender has chosen to accept this in using my email address in the first place. All of the above are in my control, not the sender's. It is not within the rights of the sender to determine whether my client is Outlook, Thunderbird, Gmail, Hotmail or just plain telnet to a POP3 server (any more than it's within mine to dictate their choice of sending client).
That I might choose to use an ad-funded service, and that I might prefer to have a handful of vaguely relevant ads rather than a pageful of random "hopefully one of these will be of interest" ads, is my choice. Those ads aren't shown to the sender, the sender isn't getting spammed or having their details sold to advertisers.
When I send an email to an Outlook user I am indirectly supporting the business model and practices of Microsoft. I might not like this, but it is not within my rights to sue Microsoft because I object to this happening even though I never agreed to a Microsoft EULA.
And, of-course, anyone who is *really* bothered about this would just encrypt their email so my choice of email system can't pre-/post-process it in any way. Or they could freely check my email account's MX records and determine where the email is going. If they're too lazy to do either, that's their problem not mine.
Sorry, but Google is no angel but anyone who believes that this is anything more than an exercise for lawyers and for people who think they might be able to make a few quid is deluding themselves, and that kind of people should not be encouraged.
Personally I think the whole issue stems from the fact that most people thing of email like the letters of days gone by. If everyone would simply accept that email has much more in common with a postcard and treat it appropriately we'd have far fewer problems. Letters were typically delivered in sealed envelops (which you can still do in email via encryption, but few people do) and sometimes contained information that you wouldn't want third parties to know. Postcards sent to friends, on the other hand, never contain information that you don't mind sharing with the world. Further, no one complained when some random postal worker read your postcard. You simply didn't expect privacy with your postcards.
With email, unless it's encrypted, it can be read at every node it passes through. In fact it probably IS read by at least your own network's (or ISP's) exit node and the receiving network's entry node simply because so many of them are configured to weed out spam. Honestly how do you expect spam filters to work if they can't peek at the emails?
The argument could be made that Google shouldn't be storing and analyzing the data gleaned from emails. I certainly wouldn't argue with that point. But this idea that emails are the same thing as a sealed snail mail letter and that anyone reading it is breaking the seal to do so is ludicrous. Even on the technicalities alone email shouldn't be treated like that.
I've no idea what the lawyers will do with this case. Probably, make a mess.
However, isn't the key point how long Google retains any sort of memory of what it "learned" by scanning my e-mails? (By which I mean purely statistical analysis thereof. Not forwarding them to the NSA, which is a separate issue, nor storing the actual e-mails after I delete them, which might actually be illegal under EU law).
I've no objection to Google delivering targetted ads based on a statistical profile that is forgotten over a week or two. If they continue to profile me cumulatively over months or (gods forbid) years, it starts to become highly intrusive. Most *people* can't remember in detail what I was doing this time last year, and that's including myself in "most people".
As for the ads, I never see them anyway. Because some advertizers insist on delivering visually intrusive graphics that make me feel nauseous, I block all adverts, and also all flash content.
"Indeed, 'a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.'"
To think, I send a mail to a 'recipient' and expect it to get to the person, without the post office scanning the sender address, and scanning the contents of my letter. I do have a LEGITIMATE EXPECTATION of privacy. This is not pirates on the sea, or the pony express.
What is so wrong with MY expectation of privacy. Nothing I say! What is wrong is the 'corporate' view that THEY assume have the right to inspect that letter, envelope and all. Everything is wrong with that thought process.
Wrong wrong wrong!
Mail is a service, free or not, but does not give the 'service provider' the right to inspect the contents. Why even do we have to go to court over something so simple. GOOGLE, do not do evil.
In the US, the USPS photographs every letter. I believe this may be followup on the anthrax letters in 2001. And, as others have noted, anything you put on a postcard may be read by a number of people you don't even know on its way to delivery, just as an unencrypted email may be scanned by a number of systems (and read, possibly, by the administrators of those machines and others with less authorization.
I dont think you can expect your email to be private just because many people do not understand how email works. Email simply is not a medium that provides privacy. By design, it does not work that way.
A realistic comparison would be shouting at your recipient across a large hotel lobby full of various staff members, other guests, and quite possibly criminals. Email provides fairly equivalent privacy. Regardless of how you or anyone else feels things should be, that is the reality.
I think Google's point is partially quite valid - I signed up to gmail fully knowing that I'd get ads on it. I don't look at ads, so it's a freebie to me. Even if I did, it'd still be my choice. I value the quality of service, functionality, as well as my expectations that they will not go out of business and that I can change ISPs and conserve my address.
Re my expectations of privacy, they are actually a fair bit higher here. I know exactly what Google does their scans, they serve me ads. What _I_ care about is that they don't pass on the info to third parties who will spam me some more. I can see very little incentive for them to do so, precisely because their business model IS to serve me ads. If they were a pay-for-service with no ads, I'd have to trust them not to try to make an extra $, a very different thing.
(NSA is an entirely different subject in this context and I blame our govs here).
However, when JaneHottieDoe@hotmail.com sends me a torrid email (I wish), I understand that she did NOT sign up for gmail and its privacy clauses.
Compromise: how about gmail does not serve ads when a recipient or emitter is not @gmail? That way, I don't get saddled with the privacy expectations of the class action participants. And gmail users are free to decide on their own, like adults. A difficult concept.
Oh, and keep the spam filtering regardless, of course. Again, must be careful not to throw out babies with bathwater here.
...is practically dead.
If the government must have a warrant to search private possessions (please no NSA snarks just yet) then why does ANY corporation think it is above the law of the Constitution? Which also seems to be the problem with most all American corporations these days.
Now you may snark.
"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
I don't think Google should lose the whole case necessarily (automatic scanning of E-Mail to get better targeted ads, given that I'm using a free service that will have ads? I don't mind at all). But the blanket argument "users of 3rd party services have no expectation of privacy" is nonsense*, it depends on the nature of the 3rd party service.
*With the NSA's illegal actions it's probably true as a practical matter that 3rd party services have no privacy, but I still expect companies to properly disclose how they will violate privacy if they are going to, which Google does. And I hope a huge wave of lawsuits sweeps over the NSA for their illegal actions, hopefully with jail time involved.
Biting the hand that feeds IT © 1998–2019