If you care about privacy, it’s time to drop Google.
That’s what Consumer Watchdog is recommending following Google’s admission that people shouldn’t expect privacy when they send messages to a Gmail account, any more than people would were they to send a business letter that could be opened by an assistant.
Here’s how Google put it in on Page 19 of a brief filed recently in federal court [PDF] and reported on by Consumer Watchdog, a US consumer advocacy group, on Monday:
"Just as a sender of a letter to a business colleague cannot be surprised that the recipient's assistant opens the letter, people who use web-based email today cannot be surprised if their emails are processed by the recipient's [email provider] in the course of delivery.
"Indeed, 'a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.'"
The brief was a motion to dismiss, which Google filed in connection with a class action suit over its automatic scanning of email.
Plaintiffs in the class action suit contend that Google’s automated data mining is an illegal interception of their electronic communications, without their consent, that violates federal and state wiretap laws.
Google uses this automated scanning both to filter out spam and to serve up targeted advertising to users.
The company contends that anybody who uses its services has consented to the scanning, in exchange for the email services.
Google points out that courts have determined that all email users, in like fashion, “necessarily give implied consent to the automated processing of their emails.”
In the brief, Google cites Smith v. Maryland, a 1979 Supreme Court decision that upheld the collection of electronic communications without a warrant – specifically, information collected off of a pen register installed at a telephone company’s central offices.
Consumer Watchdog has posted the court papers for the suit here, albeit in highly redacted form.
Consumer Watchdog called Google’s statement a “stunning admission” and warned people who cared about their privacy not to use Gmail.
John M. Simpson, Consumer Watchdog’s Privacy Project director, said in the group’s news release that comparing email to a business letter is a “wrong-headed analogy”. Really, when users send email, they expect their privacy to be on par with using the postal system:
"I expect the Post Office to deliver the letter based on the address written on the envelope. I don't expect the mail carrier to open my letter and read it.
"Similarly when I send an email, I expect it to be delivered to the intended recipient with a Gmail account based on the email address; why would I expect its content will be intercepted by Google and read?"
"In short, we'll treat you as a single user across all our products, which will mean a simpler, more intuitive Google experience."
Google has defended its handling of customers’ email data in the past. Here’s what it said earlier this year in a statement to CNET:
"We work hard to make sure that ads are safe, unobtrusive and relevant. No humans read your e-mail or Google account information in order to show you advertisements or related information."
Email privacy, of course, has taken on marked attention in the wake of reports of US surveillance by the National Security Agency, on top of both the business suicide of encrypted email provider Lavabit and the pre-emptive closure of encrypted email service Silent Circle – both done to avoid government seizure of email data.
Giving up the Google habit is hard, but doable. If the idea of going Google-free appeals, I suggest reading the story of Tom Henderson’s Google divorce for a blueprint of how one man did it.
Is Google’s statement that users can expect no privacy the last straw for you, privacy-wise?
Please do let us know, one way or the other, in the comments below.
Image of binocular view and spy courtesy of Shutterstock.
34 comments on “Google says people can’t expect privacy when sending to Gmail”
Sadly it seems there are few if any alternatives in this world of 'no email is private'
Email was not ever private, it’s always been the equivalent of a postcard that can be read by anyone in it’s path. But… You bet you butt email can be private(not the meta data but the content). That is of course, if you want it to be, and refuse to believe those who wrongly claim email encryption is a difficult thing. It can be I guess… but in reality for most people it is “point and click” simple. I’m not tech savvy and yet I teach people w/much less IT knowledge than I all the time about PGP/GnuPG email encryption. Sure learning to use PGP from the command line can be challenging but it is not necessary. Installing Thunderbird w/the Enigmail plug-in makes it so anyone capable of sending an email is capable of military grade encryption. It works, it’s not hard, and there is a LOT of help out there for interested people. for beginners, Thunderbird + Enigmail is your answer and don’t let anyone tell you otherwise. You CAN do it regardless of skill level. Promise!
If Google is guilty of using automated systems to scan email, then which are the popular webmail systems that are innocent?
Surely all the big names are scanning the emails passing through their systems for spam, phishing, malware…
And some, like Yahoo (which never seems to get as hard a time about this) and Google, are scanning to offer context-sensitive advertising too.
I can’t remember, because it’s been so long since I created a Google account, how visibly they warned me of what they were planning to do with any email I received, but my advice to users is… if you don’t like it, stop using webmail and start encrypting your email.
How about Silent Circle or Lavabit?
Oh, no, wait…
There are others of course. Perhaps the most well known is Hushmail.
Others include Switzerland-based MyKolab, Neomailbox (also in Switzerland), Countermail (Sweden, which allows you to buy an account with Bitcoin), etc.
Of course, look at using PGP or GnuPG locally if the message is going to travel outside of their servers.
Note – I haven't used all these services, and am not endorsing any of them.
Bingo! Great advice. Oh, Graham… you are on the money, as always.
And I guess it's worth noting that Silent Circle has other communication options besides email—options that it says are truly safe from surveillance.
my thoughts exactly
in *small* defense of corporate web services – before the PRISM terror, companies have been running email security plus IPS and other deep packet inspection tools for a decade or more.
While that is a pretty different mission from gathering intelligence or archiving all private conversations, it is still a breach of the expectation of absolute privacy.
Not that easy to avoid GMail. Cause I have to communicate with others, and those are not using GnuPG. And some of them forward the E-Mail automatically to their GMail accounts. Or reply with fullquote and add one recipient… or or or.
so if “you don’t like it” don’t fix the problem, just ignore it? okay.
Are you sure you interpreted this right? See this article from The Verge http://www.theverge.com/2013/8/14/4621474/yes-gma…
Your story is completely inaccurate. Last time I bother w/ this site.
This article explains the situation accurately (no fud):
If a webmail service doesn't scan your e-mails, how are they supposed to know what to send to the e-mail recipient ?
I gave up Gmail about two months ago, the last straw being the discovery on the web of two throwaway/junkmail email addresses that I have never associated with my name being associated with my name. Both of these were used for, among other uses, signing up for YouTube accounts. I distrust Google so much that I go out of my way to avoid any services they offer or are associated with. Doesn’t mean I’m not sometimes caught in their net, but if I can help it I avoid those evil bastards!
Google bought YouTube and you need a Google account to fully use it now. That may have been part of what you saw.
Doesn't bother me. Google makes my life and business easier and more effective – whether they serve me a targeted ad or not. Almost every single client, including my wife, I've moved to Google Apps says the same thing.
At this time and as it stands now (meaning I can change based on circumstances) I have bigger things to worry about than a computer scanning my email like family, friends, business, my religion, etc.
then you do not understand the potential severity of the circumstance. it’s always good to work on a small problem before it implodes.
If you don't encrypt your email, you should assume it can–though not necessarily *WILL*–be read by unintended parties.
@Freida Gray: the unstated assumption is that the mail servers will stop "scanning" at whatever MIME boundary or "end-of-header" flag indicates the body of the email begins. That said, the mail server will (must) still copy each & every bit of the email and store it in a file until it is retrieved. It may possibly remain on the server.
The key is that bit about "no humans read your email". Google is not "intercepting" the emails (as John M. Simpson, Consumer Watchdog's Privacy Project director, complains). The emails are being sent to Google. In the case of gmail addresses quite deliberately. Perhaps there is a legitimate complaint from those who send an email not realizing that one of the recipients is using Google as their MX provider.
PGP/GPG: Relevant & useful in 1991. Still relevant today.
Wasn't the guy who wrote that encryption program forced to give a key to some federal law enforcement agency under penalty of prison at a not very nice place? I was sure he relented to avoid jail. I don't think you can legally have an encryption service without somebody in law having a key.
Although PGP/GPG are capable of being configured to use key escrow, that configuration is at the discretion of the user. There have been claims that the US Government and/or NAI/PGP Corp placed a backdoor in PGP, no one has ever identified any portion of the code that implements a back door. The source code for PGP & GPG is open and available for inspection. If there were a back door–given the wide spread use by sophisticated, knowledgeable, and interested parties–it would have been identified by know.
The code being open-source is key to its trustworthiness.
I'm afraid you're simply wrong about whether an encryption service can be offered without providing law enforcement a key. I'm afraid your being "sure he relented" is an unfounded and unsupported assertion.
Please take a look at some of the history of PGP. There is a lot of information available online.
I want to put this here and spark some more discussion: http://thenextweb.com/google/2013/08/14/no-google…
This blog post says that the quote is taken out of context, and that the level of privacy that GMail provides is the same that it had back in 2004 when the discussion of scanning emails to better help advertising came up.
Google's quote was taken out of context and this is an old debate.
How did anybody think Google made money? They profile users based on content ostensibly to target ads, but also to sell indexed profile data to companies that prepare personality profiles of individuals for sale to anyone with the money. I’ve seen reports that 90% of hiring managers at large companies order them.
[Post edited for length]
As for Google, basically I use it only to receive information from organizations. If I want to send a message of any substance (other than, rarely, for the most innocuous messages), I use corporate email addresses. If I can’t get them, I don’t send anything.
I have to wonder if this includes corporate email accounts hosted by GMAIL…
I get it, and am uncomfortable and disturbed about it but unwilling to change if my efforts are ineffective. This seems like a Catch-22 case.
If I understand this, not only would I have to stop using Gmail, but I would also have to stop sending to anyone who does. I don’t have that kind of control over my contacts, and likely none of us do.
Likewise, in communications with simpler users (thinking of parents), I cannot expect them to play along with new encryption methods.
I’ll be reading the Google Divorce link (thanks), but I’m skeptical as to whether I could actually keep my emails out of gmail, even if I stopped using it. Am I missing something?
Honestly this is more panic of not much substance. So Google has scanning software that looks for viruses, malware and spam. While there it also looks for key words that can help target the ads it displays to interests you have. I've never understood the aversion to the latter. I mean they're going to show you ads anyway, so I know that I personally prefer the ads at least be about something I care about. By way of comparison, when I log into my Yahoo mail account I continue to be inundated with ads from Zulily. Why would I as a mid-30's male have any interest in these ads showing plus size females modeling the latest fashions available at that site? Answer, I don't. I'd much rather see ads for the latest Toyota Tundra or something of that nature.
Which is why I have run my own email server for such a long time.
As the old saying goes – "there is no such thing as a free lunch" – or in this case, "free email" has to have some benefit to the provider. In Google's case, this is statistics mined from your email about your interests so they can sell targeted advertising to you.
If you don't like it. don't use Gmail – most ISPs offer email as part of the package you are paying for at no extra cost, or you can buy hosted email services.
You get what you pay for – it is just that the payment you make is not always monetary. With Gmail, you exchange your privacy for the email service and no money changes hands.
I really don't see what is wrong with this, unless it was made clear that you did have absolute privacy, and then you found at that this was not true. The only problem I see then is what is the remedy? I don't see that a user should be entitled to compensation, because they never contributed money for the service. The only recompense would have to be fines and/or criminal proceedings if laws and/or codes of practice are broken.
Don't put anything in an e-mail that you wouldn't put on the back of a postcard. It's as simple as that.
The bottom line is that once data leaves your computer, by any means, in any form, it is no longer under your control. We are not counting on some mythical technology that prevents our email from being read; we are depending on the idea that our correspondence is too banal to interest anyone other than those for whom it is intended or those intimately involved in our lives. That latter number is growing thanks to technologies such as Google employs to send you targeted ads. Their argument that no human reads your email is spurious. It matters not whether you hit me with your fist or a baseball bat, the action is still yours and you are responsible for it. BTW, I use gmail. I'm just careful what I put on there.
It is disappointing to find that NakedSecurity has been swept along with the mob. I urge all NakedSecurity readers to do a Google search for "Press Suckered By Anti-Google Group's Bogus Claim That Gmail Users Can't Expect Privacy", and come to their own conclusions about whether Consumer Watchdog's false assertions are true.
Google didn't actually say anything of the kind. Notice the single quotation marks inside the double quotation marks. Google was quoting from a 1979 court case (Smith v. Maryland), where the issue in question concerned the phone company's use of pen register information.
Now, if you want to argue that Google's legal team has had a monumental lapse of reason in using such a potentially backfiring bullet in its motion to dismiss, I'll support that argument. But on its face, as written, the headline of this article — "Google says people can't expect privacy when sending to Gmail" — is misleading at best, and…well, I won't say what it is at worst.
In any case, it's not accurate reporting, and I'm sorry to say that NakedSecurity's credibility just took a very disappointing hit.
Do not use gmail.
If I have no expectation of privacy, why does gmail require that I set a password?
I read in the Daily Telegraph that Google scan mail to seek key words so that they can target the sender with advertisements.
For example if I put the word "timeshare" into a message, they can target me with adverts for timeshare sales, resales, etc.
I find this unacceptable (even though I am a satisfied timeshare owner).
"Just as a sender of a letter to a business colleague cannot be surprised that the recipient's assistant opens the letter, people who use web-based email today cannot be surprised if their emails are processed by the recipient's [email provider] in the course of delivery."
If you write to someone at a company address, of course you understand that, in the absence of clear "addressee only" markings, the letter is likely to be treated as a communication to the company. If, however, you send an e. mail to email@example.com, you can't really be expecting it to be treated as a message to Google Inc. If the people in charge at GOOG truly think they've hit on an insightful analogy there, the shareholders should be worrying.
The suggestion of what can be expected of the e. mail provider is mealy-mouthed with its verbosity. If it was worded "processed by the recipient's [email provider] during delivery", we'd more readily appreciate that the "process[ing]" is distinct from the "delivery". We expect the e. mail provider to deliver our message, not to process it in some other way, or for some other purpose.
More and more I miss the early days of the Internet before governments, law enforcement, governments, and big business decided to take over the town. As the saying goes, you can never step in the same river twice.
I often feel like we're standing against the tide and expect to turn in back with righteous indignation. Like water, we may erect a barrier here and there, but it always finds a way around, under or gets by them some way.
My concern is mission creep. It always starts out straight forward enough. A practice like scanning email is developed and used for 'legitimate' purposes such as virus detection, scams, and especially targeted ads to generate revenue that allows the service to be free.
Yet once such technology has been proved and people come to 'accept' it, then comes the inevitable "Well, since we're doing that anyway, with a little tweak we can start scanning for words and contextual phrases OTHERS may be interested in." Remember when post 9/11 several telecoms handed over lots of records of subscriber Internet usage to the Feds without being asked? And one even offered the Feds permanent taps to be installed without a request to do so? Laws were passed to reward them making them not liable for violating user agreements for privacy violations.