Why we should still be worried about what Google said regarding Gmail privacy

Google says Gmail users can't expect privacy

GoogleLast week a furore erupted over a statement Google made about privacy – it was widely, and incorrectly, interpreted as having said that Gmail users could have no legitimate expectation of privacy.

Google was then widely re-interpreted, correctly, as not having said that.

So what happened, what did it say, and now that the mistake has been corrected is everything rosy in the garden?

On 12 August, Consumer Watchdog issued a press release warning Gmail users who care about privacy to ditch the service.

It issued its advice in response to a recently issued legal brief from Google that, in Consumer Watchdog’s eyes, showed the search giant admitting that it doesn’t care about people’s privacy.

At the root of their concern was some text taken from a motion to dismiss issued by Google in June in response to a class action lawsuit. The lawsuit claims that Gmail’s targeted advertising violates federal and state wiretapping laws.

The text taken from the motion to dismiss reads as follows (my emphasis):

Just as a sender of a letter to a business colleague cannot be surprised that the recipient's assistant opens the letter, people who use web-based email today cannot be surprised if their communications are processed by the recipient's ECS provider in the course of delivery. Indeed,"a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties."

The idea that Google had admitted that it didn’t respect Gmail users’ privacy hit a nerve and Consumer Watchdog’s story gained an awful lot of traction on 13 and 14 August.

The words of Consumer Watchdog’s Privacy Project director, John M. Simpson, are, unsurprisingly, a neat summary of the general tone of the coverage:

People should take them [Google] at their word; if you care about your email correspondents’ privacy don’t use Gmail

The widespread panning of Google’s attitude to privacy was quickly followed by another wave of articles arguing that we’d all got it wrong, with titles like Yes, Gmail users have an expectation of privacy and No, Google did not say that there is no privacy in Gmail.

The rebuttals point out two significant errors in the global coverage thus far:

  1. The widely reproduced offending text is not about Gmail users, it is actually referring to non-Gmail users specifically
  2. The quote in the text is not Google opining, it is law; a quote from Smith v. Maryland, a 1979 Supreme Court ruling

One of the websites that ran the story that misinterpreted what Google said was Naked Security (story since corrected). Our mistake was #1. We implied that the text was referring to Gmail users and the article was written with that basic assumption in mind.

So, after the dust has settled and those of us who made errors have owned up, is this a case of “nothing to see here”?

Well no, I don’t think it is.

Gmail privacy. Image courtesy of ShutterstockLet’s start with the basics. Just because the text isn’t about Gmail users it doesn’t mean those people are immune from Google poking around in their electronic mail.

The fact is that Gmail users sign terms and conditions that establish Google’s right to do that.

So the text that asserts Google’s legal right to read emails applies to the rest of us – people who might knowingly or unknowingly email one of the four or five hundred million people with a Gmail account.

The fact that the quote, “a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties”, comes from existing law does not make it OK, or an obligation, it just makes it legal.

Google may not have invented those words but it is happy to use them to defend a practice that the law in question could never have been intended to cover.

It is saying that you have no right to expect privacy when you hand over your email to 3rd parties in general (in others words whenever you send any email) because a law written before the widespread adoption of email says you don’t.

Having invoked the 3rd party doctrine Google goes on to explain that users are giving implied consent to ‘automated processing’ of any email sent from a non-Gmail account to a Gmail user.

...all users of email must necessarily expect that their emails will be subject to automated processing.

Consent is implied, by the way, by the very act of you sending an email.

That the principle of the 3rd party doctrine might not be a good fit for the internet age has not gone unnoticed in judicial circles. The Supreme Court’s own Justice Sonia Sotomayor has already questioned it in comments relating to United States v. Antoine Jones:

More fundamentally, it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties. This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks. People disclose the phone numbers that they dial or text to their cellular providers; the URLs that they visit and the e-mail addresses with which they correspond to their Internet service providers; and the books, groceries, and medications they purchase to online retailers.

The assertion that I am giving implied consent to ‘automated processing’ where ‘automated processing’ is undefined and therefore ‘any reproducible process Google can think of’ is the nub of what the article is about.

Personally, I do not believe that automated processing to remove spam is even remotely similar in nature to, say, automated processing to learn as much as possible about somebody from the content of emails they send. (Or more worrying still, the same as something Google might decide to automatically process emails for next week without my knowledge.)

I think the reason that this story has generated so much coverage is because it’s news to an awful lot of people, both Gmail users and non-Gmail users, that they are giving that kind of consent and because they are worried about the license that Google may be giving themselves on the back of that consent.

And because of that I think the general concerns the original story raised, and the legitimacy of those concerns based on Google’s arguments in this case, hold true despite the hyperbole and the inaccuracies in the reporting.

However it seems only fair that we leave the last word to Google and finish with its response to the original Consumer Watchdog report:

We take our users' privacy and security very seriously; recent reports claiming otherwise are simply untrue. We have built industry-leading security and privacy features into Gmail — and no matter who sends an email to a Gmail user, those protections apply.