Google Says Those Who Email Gmail Users Have ‘No Legitimate Expectation of Privacy’

Legitimate, as Google's using the word, simply means lawful.

  • Share
  • Read Later

Correction appended at 7:53pm EDT on 8/14/2013: An earlier version of this article erroneously stated that Gmail users have “no legitimate expectation of privacy” when it should have stated that non-Gmail users who email Gmail users have “no legitimate expectation of privacy.” The article’s title has been changed to reflect the update. A quote from Google has also been added, as has a quote from the introduction of Google’s motion concerning wiretap statuses and automatic email scanning.

Lavabit is no more. Silent Circle has shuttered its secure email service. All the major email providers appear to be complicit in one form or another with PRISM, the NSA’s clandestine email surveillance program revealed by The Guardian in early June. And now Google’s legal team seems to be spraying gasoline on the controversy after filing a motion in mid-June that, among other things, argues users who access Google services like Gmail shouldn’t expect their transactions to remain secret.

The salient quote was surfaced by Consumer Watchdog, a nonprofit California-based consumer rights group founded in 1985. It’s from a 39-page motion filed by Google on June 13, 2013 in hopes of dismissing several disparate complaints that allege the company violates wiretap laws by poking around in email to engage in targeted advertising.

Just as a sender of a letter to a business colleague cannot be surprised that the recipient’s assistant opens the letter, people who use web-based email today cannot be surprised if their communications are processed by the recipient’s ECS [electronic communication service] provider in the course of delivery. Indeed, “a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.”

That last sentence, which refers explicitly to non-Gmail users who send email to Gmail users, does sound damning. Is Google’s legal counsel right? Do people who interact with Gmail have no rightful expectation to privacy when voluntarily turning information over to third parties like Google? Consider what comes next in the motion before dusting off the pitchforks and torches.

Referring to the 1979 court case from which the above quote was extracted, Google writes:

In particular, the Court noted that persons communicating through a service provided by an intermediary (in the Smith case, a telephone call routed through a telephone company) must necessarily expect that the communication will be subject to the intermediary’s systems. For example, the Court explained that in using the telephone, a person “voluntarily convey[s] numerical information to the telephone company and ‘expose[s]’ that information to its equipment in the ordinary course of business.”

Google does seem to be semantically overreaching when it claims non-Gmail users have no rightful expectation of privacy: who doesn’t expect (naively or no) that their communications will remain private when sending or receiving email? But the point the company’s making involves pragmatics: email systems have to parse emails in order to process and route them properly. That’s a by-design thing. Fretting about it’s a little like expecting a snail mail carrier not to read the outgoing and return addresses on an envelope.

But that’s only a fraction of what Google’s up to in this motion, most of which talks about Gmail users themselves, including this section (from the introduction):

Second, the wiretap statutes also preclude liability where either a single party to the communication (for the federal statute) or both parties (for the state statutes) have expressly or impliedly consented to the practices at issue. Here, all Plaintiffs who are Gmail users consented to the automated scanning of their emails (including for purposes of delivering targeted advertising) in exchange for using the Gmail service, thus precluding any claim under federal law.

In short, the company claims both federal and state wiretap statutes exempt it from liability related to conduct — both for Gmail and non-Gmail users — that occurs in the ordinary course of business. Google, of course, is appealing to as wide a definition of “conduct” as you’d imagine a company like it would, dismissing complaints about email scanning because it says you’ve consented to be scanned, whether you’re a native Gmail user or exchanging emails with a native Gmail user.

As Google puts it in its privacy policy explainer:

We use the information we collect from all of our services to provide, maintain, protect and improve them, to develop new ones, and to protect Google and our users. We also use this information to offer you tailored content – like giving you more relevant search results and ads.

Assuming Google’s right legally speaking — and don’t confuse what’s legal with what’s ethical — the company has a point. Throughout the motion, Google’s essentially saying that it does what it does, that it has a legal right to do what it does, that it’s been very clear about what it does, and that anyone accessing a service like Gmail, whether natively or indirectly, is beholden to its terms of use, including automated rifling through email content and using that information to craft targeted ads.

That, I suspect, is why you have Consumer Watchdog director John Simpson saying: “Google has finally admitted they don’t respect privacy. People should take them at their word; if you care about your email correspondents’ privacy don’t use Gmail.” The message isn’t sue Google, it’s quit Google.

Indeed, unless we believe Google hasn’t been clear about what it does or doesn’t do, the legal onus isn’t on Google to stop scanning every Gmail message it’s parsing; it’s on users opposed to either lobby the company to change its behavior, or abandon the service, whether that’s shifting to another email provider (problematic, especially if your concerns extend to government snooping), opting for self-hosted and/or encrypted email (the do-it-yourself route, i.e. build your own email server), or investigating peer-to-peer email services (server-less, secure, anonymous…supposedly).

After 9/11, an old Ben Franklin quote started circulating: “They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.” Replace “a little safety” with “lifestyle conveniences” and you have an applicable analogue for what’s happening as we hand our digital correspondence off to massive memory banks controlled by a handful of groups increasingly willing to challenge traditional expectations about privacy in hopes that product momentum — bolstered by the whole free-with-ads angle — will outpace consumer paranoia.

Update: Google emailed this over earlier this evening:

We take our users’ privacy and security very seriously; recent reports claiming otherwise are simply untrue. We have built industry-leading security and privacy features into Gmail — and no matter who sends an email to a Gmail user, those protections apply.

28 comments
AlejandroMosqueraOchoa
AlejandroMosqueraOchoa

Does anyone know how much does google earn by wiretapping their users' emails for targeted advertising?
how much are worth the 
email marketing insights ?


Angel_Meadows
Angel_Meadows

So...if you are wanting to continue accepting submissions from journalists or fiction writers, editors will now have to deny works from all those writers unless it is via snail mail? Is this supposed to mean that not only is insuring privacy regarding their emailed material not only impossible, but is the fault of both the submitting writer and the editor for chosing to use email to begin with? Are we all going to have to earn computer science and law degrees along with our English or journalism degrees just to send secure email...or do we all just have to create our own personnal email servers? Does encryption really mean only the sender and receiver can read that which is encrypted? Or does it mean: the sender, the receiver, the email service & its advertisers, and the NSA, and the FBI, and GCHQ, and the IRS, and the DEA, and the...and the...and the...? Does anyone ever have the time to read the page after page after page of statements to must agree to before you can merely comment on a story or blog or post or...? Oh never mind...

Denesius
Denesius

I see a huge fundamental problem with google's comparisons: my mail carrier knows me, he better not be keeping track of my addressees. At the post office, they have to see the address, but they don't know the sender. There's a natural division that guarantees my privacy. Google is keeping track of the sender, the recipient, and I suspect, the content of the message. Think about the data that would be collected (the dirt on everyone from politicians to local business owners), and the power & immunity it would give this multi-billion dollar company. If any gmail user out there thinks that the power & potential has not been identified and used, you're naive beyond words.

mrbomb13
mrbomb13

This revelation of The End of Email Privacy should come as a surprise to no one. 

In some form or another, this has been going on for the last decade.  Colleges/universities warn all of their undergraduates/graduates that most companies employ email tracking devices, and can certainly read through your 'electronic paper trail.' 

As someone who works for a leading Fortune 500 company, I can attest to the sophistication of such tracking systems, and to the fact that comapnies will also periodically check all social media accounts as well.  That ensures that employees are not putting out a 'bad rep' on behalf of the company.

emanvieux
emanvieux

If Google took privacy seriously, they would implement end-to-end S/MIME encryption support for email.  There's nothing in the legislation enabling Prism et etc, which *prevents* them from doing so.  There are a few patents on key technology which need to be negotiated, but under the circumstances, I doubt the patent holders could withstand the public outcry if they (the patent holders) refused to place the necessary in the public domain, "for the public good.".  Come on people, let's lean on Google to do the right thing.  If we let bad guys' use of a technology deny us of the right to use that technology, they have achieved what is known as a successful "denial of service" attack. 

sensi
sensi

Reading the "tech news" today half the articles running this gmail non-story are bogus and blatantly misleading/lying, with so-called "journalists" turned brain-dead parrots on a slandering agenda. That's pathetic and shameful, yet almost trivial nowadays...

stagesirenandi
stagesirenandi

I worked for several years as a phone relay operator for the deaf and hard of hearing. We have to adhere to strict FCC guidelines in regards to privacy. The FCC regulations state that even deaf and hard of hearing phone users have a right to the same privacy afforded the hearing population. How does this not apply in regards to the privacy that we DO expect - even as users of intermediary vehicles?

yborcafe
yborcafe

i WANT TO READ ALL OF GOOGEL'S EMAILS TO WASHINGTON . HOW CAN I DO THAT?I WANT TO READ THE EXECUTIVES E MAILS TO THEIR MISTRESSES  DO YOU NOTICE THE WORD EXECUTIVES COMES FROM EXECUTE.

yborcafe
yborcafe

GOOGLE SHOULD CHANGE THEIR NAME TO THE  GEHEIME STAATSPOLIZEI   OR THE JOSEPH GOBBELS NETWORK 

jason.c
jason.c

The Google comment is "Just as a sender of a letter to a business colleague cannot be surprised that the recipient’s assistant opens the letter, people who use web-based email today cannot be surprised if their communications are processed by the recipient’s ECS [electronic communication service] provider in the course of delivery."

I believe this article places incorrect spin on this by connecting the fact that Google said it to a perceived Google-specific privacy risk. The fact is, no matter what email service you use, you cannot be surprised if your communications are processed by the recipient's ECS - which very well may not be Google. 

Unless you know whose hands your email passes through at every single step in the process, it doesn't matter. You could use your own mail server running on your own machine locked safely away in a vault in your basement and that still does not prevent the recipient's mail handling system from doing whatever it wants with your email, regardless of whether they use GMail or not.

If your emails are truly sensitive, consider encrypting emails with, say, GPG. Otherwise there's not much you can do.

I do not think it is fair to pin this to Google, and I do not think this article is in the right for doing so. I believe that the approach this article should have taken is to point out that the same concerns exist for all email in general, and use Google as a credible and straightforwardly honest source.

J

HeavyD
HeavyD

There is a very important distinction missed in the article. The author compares what Google is admittedly doing to a letter carrier "not to read the outgoing and return addresses on an envelope." 

What Google does, however, is open the envelope, read its contents, decide what else should be stuffed into the envelope, reseal it and send it on. 

There shouldn't be an expectation of privacy when the destination email address reads "IwanttokilleveryoneJIHAD@blowupeverything.com", but if the email address is a normal email address, they SHOULD NOT have the right to see its contents and target marketing to either party based on it. THAT is a definitive breach of privacy, and just because they offer the service DOES NOT give them the right to do what they are admittedly doing.

SwiftrightRight
SwiftrightRight

Why would anyone have expected that they have a right to privacy when communicating through a 3rd party? 

Google exists for one purpose; To make a small group of people rich. 

skeeboe
skeeboe

Google's system (specifically Google Now) reminds me when my flight is coming up.  It gets that info from my email.  It lets me know, automatically, when traffic is going to be a problem.  It gets my destination from my calendar.  It provides information to track packages that are mentioned in an email by parsing the message.

They're not reading my email with human eyes.  It's a computer grabbing keywords.  If that scares you, quit using the Internet, including blogs, comments on news sites, shopping sites... really just get off the Web.  (or grow up).

EukaryoteGrex
EukaryoteGrex

@emanvieux It's not physically possible for google to implement end-to-end encryption in gmail, because gmail is NOT AN ENDPOINT - it is an intervening router.  Any attempt to implement strong encryption where the encryption/decryption code resides on a remote webserver (Hushmail, Lavabit, Gmail) is inherently incapable of actually assuring end-to-end security.


If you want end-to-end encryption with gmail, your best bet is probably to send OpenPGP messages as attachments and then decrypt them on the endpoints.

DeweySayenoff
DeweySayenoff

@stagesirenandi When you did your job, you were a "man in the middle".  A real, breathing human being.  Therefore, you were required by law to keep things private.  Now, let's look at what Google does:

Machines scan individual e-mails and matches the text to a database of ads, selecting the most relevant ads to display on the RECIPIENT'S account page based on the e-mail.  No record of what is scanned is kept.  A record of what ads are delivered MAY be kept.  No human eyes see the text.  No one else is allowed to view it (at least with the same force of law as you as a human were required to follow).

Unless you're afraid of sentient machines snickering over someone's spelling errors or some such thing, no information is leaked to humans in any way.  The "privacy" implication is that the email is sent and received without ever being scanned.  But antivirus programs scan emails, and even the act of sending one, contents are scanned by each end to determine that it was sent accurately.  That intrudes on the notion of "privacy" since it is, in effect, making sure the letter in the envelope was transmitted correctly by reading the contents as it's being sent.

And that "reading" is done just by sending an e-mail from ANYWHERE.  It's part of the transmission protocol for all data going over the Internet whether it's e-mail or not.

The bottom line here is that unlike your job, humans aren't in the loop in any way other than maybe to adjust the ad algorithms to make ads more relevant based on whatever is being scanned at the time. But they never see the text that's being scanned.  They merely adjust the algorithms to assign ads based on keywords they program in.  Since it's done at the machine level, only machines can do it.

The alternative is to write letters and mail them.  Then you have to hope it gets there. 

I hope that addresses your question.

DeweySayenoff
DeweySayenoff

@yborcafeAn IQ above 100, and reading the story, is required before posting. 

Please note that no human actually reads your gmail as it passes through their servers.  Computers scan the text then pull up ads relevant to the text.  People don't read your mail.  Maybe you're embarrassed about having too much cyber sex or ordering sex toys and getting ads about that, but I promise you the computers don't care.

So your post is utterly unreasonable, and your thinly veiled terrorist threat is neither thin enough or correct. From Online Etymology: Executive: mid-15c., "performed, carried out;" 1640s, "of the branch of government that carries out the laws," from Middle French executif, from Latin executivus, from past participle stem of exequi (see execution). The noun in this sense is from 1776, as a branch of government. Meaning "businessman" is 1902 in American English. Executive privilege is attested by 1805, American English."

Execution, as it happens, means "carrying out" - not killing someone.

If you're going to post, please adhere to the posting rules.  It's patently obvious that you didn't.

DeweySayenoff
DeweySayenoff

@HeavyD The analogy breaks down on the "read" part.  No human reads anything except the sender and the receiver (the NSA notwithstanding).  Computers scan the contents and choose ads to deliver with it.  That's how Google makes money providing you with a "free service".

Another thing people don't get: Your right to privacy is guaranteed from your GOVERNMENT.  NOT FROM A BUSINESS.  Businesses have no LEGAL obligation to respect your privacy if, in the course of doing business with them, you agree to having your privacy abridged.  And you did.  That agreement you click "I agree" to has all of this written out in perfectly legal terms that you agree to this kind of business activity in exchange for the services and convenience gmail offers.  And the fact that no human from Google actually reads, or even monitors, individual e-mails in the course of transmission means your privacy is only being abridged by machines that don't give a damn.

Finally, you seem to object to this.  I can't understand why.  You don't pay for the service.  Not one thin dime.  Welfare recipients must accept some rather steep terms in order to receive their benefits (Look THAT up sometime).  Your terms were specified as a quid pro quo in the service agreement to which you agreed.  If you object to it, then do not use that service and don't communicate with anyone who does.  You have other options to which you can avail yourself.  But if you want the gmail service, it's on you to accept the terms of that service.  It's a "take it or leave it" proposition.

It isn't rocket science, and it isn't either illegal or unconstitutional.

yborcafe
yborcafe

@SwiftrightRight  THESE GOOGEL PEOPLE ARE THE SAME PEOPLE THAT HAD j kENNEDY KILLED AND MADE THEIR MONEY OFF THE MILITARY INDUSTRIAL  COMPLEX . THE SONS OF REPUBLICAN JACKALS.

jason.c
jason.c

@ouija Exactly. Thank you for a rare display of sanity and analytical thought on the internet.

DeweySayenoff
DeweySayenoff

@yborcafe @SwiftrightRight Seriously, you need help.  I'd recommend a mandatory 72 hour hold for a mental health evaluation at the LEAST.  You're getting way too worked up about something that is both legal and constitutional.  That you can't recognize that indicates a severe delusional state.

I'm not trolling here.  You need help.  Get some.

yborcafe
yborcafe

@DeweySayenoff @yborcafe @SwiftrightRight dewey where are huey and louie  on a train to Auschwitz .Thats what 7 million jews 2 million polish peoples  where  saying at the time they got the free ride and shower.  its ok to stop and frisk its ok to spy on your private life its ok to have drones watching you . hitler would have climaxed if he had facebook wake up we are headed down memory lane.

42maxam24
42maxam24

@DeweySayenoff I found your replies (the 4 I found) more informative, interesting and with much fewer words than the actual article.. Thanks for that!