Correction appended at 7:53pm EDT on 8/14/2013: An earlier version of this article erroneously stated that Gmail users have “no legitimate expectation of privacy” when it should have stated that non-Gmail users who email Gmail users have “no legitimate expectation of privacy.” The article’s title has been changed to reflect the update. A quote from Google has also been added, as has a quote from the introduction of Google’s motion concerning wiretap statuses and automatic email scanning.
Lavabit is no more. Silent Circle has shuttered its secure email service. All the major email providers appear to be complicit in one form or another with PRISM, the NSA’s clandestine email surveillance program revealed by The Guardian in early June. And now Google’s legal team seems to be spraying gasoline on the controversy after filing a motion in mid-June that, among other things, argues users who access Google services like Gmail shouldn’t expect their transactions to remain secret.
The salient quote was surfaced by Consumer Watchdog, a nonprofit California-based consumer rights group founded in 1985. It’s from a 39-page motion filed by Google on June 13, 2013 in hopes of dismissing several disparate complaints that allege the company violates wiretap laws by poking around in email to engage in targeted advertising.
Just as a sender of a letter to a business colleague cannot be surprised that the recipient’s assistant opens the letter, people who use web-based email today cannot be surprised if their communications are processed by the recipient’s ECS [electronic communication service] provider in the course of delivery. Indeed, “a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.”
That last sentence, which refers explicitly to non-Gmail users who send email to Gmail users, does sound damning. Is Google’s legal counsel right? Do people who interact with Gmail have no rightful expectation to privacy when voluntarily turning information over to third parties like Google? Consider what comes next in the motion before dusting off the pitchforks and torches.
Referring to the 1979 court case from which the above quote was extracted, Google writes:
In particular, the Court noted that persons communicating through a service provided by an intermediary (in the Smith case, a telephone call routed through a telephone company) must necessarily expect that the communication will be subject to the intermediary’s systems. For example, the Court explained that in using the telephone, a person “voluntarily convey[s] numerical information to the telephone company and ‘expose[s]’ that information to its equipment in the ordinary course of business.”
Google does seem to be semantically overreaching when it claims non-Gmail users have no rightful expectation of privacy: who doesn’t expect (naively or no) that their communications will remain private when sending or receiving email? But the point the company’s making involves pragmatics: email systems have to parse emails in order to process and route them properly. That’s a by-design thing. Fretting about it’s a little like expecting a snail mail carrier not to read the outgoing and return addresses on an envelope.
But that’s only a fraction of what Google’s up to in this motion, most of which talks about Gmail users themselves, including this section (from the introduction):
Second, the wiretap statutes also preclude liability where either a single party to the communication (for the federal statute) or both parties (for the state statutes) have expressly or impliedly consented to the practices at issue. Here, all Plaintiffs who are Gmail users consented to the automated scanning of their emails (including for purposes of delivering targeted advertising) in exchange for using the Gmail service, thus precluding any claim under federal law.
In short, the company claims both federal and state wiretap statutes exempt it from liability related to conduct — both for Gmail and non-Gmail users — that occurs in the ordinary course of business. Google, of course, is appealing to as wide a definition of “conduct” as you’d imagine a company like it would, dismissing complaints about email scanning because it says you’ve consented to be scanned, whether you’re a native Gmail user or exchanging emails with a native Gmail user.
As Google puts it in its privacy policy explainer:
We use the information we collect from all of our services to provide, maintain, protect and improve them, to develop new ones, and to protect Google and our users. We also use this information to offer you tailored content – like giving you more relevant search results and ads.
Assuming Google’s right legally speaking — and don’t confuse what’s legal with what’s ethical — the company has a point. Throughout the motion, Google’s essentially saying that it does what it does, that it has a legal right to do what it does, that it’s been very clear about what it does, and that anyone accessing a service like Gmail, whether natively or indirectly, is beholden to its terms of use, including automated rifling through email content and using that information to craft targeted ads.
That, I suspect, is why you have Consumer Watchdog director John Simpson saying: “Google has finally admitted they don’t respect privacy. People should take them at their word; if you care about your email correspondents’ privacy don’t use Gmail.” The message isn’t sue Google, it’s quit Google.
Indeed, unless we believe Google hasn’t been clear about what it does or doesn’t do, the legal onus isn’t on Google to stop scanning every Gmail message it’s parsing; it’s on users opposed to either lobby the company to change its behavior, or abandon the service, whether that’s shifting to another email provider (problematic, especially if your concerns extend to government snooping), opting for self-hosted and/or encrypted email (the do-it-yourself route, i.e. build your own email server), or investigating peer-to-peer email services (server-less, secure, anonymous…supposedly).
After 9/11, an old Ben Franklin quote started circulating: “They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.” Replace “a little safety” with “lifestyle conveniences” and you have an applicable analogue for what’s happening as we hand our digital correspondence off to massive memory banks controlled by a handful of groups increasingly willing to challenge traditional expectations about privacy in hopes that product momentum — bolstered by the whole free-with-ads angle — will outpace consumer paranoia.
Update: Google emailed this over earlier this evening:
We take our users’ privacy and security very seriously; recent reports claiming otherwise are simply untrue. We have built industry-leading security and privacy features into Gmail — and no matter who sends an email to a Gmail user, those protections apply.