By Doug Miller
Many of us have been following a legal case being fought in California in which 10 plaintiffs are suing Google over its practice of scanning the content of private Gmail messages for the purposes of showing ads related to the content of the user’s email.
The plaintiffs and many privacy organizations claim Google “unlawfully opens up, reads, and acquires the content of people’s private email messages” and this violates California’s privacy laws and federal wiretapping statutes. Google states that it has always done this and “all users of email must necessarily expect that their emails will be subject to automated processing.” Google also states that the revenue gained by delivering context-sensitive ads to Gmail users enables it to offer a free service. In fact, Google was just awarded a patent related to scanning the content of emails, ranking the content and matching ads to the content.
Where’s the Harm?
There may be other indirect forms of harm when you think about how Gmail is used. If a lawyer or doctor, using a non-Gmail system sends a private message to a customer that uses Gmail and that email gets scanned, has client-attorney privilege been violated or has personal healthcare information been inadvertently disclosed to a third party. While Google would argue that no humans are involved in the scanning, it is clear that humans do see the results of this scanning. For example, imagine a co-worker happens to see a big ad for DUI legal services on your Gmail screen or the recommendation that your psychiatrist join Google+ is shown to your friends. The disclosure of private emails sent by non-Gmail users, who never agreed to Google’s terms, to Gmail users is a key part of this case. As Texas attorney Sean Rommel states, “The injury is two-fold: the privacy invasion and the loss of property. Google is taking people’s property because they can get it for free as opposed to paying for it.”
We may never know the full extent of the scanning that takes place in Gmail as Google has asked the court to redact information related to scanning in court documents. However, the Electronic Privacy Information Center (EPIC) has created a Gmail Privacy FAQ that provides a lot of useful information and is a “must read” for anyone who uses Google Gmail.
The Questions That Have Not Been Asked
According to an AP story in the Washington Post, Google attorney Whitty Somvichian said “it’s ‘inconceivable’ that someone using a Gmail account would not be aware that the information in their email would be known to Google.” Google has also stated “a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.” Finally, Google has also stated that the scanning of email helps to pay for the costs of running a free service.
Now let’s tie in the fact that Google provides Gmail as a service for businesses, schools and governments as part of its Google Apps program. We have asked the scanning question before and the answer back has been, these customers do not see ads when they use Gmail (unless they chose to enable ads). But that is not the question in this case. Here are the questions that should be asked (and answered):
Does Google scan the private content of Gmail messages used by Google Apps customers?
Should Google Apps customers have a legitimate expectation of privacy since they have handed over their information to Google?
I know for a fact that some scanning occurs for Google Apps for Business customers, since the names and email addresses of people I communicate with while using Google’s paid Google Apps services are extracted from my communications and are presented as potential buddies in Google’s Google+ social networking service.
What about Education Users?
Another troubling aspect of this case is Google’s insistence that it has a right to mine private emails and show relevant ads in order to offset the costs of running its free services. So how does this impact education users of Gmail? Google Apps for Education is offered to schools for free therefore it seems likely that Google is scanning these emails and is monetizing the information to help offset the cost of offering the free service. Google states that by default it does not show ads to kids who use Google Apps but in fact, kids always do see ads when they use other Google services such as Google Search or YouTube. So the question then is:
Does Google scan the content of our kids’ emails and monetize that information through advertising on ad-based services such as YouTube?
This is definitely a case worth watching and the outcome will not just impact Google but will set the rules for any online company that uses private user information to make money. But will this case go far enough? Should we be looking beyond consumers and also look at how private business, school and government information is also being used and whether these practices are legal as well?