Gmail

GMail panel photo...

The Gmail Plenary at CFP. Nicole Wong, the Chief Compliance Officer for Google, was a great sport to show up amid the recent controversy. It was also great to get David Link from Sen. Figueroa's office. Note, thanks to Ms. Wong, I know have a Gmail account... email joehall at GMail plus the dot com part to reach me. From left to right: Chris Hoofnagle, Electronic Privacy Information Center; Sunil Paul, Brightmail; Sonia Arrison, Pacific Research Institute; Nicole Wong, Senior Compliance Counsel for Google; Ari Schwartz, Center for Democracy & Technology; J.C. Cannon, Microsoft; David Link, Technology Counsel, Cal. Sen. Liz Figueroa; Amalie Weber, UC Berkeley Boalt Hall School of Law.

Incoming/Outgoing (G)e-mails?

I was also particularly intrigued by panel members' concerns about the difference between e-mails sent by a Gmail user and those received by said user. How could Google restrict the scanning of e-mails to content created by those who have consented to Gmail's privacy policies?

I liked Joe Hall's suggestion of a "don't scan me!" header that could be placed in an e-mail, but wouldn't that still require a third-party sender to know/realize that their e-mail was headed to a place where it would be scanned? Couldn't Google, as Chris Hoofnagle suggested, only scan outgoing e-mails? To address a comment from an audience member, concerned about the scanning of third-party emails when Gmail users forward or reply to such messages--most e-mail clients automatically mark (i.e. >>>) such text to distinguish it from new text. Couldn't Google build it into their system to automatically exclude this text from scanning?

GMail - Unintended uses

So, Nicole Wong of Google said she couldn't think of an instance where they would tell us what to do with our GMail accounts. I'd like to use it exclusively to send myself and other GMail account-holders encrypted messages and files. It'll be interesting to see what kind of advertisements get served up in that case, but what is even more interesting than having a free GB of storage out there with Google's reliability are the additional uses people will think of.

For instance, you may have heard of freenet. It's an encrypted peer-to-peer file-sharing network that is highly anonymous. Right now, when you install freenet it defaults to using 256MB of your hard drive space to store the encrypted contents of the freenet network. You can't know what portion of freenet your computer stores without breaking the encryption. (Good luck. Let me know how that turns out.) How long do you think it will take some hacker to figure out how to use GMail's 1GB of storage space as part of freenet or a similar network? About two seconds.

While this use might eventually irritate Google as it'd be rare that any human ever saw their ads, in the case where I just use the space to send myself encrypted files I want to backup, I will still occasionally find myself on the GMail site looking at ads, some of which I might even click on. They'll have trouble targeting ads at me, perhaps I'll be offered security or encryption-related products! But, on balance, I think that my proposed usage (the personal one, not the freenet one) would constitute such a small percentage of users and would only moderately thwart their purposes, and hence should be allowed.

Once people write scripts to interact with the site for other purposes that don't send human eyeballs to GMail, I bet we'll see a turnaround on Ms. Wong's/Google's stated position.

Gmail vs. Corporate Mail

An interesting issue has come up in the Gmail and privacy session. If you send an email to someone at a corporation, e.g. jason@microsoft.com, there is an implicit understanding amongst most people that Microsoft could scan the email and read its contents. After all, Microsoft has a number of trade secrets to protect (as well as other interests) and since you are sending the email to one of its employees, it presumptively has the right to check it to make sure it isn't causing the corporation any harm. At the very least, it could argue that since the mail has been sent to its comptuer servers, it has a right to look at it if it wants.

So what about Gmail? Shouldn't people have the same low expectations of privacy if they send email to someone using a gmail.com email address? After all, the email is residing on Gmail's servers and there's no illusion that the email is residing on a private server.

The difference, I think, is one of perceived control and ownership. When I send email to microsoft.com, I understand that Microsoft has a right to police its email and servers because the person you are sending the mail to is an employee there -- someone who Microsoft has control and supervision over while they are at work.

With Gmail, however, Google doesn't have any control or supervision over its users. At least, that's our current perception. In return for seeing ads, users get a Gig of storage. That's the relationship. Google doesn't try to tell the user what to use to account for or try to control their behavior or supervise it. Therefore, when I send email to someone at a Gmail account, I assume the user is in control of the privacy of that email, not Google.

User Contract Terms

From the Gmail beta user agreement: (emphasis added)

Privacy. As a condition to using the Service, you agree to the terms of the Gmail Privacy Policy as it may be updated from time to time. Google understands that privacy is important to you. You do, however, agree that Google may monitor, edit or disclose your personal information, including the content of your emails, if required to do so in order to comply with any valid legal process or governmental request (such as a search warrant, subpoena, statute, or court order), or as otherwise provided in these Terms of Use and the Gmail Privacy Policy. Personal information collected by Google may be stored and processed in the United States or any other country in which Google Inc. or its agents maintain facilities. By using Gmail, you consent to any such transfer of information outside of your country.

Advertisements. As consideration for using the Service, you agree and understand that Google will display ads and other information adjacent to and related to the content of your email. Gmail serves relevant ads using a completely automated process that enables Google to effectively target dynamically changing content, such as email. No human will read the content of your email in order to target such advertisements or other information without your consent, and no email content or other personally identifiable information will be provided to advertisers as part of the Service.

Filtering and Collection vs. Dissemination

Early on in this panel, Prof. Mulligan, who is moderating, is hitting the panelists hard on defining privacy and getting at just why Gmail's filtering is alone a privacy issue. ISPs filter spam, so why is filtering for advertisement targeting different? Is the real issue the dissemination of the information? The misuse of the profiles generated by Gmail?