L.E.P. is Lacking When We’re Talking Gmail

Is anyone really surprised by this revelation via Facebook, via your Great Aunt Sue, via the family party group, via Huffington Post, via who knows where else, that Google’s arguing its Gmail users have no legitimate expectation of privacy? Not me (or even this one).

google devil

The Background

A bunch of consumers in California got together and are suing Google, class-action style, for privacy violations with regard to its Gmail service. In particular, the group argues that “Google unlawfully opens up, reads, and acquires the content of people’s private email messages.” Google counters by saying that it doesn’t actually read the message, such as a human would read the message, but rather its system scrapes the messages for information and feeds you ads based upon those messages. You’ve probably seen these advertisements if you haven’t turned them off already.

Well, as expected, Google filed its motion to dismiss, and because of some of the arguments, many are upset. In particular, most stories I’ve seen grasp onto Google’s primary argument that “all users of email must necessarily expect that their emails will be subject to automated processing” and therefore, users have no expectation of privacy. Motion at 19. Google argues that this expectation applies to all users, not just those of Gmail. Google argues that users implied on the part of the non-Google users. Specifically, Google argues: “[T]he non-Gmail Plaintiffs must have expected that their emails to Gmail recipients would be subject to automated processing by Google in its capacity as the ECS (electronic communication service) provider for their intended recipients.” Motion at 20. Google even goes further to argue its reasoning is supported by the timeless string of cases flowing from Smith v. Maryland (a.k.a., “the pen register” case).

The Theories

In theory, I’m agreeing with Google on this one. Most, if not all, users of email understand that cloud email providers scan email messages to provide filtering and spam protection. Heck, almost every message I get from other attorneys contains the “attorney-client privilege” and “please destroy and notify” caveats as appendages to their sent items. Moreover, unless I specifically know who your receiver’s email messages, you can’t predetermine whether your provider will scan the message once it arrives.

Email is similar to a letter sent via post: once deposited, there’s no guarantee of its arrival or its security. Sure, you can argue that at least the post office or its employees don’t scan the messages prior to delivery and serve ads, but how many times have you seen stories of ditched or destroyed mail. And don’t even get me started on the instances where the machines ate the letter, which necessarily required the post office to snoop. Or even the USPS’s post-9/11 mail logging service. Or your own users’ incompetence.

Quite frankly, the only reason the carrier services have the presumed status they do is because of trust. You trust the carrier to deliver the goods or materials as sent. And, in essence, Gmail does that. Yes, Google skims the content and adds ads. But you can turn them off. Otherwise, the email arrives just as they were sent.

I’m also giving the benefit of the doubt to Gmail that they’re not actually reading the messages. I guess they could. But why? Their goal is advertising, and advertising is only as relevant as the most recent message. As one Google ad proclaims: “You know who needs a haircut? People searching for haircuts.” Timing truly is everything.

And Here’s the Beef

Google’s contention hinges on the argument that no one expects privacy when they send a message, and Gmail users are among that bunch. While I agree that Gmail’s free service lacks any expectations of privacy, I’m don’t believe that goes hand-in-hand with its paid service, Google Apps.

First, Google Apps users pay for their accounts. This includes their domain names and the extra storage for messages, pictures and documents. Payment implies certain protections and benefits that freebies don’t, including the benefit of ad-free harassment.

Second, Google Apps permits users to restrict access to a user’s ability to send or receive messages. Once again, these restrictive settings imply added security and privacy protections for paid users.

Why do we pay extra for FedEx or UPS delivery? Because they implicitly (and explicitly) guarantee a certain standard of behavior. Similarly, Google’s paid services imply stricter standards and increased privacy. Therefore, Google’s argument fails when it says that all Gmail users have no expectation of privacy.

Certainly, some Gmail users have no legitimate expectation of privacy based on their status as free users. But arguably, Google Apps users, as paying consumers, have a legitimate expectation of privacy, even though Gmail is their platform. What’s the benefit of paying for a service otherwise? Google forces its Google Apps users to adopt Gmail as the email client and provides no other alternatives (yes, I realize there’s email forwarding). As such, simply using Gmail does not necessarily waive those Google Apps users’ expectation of privacy.

Of course, Google will argue otherwise when it comes to Gmail’s privacy policy.

But I Don’t Want Evil

Face it folks, privacy is dead. In reality, I don’t care whether Google wants to scrape my incoming messages and feed me advertising. Frankly, Google’s ads are a lot less wasteful, and more environmentally friendly, than my daily pile of junk from the post office.

If you’re truly scared that Google’s invading your privacy more than the government (or your local grocery store), there are a some solutions.

Stop using Google. This is the easiest, and guaranteed, method to ensure that Google doesn’t have access to your information. This means ditch Gmail, Google Apps, and all the other Google products. Now.

Use third party software for email. If you’re a little bit okay with Google, you might try using third-party (usually self-hosted) software to send and receive email. Most email providers have POP3 and IMAP capabilities that enable you to send and receive email without using an intermediary. Microsoft Outlook is one such software, but there are literally hundreds of different desktop solutions. The key is to bring your email “in house” as much as possible. Speak with a qualified IT professional for the best solution.

Hold clandestine meetings in a park. If you don’t know what this means, read more Brad Thor, Vince Flynn, or even watch a little Burn Notice. Spies do it in private and in person because of these concerns.

Succumb to the Borg. The Borg, for non-Star Trek geeks, represents all things evil, which operate as drones. Granted, Google’s not that bad, almost. I suspect, based on the pleadings, Google will reach a collective settlement with the class-action plaintiffs. I hope that settlement clarifies some of the blurred lines between paid and unpaid services, including Gmail. As I said before, I’m not worried about Google’s scanning, especially since I’ve learned to ignore the ad placements altogether (please don’t ignore the ad placements on this site).

Parting Thoughts

I don’t like surprises (like the NSA’s snooping), but nobody should be surprised by Google’s lack of LEP arguments. I can’t count the number of times I’ve received emails intended for “the other” Jeff Taylor. And even though I “destroyed” the message, I still read its contents. Certainly, in the sense of all email, “if you wouldn’t want your mother to read it, you shouldn’t send it,”  is a fact. Always be careful and cautious about the contents of your emails.

Update (08/14/13): I went ahead to dig deeper into Google’s Motion. I noticed this:

Non-Gmail Plaintiffs

 

Of course, since I spent all of the day moving my office and the power company cut our power early, The Verge scooped my insight. Google’s actually arguing that non-Gmail users have no expectation of privacy. This makes Gmail’s scanning methods even less of an issue, since Google’s privacy policy applies to its users.

I’m still standing by my initial assessment that even Gmail’s free users have little to no expectation of privacy.

9 Responses to L.E.P. is Lacking When We’re Talking Gmail

  1. Always good writing. As a college classmate of Vince Flynn (seriously), I appreciate the advice on clandestine meetings. Meanwhile, on a side but related note, I’ve wondered why more people aren’t talking about Yahoo’s unsung efforts to protect their customer’s privacy, as in this article on Estate Dispatch http://estatedispatch.com/estate-map-board-member-marc-zwillinger-challenged-the-nsa-on-prism/? I would have expected more chatter on the subject. (Sorry if any discussion of the PRISM program is taking us off-topic though.)

  2. Jeffrey,
    I looked that this issue in March (see http://chardjeffrey.wordpress.com/2013/03/16/practice-guidelines-for-the-use-of-cloud-computing-by-lawyers-revisited/). My conclusion then was Google has a policy to protect the confidentiality of Gmail communication and confidentiality would not be lost by using Gmail. There are different policies for different classes of users, although the free service is harder to find].

    I do believe that Google went a little to far in the particular submission, even though that submission was taken out of context. The particular submission was directed to the proposition that no non GMail sender of an email could have an expectation of privacy when sending an email a Gmail account. Whilst it is true that there is no contractual privity with the non Gmail user, there is no doubt that the recipient of the email has an legitimate expectation of privacy and confidentiality.
    In relation to automatic processing, as I discussed in my post referred to above, I do not believe that confidentiality or privacy is lost in Google automatically processing the information. Confidentiality is not lost just because information is disclosed to a third party who has agreed to maintain the confidentiality of that information.
    Jeffrey Chard

    • Thanks for the comment.

      I’m sure that most courts would not waive privilege simply because a user picks Gmail as his/her preferred email client. I’m in agreement that the receiver has some sort of expectation of privacy, though perhaps not a “legitimate” one as United States courts have determined. I’ve always take the long-held belief that email is similar to shouting: if you don’t want anyone to hear, you’d better whisper.

  3. I’m not so sure that Google’s argu,ents are all that absurd. Their basic premise is that when you send email to a Gmail client, the Gmail client has scanning in place to detect and serve.

    Similarly, when I send messages to someone, I don’t know who or what measures will filter and scan my email. I’ve had several occasions where the messages I sent to opposing counsel weren’t even seen by the attorney – an assistant auto-responded and then the assistant responded with the attorney’s comments. Trues, this remained “in-house,” but how can I reasonably expect that my emails were private?

    • Same rules apply anytime you send email to somebody at a company email address. Most employers maintain the right to snoop through their employees’ emails – both incoming and outgoing. As consumers, we need to do a better job of recognizing what we’re getting ourselves into rather than just assuming that a magic fairy is vigilantly protecting us at every turn.

Let's discuss this (you can use Markdown in your comment)

Jeff Taylor

I’m just an ordinary guy living an extraordinary life. I’m also an attorney and I blog about Android for lawyers. You can follow me on Twitter, LinkedIn, YouTube, or Google+.