Google: Why your email isn’t private

by Jon Xavier, Silicon Valley Business Journal

You might, like a lot of people, expect that your Gmail emails are private conversations between you and the recipient. You would be wrong.

That’s not me saying this, by the way. It’s Google.

The search giant is currently facing a class action lawsuit in San Jose with allegations that it violates users’ privacy by gathering data from their emails to use for its own purposes, mostly for serving ads. On Tuesday, it filed a motion to dismiss the case in which it argued, essentially, that users shouldn’t complain about its data gathering practices because it was unreasonable for them to expect it not to have access to those emails in the first place.

“Just as a sender of a letter to a business colleague cannot be surprised that the recipient’s assistant opens the letter, people who use web-based email today cannot be surprised if their emails are processed by the recipient’s [e-mail provider] in the course of delivery,” the brief said. “Indeed, ‘a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.'”

What Google’s lawyers mean

Now, the lawyers’ job is to couch their arguments in such a way as to give their employer the most wiggle room possible. But that’s still a pretty sweeping statement. They’re essentially saying that because you agree to give your data to Google, Google can use that data to do whatever it wants, potentially things with greater impact than just serving advertising. And we may already be seeing the early indication of some of those uses, as user data is now shared between Google services in a way that it wasn’t before a privacy policy change last year.

The contents of your emails might soon affect the search results you see, in other words.

Still, Google is right in some sense. Because of the way email works, Google does need access to at least some of the data so that it can properly deliver your email. And of course, Gmail is a service Google provides for free that it wants to make money on somehow. As the old saw goes, if you aren’t paying for it, then you’re the product. Having Google scan your emails and use that data to serve ads is in some sense the price you pay for the convenience of its web mail, and as the filing points, you agree to as much when you check that End User Licensing Agreement box the first time you use Gmail.

And before you get too steamed at Google for telling you what level of privacy you should expect on the Internet, you should know that there’s a reason that last bit is in quotes. Google is actually citing the decision in another, much earlier case, Smith v. Maryland. In that case, the Supreme Court held that wiretapping telephone calls at a facility owned by the phone company didn’t violate the 4th Amendment because it was just giving law enforcement access to info that the phone company would have anyway. That “no legitimate expectation to privacy” quote actually comes from Justice Harry Blackmun’s majority opinion.

The devil in this particular detail

So, open and shut, right? The Supreme Court and Google say you can’t expect emails to be private, so they’re not. Not exactly. That decision was from 1979 and the precedent applied specifically to one type of phone wiretap. Email is a slightly different issue, and lower courts have ruled that the contents of emails are protected by the Fourth Amendment, although the subject and recipient fields aren’t.

In other words, there’s more space for a legal challenge than might readily be apparent, and this case could get very interesting given that it touches on one of the cornerstones of the modern web — the ability of companies to offer free services while profiting off of users’ data.

Shrinking industry

Meanwhile, a lot of the email services where you do have a reasonable expectation of privacy are shutting down. Lavabit, which was one of the encrypted email providers used by Edward Snowden to contact privacy rights advocates, abruptly closed its doors last week after something (possibly an order by the NSA) happened that made founder Ladar Levison feel he couldn’t guarantee the privacy of the service anymore.

That prompted another major secure communications provider, Silent Circle, to discontinue its email service and destroy all customer data because its founders say “the writing is on the wall” for the industry after Lavabit shut its doors.

Still other companies, like Monterey’s Privato Security, are pressing on, seeing an opportunity to seize market share at a time when there have never been more people interested in email encryption.

But it’s a fine line — how much do you promise your customers, and what can you reasonably do if the NSA knocks on your door?

“It’s a very big opportunity right now,” Privato CEO Neal Smith told me recently. “But it’s a difficult opportunity at the same time.”