Gmail Privacy FAQ
1. What is Gmail and and what privacy risks does it raise?
1.1 What is Google's Gmail?
1.2 What is your position on Google's Gmail?
1.3 What privacy risks are presented by Gmail?
1.4 When did this issue arise, and what has happened since then?
1.5 What other things has Google been doing that might affect my privacy?
2. Technical details about Gmail
2.1 How does Google's "content extraction" work?
2.2 What is "internal" and "external" e-mail information used in the analysis?
2.3 Will Gmail build profiles of subscribers and/or non-subscribers?
2.4 Why is Gmail different than spam filtering?
2.5 It's a computer, not a person reading your e-mail. What's the big deal?
2.6 What patents has Google filed for Gmail?
3. Legal details
3.1 What are the Federal wiretapping laws, and does Gmail implicate them?
3.2 What is California's wiretapping law, and why does Gmail implicate it?
3.3 Is there a "service provider exception" under California wiretapping law?
3.4 What legal objections have been raised in other countries?
4. What can you do?
4.1 Don't sign up for Gmail
4.2 Don't send e-mails to @gmail.com addresses
4.3 Reduce the possibility of tracking you through your cookies
4.4 What are YOU guys doing about it?
Gmail is a web-based e-mail service offered by Google offering one-gigabyte (1000 megabytes) of e-mail storage to users, five hundred times the capacity offered by Microsoft's Hotmail (as of June 2004, although banner advertising-supported web-based e-mail services, including Hotmail and Yahoo! have or plan to increase their storage capacity in response to the competitive pressure of Gmail).
Gmail is supported by advertisers who buy keywords, much like the Google search engine's AdWordsadvertising program. Gmail uses "content extraction" (the term used in Google's patents) on all incoming and outgoing e-mail in order to target the advertising to the user. For example, if the user is having an e-mail conversation about applying for a job, Gmail might present the user with ads about online job search sites and resume writing services.
Gmail violates the privacy rights of non-subscribers. Non-subscribers who e-mail a Gmail user have "content extraction" performed on their e-mail even though they have not consented to have their communications monitored, nor may they even be aware that their communications are being analyzed. Subscribers to Gmail also face risks to their privacy; those risks are outlined below.
b. Unlimited Data Retention.While the prospect of never having to delete or file an e-mail is an attractive feature for space-hungry users, the implications of indefinite storage of e-mail communications presents several serious implications. Although Google has is held in high esteem by the public as a good corporate citizen, past performance is no guarantee of future behavior -- especially following Google's IPO when the company will have a legal duty to maximize shareholder wealth. Although Google currently saysthat they will not record the "concepts" extracted from scanned e-mails, they could decide to do so in the future and thereby create detailed profiles of users. Building such profiles on years of past communication in addition to current communications is made easier if users never delete e-mails. Additionally, communications stored for more than 180 days are exposed to lower protectionsfrom law enforcement access; with Gmail, many such e-mails could be made easily available to police.
d. Bad Legal Precedent.In the United States, violations of privacy with respect to the Fourth Amendment are based partly on whether the person had a legitimate expectation of privacy. If a major online e-mail provider such as Google is allowed to monitor private communications -- even in an automated way -- the expectations of e-mail privacy may be eroded. That is, courts may consider the service as evidence of a lack of a reasonable expectation in e-mail. Businesses and government organizations may thus find it easier to legally monitor e-mail communications. These effects are long-term and will undoubtedly outlive Google.
Additionally, privacy policies may provide weak protection as other major online web service providers have unilaterally changed their privacy policies to the detriment of their users, including Amazon.com.
April 1, 2004
- In a press release, Google announced launch of the Gmail service. Many initially thought this release was part of Google's traditional April Fools joke. The service is only available to a limited number of beta testers, not yet to the general public.
April 6, 2004
- Thirty-one privacy and civil liberties groups signed an open letterto Google, urging it to suspend the Gmail service until its serious privacy issues are resolved.
April 20, 2004
- California State Senator Liz Figueroaadvanced an amended version of SB 1822, a bill concerning privacy of electronic communications.
May 3, 2004
- EPIC, Privacy Rights Clearinghouse, and World Privacy Forum sent a letter to California's Attorney General, arguing that Gmail violates California Wiretapping law (see 3.2for more details).
May 6, 2004
- The California State Senate Judiciary Committee held a hearingon Sen. Figueroa's bill, SB 1822. Click hereto watch a video of this hearing (requires RealPlayer).
June 4, 2004
- CA's Attorney General respondedto the letter, acknowledging the potential wiretapping violation, and promising to look into the matter.
It is common knowledge that Google's general motto and one of their "cherished core values" is "Don't be evil." (See Google's Jobs Page, left hand sidebar). However, many have recently come to question this assertion, criticizing Google's actions across a wide range of activities. The following is a brief list of some criticisms directed at Google's record on privacy in arenas other than Gmail:
Every time you visit a Google.com site, a cookie placed on your computer. This cookie is linked to your computer by a unique identifying number and enables tracking of all searches performed along with your browser type and IP address. This Google cookie does not expire until the year 2038 unlike most other major web sites which have a much shorter durations. Google claims that this cookie is required to set preferences for Google sites, but that you can still perform searches without the cookie. For more information, see the following sources:
- In 2001, Google acquiredDeja.com's Usenet Discussion Service, providing Google with Deja.com's entire Usenet archive, dating back to 1995. Google integrated this database into their Google Groupsservice. Many were uneasywith Deja.com's service even before it was acquired by Google, because of the vast amount of information and messages contained in these archives, which nobody had really contemplated being amassed in such an accessible and searchable way. A Deja News executive even once stated: "We're positioned to become the largest content aggregator in the world." Now, with this service integrated into Google's site, the archive extends back to 1981 and encompasses over 845 million Usenet messages. Google has, however, made it possiblefor users to request that their posts be removed from this archive.
A new social networking site, Orkut, debuted in January, 2004, "in association with" Google. Google representatives have statedthat the site is affiliated with Google, developed by one of its engineers Orkut Buyukkokten during his obligatory one-day-per-week of personal project work, but is not part of Google "product portfolio." This site is a "trusted" network, meaning only those who are invited by a current member can join, and collects a massive amount of personal information about its members, who are encouraged to complete elaborate personal profiles to be shared with their friends and other Orkut users. One Orkut user was able to successfully mine the Orkut databases, creating the "Orkut Personal Network Geomapper," which allowed people to look up Orkut users and view their friends network. Google sent a cease and desist letterto the creator of this site, alleging that it violated Orkut's terms of service, and the Geomapper is no longer available. Finally, Orkut's Terms of Serviceinclude the following clause, which gives them broad rights to your information:
By submitting, posting or displaying any Materials on or through the orkut.com service, you automatically grant to us a worldwide, non-exclusive, sublicenseable, transferable, royalty-free, perpetual, irrevocable right to copy, distribute, create derivative works of, publicly perform and display such Materials.
While Google has not released technical details of how the Gmail e-mail "content extraction" and analysis works, the patent(#20040059712) filed with the US Patent and Trademark Officeprovides some clues. Gmail examines the entire content of the e-mail message including the header and addressing information (see 2.2for more details) in order to derive the the "concepts" contained in the e-mail. Relevant ads are then placed to the subscriber when the e-mail is displayed. Different ads may be served at different times depending on when the e-mail message is viewed, or re-viewed.
"Internal e-mail information" and "external e-mail information" are both used in the scanning and analysis process, according to the patent(paragraphs 51-80). Internal e-mail information is the actual data contained within an e-mail message where as external e-mail information is data derivedfrom the internal information using Gmail's analysis algorithms (e.g. by looking at the IP of the sender and/or the timezone in the timestamp, the geographic location can be determined).
|Internal e-mail Information||External e-mail Information|
|Body of the e-mail||Concepts derived from body|
|Actual sender e-mail address||------|
|Concepts from sender e-mail address (e.g. e-mail address based on hobby)||------|
|Recipient type (e.g. direct, CC, BCC)||------|
|Business card file (e.g. vcard)||------|
|Directory paths of attached files||Concepts derived from attached files|
|Attached files (e.g. word processing files, pictures, etc.)||------|
|Information from a web page link included in e-mail||Concepts derived from files web page links|
|Time e-mail was sent|
|Geographic location of sender|
|Geographic location of recipient|
|Information derived from search results of a query on extracted e-mail information (i.e. a Google search on the derived concepts)|
Google has impliedthat it is not building profiles of Gmail or other Google service users ("[It] will not keep a log of which ads went to which users, nor will it keep a record of keywords that appear often in an individual's e-mail"), but nothing is stopping it from doing so. In fact, the Gmail patent(paragraphs 71-76) specifically describes profile-building features. The concept-building, according to the patent, may be based on the following:
- Information about the sender, including information derived from previous interactions with the sender
- Information about the recipient, including information derived from sender'saddress book or from previous interactions with the sender
- Information about a recipient based on a profile or information about the sender (the example from that patent is: "Sender is a wine enthusiast and has recently searched for and/or browsed pages related to wine, suggesting that recipient may also be interested in wine")
- Information from other e-mails sent by sender
- Information from other e-mails received by recipient
- Information from other e-mails having the same or similar subject text
- Information about recipient from sender's contact information
- Directory and file information based on the path name of attachments sent in previous e-mails (e.g. building an index of filenames on sender or recipient's computer)
From a technicalstandpoint, there is no categorical difference between Google "content extraction" and spam filtering-- each involves an automated process that analyzes the body and/or header information of e-mail messages. However, from a legal standpoint, there is a fundamental difference between filtering out unwanted junk e-mail and analyzing the content of private communications in order to target advertisements. (See 1.3d "Bad Legal Precedent") Additionally, Google may choose to create profilesof subscribers and the people with whom they e-mail, possibly cross-referencingother Google products (Google search engine, Orkut, etc).
Google has filed three different patents:
[The primary Gmail patent] United States Patent Application 20040059712: "Advertisers are permitted to put targeted ads on e-mails. The present invention may do so by (i) obtaining information of an e-mail that includes available spots for ads, (ii) determining one or more ads relevant to the e-mail information, and/or (iii) providing the one or more ads for rendering in association with the e-mail."
United States Patent Application 20040059708: "The relevance of advertisements to a user's interests is improved. In one implementation, the content of a web page is analyzed to determine a list of one or more topics associated with that web page. An advertisement is considered to be relevant to that web page if it is associated with keywords belonging to the list of one or more topics. One or more of these relevant advertisements may be provided for rendering in conjunction with the web page or related web pages."
United States Patent Application 20040093327: "Advertisers are permitted to put targeted ads on page on the web (or some other document of any media type). The present invention may do so by (i) obtaining content that includes available spots for ads, (ii) determining ads relevant to content, and/or (iii) combining content with ads determined to be relevant to the content."
The Electronic Communications Privacy Act (ECPA)was passed in 1986 as an update to the law governing the interception of electronic communication, including e-mail. Title I of ECPA (The Wiretap Act) ( 18 U.S.C. § 2511) governs communications "in transit."
The federal Wiretap Act only requires one of the parties to consent to the acquisition of the communication. However, the Ninth Circuit Court of Appeals has indicated (in construing the authorization provision of the Stored Communications Act) that an ISP will not be insulated from liability if it "procures consent by exploiting a known mistake that relates to the essential nature of his access." Theofel v. Farey-Jones, 341 F.3d 978, 983 (9th Cir. 2003). Therefore, even the Gmail subscriber herself has consented to the acquisition of her communication, thus negating the application of the Wiretap Act, only if Gmail has adequately revealed and explained the "essential nature" of their access to the e-mail communications.
The California wiretapping law, CA Penal Code § 631, provides criminal penalties for "[a]ny person who intentionally taps, or makes any unauthorized connection with any telegraph or telephone wire, line, cable, or instrument or who willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state; or who uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained "
As interpreted by the California courts, § 631 criminalizes "three distinct and mutually independent patterns of conduct": (1) intentional wiretapping, (2) willfully and without the consent of all parties reading/attempting to read or learn the contents or meaning of any communication while it is in transit or being sent from/received in California, and (3) attempting to use or communicate any information learned by engaging in the activities prohibited under (1) and (2). See Tavernetti v. Superior Court, 583 P.2d 737 (Cal. 1978), cited in Burns v. Nature's Best, 114 Cal. Rptr. 2d 881 (Cal. Ct. App. 2001).
From the currently available information on Gmail, it appears that the service does implicate the California wiretapping law, specifically the provision that criminalizes "reading or attempting to read or learn the contents or meaning of a message or communication" (part above). The elements and implications of the offense are as follows:
"willfully and without the consent of all parties to the communication, or in any unauthorized manner"
- Google's actions are willful because the service is designed for the purpose of scanning and extracting the content of e-mail messages that pass through its Gmail system.
- Google does not have the consent of all parties to each communication. While Gmail users arguably consent to scanning of their own e-mails, parties sending messages to Gmail users have no knowledge of Google's scanning and extraction, and have not consented to these actions.
"reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication"
- Scanning of the text of e-mails and extracting, compiling, and using information from this text is an attempt to "learn the contents or meaning" of the communication.
- While no human reads the content of e-mail passing through Gmail, the information extracted from these e-mails is available for human viewing in the form of keywords, advertisements, data, etc. Google claims that this information is collected without connections to personally identifying information and is viewed by humans only in aggregated form.
"while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state"
- A legal "jurisdictional" issue exists as to whether the e-mail is "within" California.
- The statute is violated only if the reading/learning occurs while the communication is in transit, passing over any wire, or being sent/received. However, no court has addressed what it means under California law for an e-mail message to be "in transit" or "being sent from, or received." It may turn on when in the path of the e-mails journey Google is scanning the e-mail and extracting content (e.g. whether it occurs before or after the e-mail has been "received" by the intended reader).
Unlike in the federal laws, there is no exception in the California wiretapping law for ISPs. Even if there were, Google would be unlikely to qualify for it with their Gmail service, at least under the narrow formulation of the exception. Under a formulation like that in the Wiretap Act (§ 2511) (which exempts a service provider for interceptions "in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service"), content analysis for the purposes of targeted marketing is not "a necessary incident" to the provision of e-mail service.
Data protection and privacy advocates in other countries have also voiced objections to Gmail, particularly in the EU. In April, Privacy Internationalfiled a complaintwith the UK Information Commissioner, outlining their privacy objections to the Gmail service.
The EU's Data Protection Directive (95/46/EC)affords strong privacy protections, exeeding those available in the United States. EU privacy advocates are very concerned that the Gmail service, which is of course available internationally, violates key principles and provisions embodied in the Data Protection Directive.
Generally, EU privacy advocates have argued that Gmail is a violation of closely-held data protection principles, such as responsibility for the security of personal information held by a provider of service (in its terms of service Google disavows all responsibility for security violations), confidentiality of communications between one party and another (the Directive's working group stated that "no third party should be allowed to read the contents of e-mail between two parties), and control over personal information (Gmail users are not permitted to use any device, manual or otherwise, to monitor, cache, or copy any content from the Gmail service).
Of course, the easiest thing you can do to prevent Google's invasion of your privacy is to not sign up for an Gmail account. In fact, this is what Google and other Gmail advocates have been saying in response to privacy complaints-simply use another e-mail service. Several other services which offer large storage capabilities without the privacy violations:
- Rediffmail(1GB + no content extraction)
- Walla(1GB + no content extraction)
- Spymac(1GB + no content extraction)
- Aventure-mail(2GB + no content extraction)
This solution is fine for now, but the larger risk is what happens when all the large-scale providers of e-mail start employing Gmail-like e-mail scanning and extraction practices.
Remember, since Gmail is scanning and extracting incoming e-mails as well, even if you aren't a Gmail user, your privacy may still be violated by Gmail. To avoid such scanning, keep an eye on the domain of e-mail addresses to which you are you are sending and replying.
If you get an e-mail from a Gmail account and you wish not to reply consider explaining something like this:
I have received your e-mail, but due to privacy concerns, I don't want to send my response to your Gmail account. Please give me another e-mail address where I can reach you. If you don't have another e-mail address, consider the following free e-mail accounts with generous storage which do not pose the same privacy risks:
- Rediffmail(1GB + no content extraction)
- Walla(1GB + no content extraction)
- Spymac(1GB + no content extraction)
- Aventure-mail(2GB + no content extraction)
For more information on the privacy risks posed by Gmail, see http://www.epic.org/privacy/gmail/faq.html.
As noted above, the Gmail service may look at cookies from previous Google searches in deciding which ads to target to you in Gmail. One way to "decrease" the privacy violation if you do choose to use Gmail is to decrease the amount of information your browser keeps about your previous interactions with Google websites. EFFproposes two possible solutionsto prevent "future linkability" (beyond deleting your Google and Gmail cookies each and every time you use Gmail and Google):
- Use two browsers. have one browser dedicated to checking your Gmail, which you never use for Google searches, thus preventing your Google search cookies from being linked to your Gmail account.
- Use an anonymizer.For example, download Anonymizer.com's free privacy toolbarwhich enables anonymous browsing and blocks and tracks cookie settings.
However, it is unknown whether using these methods will "de-link" you from any information Google has already collected about your searching and e-mailing habits.
Privacy groups have responded in various ways to Gmail. For example, EPIC signed an open letter to Google regarding Gmail and co-wrote a letter to the California Attorney General outlining possible violations of California wiretapping laws.
Legislative proposals to address Gmail have been introduced in in California and Massachusetts. In California, State Senator Liz Figueroahas introduced SB 1822, a bill that would directly affect Gmail's ability to continue in its current form. This bill would allow scanning for the purposes of ad placement of incoming, outgoing, and stored e-mail and other electronic messages only if the provider abides by certain conditions (does not retain any personally identifiable information, does not disclose any of this information to third parties, deletes messages in a timely manner upon request, etc.) and has the express consent of all parties to a communication. Exceptions are made for scanning e-mails for spam and viruses, and for businesses' provision of e-mail services to employees. The Massachusetts legislation, House Bill 1209, is not directed specifically towards Gmail, but is a general bill that would set up a "Special Commission on Privacy Concerns" that could consider data protection issues and threats to electronic and informational privacy, such as Gmail.
- Google bans Gmail sales, BBC News, July 2, 2004.
- The Trouble with Gmail, Security Focus, Jun 14 2004.
- Tightening the Reins on Gmail, Reuters, May 27, 2004.
- My Left Arm for a Gmail Account, Wired News, May 20, 2004.
- Does Gmail breach wiretap laws?, CNET News.com, May 4, 2004.
- Gmail accounts go up for bid, CNET News.com, April 30, 2004.
- Don't be afraid of the big bad Gmail, Salon.com, April 26, 2004.
- Legislator seeks to block Gmail, CNET News.com, April 22, 2004.
- State senator drafts Google opt-out Bill, The Register, April 13, 2004.
- Gmail likely to clear U.K. privacy hurdles, ZDNet, April 13, 2004.
- Google values its own privacy. How does it value yours?, The Register, April 13, 2004.
- Germans garotte Google Gmail over privacy, The Register, April 8, 2004.
- Google mail is evil - privacy advocates, The Register, April 3, 2004.
- Google: 'Gmail' no joke, but lunar jobs are, USA Today, April 1, 2004.
- Google launches e-mail, takes the Bill Gates defense, The Register, April 1, 2004.
- Open letterfrom thirty-one privacy and civil liberties organizations to Google urging them to suspend Gmail until its serious privacy issues are resolved (April 19, 2004).
- Letterfrom EPIC, Privacy Rights Clearinghouse and World Privacy Forum to California Attorney General arguing that Gmail violates the California Wiretap Statute (May 3, 2004).
- Letterfrom EPIC, Privacy Rights Clearinghouse and World Privacy Forum to Google founders S. Brin and L. Page urging suspension of Gmail (May 3, 2004).
- Responsefrom CA AG acknowledging Gmail's potential wiretap violation (June 4, 2004).
- Google's Press Releaseannouncing launch of Gmail service (April 1, 2004).
- Gmail Program Policies