
May 3, 2004

Attorney General Lockyer
1300 I St. Suite 1740
Sacramento, CA 95814

Re: Violation of California Civil Code § 631 by Google Gmail Service

Dear Attorney General Lockyer,

We write to urge your office to investigate Google's "Gmail" service. We believe that Gmail violates California Penal Code § 631, which governs eavesdropping on confidential communications. In light of California's heightened statutory and Constitutional privacy guarantees, we think it incumbent on the Office of the Attorney General to intervene to protect the integrity of individuals' e-mail communications. Below, we explain that Google's Gmail service represents an unprecedented invasion into the sanctity of private communications and that it violates California's wiretapping laws.

According to Google, Gmail "is a free, search-based webmail service that includes 1,000 megabytes (1 gigabyte) of storage."[1] In order to offset the cost from this amount of storage, Gmail displays contextual marketing to the subscriber that is based on the actual content of the e-mail communication: "Google will display targeted ads and other relevant information based on the content of the email displayed. In a completely automated process, computers process the text in a message and match it to ads or related information in Google's extensive database."[2] Gmail scans both the subscriber's e-mail and the communications sent by others to the subscriber.[3]

Last month, thirty-one privacy and civil liberties groups urged Google to suspend the Gmail service, noting that the scanning of confidential email for inserting third party marketing content violates the implicit trust of an e-mail service provider.[4] The groups argued that the e-mail scanning creates lower expectations of privacy in the medium and may establish dangerous precedents. Google, however, continues to operate the service in beta testing. It is available online at https://gmail.google.com/. A limited number of test user accounts have been issued to members of the public, including residents of California.

We believe that Gmail violates California's wiretapping laws, subjecting both Google and Gmail users to criminal and civil penalties. Accordingly, we respectfully request that your office investigate the Gmail service.

I. California Has Established Heightened Constitutional Privacy Protections that Address Public and Private Sector Collection and Use of Personal Information

We first note that California's citizens have voted to create expansive privacy rights. A 1972 amendment to Article I, Section 1 of the California Constitution established an inalienable right to privacy:

All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy.

Unlike privacy guarantees flowing from the federal Constitution, the California right protects individuals from privacy violations committed by both state actors and by private entities:

Common experience with the ever-increasing use of computers in contemporary society confirms that the [privacy] amendment was needed and intended to safeguard individual privacy from intrusion by both private and governmental action. That common experience makes it only too evident that personal privacy is threatened by the information-gathering capabilities and activities not just of government, but of private business as well. If the right of privacy is to exist as more than a memory or a dream, the power of both public and private institutions to collect and preserve data about individual citizens must be subject to constitutional control. Any expectations of privacy would indeed be illusory if only the government's collection and retention of data were restricted.[5]

The interplay between the creation of an inalienable right to privacy and the application of this right to the private sector is important. It requires Google to obtain the affirmative consent of individuals before violating their privacy. We argue in section II below that senders of e-mail to the gmail.com domain have no way of knowing of or consenting to having their communications scanned.

One specific problem intended to be solved by passing the 1972 amendment was "the improper use of information properly obtained for a specific purpose, for example, the use of it for another purpose or the disclosure of it to some third party…"[6] In this context, Google is properly obtaining communications for the provision of service, but then is processing them for an unrelated purpose that is unnecessary for actually providing e-mail service. We are aware of no other e-mail service provider that finds it "necessary" to scan the content of incoming and outgoing e-mails for target marketing purposes. This new, unrelated, and unnecessary use of the content of communications is the classic privacy invasion that the privacy amendment attempted to address.

II. California's Wiretapping Law Prohibits Google from Scanning Gmail Messages

In addition to Constitutional privacy guarantees, Californians enjoy strong protections against eavesdropping or the interception of private communications. In establishing these rights, the California legislature declared that:

…advances in science and technology have led to the development of new devices and techniques for the purpose of eavesdropping upon private communications and that the invasion of privacy resulting from the continual and increasing use of such devices and techniques has created a serious threat to the free exercise of personal liberties and cannot be tolerated in a free and civilized society.

The Legislature by this chapter intends to protect the right of privacy of the people of this state.[7]

California Penal Code § 631 establishes expansive protections for "communications," which clearly includes e-mail messages.[8] Specifically, § 631(a) prohibits a broad range of activities where any person attempts to extract the meaning or content of a communication without consent of all the parties to the communication:

Any person who…willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state; or who uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained, or who aids, agrees with, employs, or conspires with any person or persons to unlawfully do, or permit, or cause to be done any of the acts or things mentioned above in this section, is punishable by a fine not exceeding two thousand five hundred dollars ($ 2,500), or by imprisonment in the county jail not exceeding one year, or by imprisonment in the state prison, or by both a fine and imprisonment in the county jail or in the state prison.

Google is willfully and without consent of all the parties to a communication extracting the content of messages in targeting contextual marketing. The action is willful because Google's Gmail was intentionally designed to engage in e-mail scanning. Google has failed to gain the consent of all parties to the communication because individuals directing e-mail to the gmail.com domain have no way of knowing that the company is extracting content from the messages, or consenting to such scanning. Finally, scanning the text of e-mails for marketing placement constitutes an attempt to "learn the contents or meaning" of the communication. Google depends on the actual content of the communication to make decisions regarding which marketing offers to display.

Google has attempted to mitigate privacy objections by claiming that since a computer analyzes the content of communication rather than a person, there is no invasion of privacy: "We serve highly relevant ads and other information as part of the service using our unique content-targeting technology. No human reads your email to target ads or related information to you without your consent."[9] We think this argument is irrelevant in light of the specific language in § 631. Again, that section prohibits reading or learning the contents of a message "in any unauthorized manner."[10] There is no distinction allowing a computer to perform this function, and in any case, it is nonsensical to conclude that computer scanning is per se less invasive than human scanning. Computers possess nearly unlimited storage, scanning, and associative capacity; therefore, they are able to perform the same invasions of privacy as humans, possibly more so, considering how much more efficiently computers are able to process data and perform key word searches.

III. Google Cannot Justify E-mail Scanning for Targeted Marketing on Exemptions to Wiretapping Law

Google may argue that Gmail e-mail scanning is necessary and acceptable under the "provider exemption" to the Electronic Communications Privacy Act or California's § 631. The federal exemption under the Electronic Communications Privacy Act provides that operators of communications services can:

intercept, disclose, or use that communication in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service, except that a provider of wire communication service to the public shall not utilize service observing or random monitoring except for mechanical or service quality control checks.[11]

This exemption was crafted by Congress to allow service providers access to content of communications for the limited, necessary purpose of maintenance of the network. It specifies that wire service providers cannot use the exemption for general monitoring. Under this exemption, courts have allowed access to communications content to protect the service from harms such as fraud and theft.[12] Courts have specified that the exemption cannot justify monitoring for any purpose, as allowing broad monitoring under this exemption could eviscerate the protections of wiretapping laws. Instead, application of the exemption is subject to a reasonableness test, where monitoring is acceptable only for limited purposes.[13]

Scanning the context of individuals' e-mail for targeted marketing is not a "necessary incident to the rendition" of the service.[14] We know of no other public e-mail service provider that engages in content analysis for the purposes of targeted marketing.

California law also recognizes that access to content by public utilities is acceptable where it is monitoring "for the purpose of construction, maintenance, conduct or operation of the services and facilities of the public utility."[15] This exemption does not apply to Google's Gmail because the company is not a public utility. Furthermore, the California exemption, like the federal exemption, does not grant a wholesale license to snoop on content.[16] For the reasons articulated above, construing the provision broadly would eviscerate protections for the content of communications. It would also contravene the legislature's intent in passing the California law, which was to address advances in science and technology and their threat to personal liberties.[17]

IV. It Is Imperative That Google Suspend Gmail Because Users of the Service Could be Civilly and Criminally Liable Under Cal. Pen. Code § 631(a)

Section 631(a) specifies that any person who "cause[s] to be done any of the acts or things mentioned above in this section, is punishable by a fine not exceeding two thousand five hundred dollars ($ 2,500), or by imprisonment in the county jail not exceeding one year, or by imprisonment in the state prison, or by both a fine and imprisonment in the county jail or in the state prison." Accordingly, if Google's Gmail violates § 631, its users could also be held liable. Private individuals harmed by Gmail users could bring suit under § 637.2, which contains a liquidated damages provision of $5,000 per violation.

We note that in the Gmail Terms of Use, Google requires subscribers to "indemnify Google, and its subsidiaries, affiliates, officers, agents, and employees from and against any third party claim arising from or in any way related to your use of the Service, including any liability or expense arising from all claims, losses, damages (actual and consequential), suits, judgments, litigation costs and attorneys' fees, of every kind and nature."[18]

It is one matter for Google to take on the risk of § 631; it is quite another for Google to expose its users to these risks and require them to indemnify the company from suit.

In conclusion, for the reasons articulated above, we urge the Attorney General to investigate the Google Gmail service for potential violations of Cal. Pen. Code § 631.

Respectfully submitted,

Chris Jay Hoofnagle
Associate Director

Beth Givens
Privacy Rights Clearinghouse

Pam Dixon
Executive Director
World Privacy Forum


Joanne McNabb, Chief
California Office of Privacy Protection
Sergey Brin, Co-Founder and President, Technology
Larry Page, Co-Founder and President, Products

[1] Google, About Gmail, available at http://gmail.google.com/gmail/help/about.html#about (last visited May 1, 2004).
[2] Google, Gmail Privacy Policy, available at http://gmail.google.com/gmail/help/privacy.html (last visited May 1, 2004); Google, Gmail Sneak Peek, available at http://gmail.google.com/gmail/help/screen2.html (last visited May 1, 2004).
[3] Katie Hafner, In Google We Trust? When the Subject Is E-Mail, Maybe Not, N.Y. Times, Apr. 8, 2004, G1.
[4] http://www.privacyrights.org/ar/GmailLetter.htm.
[5] Wilkinson v. Times Mirror Corp., 215 Cal. App. 3d 1034, 1043 (Cal. App. 1 Dist. 1989). See also Hill v. National Collegiate Athletic Assn., 7 Cal. 4th 1 (Cal. 1994).
[6] White v. Davis, 13 Cal. 3d 757, 775 (Cal. 1975); see also Pitman v. City of Oakland, 197 Cal. App. 3d 1037 (Cal. App. 1 Dist. 1988).
[7] Cal. Pen. Code § 630 (2004).
[8] "'[C]ommunication' refers more broadly to the exchange of thoughts, messages or information by any means. Additionally, we note that in the federal wiretapping provisions, Congress expressly limited the application of its statute to the nonconsensual recording of oral communications. (18 U.S.C. § 2510(2).) No such similar express limitation is found in the privacy act." People v. Gibbons, 215 Cal. App. 3d 1204, 1208 (Cal. App. 4 Dist. 1989) (internal citations omitted).
[9] Google, Gmail Privacy Policy, available at http://gmail.google.com/gmail/help/privacy.html (last visited May 1, 2004).
[10] § 631(a) (emphasis added).
[11] 18 U.S.C. § 2511(2)(a)(i) (2004).
[12] United States v. Villanueva, 32 F. Supp. 2d 635 (S.D.N.Y. 1998).
[13] See, e.g., United States v. Harvey, 540 F.2d 1345 (8th Cir. 1976).
[14] We note that this is different than scanning for spam or "unsolicited commercial e-mail." It is generally accepted that spam filtering may be necessary for provision of e-mail service because the volume of unwanted commercial messages could eliminate the effectiveness of the communications medium.
[15] Cal. Pen. Code § 631(b).
[16] The California Supreme Court has noted that, "Though the language employed (of § 631(b)) is different, it would appear that this section is consistent with the provisions of section 2511 of title 18 of the United States Code." People v. Mahoney, 47 Cal. App. 3d 699, Fn. 4 (Cal. 1975).
[17] Cal. Pen. Code § 630.
[18] Google, Terms of Use, available at http://gmail.google.com/gmail/help/terms_of_use.html (last visited May 1, 2004).


Last Updated: May 3, 2004
Page URL: http://www.epic.org/privacy/gmail/agltr5.3.04.html