Focusing public attention on emerging privacy and civil liberties issues

Gmail Privacy FAQ

Frequently Asked Questions

1. What is Gmail and what privacy risks does it raise?
1.1 What is Google's Gmail?
1.2 What is your position on Google's Gmail?
1.3 What privacy risks are presented by Gmail?
1.4 When did this issue arise, and what has happened since then?
1.5 What other things has Google been doing that might affect my privacy?

2. Technical details about Gmail
2.1 How does Google's "content extraction" work?
2.2 What is "internal" and "external" e-mail information used in the analysis?
2.3 Will Gmail build profiles of subscribers and/or non-subscribers?
2.4 Why is Gmail different than spam filtering?
2.5 It's a computer, not a person reading your e-mail. What's the big deal?
2.6 What patents has Google filed for Gmail?


3. Legal details
3.1 What are the Federal wiretapping laws, and does Gmail implicate them?
3.2 What is California's wiretapping law, and why does Gmail implicate it?
3.3 Is there a "service provider exception" under California wiretapping law?
3.4 What legal objections have been raised in other countries?

4. What can you do?
4.1 Don't sign up for Gmail
4.2 Don't send e-mails to @gmail.com addresses
4.3 Reduce the possibility of tracking you through your cookies
4.4 What are YOU guys doing about it?

1. What is Gmail and what privacy risks does it raise?

1.1 What is Google's Gmail?

Gmail is a web-based e-mail service from Google that offers users one gigabyte (1000 megabytes) of e-mail storage, five hundred times the capacity offered by Microsoft's Hotmail (as of June 2004, although banner-advertising-supported web-based e-mail services, including Hotmail and Yahoo!, have increased or plan to increase their storage capacity in response to the competitive pressure of Gmail).

Gmail is supported by advertisers who buy keywords, much like the Google search engine's AdWords advertising program. Gmail uses "content extraction" (the term used in Google's patents) on all incoming and outgoing e-mail in order to target the advertising to the user. For example, if the user is having an e-mail conversation about applying for a job, Gmail might present the user with ads about online job search sites and resume writing services.

1.2 What is your position on Google's Gmail?

Gmail violates the privacy rights of non-subscribers. Non-subscribers who e-mail a Gmail user have "content extraction" performed on their e-mail even though they have not consented to have their communications monitored, nor may they even be aware that their communications are being analyzed. Subscribers to Gmail also face risks to their privacy; those risks are outlined below.

1.3 What privacy risks are presented by Gmail?

a. Non-Subscribers Do Not Consent to "Content Extraction." Subscribers consent to "content extraction" and analysis of their e-mail ("We serve highly relevant ads and other information as part of the service using our unique content-targeting technology," according to the privacy policy). But non-subscribers who are e-mailing a Gmail user have not consented, and indeed may not even be aware that their communications are being analyzed or that a profile may be compiled on them. (See 2.3 "Will Google Build Profiles of Subscribers and/or Non-subscribers?")

b. Unlimited Data Retention. While the prospect of never having to delete or file an e-mail is an attractive feature for space-hungry users, indefinite storage of e-mail communications has several serious implications. Although Google is held in high esteem by the public as a good corporate citizen, past performance is no guarantee of future behavior -- especially following Google's IPO when the company will have a legal duty to maximize shareholder wealth. Although Google currently says that they will not record the "concepts" extracted from scanned e-mails, they could decide to do so in the future and thereby create detailed profiles of users. Building such profiles on years of past communication in addition to current communications is made easier if users never delete e-mails. Additionally, communications stored for more than 180 days are exposed to lower protections from law enforcement access; with Gmail, many such e-mails could be made easily available to police.

c. Profiling Across Google Product Line. Google uses cookies to track users (and preserve preferences across sessions) on the Google search engine. Gmail also uses cookies. Google's personal information-rich social networking service, Orkut, does as well. Although Google said that it does not cross-reference the cookies, nothing is stopping them from doing so at any time ("It might be really useful for us to know that information. I'd hate to rule anything like that out," said Google co-founder Larry Page). Google retains a powerful ability to create incredibly detailed profiles on users, whether or not they do so today: e-mail addresses and "concept" information about a person's friends, family and co-workers; the daily search terms typed into Google; and myriad personal information provided to Orkut. The Gmail privacy policy explicitly allows such uses: "Google may share cookie information among its other services for the purpose of providing you a better experience." (See also 2.3 "Will Google Build Profiles of Subscribers and/or Non-subscribers?") Additionally, Google has extremely long cookie expiration dates that preserve the cookie until the year 2038 (see 1.5 "What other things has Google been doing that might affect my privacy?").

d. Bad Legal Precedent. In the United States, violations of privacy with respect to the Fourth Amendment are based partly on whether the person had a legitimate expectation of privacy. If a major online e-mail provider such as Google is allowed to monitor private communications -- even in an automated way -- the expectations of e-mail privacy may be eroded. That is, courts may consider the service as evidence of a lack of a reasonable expectation of privacy in e-mail. Businesses and government organizations may thus find it easier to legally monitor e-mail communications. These effects are long-term and will undoubtedly outlive Google.

e. Insufficient Privacy Policy. Google can transfer all of the information, including any profiles created, if and when it is merged or sold ("We reserve the right to transfer your personal information in the event of a transfer of ownership of Google, such as acquisition by or merger with another company."). Also, Google can make unilateral changes to the policy and unless it deems them "significant," it may not even notify users ("If we make any significant changes to this policy, we will notify you by posting a notice of such changes on the Gmail login page."). Finally, as outlined above, the policy regarding retention is very broad: "...residual copies of e-mail may remain on our systems for some time, even after you have deleted messages from your mailbox or after the termination of your account." (These and the rest of the references to the privacy policy are based on the 6/28/2004 version.)

Google changed the Google privacy policy on 6/28/2004 in order to comply with the California Online Privacy Protection Act. (Google should provide a "redline" version that shows the differences between the two policies, as it has done with the Gmail Program Policies.) The most significant change in the privacy policy is that Google more explicitly reserves its legal right to track users across Google products ("If you have an account, we may share the information submitted under your account among all of our services in order to provide you with a seamless experience and to improve the quality of our service") much like a similar provision in the Gmail Privacy Policy (see 2.3 "Will Google Build Profiles of Subscribers and/or Non-subscribers?"). Google claims that it does not currently track users or create profiles, nor does it intend to do so in the future. But if that is so, why does it need to explicitly reserve the right to do so?

Additionally, privacy policies may provide weak protection as other major online web service providers have unilaterally changed their privacy policies to the detriment of their users, including Amazon.com.

1.4 When did this issue arise, and what has happened since then?

April 1, 2004

  • In a press release, Google announced the launch of the Gmail service. Many initially thought this release was part of Google's traditional April Fools' joke. The service is only available to a limited number of beta testers, not yet to the general public.

April 6, 2004

  • Thirty-one privacy and civil liberties groups signed an open letter to Google, urging it to suspend the Gmail service until its serious privacy issues are resolved.

April 20, 2004

  • California State Senator Liz Figueroa advanced an amended version of SB 1822, a bill concerning privacy of electronic communications.

May 3, 2004

May 6, 2004

  • The California State Senate Judiciary Committee held a hearing on Sen. Figueroa's bill, SB 1822. Click here to watch a video of this hearing (requires RealPlayer).

June 4, 2004

  • CA's Attorney General responded to the letter, acknowledging the potential wiretapping violation, and promising to look into the matter.

1.5 What other things has Google been doing that might affect my privacy?

It is common knowledge that Google's general motto and one of their "cherished core values" is "Don't be evil." (See Google's Jobs Page, left hand sidebar). However, many have recently come to question this assertion, criticizing Google's actions across a wide range of activities. The following is a brief list of some criticisms directed at Google's record on privacy in arenas other than Gmail:

  • Every time you visit a Google.com site, a cookie is placed on your computer. This cookie is linked to your computer by a unique identifying number and enables tracking of all searches performed along with your browser type and IP address. This Google cookie does not expire until the year 2038, unlike those of most other major web sites, which have much shorter durations. Google claims that this cookie is required to set preferences for Google sites, but that you can still perform searches without the cookie.

  • In 2001, Google acquired Deja.com's Usenet Discussion Service, providing Google with Deja.com's entire Usenet archive, dating back to 1995. Google integrated this database into their Google Groups service. Many were uneasy with Deja.com's service even before it was acquired by Google, because of the vast amount of information and messages contained in these archives, which nobody had really contemplated being amassed in such an accessible and searchable way. A Deja News executive even once stated: "We're positioned to become the largest content aggregator in the world." Now, with this service integrated into Google's site, the archive extends back to 1981 and encompasses over 845 million Usenet messages. Google has, however, made it possible for users to request that their posts be removed from this archive.
  • A new social networking site, Orkut, debuted in January, 2004, "in association with" Google. Google representatives have stated that the site is affiliated with Google, developed by one of its engineers, Orkut Buyukkokten, during his obligatory one-day-per-week of personal project work, but is not part of Google's "product portfolio." This site is a "trusted" network, meaning only those who are invited by a current member can join, and collects a massive amount of personal information about its members, who are encouraged to complete elaborate personal profiles to be shared with their friends and other Orkut users. One Orkut user was able to successfully mine the Orkut databases, creating the "Orkut Personal Network Geomapper," which allowed people to look up Orkut users and view their friends network. Google sent a cease and desist letter to the creator of this site, alleging that it violated Orkut's terms of service, and the Geomapper is no longer available. Finally, Orkut's Terms of Service include the following clause, which gives them broad rights to your information:

    By submitting, posting or displaying any Materials on or through the orkut.com service, you automatically grant to us a worldwide, non-exclusive, sublicenseable, transferable, royalty-free, perpetual, irrevocable right to copy, distribute, create derivative works of, publicly perform and display such Materials.

A similar clause in the Microsoft Passport policy spawned a huge negative reaction, prompting Microsoft to revise the policy. However, as of July, 2004, this clause remained in Orkut's terms.

2. Technical details about Gmail

2.1 How does Google's "content extraction" work?

While Google has not released technical details of how the Gmail e-mail "content extraction" and analysis works, the patent (#20040059712) filed with the US Patent and Trademark Office provides some clues. Gmail examines the entire content of the e-mail message including the header and addressing information (see 2.2 for more details) in order to derive the "concepts" contained in the e-mail. Relevant ads are then displayed to the subscriber when the e-mail is displayed. Different ads may be served at different times depending on when the e-mail message is viewed, or re-viewed.

2.2 What is "internal" and "external" e-mail information used in the analysis?

"Internal e-mail information" and "external e-mail information" are both used in the scanning and analysis process, according to the patent (paragraphs 51-80). Internal e-mail information is the actual data contained within an e-mail message, whereas external e-mail information is data derived from the internal information using Gmail's analysis algorithms (e.g. by looking at the IP of the sender and/or the timezone in the timestamp, the geographic location can be determined).

Internal e-mail Information | External e-mail Information
----------------------------------------------------------
Subject line | ------
Body of the e-mail | Concepts derived from body
Sender name | ------
Actual sender e-mail address | ------
Concepts from sender e-mail address (e.g. e-mail address based on hobby) | ------
Recipient type (e.g. direct, CC, BCC) | ------
Business card file (e.g. vcard) | ------
Directory paths of attached files | Concepts derived from attached files
Attached files (e.g. word processing files, pictures, etc.) | ------
Information from a web page link included in e-mail | Concepts derived from files web page links
------ | Time e-mail was sent
------ | Geographic location of sender
------ | Geographic location of recipient
------ | Information derived from search results of a query on extracted e-mail information (i.e. a Google search on the derived concepts)
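To make the "internal e-mail information" rows concrete, the following added example (not taken from the patent or from Google's code) uses Python's standard email parser to list which of those fields a single message hands to any receiving mail system. The sample message, its addresses and its attachment path are constructed, and the dictionary key names are hypothetical labels chosen for this illustration.

```python
import posixpath
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr, parsedate_to_datetime

# Constructed sample message; every name, address and path is made up.
SAMPLE = """\
From: "Pat Doe" <wine.lover@example.org>
To: friend@example.com
Cc: colleague@example.net
Subject: Job application follow-up
Date: Tue, 01 Jun 2004 09:30:00 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

My resume is attached. The posting is at http://jobs.example.com/listing/42
--b1
Content-Type: application/msword
Content-Disposition: attachment; filename="/home/pat/career/resume.doc"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
VCARD_TYPES = {"text/vcard", "text/x-vcard", "text/directory"}


def internal_info(raw):
    """Collect the 'internal e-mail information' fields present in one message."""
    msg = message_from_string(raw)
    sender_name, sender_addr = parseaddr(msg.get("From", ""))

    # Recipient type: direct (To), CC or BCC.
    recipients = []
    for header in ("To", "Cc", "Bcc"):
        for _name, addr in getaddresses(msg.get_all(header, [])):
            recipients.append((addr, header.lower()))

    body_chunks, attachments, has_vcard = [], [], False
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        has_vcard = has_vcard or ctype in VCARD_TYPES
        filename = part.get_filename()
        if filename:
            attachments.append(filename)  # may carry a full directory path
        elif ctype == "text/plain":
            data = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            body_chunks.append(data.decode(charset, "replace"))
    body = "\n".join(body_chunks)

    # The UTC offset in the Date header is one input to location inference.
    try:
        sent = parsedate_to_datetime(msg.get("Date", ""))
    except (TypeError, ValueError):
        sent = None
    local_part = sender_addr.split("@", 1)[0].lower()

    return {
        "subject": msg.get("Subject", ""),
        "body": body,
        "sender_name": sender_name,
        "sender_address": sender_addr,
        "sender_address_tokens": [t for t in re.split(r"[^a-z]+", local_part) if t],
        "recipients": recipients,
        "has_vcard": has_vcard,
        "attachment_dirs": sorted({posixpath.dirname(f) for f in attachments if "/" in f}),
        "attachment_names": [posixpath.basename(f) for f in attachments],
        "links": URL_RE.findall(body),
        "sent_utc_offset": sent.strftime("%z") if sent else None,
    }


if __name__ == "__main__":
    for field, value in internal_info(SAMPLE).items():
        print(f"{field}: {value!r}")
```

Every value returned here comes from the sender's side of the conversation, which is why the consent question in 1.3a applies to non-subscribers as well as subscribers.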

2.3 Will Gmail build profiles of subscribers and/or non-subscribers?

Google has implied that it is not building profiles of Gmail or other Google service users ("[It] will not keep a log of which ads went to which users, nor will it keep a record of keywords that appear often in an individual's e-mail"), but nothing is stopping it from doing so. In fact, the Gmail patent (paragraphs 71-76) specifically describes profile-building features. The concept-building, according to the patent, may be based on the following:

  • Information about the sender, including information derived from previous interactions with the sender
  • Information about the recipient, including information derived from sender's address book or from previous interactions with the sender
  • Information about a recipient based on a profile or information about the sender (the example from that patent is: "Sender is a wine enthusiast and has recently searched for and/or browsed pages related to wine, suggesting that recipient may also be interested in wine")
  • Information from other e-mails sent by sender
  • Information from other e-mails received by recipient
  • Information from other e-mails having the same or similar subject text
  • Information about recipient from sender's contact information
  • Directory and file information based on the path name of attachments sent in previous e-mails (e.g. building an index of filenames on sender or recipient's computer)

As noted, the Gmail privacy policy does not prohibit Google from building such profiles (see 1.3c "Profiling Across Google Product Line").

2.4 Why is Gmail different than spam filtering?

From a technical standpoint, there is no categorical difference between Google "content extraction" and spam filtering -- each involves an automated process that analyzes the body and/or header information of e-mail messages. However, from a legal standpoint, there is a fundamental difference between filtering out unwanted junk e-mail and analyzing the content of private communications in order to target advertisements. (See 1.3d "Bad Legal Precedent") Additionally, Google may choose to create profiles of subscribers and the people with whom they e-mail, possibly cross-referencing other Google products (Google search engine, Orkut, etc).

2.5 It's a computer, not a person reading your e-mail. What's the big deal?

In some ways, having a person reading your e-mail to target the ads would be less privacy invasive. Unlike large computer systems, people do not have unlimited storage, memory and associative capability. But Google has the ability to build profiles of users based on their communications, unhindered by the Gmail privacy policy, which does not prohibit such actions. Additionally, Gmail's "content extraction" will make its privacy invasions continuous and automated, making it a difficult privacy problem to solve, just like spam and telemarketing, both of which are also continuous and automated by computer.

2.6 What patents has Google filed for Gmail?

Google has filed three different patents:

[The primary Gmail patent] United States Patent Application 20040059712: "Advertisers are permitted to put targeted ads on e-mails. The present invention may do so by (i) obtaining information of an e-mail that includes available spots for ads, (ii) determining one or more ads relevant to the e-mail information, and/or (iii) providing the one or more ads for rendering in association with the e-mail."

United States Patent Application 20040059708: "The relevance of advertisements to a user's interests is improved. In one implementation, the content of a web page is analyzed to determine a list of one or more topics associated with that web page. An advertisement is considered to be relevant to that web page if it is associated with keywords belonging to the list of one or more topics. One or more of these relevant advertisements may be provided for rendering in conjunction with the web page or related web pages."

United States Patent Application 20040093327: "Advertisers are permitted to put targeted ads on page on the web (or some other document of any media type). The present invention may do so by (i) obtaining content that includes available spots for ads, (ii) determining ads relevant to content, and/or (iii) combining content with ads determined to be relevant to the content."

3. Legal details

3.1 What are the Federal wiretapping laws, and does Gmail implicate them?

The Electronic Communications Privacy Act (ECPA) was passed in 1986 as an update to the law governing the interception of electronic communication, including e-mail. Title I of ECPA (The Wiretap Act) (18 U.S.C. § 2511) governs communications "in transit."

The federal Wiretap Act only requires one of the parties to consent to the acquisition of the communication. However, the Ninth Circuit Court of Appeals has indicated (in construing the authorization provision of the Stored Communications Act) that an ISP will not be insulated from liability if it "procures consent by exploiting a known mistake that relates to the essential nature of his access." Theofel v. Farey-Jones, 341 F.3d 978, 983 (9th Cir. 2003). Therefore, even the Gmail subscriber herself has consented to the acquisition of her communication (thus negating the application of the Wiretap Act) only if Gmail has adequately revealed and explained the "essential nature" of its access to the e-mail communications.

3.2 What is California's wiretapping law, and why does Gmail implicate it?

The California wiretapping law, CA Penal Code § 631, provides criminal penalties for "[a]ny person who… intentionally taps, or makes any unauthorized connection… with any telegraph or telephone wire, line, cable, or instrument… or who willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state; or who uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained…"

As interpreted by the California courts, § 631 criminalizes "three distinct and mutually independent patterns of conduct": (1) intentional wiretapping, (2) willfully and without the consent of all parties reading/attempting to read or learn the contents or meaning of any communication while it is in transit or being sent from/received in California, and (3) attempting to use or communicate any information learned by engaging in the activities prohibited under (1) and (2). See Tavernetti v. Superior Court, 583 P.2d 737 (Cal. 1978), cited in Burns v. Nature's Best, 114 Cal. Rptr. 2d 881 (Cal. Ct. App. 2001).

From the currently available information on Gmail, it appears that the service does implicate the California wiretapping law, specifically the provision that criminalizes "reading or attempting to read or learn the contents or meaning of a message or communication" (part above). The elements and implications of the offense are as follows:

"willfully and without the consent of all parties to the communication, or in any unauthorized manner"

  • Google's actions are willful because the service is designed for the purpose of scanning and extracting the content of e-mail messages that pass through its Gmail system.
  • Google does not have the consent of all parties to each communication. While Gmail users arguably consent to scanning of their own e-mails, parties sending messages to Gmail users have no knowledge of Google's scanning and extraction, and have not consented to these actions.

"reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication"

  • Scanning of the text of e-mails and extracting, compiling, and using information from this text is an attempt to "learn the contents or meaning" of the communication.
  • While no human reads the content of e-mail passing through Gmail, the information extracted from these e-mails is available for human viewing in the form of keywords, advertisements, data, etc. Google claims that this information is collected without connections to personally identifying information and is viewed by humans only in aggregated form.

"while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state"

  • A legal "jurisdictional" issue exists as to whether the e-mail is "within" California.
  • The statute is violated only if the reading/learning occurs while the communication is in transit, passing over any wire, or being sent/received. However, no court has addressed what it means under California law for an e-mail message to be "in transit" or "being sent from, or received." It may turn on when in the path of the e-mail's journey Google is scanning the e-mail and extracting content (e.g. whether it occurs before or after the e-mail has been "received" by the intended reader).

3.3 Is there a "service provider exception" under California wiretapping law?

Unlike in the federal laws, there is no exception in the California wiretapping law for ISPs. Even if there were, Google would be unlikely to qualify for it with their Gmail service, at least under the narrow formulation of the exception. Under a formulation like that in the Wiretap Act (§ 2511) (which exempts a service provider for interceptions "in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service"), content analysis for the purposes of targeted marketing is not "a necessary incident" to the provision of e-mail service.

3.4 What legal objections have been raised in other countries?

Data protection and privacy advocates in other countries have also voiced objections to Gmail, particularly in the EU. In April, Privacy International filed a complaint with the UK Information Commissioner, outlining their privacy objections to the Gmail service.

The EU's Data Protection Directive (95/46/EC) affords strong privacy protections, exceeding those available in the United States. EU privacy advocates are very concerned that the Gmail service, which is of course available internationally, violates key principles and provisions embodied in the Data Protection Directive.

Generally, EU privacy advocates have argued that Gmail is a violation of closely-held data protection principles, such as responsibility for the security of personal information held by a provider of service (in its terms of service Google disavows all responsibility for security violations), confidentiality of communications between one party and another (the Directive's working group stated that "no third party should be allowed to read the contents of e-mail between two parties"), and control over personal information (Gmail users are not permitted to use any device, manual or otherwise, to monitor, cache, or copy any content from the Gmail service).

Specifically, privacy advocates have claimed that Gmail violates several specific provisions of the Data Protection Directive. For example, Gmail's Terms of Use indicate that in the event of account termination, copies of your information may remain on their servers indefinitely, implicating Article 6 of the Directive which states that data should be kept "no longer than is necessary for the purposes for which the data were collected." For more information, see Privacy International's complaint…

Finally, international advocates raise concerns about the openness of Google's intentions, especially when it comes to their "unstable" Terms of Use and Privacy Policy (i.e. the Terms of Use state that "Google may, in its sole discretion, modify or revise these terms and conditions and policies at any time, and you agree to be bound by such modifications or revisions."). This provision contains no guarantee of notice of changes, stating elsewhere only that Google "may attempt to notify you via your Gmail address when major changes are made."

4. What can you do?

4.1 Sign up with a different large capacity webmail provider

Of course, the easiest thing you can do to prevent Google's invasion of your privacy is to not sign up for a Gmail account. In fact, this is what Google and other Gmail advocates have been saying in response to privacy complaints -- simply use another e-mail service. For other e-mail providers and privacy tools, see EPIC's Practical Privacy Tools page.

4.2 Don't send e-mails to @gmail.com addresses

Remember, since Gmail is scanning and extracting incoming e-mails as well, even if you aren't a Gmail user, your privacy may still be violated by Gmail. To avoid such scanning, keep an eye on the domain of e-mail addresses to which you are sending and replying.

If you get an e-mail from a Gmail account and you wish not to reply, consider explaining with something like this:

Dear Friend,

I have received your e-mail, but due to privacy concerns, I don't want to send my response to your Gmail account. Please give me another e-mail address where I can reach you. If you don't have another e-mail address, consider the following free e-mail accounts with generous storage which do not pose the same privacy risks:

For more information on the privacy risks posed by Gmail, see http://www.epic.org/privacy/gmail/faq.html.

Sincerely,

Concerned Citizen

4.3 Reduce the possibility of tracking you through your cookies

As noted above, the Gmail service may look at cookies from previous Google searches in deciding which ads to target to you in Gmail. One way to "decrease" the privacy violation if you do choose to use Gmail is to decrease the amount of information your browser keeps about your previous interactions with Google websites. EFF proposes two possible solutions to prevent "future linkability" (beyond deleting your Google and Gmail cookies each and every time you use Gmail and Google):

  1. Use two browsers. Have one browser dedicated to checking your Gmail, which you never use for Google searches, thus preventing your Google search cookies from being linked to your Gmail account.
  2. Use an anonymizer. For example, download Anonymizer.com's free privacy toolbar, which enables anonymous browsing and blocks and tracks cookie settings.

However, it is unknown whether using these methods will "de-link" you from any information Google has already collected about your searching and e-mailing habits.
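A complementary check, added here as an example that does not come from EFF or Google: before deciding which cookies to delete or isolate, measure how long each one is set to persist. The Set-Cookie values below are constructed, and the one-year threshold and the function names are assumptions made for this sketch.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed Set-Cookie header values; cookie names and values are made up.
SAMPLE_HEADERS = [
    "uid=7f3a9c41d2e85b60; expires=Tue, 19 Jan 2038 03:14:07 GMT; path=/; domain=.example.com",
    "lang=en; Max-Age=2592000; path=/",
    "session=abc123; path=/; HttpOnly",
]

# Fixed audit time so the example is reproducible.
AUDIT_TIME = datetime(2004, 6, 1, tzinfo=timezone.utc)


def cookie_lifetimes(headers, now):
    """Return name, scope and remaining lifetime for each Set-Cookie value."""
    report = []
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)  # one header value per jar keeps attributes unambiguous
        for name, morsel in jar.items():
            expires_at = None
            if morsel["max-age"]:
                # Max-Age takes precedence over Expires (RFC 6265).
                expires_at = now + timedelta(seconds=int(morsel["max-age"]))
            elif morsel["expires"]:
                expires_at = parsedate_to_datetime(morsel["expires"])
                if expires_at.tzinfo is None:
                    expires_at = expires_at.replace(tzinfo=timezone.utc)
            report.append({
                "name": name,
                "domain": morsel["domain"] or "(host-only)",
                # None means a session cookie: discarded when the browser closes.
                "lifetime_days": None if expires_at is None else (expires_at - now).days,
            })
    return report


def long_lived(headers, now, max_days=365):
    """Names of persistent cookies that outlive max_days (assumed threshold)."""
    return [
        c["name"]
        for c in cookie_lifetimes(headers, now)
        if c["lifetime_days"] is not None and c["lifetime_days"] > max_days
    ]


if __name__ == "__main__":
    for row in cookie_lifetimes(SAMPLE_HEADERS, AUDIT_TIME):
        print(row)
    print("long-lived:", long_lived(SAMPLE_HEADERS, AUDIT_TIME))
```

A cookie that carries a unique value, is scoped to a whole domain and persists for decades is the kind the two-browser approach above is meant to keep away from the mail session.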

4.4 What are YOU guys doing about it?

Privacy groups have responded in various ways to Gmail. For example, EPIC signed an open letter to Google regarding Gmail and co-wrote a letter to the California Attorney General outlining possible violations of California wiretapping laws.

Legislative proposals to address Gmail have been introduced in California and Massachusetts. In California, State Senator Liz Figueroa has introduced SB 1822, a bill that would directly affect Gmail's ability to continue in its current form. This bill would allow scanning for the purposes of ad placement of incoming, outgoing, and stored e-mail and other electronic messages only if the provider abides by certain conditions (does not retain any personally identifiable information, does not disclose any of this information to third parties, deletes messages in a timely manner upon request, etc.) and has the express consent of all parties to a communication. Exceptions are made for scanning e-mails for spam and viruses, and for businesses' provision of e-mail services to employees. The Massachusetts legislation, House Bill 1209, is not directed specifically towards Gmail, but is a general bill that would set up a "Special Commission on Privacy Concerns" that could consider data protection issues and threats to electronic and informational privacy, such as Gmail.

Resources

Non-Profit/Advocacy Links

  • Open letter from thirty-one privacy and civil liberties organizations to Google urging them to suspend Gmail until its serious privacy issues are resolved (April 19, 2004).
  • Letter from EPIC, Privacy Rights Clearinghouse and World Privacy Forum to California Attorney General arguing that Gmail violates the California Wiretap Statute (May 3, 2004).
  • Letter from EPIC, Privacy Rights Clearinghouse and World Privacy Forum to Google founders S. Brin and L. Page urging suspension of Gmail (May 3, 2004).
  • Response from CA AG acknowledging Gmail's potential wiretap violation (June 4, 2004).
