Slashdot Mirror
On The Privacy Subtleties Of GMail, Other Webmail
Brad Templeton writes "After talking with Google folks and learning about E-mail privacy law from EFF (join!) lawyers, I have written a new essay on the privacy subtleties of GMail and other advanced webmail applications. Some of the fear has been overdone, but there are surprising issues due to the fact that the ECPA, written almost 20 years ago, wasn't prepared for fancy e-mail offerings like GMail. I issue a call for Google to encrypt your mail to avoid these issues."
How will I read it?!
Homophobia, non?
"I issue a call for Google to encrypt your mail to avoid these issues"
No... I have a better idea, instead of getting the government involved if you don't like it then you can choose to use a email service more to your liking.
Me? I can't wait to use Gmail, and if I don't like it then I will stop using it. See how simple it is?
This article goes right to the heart of my query. Rather, the existence of this article does so. Is a geek one who revels in technology and the pursuit of coolness in new technology? Or is a geek someone who is wrapped up in figuring out how technology will be used inherently for evil purposes?
I like to think of geeks as the happy lot who wander the streets of Akihabara mesmerized by all the glitz and blinkenlights of the latest and greatest devices.
The article demonstrates a new strain of geeks which seems to revel in stymieng the technological process by handicapping it at every turn.
I imagine that any geek can encompass both forms, but I have a feeling that lately it is the boys who cry wolf that are taking over geekdom.
I have been pwned because my
Google doesn't have to show you their databases.
"Uh, yeah, sure.... we're encrypting your emails... we can't read them..."
Might also note (as others will) it would be incredibly difficult to search emails if they are encrypted. Real-time decryption for 1GB of data then searching for a specific string? Fehgettaboutit!
Doesn't excuse the phrasing in the article, though.
Ph-nglui mglw'nafh Gates M'dna wgah'nagl fhtagn.
This is pretty rediculous if you ask me. People in America give away their privacy rights all the time, without any worry. Most of the YRO stories on slashdot are just about that. But when a half respectable company like google decides to provide a free service, which you aren't obligated to use people go crazy.
I don't understand it. If you can't handle an automated script putting some ads in your emails from a simple world relation algorithm, maybe you should just, not use it?
Nobody raised this size of a ruckus over Orkut's similar cookie features, especially considering they hold a far larger quantity of personal information than GMail ever will.
--
The last digit of pi is four.
From what I can tell of the post-9/11 legislation, it seems that for congress to even mention the ECPA, they'd have to remove both 1984 and The Colonel's Recipe just to be able to see the layer of dust covering it.
One word to all these gmail protesters: gohugatree!
Comment removed based on user account deletion
But what laws keep my web host from searching my home directory? The insertion of ads based on such a search is secondary, and less important. That's where all my email is, for a while anyway. Or does some standard contract cover this?
Jesus I have to go read that thing!
grammar-lesson free since 1999. (rescinded - 2005)
In other words, no more than they know if you click on a Google sponsored link right now.
So, umm, in that case, don't sign up for a free trial of Out if you don't want one? *shrug*
Honestly, MSN, Yahoo & co. can do all of this right now, should they desire, and they have very little incentive to tell us about it. Well, maybe in the UK it might be illegal, but if they exclude all people who are from it from the policy and never tell anyone... (as if that were meaningful considering how many fill in utterly false info there...)
Hell, look at this current snip from the MSN Privacy Policy, which governs Hotmail:
Where was this fuss over these terms? I at least trust Google more than MSN...
Hmm I don't think we need more laws, what we need is less laws, yet better defined...
What is all this fuss about?
People have been using webmail for years, and from what I've seen, it's become a great percentage of the email going back and forth. People leave a fairly good bit of mail there, going back pretty far if it's all text. The amount of space allocated has increased over time, which means they're being used... commonly... more and more as standard mail archives rather than just quickie anonymous email services.
All Google is doing is taking what people have already been doing, including many of the people on here, and expanding it beyond any reasonable sense of proportion.
And it will work. Because geeks love proportional reasonability failures.
Do not confuse "Freedom of Choice" with "Free Will".
RTFA
Tackiness aside, though, if there are privacy problems, they need to be addressed. Yes, I know that Gmail is the ultimate in "opt-in." Don't like it, don't use it. This should make privacy concerns a moot point: interesting to debate, but nothing to fume about.
But google is a huge service. If Gmail is launched, people will flock to it in droves. Not just geeks, but ordinary people who have no idea how much of their private lives are lived "in plaintext." The privacy of many, many people, even those who do not use Gmail, is at stake.
Imagine, for example, a phone company that halves your rates in exchange for being allowed to sell transcripts of your phone conversations. Don't like it, don't use it -- but what about my rights to privacy when I call you? The simple answer ("don't call people with NoPrivacyPhone") is no solution at all.
Protect your liberties. Donate to the ACLU
Its not like email is "secure" or private anyway (at least here in the UK) remember RIP? I know that the government getting hold of your email is different to some random (evil) company getting it, but if you need security you would be using PGP anyway. Considering the way we are monitored and tracked already I doubt this would make much difference. People should know that on the net you don't get something for nothing and 1gig is quite a lot even today IMO.
...but I don't like the idea of any company having gigabytes of my email, which it has conveniently filled with advertising
A person's email archive belongs on their own hard disk. I wouldn't trust all my personal mail to a 3rd party (even if it was a highly accessibly safe box).
These posts express my own personal views, not those of my employer
unpleasant? that sounds absolutely apropos. and a free magazine. hey!
Learn how to cryptographically sign your mail in Panther
From http://dictionary.reference.com/search?q=geek
geek ( P ) Pronunciation Key (gk)
n. Slang
1.
1. A person regarded as foolish, inept, or clumsy.
2. A person who is single-minded or accomplished in scientific or technical pursuits but is felt to be socially inept.
2. A carnival performer whose show consists of bizarre acts, such as biting the head off a live chicken.
Most slashdot users would fit 1A or 1B quite well. Me, I'm going for number 2.
The problem with Google encrypting email is that Google, Inc is a global corporation, with translations into over 20 languages. While the US export regulations regarding cryptography have been relaxed somewhat, these laws are different in every region. I spent some time as a paralegal, and I'd estimate that the kind of research required to roll out large scale global encryption on this scale would take many, many months at a minimum and cost well into the millions of dollars.
I doubt your privacy is worth that much to big old Google.
Such a mild invasion of privacy is the price you pay for free email with massive storage. To those who balk at the terms: how much would you shell out for a "secure" GMail?
I do not see any privicy issues if a program reads my email in a single pass and add ads as soon as it does not store the data, does not integrate and post-analyze the data, does not use the data for profiling, etc. Plus, you do not have to use gmail at all. However, if gmail raises privicy issues then what about anti-spam programs that read and analyze your email whether you want or not? Morever you do not even know if there is an anti-spam program when you send your email to foo@bar.net. Then what about censorship issues with anti-spam programs? If someone sends an offer for viagra to president@whitehouse.gov, and an anti-spam program stops it, is it an instance of anti-Consitutional censorship? I do not say that anti-Spam progams are evil but rather just making a point about to harsh fear of the beast that was not even born yet (officially).
If enithin kan gow rong it whil. (Murfey)
Cryptography has been a buzz word for years. Heck, I'd wager to say cryptography has been a buzzword longer than the web has.
From article
/. 's to do the same. But....
I've also consulted for Google on other matters and make surprising revenue from their Adsense program on my web site.
Im going to click everyone of those ads. I am asking other
I also ask that the author donate some of the revenue from his self promoting article to the Electronic Freedom Foundation!
Is how everyone's reactions would be different if this was Microsoft doing this?
"1gb email! They're just trying to corner the market and force all the other webmail companies out of business!"
"They can read your mail?! They're probably selling it to some clandestine government agency!" (at which point michael would pop up and post a link to his favorite article on the government buying large ram disks)
My point is, I wonder how much leeway Google is being given simply because they use linux and are a good search engine.
slashdot, news for crazed liberal socialist zealots
I know others have said it, but really, if people don't like it they don't have to use it. Nobody is being forced in the least. There are plenty of other free email providers. The big comeback to that so far has been, "but what if I have to send an email to someone on GMail". You can't pick the phone service provider for a person you call, just like you can't pick a person's email provider for them. If you are that paranoid and whatever you are sending needs to be soooo private, then I doubt you'll want to be sending to a free email address of any kind anyway. I swear, some people just bitch to hear themsevles bitch.
What if you use some of the same tactics spammers use and scramble words you know would trigger ads? Inserting superfluous letters into words, or just type in 1337 5p34k could get around the ads. If Google can't recognize any keywords, how can it serve you an ad?
"Well, it took an hour to write, I thought it would take an hour to read."
Not to start a /. flame war, but you will note my use of the imperative mood in beginning "imagine." Of course google is not selling your e-mail transcripts. I was demonstrating why communications providers should not be allowed to indiscriminately violate privacy even in an opt-in situation.
Meanwhile, can you try an experiment for us? Mail yourself from a different account a couple of short e-mails containing keywords-bad-to-advertise-on like (sorry for the gloom):
"abortion", "miscarriage", "car accident", "suicide", "funeral" /. is curious. Will gmail give users ads for anti-abortion websites, casket discounts, "Suicide items on ebay" (actual google text ad right now)?
Protect your liberties. Donate to the ACLU
But in the time I've been idly following this issue, it seems to me that the whole conflagration is over one small mention that your emails may last forever in their system even if you delete them.
Now , when first reading that, I just assume that this is standard ass-covering legal boilerplate. Stuff that conveys to the user," hey, you might have deleted it, and we might have deleted it, but, you know, *somewhere* on a partition of one of our many cluster machines, there *might* be a copy of your email that possibly could be read with forensic tools, so don't sue us in the unlikely event of this happening."
Is this the case? Is there more of an issue here?
You are in a twisty maze of processor lines, all alike.
There is a lot of hype here.
Because we keep back-up copies of data for the purposes of recovery from errors or system failure, residual copies of email may remain on our systems for some time, even after you have deleted messages from your mailbox or after the termination of your account.
How is this any different from what all other email providers do? As they make backups, generally it gets stored to tape. Later on, you stroll through and delete it. It still exists on the tape.
When you are logged into your Gmail account, Google will display targeted ads and other relevant information based on the content of the email displayed.
How is this different from what Yahoo does? Targeted ads based on search entries.
Oh wait...Google is honest enough to tell us up front.
(a) (1) Except as provided in paragraph (2), a provider of e-mail or instant messaging services to California customers may not review, examine, or otherwise evaluate the content of a customer's outgoing or incoming e-mail or instant messages, unless that provider has a court order or is otherwise required by law to do so.
She is trying to outlaw gmail, though I think it also makes other things illegal. I don't know how google or others can index email unless they "review, examine, or otherwise evaluate the content". What other features does this make illegal? (spam is specifically exempted)
If you think *any* unencrypted e-mail is private, you're a fucking moron to begin with.
From the article:
"My e-mail contains the story of my life, and what's not in there is often recorded in my searches. "
I've often wondered what someone could piece together from just reading my e-mail. Add the information on what I search on, and wow. My first reaction to this statement was that you couldn't really tell *that* much from email alone...but then I started to really condsider how much more a statement like that becomes truth as we become more and more dependent on things like email- Some guy who works on your pipes may not have needed a net presence/email system in the past, but even 'non-tech' type professions are going to REQUIRE e-mail access/web search access...which in turn means that the privacy issues being brought up are problems in infancy; they will grow with us.
I don't see requiring Google to encrypt email as the answer...infact the gut reaction by most people will be that Gmail is not really that different than Yahoo, MSN, etc...the fact that Gmail is going to be free is great, and I'm looking forward to using it...anything that I'm overly worried about I'll encrypt myself.
"We are the music makers, and we are the dreamers of dreams."
Once you send someone any kind of letter, electronic or paper, it would seem to me that they can do as they please with it. Should they choose to let Google archive it until pigs fly, so be it. If you need to give a GMail user sensitive information, and they expect you to send it to their GMail account, politely let them know that they are what I and some of my friends refer to as "legally retarded"
V'z fher lbh jvyy svaq n jnl.
If my answers frighten you, stop asking scary questions.
You are weird.
Because Google would end up needing that key in order to compose the HTML page that's going to be sent to you, even if that page is going to be sent over HTTPS.
In short, what's the difference between storing it on the server compressed or plaintext... Google still can decrypt it any time they feel like it, you just have to trust them not peek either way you go.
I think they've clarified they privacy policy to a level that us geeks should easily be able to understand... When you hit "delete", more often than not in computer land, your data is not immediately rendered unrecoverable. In most operating systems, deleted files are ushered over to a "holding bin" for a final clear-out command to really get rid of them in case we want to change our mind. Once the OS finally lets go of the file, the file system often takes the short cut of just removing the index pointers to the file and/or marking the space as "unused", but leaving the data still spinning on the drive until something eventually wants to use that space... let's face it, a "quick format" doesn't have time to hit every track on the drive, it's taking a shortcut and that's what makes it "quick". So, really, they're just saying that in order to make their magical mega-system work, "delete" isn't going to mean "Expunge it all right away!" but simply "Put in the pile that'll be discarded the next time the garbage collection process comes by." Therefore, they'll need to keep your "deleted" e-mails for an undisclosed length of time... they don't intend on keeping it forever, although they have to word the privacy policy in a way that might be misread that way because to do less just wouldn't be being honest. If you don't have root access to the e-mail system where you work, you don't really know if "delete really means delete" on that system either. Your boss may in fact have access to your e-mail... you might as well assume that they do unless you know otherwise.
people just arn't happy enough that they will get a gig to sodomise with their mail, they want it encryted. as if the gig alone isn't enough of an expendature on google's part, now people want them to expend more computing power to encrypt their mail!
Q: know why when you log into most web based email services only your password gets encrypted and not your whole session?
A: it's a resourse wasting whore, that's why. it may not be an issue for us, but when a server is getting thousands of requests that must be encrypted, well it uses more cycles than HL2 will.
stop whining. privacy and security is important, but this isn't new. have a blog? and web based email? then chances are very good that tons of your "deleted" info is still on servers.
p.s. as for the EFF, i don't trust anyone's site that requires me to have cookies enabled just to get to their homepage. being so concerned with privacy, you'd think they'd know better.
I'm surprised at how few seem to be concerned with yet another (possible) invasion of privacy. What Brad describes is just another facet of the continuing erosion of our basic freedoms that so many have fought and died for (I'm talking real wars, not our current well-funded terrorist activity in Iraq). If you haven't heard of the Boiling Frog Syndrome, Google it.
The antidote for misuse of freedom of speech is more freedom of speech.
-- Molly Ivins
Personally I like the encryption idea and wish it was integrated into more webmail sites. Hushmail has a pretty interesting implementation of this, having all the email stored encrypted on the server and the user views their email locally by decrypting it with a java applet. I'm dissapointed more people aren't interested in encryption (if more people were maybe there would be more services like this).
Though I'm not sure if that could be implemented with gmail, how would you search and organize a gig of email without decrypting all of it?
I am surprised that you don't see the critical difference between what Google is planning and the more usual form of behaviour-tracking that goes on all the time, with or without our consent, by DoubleClick and their ilk, which is common as mud -- in fact I myself once developed a system for a client that had a behaviour tracking component. (Not proud of it, but just pointing out how ubiquitous it has become.)
The crucial difference is that -- at least from the terms described above in the MSN agreement -- these other services are not reading your mail. They are just watching what you click on, examining your behaviour, etc. I don't really approve of this, but it's an order of magnitude less of an infringement than a system that actual parses my mail and searches for keywords ... and as someone mentioned before, I don't have to be a Gmail user for this to happen; I just have to write an email to one. And if gmail takes off, that could end up being a high proportion of the email I send.
The assurance that no human being is going to read my mail is an insult to the intelligence. What is a parser if it's not the tool of its human designer? ... And in any case, what do I care if a (human) marketing drone assesses my email for targetting possibilities, or if it's a bot doing the same job? The bot is worse because it is way more efficient. The point here is not that I am afraid my data will be used for some illegitimate purpose. It is the expressly stated purpose that I am concerned about: of the use of my email to allow targetted marketing to identify me a potential market for Product X.
It seems to me that there may well be innovation in Gmail: but as far as I can tell, it's all aimed at the real Gmail customers, the advertisers, and none of it to the email user. The offer of 1G is in itself pretty outrageous. They are in effect saying: We will generously allow you file up to 1073741824 bytes of data which we will then regularly comb through and see how much crap we can sell you. Thanks Google, but no thanks.
[ UNSIGNED NOT NULL ]
Even exchange goes for under $8 a month now ...
Maybe I'm missing something too, but as others have pointed out (or will soon point out):
1. I don't own Google and none of you do either.
2. What Google do is their business, not ours.
3. What we do is our business, and we can opt to not use a Gmail account.
4. I can't see what kind of retard would want or need a GB for email no one ever looks at anyway. I like the storage but I would never use it for email - forget it, just forget it.
5. The same people who think this is not only cool but necessary are probably those that thought Expose was a new operating system - all because they're not capable of managing their own work.
6. There are lots of big companies who market excellent mass storage technologies. You'd probably be better off and with a more secure solution with them.
7. I'd be an idiot to entrust my email to a company like Google. They're going to let me search for my own email. Gee, but what exactly stands between my email and anyone else's search?
8. I really don't see the marketing point in it - from Google's standpoint. I like them but I fail to see how this is going to help them.
9. Most of what you'll read between now and Gmail is talking head tripe written by wannabes who want to get some e-zine real estate and have no better way to do it. All privacy concerns considered, it's the same old mish-mosh all over again, and frankly I think it's a shameful bore.
"I issue a call for Google to encrypt your mail to avoid these issues"
I though GMail was supposed to index your mail to make it searchable.
How will this work with encryption?
You would reduce GMAIL from "1G of emailsindexed by the internet's most popular search engine" to "1G of offline storage"
2) If the mail is encrypted on the Gmail server, then to decrypt it via the web interface you will need to store your certificate on the Gmail server, and supply the necessary password to access your private key.
3a) As soon as the server has a message encrypted, they can scan and stuff in the ads.
3b) Once they have the plaintext message content, you've lost any benefits of encryption.
So, how does encryption protect your privacy ?
Anyways, if you're a geek who likes new blinking things [and BTempleton is obviously a geek who likes Akihabara and new technologies] you might want those technologies to be widely used without interference from, say, Ashcroft. Note that he isn't saying "lets create great new laws to apply to these new technologies." He is asking "what happens when old laws get applied to great new technologies, and are there ways to get around any obvious upcoming problems?" ECPA already exists, and ASP style email storage could run into ECPA's limitations. Don't we want to think about this now, not later?
Remember that one of the EFF's first cases happened when the US government thought it could seize an entire BBS in order to investigate one user's email? Or that the US government wanted everyone to use weakened encryption with backdoors built in? Or that unchallenged yet idiotic patents hurt technological development?
Its the job of technologists / groups like the EFF to watch for potential crashes at the intersections of rights-reducing governments (or technology-ignorant governments) with great new technologies. And then, as in this case, suggest ways to prevent the intersection from ever happening (built in encryption could be valuable for that). Because otherwise, court cases are very expensive, and the technologists don't always win.
Also, Google isn't the government.
Ah, but this is a great premise for a novel -- by, say, Neal Stephenson and/or Bruce Sterling. (Or for that matter, the ghost of Philip K. Dick.)
-kgj
-kgj
If you don't trust Google to keep your email private, why should you trust them to encrypt your email without using an escrow key or some equivalent?
This is starting to sound not very original to me.
;)
Why not google setup an anti spam system we can all join in that is simply learning from the opted-in's input on what spam is?
[this is spam] button pressed more than 20% may trigger the deleting of all related spam comming into all of googles accounts
Well isn't it simple enough? Email is not private. If you want privacy, use GPG or PGP. If you don't want to use encryption, then you don't care about privacy and can be ignored.
Karma: It's all a bunch of tree-huggin' hippy crap!
For crying out loud! It's ridiculous NOT rediculous !!
ARRGGHH!
There - I feel better now.
Google's founders, from the overall feeling I get from using the site so often, and after everything I've read about the technology behind it, are big on web standards, open-ness, and FOSS. I hope they hold the same beliefs when it comes to reliable encryption.
/. fire up some https servers for their site as well. I'd appreciate the site more if I knew that my every post weren't being sniffed and recorded by spooks into that huge solid state RAM unit (how many terrabytes again?) for later use against me and fellow /.ers.
I issue a call to the Google founders to enable storage of a user's mail, via a user's PGP/GPG encryption key, and using the encryption technology of PGP/GPG. This is the only way that I can think of, of giving enough assurance as to the security of the email information.
Google founders, enable the email (all of it, for everyone) to be auto-encrypted upon receipt by your mail servers, via PGP/GPG encryption, for security purposes.
Doing this will hopefully, finally, give PGP/GPG the kick in the pants that it needs, and hopefully increase the installed user base, something sorely needed still today. And it will help spread security, privacy, and FOSS, to more people, something (FOSS, not privacy), that it appears you like to promote anyway.
btw, I'd like to see
>> I issue a call for Google to encrypt your mail to avoid these issues
:]
:]
> No... I have a better idea, instead of getting the government involved if you don't like it then you can choose to use a email service more to your liking.
You should have RTFA a bit more carefully, perhaps? Don't get me wrong, I intend to use gmail myself, when I can, so I'm not one of those who is completely spooked by gmail, but...
That specific comment about encryption in the article was about avoiding a 180 day provision in the law that would allow warrantless searches by the government on that data. The provision is something to the effect of saying that if it's been there 180 days, we're no longer 'wiretapping' and thus don't need the warrant to do wiretapping, though IANAL and I'm playing fast & loose with my understanding here. This affects all email providers, BTW, but Google seems to encourage the archiving moreso than other systems.
I understand that encryption would somehow avoid this provision (as the law was meant to address something *very* different than it would be applied to here--sattelite broadcasts are at issue here, I think) and thus avoid the problem.
I just don't like the thought of the government googling through all the old mail on a whim, even though I have nothing to hide, really. Of course, if I'm reading things right, they at least have to inform you about the searching they're doing. I have no idea if the PATRIOT Act could be used to get around that, however.
So I would like it if Google could encrypt things server-side somehow, even if it was just ROT 13. Actually, if ROT 13 were "good enough" legally to avoid the warrantless searches, ROT 13 has the advantage that you can just ROT 13 the keywords in the query, too, and search normally, pretty much... *hmmm*
Damn, it scares me to think that something that trivial is probably patentable these days, even if it's just a property of many simple character/byte/bit-shifting schemes... Oh well, hopefully this post would be prior art now, against any such inanity?
I'll be using Gmail as soon as it launches, and my privacy will be Ok. How? Because whenever I have an important e-mail communication, it is encrypted.
./ has stated the obvious. We are technical people. We don't fear encryption. So why are we worrying? What am I missing?
So what is the problem? Do you think Google will try to break the encryption of random Gmail users?
Ah. Now I remember. People are lazy and fear technology, so they won't use encryption with Gmail. Then don't use email at all! Even if your email is handled by yor ISP, instead of a webmail service, any network admin at your ISP can read it.
What surprises me is that no-one on
Google is now giving Gmail accounts to active users of its blogger.com service. As seen here (Ev, of Blogger)
Current use of encryption for email is terribly low: I remember when Whitfield Diffie was asked at a Computers, Freedom and Privacy Conference a few years back how many emails sent to him were encrypted. Because you'd expect him to be way up at the top of the list of people who get encrypted email... under 10% was his reply. Oh, and Zimmerman was also in the audience... same answer.
That depends. They could use a scheme where the key has to be on your local disk, and an applet or bean does the decryption on the client. This would be a boon for Google also, because they wouldn't be wasting their server power decrypting email for people who are too paranoid not to do it but too lazy to do it themselves.
The only real risk then is that if you lose the key, you lose your email, but copious warnings ("YOU MUST BACKUP THIS FILE. IF YOU LOSE IT, YOU WILL LOSE ALL YOUR EMAIL") should suffice.
Karma: It's all a bunch of tree-huggin' hippy crap!
Many people subscribe to the phone company's voicemail services. Aside from voicemail's annoying lack of searching and ad features, how is GMail any different? Shouldn't GMail be covered under the same laws in terms of privacy and warrants as voicemail?
aQazaQa
Why not use a trust-centric system like GPG to generate and rate the trust of your own certificates, instead of a backwards-trust-centric system like SSL or S/MIME? Part of the issue with SSL or S/MIME encryption is that it gives a single point of failure, a person only has to forge their identity to a single company in order to be completely trusted. At least with GPG you can see if they have multiple signatures, compare those signatures with other people you already trust, and work the network up from there.
Karma: It's all a bunch of tree-huggin' hippy crap!
Don't use it.
It's not like they will be reading your email. It should come as no surprise to privacy advocates that email servers store email, parsing through it every step of the way. It doesn't matter because it's a black box operation. What their web server does with it, like selecting ads more appropriate to my interests, doesn't offend me at all as long as my email doesn't appear before human eyes other than my own.
What should worry privacy advocates is that their email is never encrypted unless they do so manually. It goes across the internet as plain text, and can readily scanned and logged by anyone who wants along the way, like spammers, identity theifs, the government, etc. Most likely your password isn't even encrypted. If you use wireless, most likely that isn't encrypted either. The least of your privacy worries should be GMail deciding that you're interested in enlargement pills and home loans.
Someone should be wacked over the head with a clue bat. It seems to me, that the core issue here is, that someone (this "someone" being a script) is reading eveybodys mail.
Well... what the heck do they think Baysean filters does? A lot (most) of email providers offers spam filtering including Baysean filter. Guess what - they read your email! - in the same way that gmail does.
Sheesh.
Underholdning.info
I don't understand the "unpleasant situation" in the first place. Somebody who actually gets invited to a gay wedding probably is broad-minded enough to just laugh at accidentally getting a gay magazine in the inbox. For him, it probably just makes an amusing story to tell at the wedding...
Joe Sixpacks don't get invitations to gay weddings. Hence this situation doesn't happen with them. Simple as that.
Hence, I agree that the gay (or generally, sexual) aspect is irrelevant and wasn't in any way necessary in the article. The author should have discussed the overall annoyance of getting unwanted material, or the specific annoyance of getting quite personal and suggestive material just because some keywords appeared in an email you received. That can be annoying to anybody, whatever the context.
Mod parent up, market capitalism is what its called.
If you want government choose for you, and wipe your ass and tell you what to think then feel free to goto a country that has that kind of government.
Okay, this is just getting sickening. Google approaches it's IPO date and comes up with webmail. So, suddenly, it finds it's way into the 30 minute CNN/FOX treadmills, it's in all the papers, and there's not an IT news site without some big story on it.
Gee, someone at the AP sure has an interest in getting that IPO to skyrocket, huh?
Search engine + webmail =! news
Search engine + rumors + AP treadmill + IPO = lots of money for whoever is behind this big media push.
Please, don't be sheep. As soon as Google goes public, you guys are going to be crying about how cool Google was before all the banners and popups. Trust me, their business model will change for the worst. Right now, they are trying to get you to buy them and have got to be cool -- But soon, things will be different. There will be shareholder meetings and demands made to increase revenue. Then, Google will be just like AOL or Yahoo and you won't feel so excited about it anymore.
I'll be sure to link back to this thread in a few months when the first crappy news about Google breaks. Like when it becomes a whore to the share holders and advertisers.
Posters have previously commented that Google is likely to be able to afford 1GB storage per customer partly by, where the same attachment is held by more than one person, storing only one copy of that attachment on its servers, with a link from each email to the single copy.
My interest is in the likely tie-up of this system with their advertising strategy.
At its most benign, Google will be able, on behalf of "viral marketers", to trace all people who have been sent a copy of the attachment sent out, and send them further "personalised" emails/ give them adverts through the adbars in the email program.
If asked by RIAA or a record company to trace a specific mp3 file that they have found "in the wild", Google could do this, and provide the industry with the facility, at the least, to send such users emails saying "was the copy of xyz's latest song you bought an illegal copy? Why not legitimise your purchase by buying it from our store? Only 99p".
Interesting how people can having different opinions serious topics like Palestine/Israel but not about homosexuality. (im not talking pseudo-christian tv evangelists here)
Does everyone have to think the same way?
I have as much right to think that gay weddings are idiotic as I do thinking that the Mormon Church is a scam based on some huckster's 'translations' or that $cientologists who believe in Xenu and other Hubbard pulp fiction are seriously stupid.
You wouldnt think twice about questioning mormons and Xenuite practices but somehow butt-fucking is off limits?
What you do in your bedroom is your business and my opinion is mine. I wont tell you who to pork and you dont tell me what to think?
Ok?
dale
For over a decade, I've been using a mail reader that gives me all of the above plus many more features such as configurability and a powerful editor and without all the ads and privacy concerns.
It's called gnus.
If you have a decent mail reader, Gmail has nothing to offer you.
"Looks like you're trying to launder money. Would you like to open a bank account in Cuba?"
"Somebody thinks you're not much of a man. Would you like buy some pills?"
"If Gmail is launched, people will flock to it in droves."
No. Normal people get very attached to their e-mail accounts. I have and still use the same Hotmail account I've had for years. Of course I also use my own e-mail service but it's business. Normal people aren't going to see a need for 1GB of storage. Looks of geeks are going to want it because of the geek factor of owning such an address.
Even by Mills Voluntary Slavery argument you have exactly no argument against GMail. GMail undoubtedly requires an existing e-mail account which means you don't have to send your e-mail to the user's GMail account. Just send it to their alternate account.
If people want to sacrifice some liberty, privacy, whatever for a little usefulness, that's their business.
If you're worried about private information being stolen, don't send an e-mail. Write a letter or only devulge such information in person.
There are two ways to be anonymous. By hiding in the shadows or by hiding in the crowd. GMail is going to have waaaay too many people using it to worry about anyone looking at you.
The people who are worried about GMail are the same people who think everyone is looking at them when they walk down the street. Behind Google is a handful of people and an army of benevolent computers who don't talk around the water cooler. Guess which group is going to be watching your e-mail.
Ben
Work Safe Porn
I'm sick of all the bitching about Gmail. All the other freemail providers can do the same, and Google has never done anything against the interests of it's users before.
"Gee, but what exactly stands between my email and anyone else's search?"
The directory structure. In my case the search script goes into exactly directory looking through e-mails; the user who requested the search. I don't know if you've ever written scripts but it's incredibly easy to tell a script exactly where to go based on information that the client has no control over. Scripts don't accidently go some place they shouldn't have gone.
"I like them but I fail to see how this is going to help them."
Ad revenue. I run Google Ads on my main site and they work really really well.
"I can't see what kind of retard would want or need a GB for email no one ever looks at anyway"
I have a CD full of discussion group e-mails that cover over a year during a very life changing time in my life. Being able to search them would be handy. It's already public information so who cares if it's stored on a nonsecure server?
"You'd probably be better off and with a more secure solution with them."
You're making the mistake that everyone cares about (is as paranoid about) security as much as you. Some people prefer convienence and most aren't paranoid.
For my own service I offer security to and from the mail server for those who want to utilize it. Google will most likely do the same. If that's not good enough, oh well. That's the service that's offered. Take it or leave it. If you want a Fort Knox, ad free e-mail account you're going to have to cough up some money.
Nobody is stopping you from running your own secure mail server with all the features you want. That's exactly what I'm doing. I'm implementing features I want and since I have them, I make them available to other people as well.
"frankly I think it's a shameful bore"
Noted and dismissed. If it weren't for Google's prompting, my sig wouldn't have nearly as many adjectives to describe my e-mail service.
Ben
Work Safe Porn
why I'm getting a lot of ads for Ovaltine.
Ben
Work Safe Porn
Honestly I don't understand why everyone's getting their panties in a wad over this one. Sure some features of GMail might sound Big Brotheresque to some, but the solution is quite simple.....don't use it. It's not as though the entire concept of email is going to change with the introduction of Google's service. Things will stay the same for those who host their mail elsewhere.
And to take things one step further, don't send mail to people who do happen to *choose* to use GMail if you object to the system. Because after all this is what the issue should come down to....choice.
Joe Sixpacks don't get invitations to gay weddings. Hence this situation doesn't happen with them. Simple as that.
what if the invite is a spam and it gets flagged for ads? unless automated spam detection improves to 100%, how can any automated system possibly know which mails are "safe" to parse for ad-content delivery, and which mails are not?
Homophobia, non?
Pas du tout. More like homophobiaphobia (fear of homophobia).
This could be changed. Technologies have gone from public (non-private) to private and protected before. Consider the switch from party lines to private lines in the telephone system. Now that we live in the 21st century shouldn't we demand a similar switch for email?
Because privacy is, at its core, a fundamental human right. Every communication system we use should have privacy built in: if its not, there should be a very good reason why not. "Oh dear, it will take extra computational cycles" is not a good reason, not with the small footprint crypto already here. "Oh, Ashcroft doesn't want it" is even a worse reason.
Why is privacy a basic right? From the well-written essay by Canada's former privacy Czar
"If Parliament and the public at large have been slow to react, it is probably because for most people, most of the time, privacy is a pretty abstract concept. Like our health, it's something we tend not to think about until we lose it - and then discover that our lives have been very unpleasantly, and perhaps irretrievably, altered.
But though we tend to take it for granted, privacy - the right to control access to ourselves and to personal information about us - is at the very core of our lives. It is a fundamental human right precisely because it is an innate human need, an essential condition of our freedom, our dignity and our sense of well-being."
" ...A popular response is: "If you have nothing to hide, you have nothing to fear.
"By that reasoning, of course, we shouldn't mind if the police were free to come into our homes at any time just to look around, if all our telephone conversations were monitored, if all our mail were read, if all the protections developed over centuries were swept away. It's only a difference of degree from the intrusions already being implemented or considered.
"The truth is that we all do have something to hide, not because it's criminal or even shameful, but simply because it's private. We carefully calibrate what we reveal about ourselves to others. Most of us are only willing to have a few things known about us by a stranger, more by an acquaintance, and the most by a very close friend or a romantic partner. The right not to be known against our will -- indeed, the right to be anonymous except when we choose to identify ourselves -- is at the very core of human dignity, autonomy and freedom.
"If we allow the state to sweep away the normal walls of privacy that protect the details of our lives, we will consign ourselves psychologically to living in a fishbowl. Even if we suffered no other specific harm as a result, that alone would profoundly change how we feel. Anyone who has lived in a totalitarian society can attest that what often felt most oppressive was precisely the lack of privacy...
"...The bottom line is this: If we have to live our lives weighing every action, every communication, every human contact, wondering what agents of the state might find out about it, analyze it, judge it, possibly misconstrue it, and somehow use it to our detriment, we are not truly free. That sort of life is characteristic of totalitarian countries, not a free and open society..."
No, he just hates Canadians ;-)
Seriously though, that 'chap' is the chairman of the EFF, which makes it a particularly dissapointing comment...
Did you not read the sentences just before that?
"What if I want my email to be kept private, but through ignorance or lack of options, I email several people with Gmail accounts? My messages to these individuals are being scaned and archived without my consent."
That is, the grandparent was talking about mail that they might send to Gmail users, not them being a Gmail user.
If they encrypt it, how will they be able to use their lovely search capabilities (the only real reason for going with gmail despite the 1GB hype)? Unless they decrypt it every time I search for something. But then what's the point? Just sounds like an expensive use of CPU.
If you want secure but searcheable and indexable email put it on a box you trust. Gmail is hardly going to become a standard we must all support as the transmission and format of email remain the same - so you have no reason to use google's service if you don't want to. But the benefits of having google index and organise your mail all rely on google, or their machines, being able to read your mail. Otherwise the whole thing is a waste of time.
Once people start making good copycat programs you can host on your own servers or with people you trust more then your email will be a little more secure.
If you want encrypted email, you'll have to use old fashioned folder sorting for it to genuinely be secure.
The only way to boil a frog alive is to put a lid on your pot, otherwise he'll hop out when it starts getting hot. Have a look at snopes.
He tried to kill me with a forklift!
I'm pretty sure they won't. Google runs ads for spammers
Employee of Inrupt, Project Release Manager and Community Manager for Solid
'If need be, the mail can be held temporarily unencrypted before delivery to the user (because then it has ECPA protection) and thus indexed and tied to ads.'
As far as I know, your email is still protected as email, even *when* encrypted, so the real reason not to do it right away, is the latter: commercial issues; tying it to ads.
Google might be a good company, but the author is being overly apologetic, IMHO.
And I also do not understand his reasoning to doubt if Gmail would have the same protection as other mail, because it can be searched. The point seems absurd: G*mail* is still portayed as a *mail*service, isn't it? And people have the the expectation that it's for emailing, not for using it as a search/database.
When the prime function is email (which even google itself won't deny), then there is no reason why this emailservice would have lower legal protection then any other.
--- "To pee or not to pee, that is the question." ---
That's entirely laughable. If you think for one moment that the ECPA is going to stop someone with access and interest from reading your email, you're terribly naive. It might stop them from divulging that they read your email, and make them carefully search out plausible public sources for the information they gleaned from it before acting on any of it, but it sure as heck won't stop them from reading it.
Link here
To have a right to do a thing is not at all the same as to be right in doing it
How can so many supposedly technically competent people be bitching about this? Your email gets sent in plaintext. Where did you get your misguided expectation of privacy? If you wouldn't write it on the back of a postcard, you should not be writing it in email - that is one of the first rules of using the Internet. Is the problem that Google is telling you the truth? Would you rather they said nothing? Who do you trust - the company that tells you what they're doing with your email, or the company that says nothing?
If you want privacy, encrypt your mail. If you don't encrypt your mail, you do not have privacy.
Stop-Prism.org: Opt Out of Surveillance
Why not just encrty your text before using the gmail system?
There's that problem with junk mails. Let's assume that even the most intricate and smartest algorithms cannot reliably detect spam mails.How is Google gonna detect which Mails I like and which don't?
Maybe they are gonna keep statistics on the addresses their users write to in order to do that. Maybe it will even be necessary to do that or anything like.
I know you were kidding (hope you were kidding), but - HushMail's free/premium Web email service encrypts email both on their servers, and from your browser to their servers.
Once it gets sent out to another server, it's (potentially) a different story. Most email is still sent unencrypted; HushMail gives you the option of sending as plain-text or sending encrypted (PGP/GPG compatible, I believe).
The main point relevant to this story: a compromise to HushMail's server's will not result in someone else reading your email. It also means, you'd better not forget your passphrase, or your stored emails become irretrievable random-looking gibberish!
OK, so I'm not the only one here running my own mail server. A low-powered linux box on my network with a webmail server, always on, that retrieves my POP3, hotmail, and Yahoo! mail and puts it in one place for me and only me to access. No ads, no Patriot act searches, full control. So, there's some cool features in Gmail from the sounds of it, but it doesn't sound like anything that couldn't be integrated into a personal webmail installation.
Where's the "free" part at Thawte?
Sig it.
Why would Brad Templeton give anything to the EFF? It's obviously something he doesn't care about.
The Tao that can be spoken is not the one eternal Tao
your isp doesnt have a *personal* spam filter for you. That would be a waste of time. New users don't want to receive tons of spam until they've trained their own personal filter. There is one global mail filter that identifies and marks spam, for all users.
-
...if your initial connection to the webmail service is through a normal http (non-secure) connection! I have a couple webmail email accounts (for backup access) and every single one prevents initial connection via https! Or, if I can connect securely to put in my name and password, it shifts me to a regular connection to view and enter my email.
Don't get me wrong, I like the Gmail idea, but I think the initial connection to ANY email server is just as important to security.
Imagine receiving your weekly, subscribed too, email business newsletter promoting online business opportunities (ie non-spam).
Alongside this email will be google paid ads for competing products.
Enigmail is not actually developed by Mozilla, but by a third party. And it further relies on external gpg/pgp binaries.
I found it very interesting when it was discussed in my film class how the "evil scientist" character in literature/film didn't really appear (frakenstein excepted) until after WWI and the whole chemical weapons debacle. This was further enhanced by nuclear weapons.
I think people DO see technology as demonic. Just look at the curses people level at their computers. Unless it's a cute little mac...who could that hurt, right?
Well, you could always encrypt/decrypt your email locally and cut-n-paste it. I for one would prefer that to any encryption offered by the email provider.
I get concerned about my privacy when it is violated without my consent ... e.g. when I have no choice. ... they are not being sneaky about it, and you can opt to get your email on elsewhere.
...
GMail, in terms of privacy 'violations' (can't comment on the legal ramifications the article brings up) is perfectly fine
Nothing is free; make no mistake, you are paying for the Gig-o-storage; just not with $$, but by consenting to having your mail 'read', and ads presented in context.
The key point here is that you have a choice; everyone gets to decide whether it is a fair trade for themselves. Noone is being coerced; nothing shady is happening. Move along, nothing to see here
I understand why you would want to encrypt email. But in most cases is there really much of a point?
:)
When it is encrypted no one can read it, so it is reasonably safe from prying eyes but it is also useless to the intended recipient.
Once it isn't encrypted the recipient can now read it. They can also print it out, tell everybody about it, publish it in the paper, and/or forward it to a million of their closest friends, heck their email program could even do it for them
If you are worried about a stranger reading your email I suspect the greatest threat is once the email reaches its destination and no encryption is going to help there..... Yes, it would help when the data is on someone elses computer, but if you don't physically control the data, is the data really yours anymore, no matter how well encrypted it is?
the DoJ sucks ;-)
;-)
But that wouldn't still explain Gmail having less protection then the other mailservices. Even outlook has a function to search; does that give the DoJ the right to snoop in it because it's a 'searchengine'?
Besides...how *do* they know you have read those emails before they have actually seized them, and how can they seize them (without a warrant) with the excuse that it's in a 'lower legal' status if they actually have no right to do so, if the emails are not read?
It's sort off the chicken&egg problem. One that I hope will will make scrambled eggs out of their reasonings.
As for the EFF...the moment they will sponsor Freenet, I will donate something to them
--- "To pee or not to pee, that is the question." ---
So we've ended up in this strange zone where email could be encrypted as a matter of course, but it isn't. There is no inherent reason why email has to be public, but by our design (or lack thereof), this major massive system of communications is public, and for what benefit?
I'm not saying that people must be forced to use encryption, but that the ability to choose it should be there. To me choice means the two alternatives are sitting there, equally available... If there were big "Send: This is Private" and "Send: This is Public" buttons. Right now the "choice" is "Send" vs "Spend hours retrofitting your system and writing to your recipient to explain to them how to read your email, and getting your grandpa to use it- just give up trying to go there..."
As an analogy, if I say "lets start building doors and doorjams with locks built in," I don't think that equals "force everyone to lock their door." To me it means "make it as easy to choose to lock your door as keep it unlocked."
Imagine an alternative history where we on "Exchange-Dot" are talking about telephone design...
- "Phone calls are on party lines, anyone can listen" (Score: 3 Just Delightful)
- Of course phone calls are public- if you want privacy send a telegram. Get over it (Score 5: A Pearl of Wisdom)
- "If you want privacy, get a private line and ask the person you wish to call to install a private line too."(Score: 2)
- "But what if I know I might want to talk with more than that one person, wouldn't it be better if all phones were private lines? What if my elderly aunt cannot easily get a private line?"(Score 3: Quite)
- "What, have you something to hide? What type of gentleman are You? (score 0: Moderately Scandalous)
- "You should just refuse to talk with people on party lines: if your dear Aunt in Toledo is unable to install a private line then she isn't worthy of conversation" (Score: 1)
- "You have the right to a private line, but demanding all lines are private? How about we let people choose?"(Score: 1)
Now an influential company - GoG&G - is proposing a massive new rollout of telephone availability. And a Mr. B. Templeton, chairman of the Telephonic Frontier Foundation asks GoG&G to consider designing private lines right into the system. He's the sort of person who wants widespread private phone calls, writing:"The key to deploying private phone calls is to make it happen with close to zero involvement by the user... The reason is that I converse with tons of people, not just my closest Bell/linux-using electrophilosopher friends. If I want my conversations to be private, I have to get the general public using private lines...."
It, in retrospect, wouldn't be such a bad request for consideration by Google / GoG&G.
Above quote from UXN Spam Combat via the CF13 homepage, my comprehensive solution to unwanted email.
Case closed.
Besides, only dumb, clueless spammers would send their crap to
The whole uproar over GMail's focused advertisements is a tad silly, especially when you have voice box politicians calling for an outright ban. Does California ban supermarket "VIP" cards that track consumer purchases? If not, what's the difference here? In my neck of the woods (North Carolina) the supermarkets provide "discounts" in exchange for tracking your spending habits. Given enough information, they'll even provide you focused print ads.
My girlfriend borrowed my supermarket card the other day and ribbed me because the printed coupons had things like "tums", "pepto", "Gino's pizza rolls", and the like in sharp contrast to her's which generally had things like "mix green salads", "orange juice", etc. We're living with this type of advertising day to day already. Government shrills need to find something useful to rant about like, say, continued increses in property and sales taxes, polution, government waste, etc.
I don't see anyone up in arms over these pratices - why is it when we attach the word "internet" to every day things people get their panties in a bunch?
I've been using lycos mail for several years now and it really feels like they have already begun to keyword target ads based on the content.
When I have a lot of spam, I see garish ads for all sorts of things, but then I delete the spam and I start seeing regular name brand ads. I am very suspicious.
Also, the content of the emails seem to target proper names that I have mentioned in emails. Of course random sampling of such names over such a large number of spam might yield the same result, but I am a little suspicious that Lycos could be parsing the emails and collaborating with spammers. Not so sure about the spam, but the ad targeting seems obvious.
This is great, someone mod this up please.
If I don't want spyware on my system, and I know about the issues I can CHOOSE not to install Kazaa or similar. But the vast majority of people out there may not be aware that spyware exists or its potential for abuse, to them Kazaa is just a way to get something for nothing.
Isn't it right to protect people from corporations taking advantage of their ignorance?
In the perfect capitalist model where everyone has perfect knowledge and can make rational decisions weighing up the relative importance of privacy and conveniance then its OK to leave it to market forces to decide. But the world doesn't work like that.
Having a click through license or privacy policy doesn't really work either.
At the very least these discussions serve to make more people aware of the implications of having that much personally sensitive information potentially available to marketers, governments and corporations.
"Taligent is still pure vapor. Maybe they'll be the last who jumps up on Openstep... "
So according to this article, the protections of the ECPA expire if your email resides on someone else's server for more than 180 days. Did anyone else read that statement and immediately start wondering about their IMAP accounts?
http://www.thawte.com/email/
OK, this just proves the frog is more intelligent that the US public...
The antidote for misuse of freedom of speech is more freedom of speech.
-- Molly Ivins
notwithstanding the hoopla surrounding the gmail privacy concerns, lets say many people do indeed sign up for the service.
just spare a thought for the recepients of mails sent using gmail!!!!
So, completely separate from the issue of using SSL for secure transport we need a easy-to-use, transparent Web client so that encrypted attachments in your Google inbox may be viewed by recipients.
As earlier posters have mentioned, public key encryption use is not widespread. Yes, corresponding nerds have gone to key signing parties, verified ASCII armor, have strong pass phrases, and know how many links away they are in a web of trust. But 98% of the computer using public, and that includes at least 70% of my correspondants, have absolutely no clue about how to handle encryption.
What they need is for my GMail attachment to include a reference to download a Java viewer/application that helps them to setup a public key, read, search, email etc.
The important thing is that it would have to be done on top of the GMail interface. Of course it would be nice if it could be used for other free email account interfaces, too, such as hotmail.
Another advantage of this technology would be that spam filtering could be reinforced as users decide that only messages coming from a certain verifiable senders are worthwhile, etc.
"Provided by the management for your protection."