Slashdot Mirror


On The Privacy Subtleties Of GMail, Other Webmail

Brad Templeton writes "After talking with Google folks and learning about E-mail privacy law from EFF (join!) lawyers, I have written a new essay on the privacy subtleties of GMail and other advanced webmail applications. Some of the fear has been overdone, but there are surprising issues due to the fact that the ECPA, written almost 20 years ago, wasn't prepared for fancy e-mail offerings like GMail. I issue a call for Google to encrypt your mail to avoid these issues."

18 of 298 comments

  1. grr. by SinaSa · · Score: 5, Insightful

    This is pretty ridiculous if you ask me. People in America give away their privacy rights all the time, without any worry. Most of the YRO stories on slashdot are just about that. But when a half respectable company like google decides to provide a free service, which you aren't obligated to use, people go crazy.

    I don't understand it. If you can't handle an automated script putting some ads in your emails from a simple world relation algorithm, maybe you should just, not use it?

    Nobody raised this size of a ruckus over Orkut's similar cookie features, especially considering they hold a far larger quantity of personal information than GMail ever will.

    --
    The last digit of pi is four.
    1. Re:grr. by LostCluster · · Score: 4, Insightful

      Just because the masses (morons) are constantly giving it away, does not mean we should continue to do it.
      I'm all for the use of gmail. Sounds great to me, but I'd like to be able to delete old emails permanently if I should choose to do so. What's wrong with that?


      Because rarely in Information Technology does "Delete" really mean "purge this beyond recognition from the system right now!" We all know that in most modern OSes, "Delete" just sends the file to a holding bin from which it can be "Undeleted". When we mistakenly delete something at the office, it can often still be recovered from a backup tape or backup server.

      So, it's no surprise that Google's going to be using some caching, indexing, and mirroring that's going to be a little bit slow on the uptake when somebody hits delete... it'd be rather hard for them to run GMail without doing things that way. I highly doubt they want to keep every e-mail that "passes through" and then gets deleted. Still, they're not going to make you any promise as for how long your delete request will take to process, just so that they're on the safe side should something ever go wrong they won't be caught breaking their promise.

      Why does everybody take the most paranoid view when interpreting a pretty friendly privacy policy?

  2. Re:No... by Jameth · · Score: 5, Insightful

    Why do people always call out, "Just don't use it!" If the minority who saw the truth just ignored the majority product throughout history, we'd be fucked. The minority fighting for change has vastly improved the world on a regular basis.

    Also, Google isn't the government. Read what you are replying to.

  3. Re:No... by metlin · · Score: 5, Insightful

    Why call Google to encrypt your mail? If you are that concerned, you could go ahead and encrypt it yourself.

    And if you are not bothered to do it on your own, or are not concerned enough about security, then you have no business complaining about Google.

    Like the parent poster said, if you do not like Gmail, do not use it. What did you expect? Somebody off the street to come and give you an e-mail account with the coolest features for free with almost nothing from your side? Well guess what, in real life there is no such thing as free lunch.

    And as for the "masses" out there, there's probably way more information floating around in the form of spyware and the like that gather data, than through something like Gmail.

    This is the problem if you are the biggest guy around - everyone finds some reason or the other to pick on you.

    He is right about the freak-out factor, but then for all you know, it's probably a ploy from competitors to put Google at a disadvantage (you never know!).

    And besides, if you are that concerned about secure information, plain e-mail is akin to sending confidential information on a postcard.

    If you want confidentiality, encrypt your stuff. Why should Google do it for you? If you are that concerned, go ahead and do it yourself.

    Encryption is a serious resource overhead - and encrypting for a very large number of people/subscribers (which Google will most certainly have) for very large amounts of data (which again, Google does and will have) is going to be a serious drain of resources.

    And it is true - now even for the simplest things, Google is getting picked on. Despite the fact that they are perhaps the most benign (yet) of all the corporates out there. I guess people need someone to rant about. And sugarcoat it all with, "I love Google, but..."

  4. Re:What is a geek? by Jameth · · Score: 4, Insightful

    I think this is occurring because geeks are the ones who actually understand technology. As such, they feel that they are the only ones who see the danger.

    To the masses, technology is divine. They don't realize that technology is as often demonic as it is angelic.

    Of course, this particular technology isn't very demonic and people are just having fits for fun these days, but the general shift towards conscientious geeks is a good and proper thing which often functions for the benefit of all.

  5. free or not, Gmail is not good... by sdedeo · · Score: 5, Insightful
    As far as I can tell, Gmail's biggest problem is this: "Dear son, your grandma died suddenly. Details on the funeral ASAP. Call me." On the right hand side, google text ads hawking caskets, flowers, funeral homes. It's tacky, to say the least, and I have little respect for people who are willing to let ads into their private lives to this degree.

    Tackiness aside, though, if there are privacy problems, they need to be addressed. Yes, I know that Gmail is the ultimate in "opt-in." Don't like it, don't use it. This should make privacy concerns a moot point: interesting to debate, but nothing to fume about.

    But google is a huge service. If Gmail is launched, people will flock to it in droves. Not just geeks, but ordinary people who have no idea how much of their private lives are lived "in plaintext." The privacy of many, many people, even those who do not use Gmail, is at stake.

    Imagine, for example, a phone company that halves your rates in exchange for being allowed to sell transcripts of your phone conversations. Don't like it, don't use it -- but what about my rights to privacy when I call you? The simple answer ("don't call people with NoPrivacyPhone") is no solution at all.

    --
    Protect your liberties. Donate to the ACLU
    1. Re:free or not, Gmail is not good... by edhall · · Score: 4, Insightful

      I've learned of the deaths of people close to me via email, twice. I also first learned of the cancer that ultimately killed my father, and my mother's Alzheimer's, via email. People use email for the same sort of things they used to use snailmail and even phone calls for, and that includes delivering bad news.

      I spent an hour or so yesterday going through news about the Columbine 5th anniversary. (There's a family connection that ties me to the tragedy.) Twice I encountered Google-based ads for shooting schools -- not exactly what I wanted to see. I hope their ad selection for email is a bit more sensitive.

      Another thing: you and I know quite well that keyword-based ads are just the result of some algorithm and not some faceless person perusing the text. But I suspect that a significant fraction of the public is going to find it creepy even if Google manages to avoid the negatives. Five years from now when direct exposure to AI-based phenomena is more common this won't be as much of an issue. But it might be one now.

      -Ed
  6. Re:No... by zhiwenchong · · Score: 5, Insightful

    Personally I don't have issues with Gmail... in fact I'm looking forward to getting an account.

    However, if one is really concerned with privacy, I have to say that the "don't use it" argument doesn't really cut it. While one may not use Gmail directly, invariably one will need to send mails to people with Gmail accounts some time or the other, and the contents of those mails will end up in Gmail servers.

    One might argue that email is inherently public anyway, so sending mail to Gmail address is no different from sending mail to any other email address. (anyone with a packet sniffer in the correct place can peek into the contents of your mail). Well, sure... okay.

    But don't keep repeating the cliched "don't use it" credo. It isn't really as simple as that.

  7. everything has a price... by NCraig · · Score: 5, Insightful

    Such a mild invasion of privacy is the price you pay for free email with massive storage. To those who balk at the terms: how much would you shell out for a "secure" GMail?

  8. What about anti-Spam programs by $0.02 · · Score: 5, Insightful

    I do not see any privacy issues if a program reads my email in a single pass and adds ads as soon as it does not store the data, does not integrate and post-analyze the data, does not use the data for profiling, etc. Plus, you do not have to use gmail at all. However, if gmail raises privacy issues then what about anti-spam programs that read and analyze your email whether you want or not? Moreover you do not even know if there is an anti-spam program when you send your email to foo@bar.net. Then what about censorship issues with anti-spam programs? If someone sends an offer for viagra to president@whitehouse.gov, and an anti-spam program stops it, is it an instance of anti-Constitutional censorship? I do not say that anti-Spam programs are evil but rather just making a point about too harsh fear of the beast that was not even born yet (officially).

    --
    If enithin kan gow rong it whil. (Murfey)
  9. What I wanna know by andih8u · · Score: 4, Insightful

    Is how everyone's reactions would be different if this was Microsoft doing this?

    "1gb email! They're just trying to corner the market and force all the other webmail companies out of business!"

    "They can read your mail?! They're probably selling it to some clandestine government agency!" (at which point michael would pop up and post a link to his favorite article on the government buying large ram disks)

    My point is, I wonder how much leeway Google is being given simply because they use linux and are a good search engine.

    --
    slashdot, news for crazed liberal socialist zealots
  10. Can't emphasize it enough by Seven001 · · Score: 5, Insightful

    I know others have said it, but really, if people don't like it they don't have to use it. Nobody is being forced in the least. There are plenty of other free email providers. The big comeback to that so far has been, "but what if I have to send an email to someone on GMail". You can't pick the phone service provider for a person you call, just like you can't pick a person's email provider for them. If you are that paranoid and whatever you are sending needs to be soooo private, then I doubt you'll want to be sending to a free email address of any kind anyway. I swear, some people just bitch to hear themselves bitch.

  11. Gmail - What privacy concerns? by YrWrstNtmr · · Score: 4, Insightful

    Because we keep back-up copies of data for the purposes of recovery from errors or system failure, residual copies of email may remain on our systems for some time, even after you have deleted messages from your mailbox or after the termination of your account.

    How is this any different from what all other email providers do? As they make backups, generally it gets stored to tape. Later on, you stroll through and delete it. It still exists on the tape.

    When you are logged into your Gmail account, Google will display targeted ads and other relevant information based on the content of the email displayed.

    How is this different from what Yahoo does? Targeted ads based on search entries.

    Oh wait...Google is honest enough to tell us up front.

  12. Re:No... by LostCluster · · Score: 4, Insightful

    But don't keep repeating the cliched "don't use it" credo. It isn't really as simple as that.

    Actually, it is. If you're not prepared to trust Google handling e-mail, just who exactly are you going to trust? You don't own an end-to-end wire leading to anybody else in the world. You're just going to have to trust that your ISP or your phone company isn't tapping your connections.

    Google's got a rather straight-forward privacy policy posted, and they've even clarified it with an FAQ to try to calm the extraordinary fears over GMail. If you don't still trust Google to do what they say they're going to do... you don't particularly belong on the Internet. How do you know that Carnivore isn't capturing every packet being sent to you right now under some PATRIOT Act secret warrant signed personally by John Ashcroft?

  13. Re:not comparable by Xenographic · · Score: 5, Insightful

    The anti-spam and anti-virus scripts already parse all of your mail. This is simply a different bit of parsing.

    Also Google can and most likely will, due to the outcry as well as their own code of ethics, limit how much an advertiser can infer from what ad you clicked.

    Ideally, it would be no more than anyone gives away by clicking ads in the search results (and I note that you need never click these ads if you don't want to...). This is something no one had a problem with before, after all, however much it told them about your searches (and we all should know by now that every single worthwhile log parsing script pulls out the keywords people visit your site via... right?).

    Honestly, I'm more worried about the warrantless search provisions and such this could fall prey to. Even so, I trust Google far more than the other services which are undoubtedly now copying them for this.

    Honestly, I'd almost like them to patent a few provisions of this (provided the patent was narrow enough) and simply keep others from copying Google and doing the whole service badly, in a way that would be horrible from a privacy standpoint...

  14. Server-side encryption is useless. by scrod · · Score: 5, Insightful

    If you don't trust Google to keep your email private, why should you trust them to encrypt your email without using an escrow key or some equivalent?

  15. Because Google might actually listen? by geekotourist · · Score: 5, Insightful
    If you're the sort of person who wants more encryption used in email i.e.:
    "The key to deploying encrypted mail is to make it happen with close to zero involvement by the user. This is hard, and requires some security compromises that have made cryptographers uneasy in the past.

    However, I have come down to the view that getting encryption widely deployed, even with some minor flaws, is better than getting perfectly designed encryption (if that's even possible) that hardly anybody uses.

    The reason is that I exchange mail with tons of people, not just my closest linux-using nerd friends. If I want my mail to be private, I have to get the general public encrypting. This is a particular concern with new laws just passed granting U.S. law enforcement the power to read the "header" of a message -- including the subject lines of E-mails without a warrant. In addition, other nations have always had such powers, and on top of it all, most ISP backbones and mail servers are poorly secured from snooping by almost any system cracker trying to invade your privacy...
    Then you'll ask the technology companies most likely to listen to a request to add easy-to-use encryption to their product. Whatever Google could come up with might be much better than the poor-UI, hard to install, barely any use email encryption systems currently around. Just a nice, clean button saying "I feel Private" or somesuch thing.

    Current use of encryption for email is terribly low: I remember when Whitfield Diffie was asked at a Computers, Freedom and Privacy Conference a few years back how many emails sent to him were encrypted. Because you'd expect him to be way up at the top of the list of people who get encrypted email... under 10% was his reply. Oh, and Zimmermann was also in the audience... same answer.

  16. Wake up by Underholdning · · Score: 4, Insightful

    Someone should be whacked over the head with a clue bat. It seems to me, that the core issue here is, that someone (this "someone" being a script) is reading everybody's mail.
    Well... what the heck do they think Bayesian filters do? A lot (most) of email providers offer spam filtering including Bayesian filters. Guess what - they read your email! - in the same way that gmail does.
    Sheesh.