Slashdot Mirror


On The Privacy Subtleties Of GMail, Other Webmail

Brad Templeton writes "After talking with Google folks and learning about E-mail privacy law from EFF (join!) lawyers, I have written a new essay on the privacy subtleties of GMail and other advanced webmail applications. Some of the fear has been overdone, but there are surprising issues due to the fact that the ECPA, written almost 20 years ago, wasn't prepared for fancy e-mail offerings like GMail. I issue a call for Google to encrypt your mail to avoid these issues."

31 of 298 comments

  1. What is a geek? by ObviousGuy · · Score: 5, Interesting

    This article goes right to the heart of my query. Rather, the existence of this article does so. Is a geek one who revels in technology and the pursuit of coolness in new technology? Or is a geek someone who is wrapped up in figuring out how technology will be used inherently for evil purposes?

    I like to think of geeks as the happy lot who wander the streets of Akihabara mesmerized by all the glitz and blinkenlights of the latest and greatest devices.

    The article demonstrates a new strain of geeks which seems to revel in stymieing the technological process by handicapping it at every turn.

    I imagine that any geek can encompass both forms, but I have a feeling that lately it is the boys who cry wolf that are taking over geekdom.

    --
    I have been pwned because my /. password was too easy to guess.
  2. Comment removed by account_deleted · · Score: 2, Interesting

    Comment removed based on user account deletion

  3. Re:grr. by eblis · · Score: 2, Interesting

    "People in America give away their privacy rights all the time"

    Just because the masses (morons) are constantly giving it away, does not mean we should continue to do it.
    I'm all for the use of gmail. Sounds great to me, but I'd like to be able to delete old emails permanently if I should choose to do so. What's wrong with that?

    --
    You want what with that?
  4. I'm already subject to this by veg_all · · Score: 2, Interesting

    But what laws keep my web host from searching my home directory? The insertion of ads based on such a search is secondary, and less important. That's where all my email is, for a while anyway. Or does some standard contract cover this?

    Jesus I have to go read that thing!

    --
    grammar-lesson free since 1999. (rescinded - 2005)
  5. Doesn't matter. by Xenographic · · Score: 5, Interesting
    All they have to do is a simple redirect and the advertisers might never know anything more than the keywords which triggered the email (nor even that it was *from* an email and not a web search).

    In other words, no more than they know if you click on a Google sponsored link right now.

    So, umm, in that case, don't sign up for a free trial of Out if you don't want one? *shrug* :]

    Honestly, MSN, Yahoo & co. can do all of this right now, should they desire, and they have very little incentive to tell us about it. Well, maybe in the UK it might be illegal, but if they exclude all people who are from it from the policy and never tell anyone... (as if that were meaningful considering how many fill in utterly false info there...)

    Hell, look at this current snip from the MSN Privacy Policy, which governs Hotmail:


    MSN keeps track of the pages our customers visit within MSN, in order to determine what MSN sites and services are the most popular.

    MSN also collects certain information about your computer hardware and software. This information may include: your IP address, browser type, domain names, access times and referring Web site addresses.

    Certain MSN services may be co-branded and offered in conjunction with another company. If you register for or use such services, both MSN and the other company may receive information collected in conjunction with the co-branded services.

    [...]

    MSN Web pages may contain electronic images known as Web beacons - sometimes called single-pixel gifs - that allow MSN to count users who have visited those pages and to deliver co-branded services. MSN may include web beacons in promotional e-mail messages or MSN Newsletters in order to count how many messages have been opened and acted upon.

    Web beacons collect only a limited set of information including a cookie number, time and date of a page view, and a description of the page on which the Web beacon resides. MSN Web pages may also contain Web beacons placed there by third parties in order to compile aggregated statistics and to help determine the effectiveness of our joint promotional or advertising campaigns. MSN prohibits web beacons from being used to access your personal information.

    [...]

    In addition, MSN allows other companies, called third-party ad servers or ad networks, to display advertisements on MSN Web pages. Some of these ad networks may place a persistent cookie on your computer. Doing this allows the ad network to recognize your computer each time they send you an online advertisement. In this way, ad networks may compile information about where you, or others who are using your computer, saw their advertisements and determine which ads are clicked on. This information allows an ad network to deliver targeted advertisements that they believe will be of most interest to you. Microsoft does not have access to or control of the cookies that may be placed by the third-party ad servers or ad networks.

    MSN maintains relationships with a number of the third-party ad networks currently operating such as: Ad4Ever; AdCentric Online; Ad Dynamix; AdSolution; Avenue A; BlueStreak; BridgeTrack; DoubleClick; efluxa; Enliven; Flycast; i33; Mediaplex; PlanetActive; Pointroll; Profero; Qksrv; RealMedia; RedAgency; TangoZebra; TargetGraph; TrackStar; Travelworm; Unicast. Those ad networks that use persistent cookies may offer you a way to opt out of ad targeting. You may find more information at the Web site of either the individual ad network or the Network Advertising Initiative.


    Where was this fuss over these terms? I at least trust Google more than MSN...
  6. Hooting, hollering, and howling about webmail? by LithiumX · · Score: 4, Interesting

    What is all this fuss about?

    People have been using webmail for years, and from what I've seen, it's become a great percentage of the email going back and forth. People leave a fairly good bit of mail there, going back pretty far if it's all text. The amount of space allocated has increased over time, which means they're being used... commonly... more and more as standard mail archives rather than just quickie anonymous email services.

    All Google is doing is taking what people have already been doing, including many of the people on here, and expanding it beyond any reasonable sense of proportion.

    And it will work. Because geeks love proportional reasonability failures.

    --
    Do not confuse "Freedom of Choice" with "Free Will".
  7. Call me old fashioned... by syousef · · Score: 4, Interesting

    ...but I don't like the idea of any company having gigabytes of my email, which it has conveniently filled with advertising

    A person's email archive belongs on their own hard disk. I wouldn't trust all my personal mail to a 3rd party (even if it was a highly accessibly safe box).

    --
    These posts express my own personal views, not those of my employer
  8. Re:No... by saden1 · · Score: 3, Interesting

    I have no secrets - I do, however, have sensitive information such as usernames and passwords sent to my email. So long as google isn't giving away my sensitive data to third party customers or the government without my knowledge and consent I'll be happy with their email service. I don't mind if they want to offer me cheap plane ticket every time the word flight is in one of my emails. If the ads are intrusive I'll be sure to leave them and find a service that is more acceptable to me.

    --

    -----
    One is born into aristocracy, but mediocrity can only be achieved through hard work.
  9. How about the ability to encrypt your own GMail? by MacDork · · Score: 4, Interesting
    Mozilla has crypto built in. So does IE. You can generate a certificate and get it signed for free at Thawte. Why not provide a simple interface to use that signed certificate so end users can encrypt their own email, solving the problem for those people who care?

    Learn how to cryptographically sign your mail in Panther

  10. This won't work by Anonymous Coward · · Score: 4, Interesting

    The problem with Google encrypting email is that Google, Inc is a global corporation, with translations into over 20 languages. While the US export regulations regarding cryptography have been relaxed somewhat, these laws are different in every region. I spent some time as a paralegal, and I'd estimate that the kind of research required to roll out large scale global encryption on this scale would take many, many months at a minimum and cost well into the millions of dollars.

    I doubt your privacy is worth that much to big old Google.

  11. Re:No... by platypibri · · Score: 1, Interesting
    I think the article did a more than adequate job of describing why we should all care about these privacy issues. What if I want my email to be kept private, but through ignorance or lack of options, I email several people with Gmail accounts? My messages to these individuals are being scanned and archived without my consent. That may not seem like too much to you, but it scares me. It sets up a scenario where my email could be seized as a public database, all while I had an expectation of privacy. Sound far fetched? How so? Google has explicitly stated that deletion of email from your account does not guarantee deletion from their servers.

    What do I have to hide? Nothing. But our country was founded by people who experienced tyranny and sought to take the power of tyranny from the government. Let's not give it back to them. We could lose our freedom at any time. We are just one bad administration from martial law. We must remain vigilant if we wish to remain free.

    --
    Yeah, I guess I'm funny like that.
  12. MAKE this guy some money so he can give it to EFF by paulydavis · · Score: 1, Interesting

    From article
    I've also consulted for Google on other matters and make surprising revenue from their Adsense program on my web site.

    I'm going to click every one of those ads. I am asking other /. 's to do the same. But....

    I also ask that the author donate some of the revenue from his self promoting article to the Electronic Freedom Foundation!

  13. A work around? by jb_davis · · Score: 1, Interesting

    What if you use some of the same tactics spammers use and scramble words you know would trigger ads? Inserting superfluous letters into words, or just type in 1337 5p34k could get around the ads. If Google can't recognize any keywords, how can it serve you an ad?

    --
    "Well, it took an hour to write, I thought it would take an hour to read."
  14. S'funny by ColaMan · · Score: 4, Interesting

    But in the time I've been idly following this issue, it seems to me that the whole conflagration is over one small mention that your emails may last forever in their system even if you delete them.

    Now, when first reading that, I just assume that this is standard ass-covering legal boilerplate. Stuff that conveys to the user, "hey, you might have deleted it, and we might have deleted it, but, you know, *somewhere* on a partition of one of our many cluster machines, there *might* be a copy of your email that possibly could be read with forensic tools, so don't sue us in the unlikely event of this happening."

    Is this the case? Is there more of an issue here?

    --

    You are in a twisty maze of processor lines, all alike.
    There is a lot of hype here.
  15. Is your life spelled out in YOUR email? by L0stb0Y · · Score: 4, Interesting

    From the article:
    "My e-mail contains the story of my life, and what's not in there is often recorded in my searches. "

    I've often wondered what someone could piece together from just reading my e-mail. Add the information on what I search on, and wow. My first reaction to this statement was that you couldn't really tell *that* much from email alone...but then I started to really consider how much more a statement like that becomes truth as we become more and more dependent on things like email- Some guy who works on your pipes may not have needed a net presence/email system in the past, but even 'non-tech' type professions are going to REQUIRE e-mail access/web search access...which in turn means that the privacy issues being brought up are problems in infancy; they will grow with us.

    I don't see requiring Google to encrypt email as the answer...in fact the gut reaction by most people will be that Gmail is not really that different than Yahoo, MSN, etc...the fact that Gmail is going to be free is great, and I'm looking forward to using it...anything that I'm overly worried about I'll encrypt myself.

    --
    "We are the music makers, and we are the dreamers of dreams."
  16. Re:free or not, Gmail is not good... by Anonymous Coward · · Score: 1, Interesting

    My girlfriend (now my wife) proposed to me by email.

    It happens.

  17. Re:free or not, Gmail is not good... by Anonymous Coward · · Score: 1, Interesting

    useta work at a service provider, had to sift through logs troubleshooting. search for "NAK" looking for protocol failures, turns out there's lotsa instant messages saying "i'm naked".

  18. Re:RTFA by Brandybuck · · Score: 4, Interesting

    Yes, I have read the article. Have the moderators? I think not!

    To quote from the article (to save the moderators from actually having to read it): "The most obvious step Google could take would be to encrypt a user's e-mail, searching index and other associated data, so it can only be accessed using the user's password, and of course that password should not be stored when an e-mail session is over."

    Nowhere in this quote does it say or imply that the government is involved with this encryption. In short, this is merely a call to Google to encrypt your email. Voluntarily. Without resort to government coercion to force them to.

    Please read the article. Then read the post I replied to. Then read my reply. You will see that it is completely apropos and on topic.

    --
    Don't blame me, I didn't vote for either of them!
  19. Huh? by rixstep · · Score: 4, Interesting

    Maybe I'm missing something too, but as others have pointed out (or will soon point out):

    1. I don't own Google and none of you do either.

    2. What Google do is their business, not ours.

    3. What we do is our business, and we can opt to not use a Gmail account.

    4. I can't see what kind of retard would want or need a GB for email no one ever looks at anyway. I like the storage but I would never use it for email - forget it, just forget it.

    5. The same people who think this is not only cool but necessary are probably those that thought Expose was a new operating system - all because they're not capable of managing their own work.

    6. There are lots of big companies who market excellent mass storage technologies. You'd probably be better off and with a more secure solution with them.

    7. I'd be an idiot to entrust my email to a company like Google. They're going to let me search for my own email. Gee, but what exactly stands between my email and anyone else's search?

    8. I really don't see the marketing point in it - from Google's standpoint. I like them but I fail to see how this is going to help them.

    9. Most of what you'll read between now and Gmail is talking head tripe written by wannabes who want to get some e-zine real estate and have no better way to do it. All privacy concerns considered, it's the same old mish-mosh all over again, and frankly I think it's a shameful bore.

  20. encryption vs indexing by IchBinEinPenguin · · Score: 3, Interesting

    "I issue a call for Google to encrypt your mail to avoid these issues"

    I thought GMail was supposed to index your mail to make it searchable.

    How will this work with encryption?

    You would reduce GMAIL from "1G of emails indexed by the internet's most popular search engine" to "1G of offline storage".
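
An added example (not from the article, from Google, or from any commenter) of the design quoted in comment 18 and questioned in comment 20: mail and its search index are both protected by keys derived from the user's password, and nothing derived from the password is stored. It uses only the Python standard library, so an HMAC-SHA256 keystream with encrypt-then-MAC stands in for a vetted AEAD cipher such as AES-GCM; `Mailbox`, `seal`, `open_sealed` and the sample messages are hypothetical names and constructed data.

```python
import hashlib
import hmac
import os
import re

def derive_keys(password: str, salt: bytes):
    """Stretch the password once, then split it into three independent keys."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    sub = lambda label: hmac.new(master, label, hashlib.sha256).digest()
    return sub(b"encrypt"), sub(b"mac"), sub(b"index")

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode (stand-in for a real stream cipher)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong password fails here."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or tampered data")
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))

def token(index_key: bytes, word: str) -> str:
    """Keyed hash of a keyword: searchable with the key, opaque without it."""
    return hmac.new(index_key, word.lower().encode(), hashlib.sha256).hexdigest()

class Mailbox:
    """Everything the server keeps at rest: salt, sealed mail, keyed index."""
    def __init__(self):
        self.salt = os.urandom(16)
        self.messages = []  # sealed blobs
        self.index = {}     # keyword token -> set of message ids

    def store(self, password: str, text: str) -> int:
        enc, mac, idx = derive_keys(password, self.salt)
        self.messages.append(seal(enc, mac, text.encode()))
        msg_id = len(self.messages) - 1
        for word in set(re.findall(r"[a-z0-9]+", text.lower())):
            self.index.setdefault(token(idx, word), set()).add(msg_id)
        return msg_id  # keys go out of scope here; none are persisted

    def search(self, password: str, word: str) -> list:
        enc, mac, idx = derive_keys(password, self.salt)
        ids = sorted(self.index.get(token(idx, word), ()))
        return [open_sealed(enc, mac, self.messages[i]).decode() for i in ids]

if __name__ == "__main__":
    box = Mailbox()
    box.store("correct horse", "Flight to Tokyo confirmed")  # constructed sample
    box.store("correct horse", "Lunch on Friday?")           # constructed sample
    print(box.search("correct horse", "flight"))
    print(box.search("not the password", "flight"))
```

The keyed tokens still reveal which messages share a word, and the server holds the keys while a session is active, so this protects stored mail rather than mail in use.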

  21. Re:No... by psiphre · · Score: 2, Interesting

    I disagree.

  22. Google Isn't The Government by handy_vandal · · Score: 2, Interesting

    Also, Google isn't the government.

    Ah, but this is a great premise for a novel -- by, say, Neal Stephenson and/or Bruce Sterling. (Or for that matter, the ghost of Philip K. Dick.)

    -kgj

    --
    -kgj
  23. This is like voicemail by Anonymous Coward · · Score: 1, Interesting

    Many people subscribe to the phone company's voicemail services. Aside from voicemail's annoying lack of searching and ad features, how is GMail any different? Shouldn't GMail be covered under the same laws in terms of privacy and warrants as voicemail?

    aQazaQa

  24. Re:not comparable by fucksl4shd0t · · Score: 3, Interesting

    gmail would be parsing private emails that are sent to your email address and targeting ads to you based on the keywords it selects.

    Um, if you're so worried about it, why don't you just keep using a pop client? That's what I'm doing, and I've got *much* more than 1GB of storage for my email. I've also got plenty of tools to search my email with (grep comes immediately to mind) when I want to search it, and I don't think Google can search my email *that* much better than I can already. I've got context in my head that Google doesn't have, and all I need is tools to narrow down possibilities.

    The real question is, what value does GMail add that I don't already have on my system? The answer, so far, is not much, if any. And any advertisements they add greatly detracts from the overall value of the service to me.

    If they're already engaging in proper disclosure of what they're doing, I'd like them to add something that shows what a referer field in your http header will look like when you *do* click a context-based ad in your inbox, along with a regular referer that would be shown when you click on ad on their adsense pages and their adwords.

    People don't understand how much information is already being transmitted by http, and I'd like to see more of that being shown as part of 'proper disclosure'. But other than that, I don't see how Google's service is so great.

    --
    Like what I said? You might like my music
  25. Re:Reasonable expectation of privacy? by btempleton · · Score: 2, Interesting

    My point is that in 1986, the government did declare that E-mail had that expectation of privacy, and that a warrant would be needed to get it, just as for phone calls or letters. We have not lost that -- yet. If more people believe as you do we will lose it. That would be a shame.

    The issue with enhanced webmail is that the DoJ believes it goes beyond the definitions of an email service that has the expectation of privacy, and could indeed bring about the "email is public" regime you describe.

    --
    Has it been over a year since you last donated to the Electronic Frontier Foundation
  26. Re:No... by btempleton · · Score: 2, Interesting

    I indicate in the article that indeed, you can just not use it. The issue in question is that millions of people will use it, if Google is as successful as their track record indicates, and what that means for the privacy of their email, and of mine when I send to them.

    Of course we have a right and a duty to explore these issues, and to make people aware of them, and to argue for improvements in the design of systems to make things better for everybody.

    As I write at the end, privacy is peculiar among the rights in that you don't worry about it much until after it has been violated. Privacy remains only when some are willing to worry about it beforehand.

    --
    Has it been over a year since you last donated to the Electronic Frontier Foundation
  27. Re:free or not, Gmail is not good... by evilviper · · Score: 2, Interesting
    On the right hand side, google text ads hawking caskets, flowers, funeral homes. It's tacky, to say the least,

    How is a text ad worse than a banner ad?

    I still have a printout of a news story about a child being killed in a burning house, with an IOMega banner for CD-Recorders, saying "Burn, Baby, Burn".

    Unfortunate coincidences are going to happen, no matter what.
    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  28. email and the human right to privacy by geekotourist · · Score: 4, Interesting
    Some posters seem resigned to the idea that email isn't private- it's a postcard, it's public. True, right now one has to treat it as such: all sorts of conversations you can have on the phone or written out in snailmail ought not to be held via email.

    This could be changed. Technologies have gone from public (non-private) to private and protected before. Consider the switch from party lines to private lines in the telephone system. Now that we live in the 21st century shouldn't we demand a similar switch for email?

    Because privacy is, at its core, a fundamental human right. Every communication system we use should have privacy built in: if it's not, there should be a very good reason why not. "Oh dear, it will take extra computational cycles" is not a good reason, not with the small footprint crypto already here. "Oh, Ashcroft doesn't want it" is even a worse reason.

    Why is privacy a basic right? From the well-written essay by Canada's former privacy Czar

    "If Parliament and the public at large have been slow to react, it is probably because for most people, most of the time, privacy is a pretty abstract concept. Like our health, it's something we tend not to think about until we lose it - and then discover that our lives have been very unpleasantly, and perhaps irretrievably, altered.

    But though we tend to take it for granted, privacy - the right to control access to ourselves and to personal information about us - is at the very core of our lives. It is a fundamental human right precisely because it is an innate human need, an essential condition of our freedom, our dignity and our sense of well-being."

    " ...A popular response is: "If you have nothing to hide, you have nothing to fear.

    "By that reasoning, of course, we shouldn't mind if the police were free to come into our homes at any time just to look around, if all our telephone conversations were monitored, if all our mail were read, if all the protections developed over centuries were swept away. It's only a difference of degree from the intrusions already being implemented or considered.

    "The truth is that we all do have something to hide, not because it's criminal or even shameful, but simply because it's private. We carefully calibrate what we reveal about ourselves to others. Most of us are only willing to have a few things known about us by a stranger, more by an acquaintance, and the most by a very close friend or a romantic partner. The right not to be known against our will -- indeed, the right to be anonymous except when we choose to identify ourselves -- is at the very core of human dignity, autonomy and freedom.

    "If we allow the state to sweep away the normal walls of privacy that protect the details of our lives, we will consign ourselves psychologically to living in a fishbowl. Even if we suffered no other specific harm as a result, that alone would profoundly change how we feel. Anyone who has lived in a totalitarian society can attest that what often felt most oppressive was precisely the lack of privacy...

    "...The bottom line is this: If we have to live our lives weighing every action, every communication, every human contact, wondering what agents of the state might find out about it, analyze it, judge it, possibly misconstrue it, and somehow use it to our detriment, we are not truly free. That sort of life is characteristic of totalitarian countries, not a free and open society..."

  29. Echelon by tehcyder · · Score: 2, Interesting
    Well, nobody's mentioned it so far that I can see, but if you're feeling paranoid, I think the US/UK government mass trawling of communications is far more worrying than anything Google might come up with to earn a bit of extra cash.

    Link here

    --
    To have a right to do a thing is not at all the same as to be right in doing it
  30. Seriously: HushMail does encrypt your mail by RogL · · Score: 2, Interesting

    I know you were kidding (hope you were kidding), but - HushMail's free/premium Web email service encrypts email both on their servers, and from your browser to their servers.

    Once it gets sent out to another server, it's (potentially) a different story. Most email is still sent unencrypted; HushMail gives you the option of sending as plain-text or sending encrypted (PGP/GPG compatible, I believe).

    The main point relevant to this story: a compromise to HushMail's servers will not result in someone else reading your email. It also means, you'd better not forget your passphrase, or your stored emails become irretrievable random-looking gibberish!

  31. a big "This is Private" button? Design v. Retrofit by geekotourist · · Score: 2, Interesting
    As I wrote elsewhere here, the use rate of encryption for email is ridiculously low (less than 10% for Diffie of all people!?). And the UI and ease of use for encryption add-ons aren't so hot either.

    So we've ended up in this strange zone where email could be encrypted as a matter of course, but it isn't. There is no inherent reason why email has to be public, but by our design (or lack thereof), this major massive system of communications is public, and for what benefit?

    I'm not saying that people must be forced to use encryption, but that the ability to choose it should be there. To me choice means the two alternatives are sitting there, equally available... If there were big "Send: This is Private" and "Send: This is Public" buttons. Right now the "choice" is "Send" vs "Spend hours retrofitting your system and writing to your recipient to explain to them how to read your email, and getting your grandpa to use it- just give up trying to go there..."

    As an analogy, if I say "let's start building doors and doorjambs with locks built in," I don't think that equals "force everyone to lock their door." To me it means "make it as easy to choose to lock your door as keep it unlocked."

    Imagine an alternative history where we on "Exchange-Dot" are talking about telephone design...

    • "Phone calls are on party lines, anyone can listen" (Score: 3 Just Delightful)
    • Of course phone calls are public- if you want privacy send a telegram. Get over it (Score 5: A Pearl of Wisdom)
    • "If you want privacy, get a private line and ask the person you wish to call to install a private line too."(Score: 2)
      • "But what if I know I might want to talk with more than that one person, wouldn't it be better if all phones were private lines? What if my elderly aunt cannot easily get a private line?"(Score 3: Quite)
      • "What, have you something to hide? What type of gentleman are You?" (score 0: Moderately Scandalous)
      • "You should just refuse to talk with people on party lines: if your dear Aunt in Toledo is unable to install a private line then she isn't worthy of conversation" (Score: 1)
      • "You have the right to a private line, but demanding all lines are private? How about we let people choose?"(Score: 1)
    Now an influential company - GoG&G - is proposing a massive new rollout of telephone availability. And a Mr. B. Templeton, chairman of the Telephonic Frontier Foundation asks GoG&G to consider designing private lines right into the system. He's the sort of person who wants widespread private phone calls, writing:

    "The key to deploying private phone calls is to make it happen with close to zero involvement by the user... The reason is that I converse with tons of people, not just my closest Bell/linux-using electrophilosopher friends. If I want my conversations to be private, I have to get the general public using private lines...."

    It, in retrospect, wouldn't be such a bad request for consideration by Google / GoG&G.