A Briefing On Public Policy Issues Affecting Civil Liberties Online
from
The Center For Democracy and Technology
(1) Google's GMail Highlights General Privacy Concerns
(2) Background on Web Email and GMail
(3) Policy Concerns Associated with Content Searching
(4) Policy Concerns Associated with Third-Party Email Storage
(5) CDT's Preliminary Recommendations
Google's proposed GMail service, announced recently, has received widespread attention and attracted a good deal of privacy criticism. Two specific features of GMail -- its searching of the content of its users' email in order to serve targeted ads and its offer to store on Google's servers enormous volumes of old email -- do raise privacy concerns. However, Google has been quite clear about these features, giving potential users the ability to weigh the pros and cons of the service. Moreover, it is important to note that most of the privacy concerns associated with GMail are the same as or similar to concerns posed by other similar services, albeit heightened because of the magnitude of what GMail is proposing.
Simply put, on the content searching issue, ISPs and other service providers are already using machines to scan the contents of email, especially to block spam. As to the risks of remotely storing email, users and policymakers need to be aware that, under current statute and case law, any records stored on the server of a third party -- documents, calendars, email -- do not enjoy the same privacy protection as materials stored in one's own home or on one's hard drive.
In this Policy Post, CDT offers some preliminary recommendations to Google and other providers of similar services. We also renew calls that we have made over the years for legal reforms that will extend stronger privacy protection to personal materials stored with Web-based services.
For several years, various companies have provided email service on the Web to consumers who agree to receive ads while they are looking at incoming mail and to allow ads to be appended to their outgoing mail.
In many ways, these services exemplify the democratizing potential of the commercial Internet. They are open, flexible, globally available, and, in most cases, free. Individuals can set up multiple accounts for different purposes. In the context of concerns over workplace privacy, CDT has suggested that individuals in the U.S. utilize these free accounts instead of work email addresses when sending personal email because, under current law, an employer can monitor email sent and received over the employer's system.
Last week, the Internet search company Google announced that it was testing a new Web e-mail service of its own called GMail. The service has three features that distinguish it from other free email services:
Generally speaking, all email communications in the U.S. are protected by the Electronic Communications Privacy Act (ECPA), which requires a court order for government interception of email in transit or in storage incident to transmission. Generally, ECPA prohibits service providers from reading the email of their customers unless the customer has given consent. One exception, however, allows ISPs to scan the content of their customers' messages in order to "protect the rights or property" of the service provider. For years, under this authority, ISPs have been scanning the content of messages to look for spam and email infected with viruses, among other purposes. This is legal under ECPA despite the fact that the ISP may not have received the direct consent of the sender of the email, because the service is doing so to protect its rights or property (i.e., its servers).
However, all ISPs should probably also be very clear in their terms of service and their privacy policies as to what they are doing to scan the contents of email. And since Google's searching of contents goes beyond spam detection, Google will have to get very explicit consent from GMail users.
Google's practice raises the interesting question of whether users need to be concerned about machines reading their email, if no human ever sees anything. In 2000, the FBI defended its Carnivore device, placed in ISPs to search the emails of many customers looking for those to or from a designated target, by arguing that only the machine rather than a person was looking at the emails of innocent people.
Regardless of whether customers will put faith in the fact that a machine rather than a person is scrutinizing their email, GMail should be based on explicit prior consent, whereas the FBI, in carrying out interceptions, does not give notice to the person or persons whose messages are being scanned or recorded.
Google's "evolving" privacy policy for GMail explains that the only information it will use in serving ads is the name and login, collected directly from the user, and the content of the particular email with which a given ad will be associated. Google states that it will not ask for demographic information upon enrollment in GMail, nor will it be compiling user profiles based on email content. According to the policy, content information will not be shared with third parties for marketing purposes.
Google has also said that it currently plans to use the same cookie for its web search engine, GMail and all other Google services to provide users a single sign-on. This raises the concern that correlation of data between services will be very easy if Google ever decides to move in this direction. One story quotes a Google official as saying that the company may in the future want to correlate search engine usage with email content. Google's policies currently state that this correlation could only be used to help improve GMail, not other Google services. Many other Web services also use single sign-on for multiple services, although no others have suggested that they intend to use the contents of emails to the extent Google has. Since the cookie's only benefit to the user is the single sign-on, users who don't want the convenience can simply block the cookie without any other impact on the service. New cookie controls in browsers offer users even greater ability to block all cookies from Google or delete the cookie regularly, although only advanced users are likely to protect their privacy in this way.
One other area of consideration is state wiretapping law. A number of states have laws that require the consent of all parties to a communication. It is unclear how these laws would apply to the kind of scanning that would occur with GMail.
For a number of years, CDT has raised concerns about the low standards under which government agents and civil litigants can get access to personal information stored on a third party server.
ECPA was written in 1986, before the World Wide Web even existed. At the time, Congress was focused on protecting the privacy of communications in transit, not on the protection of stored data. DOJ argued that data stored with a third party did not enjoy the protection of the warrant clause of the Fourth Amendment. ECPA adopted a two-tiered rule: email in transit, or in storage incident to transmission for 180 days or less, may be obtained by the government only pursuant to a search warrant issued under the probable cause standard of the Fourth Amendment. Email in storage for more than 180 days loses this protection and becomes a stored record that may be obtained with a mere subpoena, issued on a very low standard, normally without any review by a judge. In neither case is the user entitled to contemporaneous notice that his email is being seized by the government. Moreover, the DOJ argues that once an email is opened by the recipient, it loses the protection of a communication and becomes a mere stored record, no matter how recent it is.
Also, under current federal law, ISP customers are not entitled to notice when their email is subpoenaed in civil lawsuits. This means that parties in divorce cases and other civil disputes are able to subpoena records held by an ISP or any other third party with no notice to the owner of the email account.
Google has also pointed out that residual copies of email may remain on its systems, even after the user has deleted them from his or her mailbox and even after a user has terminated the account. Again, this is true of all email systems, but highlights the limitations of ECPA in the area of third party storage.
CDT has recommended a series of improvements to ECPA that would update the law to take into account the nature of Web-based services:
For more background on the law and CDT's recommended reforms, see Executive Director Jim Dempsey's April 6, 2000 testimony on "The Fourth Amendment and the Internet".
CDT is still examining the complex issues related to GMail. Based on our preliminary research, we offer the following recommendations:
With full notice, Internet users should be able to decide whether to accept scanning of their email in return for free services. Consumers should be fully aware of the implications of using a system that scans messages as a requirement for using that system. All service providers should be very explicit about their practices in scanning emails for any purpose.
Detailed information about online civil liberties issues may be found at http://www.cdt.org/.
This document may be redistributed freely in full or linked to http://www.cdt.org/publications/pp_10.06.shtml.
Excerpts may be re-posted with prior permission of ari@cdt.org
Policy Post 10.06 Copyright 2004 Center for Democracy and Technology