By Doug Miller, SafeGov.org

Many of us have been following a legal case being fought in California in which 10 plaintiffs are suing Google over its practice of scanning the content of private Gmail messages for the purposes of showing ads related to the content of the user’s email.

The plaintiffs and many privacy organizations claim Google “unlawfully opens up, reads, and acquires the content of people’s private email messages” and this violates California’s privacy laws and federal wiretapping statutes. Google states that it has always done this and “all users of email must necessarily expect that their emails will be subject to automated processing.” Google also states that the revenue gained by delivering context-sensitive ads to Gmail users enables it to offer a free service. In fact, Google was just awarded a patent related to scanning the content of emails, ranking the content and matching ads to the content.

For anyone who has ever read Google’s terms of service or privacy policy, this admission by Google should come as no surprise. It is pretty clear it scans all content and input from users of Google services, including personal information that is required in order to use the service, and amasses all of this information in a master profile that is used to determine your interests, location and demographic information. Google’s business model is based on using that information to then sell ads to companies who want to get their products and services in front of potential customers who are most likely to buy. This model has worked well for Google. Based on this practice it has built itself into a $50B a year advertising powerhouse. Some users would also argue it works well for them. In exchange for being exposed to ads that actually may be relevant to what they are interested in, they get to use Google services such as Gmail and YouTube for free. So Google asks: where’s the harm? The harm may be that this practice may be illegal. And that’s what this precedent setting case is all about.

Where’s the Harm?

There may be other indirect forms of harm when you think about how Gmail is used. If a lawyer or doctor, using a non-Gmail system sends a private message to a customer that uses Gmail and that email gets scanned, has client-attorney privilege been violated or has personal healthcare information been inadvertently disclosed to a third party. While Google would argue that no humans are involved in the scanning, it is clear that humans do see the results of this scanning. For example, imagine a co-worker happens to see a big ad for DUI legal services on your Gmail screen or the recommendation that your psychiatrist join Google+ is shown to your friends.  The disclosure of private emails sent by non-Gmail users, who never agreed to Google’s terms, to Gmail users is a key part of this case. As Texas attorney Sean Rommel states, “The injury is two-fold: the privacy invasion and the loss of property. Google is taking people’s property because they can get it for free as opposed to paying for it.”

We may never know the full extent of the scanning that takes place in Gmail as Google has asked the court to redact information related to scanning in court documents. However, the Electronic Privacy Information Center (EPIC) has created a Gmail Privacy FAQ that provides a lot of useful information and is a “must read” for anyone who uses Google Gmail.

The Questions That Have Not Been Asked

According to the Washington Post, Google attorney Whitty Somvichian said “it’s ‘inconceivable’ that someone using a Gmail account would not be aware that the information in their email would be known to Google.” Google has also stated “a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.” Finally, Google has also stated that the scanning of email helps to pay for the costs of running a free service.

Now let’s tie in the fact that Google provides Gmail as a service for businesses, schools and governments as part of its Google Apps program. We have asked the scanning question before and the answer back has been, these customers do not see ads when they use Gmail (unless they chose to enable ads). But that is not the question in this case. Here are the questions that should be asked (and answered):

Does Google scan the private content of Gmail messages used by Google Apps customers? 

Should Google Apps customers have a legitimate expectation of privacy since they have handed over their information to Google?

Private Gmail contacts are used by Google to recommend friends in Google+
(names and photos blurred)

Google has also argued in the past that Google Apps customers are bound to a different privacy policy when they use the service. Maybe this is the case for a small number of Google Apps users but for the rest of us, the standard Google Privacy Policy determines our privacy rights as highlighted on Google’s own Enterprise Privacy Center – which clearly links to the consumer-oriented privacy policy. If you are a consumer using Google’s services or a paying Google Apps customer, you should really read this policy to make sure you are ok with the terms. This policy allows Google to collect and “combine personal information from one service with information, including personal information, from other Google services” and use the combined information to improve services and display “more relevant search results and ads.” Google is arguing you agreed with these terms when you chose to use its services. But what if your institution is using Google Apps? Have you really been given a choice whether your private information can be shared with Google?

What about Education Users?

Another troubling aspect of this case is Google’s insistence that it has a right to mine private emails and show relevant ads in order to offset the costs of running its free services. So how does this impact education users of Gmail? Google Apps for Education is offered to schools for free therefore it seems likely that Google is scanning these emails and is monetizing the information to help offset the cost of offering the free service.  Google states that by default it does not show ads to kids who use Google Apps but in fact, kids always do see ads when they use other Google services such as Google Search or YouTube. So the question then is:

Does Google scan the content of our kids’ emails and monetize that information through advertising on ad-based services such as YouTube?

According to the Google Privacy Policy, it is allowed to do this. But again the question should be asked: under the current COPPA and FERPA laws, is this legal? And as parents, are we ok with our kid’s private information and communications being shared with a school-sponsored Google Apps program?

Landmark Case

This is definitely a case worth watching and the outcome will not just impact Google but will set the rules for any online company that uses private user information to make money. But will this case go far enough? Should we be looking beyond consumers and also look at how private business, school and government information is also being used and whether these practices are legal as well?

Doug Miller has worked in the enterprise and government IT space for over 25 years. For the past 8 years, Doug has been the principal consultant with Milltech Consulting, a company focused on business and technical consulting in the areas of interoperability, migration and competitive strategy.