Does Gmail breach wiretap laws?

Three nonprofit groups alleged this week that Google's forthcoming Gmail service violates California wiretapping laws--but lawyers who specialize in privacy law were skeptical of the claim.

In a letter sent to California Attorney General Bill Lockyer on Monday, the Electronic Privacy Information Center argued that Gmail must be shut down because it "represents an unprecedented invasion into the sanctity of private communications." Gmail provides one gigabyte of Web-based mail storage in exchange for context-sensitive advertising that appears on the right side of the screen.

"We believe that Gmail violates California's wiretapping laws, subjecting both Google and Gmail users to criminal and civil penalties," said the letter, also signed by the Privacy Rights Clearinghouse and the World Privacy Forum. "Accordingly, we respectfully request that your office investigate the Gmail service."

Stewart Baker, a partner at Steptoe & Johnson who advises technology clients on surveillance-related topics, said EPIC's analysis was flawed. "This is a pretty Luddite notion that if the machine reads my mail, then I've been wiretapped," Baker said. "That would set (Web based) services back quite a ways."

The attempt to pull the plug on Gmail, sent just days after Google published its plans for an initial public offering, claims that the free e-mail service violates Sec. 631 of California's criminal code. That section applies to any person or business who "in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit."

Baker said that because Gmail's terms of use authorize it to review the contents of stored e-mail, any wiretapping allegation would be difficult to make. "There is an effort--we saw it with DoubleClick; we saw it with Intel--to create a dead zone around a technology, to make people think it's dangerous to go there," Baker said. "I think this is a losing strategy. But their view would be that it creates privacy sensitivity. It may slow down the technology, and it's good publicity too."

A spokesman for Lockyer said: "We have received the letter, and we'll review it and decide on an appropriate course of action." The spokesman said he could not recall any previous incident in which the state had forcibly shut down a company's service on privacy grounds. Google did not immediately respond to requests for comment.

A closely allied collection of nonprofit groups has been campaigning fiercely to shut down Gmail, even though the free service is not yet open to the public. EPIC gave an award last month to a California state senator who introduced a bill to block Gmail, and Privacy International has asked government agencies to shut it down. Last week, EPIC raised the question of the FBI's involvement in the design of Gmail, which Google immediately denied.

Jim Harper, a lawyer who runs the privacy advocacy Web site Privacilla.org, said Gmail is legal because it reviews only stored e-mail and does not meet the "in transit" definition of a wiretap. In addition, the relatively dumb computer program that matches keywords doesn't meet the California law's "read" or "learn" requirements.

"It's ridiculous," Harper said. "Is a faxed letter that is copied and used in different ways also subject to this interpretation? Maybe there's some future set of computers that comprehend in the way we can agree on, but we're not there yet in artificial intelligence...(The anti-Gmail) groups are intellectually rootless opponents of commerce and progress."

Guess who Stewart Baker is?

Stewart A. Baker was the National Security Agency's top lawyer from 1992-1994, where he promoted the key escrow system for the Clipper chip. EPIC, on the other hand, was a key opponent of the Clipper chip. It's curious that Declan McCullagh quotes Baker as his preferred expert on privacy issues, and notes that Baker said that "EPIC's analysis was flawed" on the issue of machine scanning of email. (What does McCullagh feel about Baker's advocacy of key escrow? After all, it's even smaller than a machine -- it's a tiny, little chip! How harmless!)

The point that McCullagh misses in all of his pieces on Gmail, is that those without Gmail accounts who end up sending mail to someone at gmail.com haven't consented to anything. Nothing in the Gmail privacy policy applies to those without accounts, and Google has yet to state that they won't be saving the incoming email addresses, and associating them in their database along with the keywords they'll be extracting from those incoming emails.

It's time for CNET News.com to take McCullagh off of the "Gmail is wonderful" beat. He's not very competent at hiding his pro-Google colors.

[heslingaj]

Do you understand e-mail?

E-mail is not private. It hasn't ever been, and as long as it is not sent encrypted, it won't ever be. Gmail is no different than any other e-mail system based on server message storage (and there are many others).

When you send an e-mail message, you are consenting for it to travel, in plain text, between any number of servers on its way to its destination. It's like sending a postcard through the mail. Any number of people could intercept and read it along the way.

You want privacy; you don't use e-mail or you use secure e-mail. The anti-Gmail crusaders need to take a deep breath and focus on actual technological threats to privacy, of which there are many. It's technologically ignorant to focus privacy attacks on Gmail, and it's bad public policy to start hysterically crying for government to investigate and ban new technological services that will offer significant benefits to consumers. If the "privacy" zealots and demagogues succeed, the only real losers will be the rest of us.

[Remo_Williams]

One point struck me.

I have no problem with GMail use, if you consent as a user to have your email scanned in exchange for 1 Gb of space. However, the previous comment has the missing piece to the equation: do I imply consent if I email a GMail user? I would say "no".

The idea of cleartext email not having an expectation of privacy is well-established. However, SMTP relays are authorized to "read" the email, much the same way a postman is protected if he accidentally scans your postcard while dropping it in your mail slot. He's authorized to deliver the mail.

The same is not true for some indicting normal and expected email flow. I have a right to expect my email is not scanned by SMTP admins for their amusement, but I would be remiss in not encrypting sensitive email. No one has the right to take a $20 bill from your car's dashboard, but you're negligent to some degree if you leave it out in the open with the windows rolled down.

The first person to successfully integrate Winzip or WinRAR encryption into the top five mailers wins the prize. Transparent encryption will make all of this a moot point (I'll leave key exchange to someone else)

Remo

[JSanguancheu]

Do these people have nothing better to do???

If people know how the service works and agree to it through the authorization when registering, what's the problem here??

If people don't read and just click YES then it's their own fault.

Where else do you get 1Gb of storage space for free?!

There's a cost to everything.

Stop wasting taxpayer money and find something more useful to campaign for.

JS

[smkatz]

no consent issues/spam filters

Every single spam filter in existence on AT&T Worldnet, AOL, Yahoo, and Hotmail all access and parse your e-mail.

They have to..

Furthermore, how could the SMTP process work without Google recieving the messages?

The problem with regulating this is two-fold:
1. There is nothing intrinsically wrong with Google's idea. (Most messages on Gmail don't display ads.)
2. This could have disastorous effects should it be allowed to set a precedent.

3. To rebuff the consent argument, I have the right to record my telephone conversations and you need not know about it. (This may not be true in California..) *however* the Internet is a completely different animal.. you have no expectation of privacy when sending someone an e-mail. It goes *unencrypted* across many computers. I have the right (as Steve Jobs demonstrated with his handling of RealNetworks) to forward this letter to the New York Times.