
Google sued for data-mining students' email - sp8
http://nakedsecurity.sophos.com/2014/03/18/google-sued-for-data-mining-students-email/
======
facepalm
What do they mean by "Google is reading our mail" \- has Google reached
sentience?

Just to display it on GMail, one of Google's servers has to read the mail. If
they claim that Google has achieved sentience, the implications could be very
far reaching...

I mean perhaps this lawsuit will clarify when algorithms will be considered
sentient.

~~~
throwaway2048
the exact same arguments could be applied to the NSA

~~~
facepalm
Except that the NSA doesn't have a website for checking my mail and I am not
explicitly sending my mail to them.

~~~
throwaway2048
your post had nothing to do with that, you claimed google wasnt "reading"
email because it was all automatic scripts, behind some facetious rhetoric.

The situation with the NSA collecting and reading email is no different,
specificly in terms of datamining the contents.

~~~
facepalm
I wasn't claiming anything, I am asking what it is supposed to mean. It's
interesting that a machine reading something can be described as the action of
a juristic person. I do think the implications would be that web mail becomes
impossible.

What exact part of "reading" is a privacy violation?

------
not_paul_graham
_The plaintiffs are seeking payouts for millions of Gmail users. The financial
damages would amount to $100 per day of each day of violation for every
individual who sent or received an email message using Google Apps for
Education during a two-year period beginning in May 2011._

So assuming at least 1 million users, they are seeking:

1,000,000 users * $100 per user * 365 days per year * 2 years = ~ $73 billion
in damages.

I'm not commenting on whether data-mining on Google's part was right or wrong,
but why isn't there any limit to the amount that companies can be sued for?

It seems impractical for the people suing to sue for around 73 billion dollars
when the product/service is essentially free.

~~~
ronaldx
The cost of the product is surely irrelevant here: If the product damages your
life (in an unexpected way), you should be able to sue to recoup those
damages.

In this case, presumably the individuals may have been signed up to Google
Apps for Education without their direct consent (or, it was an unstated
requirement of their courses to sign up).

Also note: companies have access to liability insurance to cover them for
being sued out of existence. Google presumably have a budget for lawsuits.

~~~
Tomdarkness
My experience with Google Apps is when you create a new user the first time
they log in they are presented with the T&Cs they have to agree to before they
can use the account.

~~~
prawn
If this Apps for Education platform is targeted at children, are many unable
to consent to terms perhaps?

~~~
svenkatesh
Apps for Education targets Universities.

~~~
dalke
Quoting from the article: "Apps for Education is used by K-12 schools and
institutions of higher education throughout the world..."

Go to the Apps for Education page at Google, select "Customers", choose "K12"
and it lists 10 primary and secondary education school systems as profiled
"customer stories".

For example, "Saline Area Schools is a suburban/rural public school district
of 5,450 students K-12 located in southeast Michigan, about 50 miles west of
Detroit." ... "Encouraged by the success with faculty and staff, the Saline IT
team will soon roll Google Apps out to their 3,200 students in grades 5-12."

[https://docs.google.com/file/d/0B5AOHQcS-
cAeODQ3MGVkNGEtNzJm...](https://docs.google.com/file/d/0B5AOHQcS-
cAeODQ3MGVkNGEtNzJmNS00MTE5LTliZmEtZjNiZGRmODZiM2Fm/edit?pli=1)

~~~
svenkatesh
This is the full list of places where they're used:
[http://www.google.com/enterprise/apps/education/customers.ht...](http://www.google.com/enterprise/apps/education/customers.html)

Most are universities.

~~~
dalke
That is "not the full list". That is a list of "customer stories", and
certainly a subset of the full list.

In fact, it's the site I suggested you visit. Next, use the pull-down under
"all types" to see that the three targets are "K12", "Organization", and
"University".

------
account99282
_The suit maintains that, because such non-Gmail users who send emails to
Gmail users never signed on to Google 's terms of services, they can never
have given, in Google's terms, "implied consent" to scan their email._

This. One victim is the private mailing list: There's always at least one sap
who subscribes using google mail.

My personal hope is that suits like this will one day push them to discontinue
gmail.

~~~
thaumasiotes
But this is nonsense. The sender doesn't need to consent; the recipient has
all the legal power over his mail. If I want to engage a company to keep files
on all my paper mail, and all associated metadata, there's nothing you can do
to stop me.

~~~
e12e
> If I want to engage a company to keep files on all my paper mail, and _all
> associated metadata_ , there's nothing you can do to stop me.

(my emphasis)

Well, in Norway I could report the company for storing personal data without a
license to do so. Essentially any database (even list of phone numbers[1])
that contains personal data (name, contact information, any other information)
is regulated. The laws have been somewhat modernized, so that it is assumed
that it is ok for a school to give out (and keep) contact information to
households/parents of a class -- or for a business to keep a database of
customers, for example -- but you most certainly are not allowed to "just keep
a lot of data on people because you can".

If you were to do it as a private person, you would most likely never get
caught, of course -- but as a business you'd essentially be committing a crime
-- and could face (rather steep) fines.

This is why Norway (along with a few other European countries) have taken a
rather dim view of Facebook -- and note that with Facebook, users _do_ consent
in general (barring the shadow profiles, information uploaded by users
regarding non-users etc).

------
driverdan
Original, non-blogspam article:
[http://www.edweek.org/ew/articles/2014/03/13/26google.h33.ht...](http://www.edweek.org/ew/articles/2014/03/13/26google.h33.html)

Original HN post:
[https://news.ycombinator.com/item?id=7427368](https://news.ycombinator.com/item?id=7427368)

------
Houshalter
If you send an email to a gmail user of course you are consenting for their
email service to process the email. Things like spam filtering and preloading
images depend on this.

~~~
onion2k
You could be consenting for the email service to do _reasonable_ processing on
each individual email (eg filtering and preloading). Sending an email doesn't
necessarily have to give the receiving agent permission to build a profile for
the specific sender that maps all the emails they send to the service to
multiple, separate recipients on to a single graph.

Also, with Google's "Google Apps for Business", a user can use their own
domain for their email. Sending someone an email doesn't inform the sender
that they could be contributing to a Google profile.

~~~
magicalist
You can send me an email and I can do quite a bit with it at that point,
regardless of what you want me to do with it. That includes generating ads for
me to look at to pay for my free email. You might have a copyright claim, but
the implied license you give by sending me that email would go quite far.

~~~
onion2k
I wouldn't argue that the recipient, eg the Google email account holder, has
much claim on how Google profiles him. He has chosen to use Google's service.
I'm talking about the _sender_.

For example I use onion2k@myemailprovider.com to send emails to
alice@gmail.com, bob@gmail.com and charlie@gmail.com. Google now have a
profile for onion2k@myemailprovider.com with a graph that includes nodes for
alice@, bob@ and charlie@ and edges for the relationships between the four
people, and links to anything we've discussed. If david@gmail.com then sends
an email to onion2k@myemailprovider.com Google know that david@ has a second
order link to alice@, bob@ and charlie@ _despite the fact that they have never
communicated or informed Google of this relationship_ , because Google have a
profile based on onion2k@myemailprovider.com - an address that Google might
not have a justifiable reason to be building a profile on.

Whether or not you believe that is a reasonable use of data is up to you. Some
people think it's not.

~~~
magicalist
I don't understand. Any email provider can reconstruct that kind of
relationship. What's special about Google in that case?

~~~
onion2k
Google aren't special in this case. They're simply the one we know do data
mining on email for their ad network, so they're the one we're talking about.
If it came to light that other email providers who also run ad networks (or
share data with ad networks) were doing the same thing then people would ask
the same questions of them.

------
Zenst
Firstly the EULA (which nobody reads) does cover this and then the aspect of
you get what you pay for and again their choice compeletely how they wish to
spend thier money, or not in this case as it is a free service they are using.

Also the cusomised ad advertising is an option you can opt out of, so once
again I'm not understanding the issue here beyond grabbing some headlines for
mistakes that were avoidable on many levels.

~~~
lumpygravy
_Also the cusomised ad advertising is an option you can opt out of, so once
again I 'm not understanding the issue here beyond grabbing some headlines for
mistakes that were avoidable on many levels._

As far as I understood from previous coverage and reading the privacy policy,
the point is that e-mails are mined even if ads are turned of for the domain.
The resulting profiles are then used for showing contextual advertisements in
services that are not in Google Apps (e.g. Google search and Google+).
Google's lawyers have also admitted that this is true. IANAL, but reading the
privacy policy and the ToS for Business accounts, it seems to be the same
there.

Of course, you can completely opt out of interest-based ads, both on Google
services as on Google ads across the web. But I assume that profiles are still
built, if not used.

A related problem is that persons sending e-mail to a GMail address (which
could be hidden behind a non-gmail domain) never consented to the ToS and
their e-mails are profiled. To which Google's reaction was: "all users of
email must necessarily expect that their emails will be subject to automated
processing." [1] IMO there is a difference between scanning e-mail for spam
and viruses, and using the content to build a profile of the sender or
receiver.

[1] [http://www.theguardian.com/technology/2013/aug/14/google-
gma...](http://www.theguardian.com/technology/2013/aug/14/google-gmail-users-
privacy-email-lawsuit)

~~~
Oletros
Do we have a proof that Google profiles non Gmail users?

Take into account that process the email is not the same that profiling that
user

~~~
Zenst
May be based upon the assumption that if Facebook did it, then Google must
also do it.

------
LammyL
It is really interesting how people get so concerned when google "reads" their
email to target ads at them, but they expect google to "read" their email to
filter spam. The machine act of text processing of the email is same in both
cases, yet only one is offensive to users.

