

Google says e-mail users should have no legitimate expectation of privacy - bonchibuji
http://www.scribd.com/doc/160041493/Google-Motion-061313

======
simonw
The "a person has no legitimate expectation of privacy in information he
voluntarily turns over to third parties" quote has been massively taken out of
context by everyone who is covering this story.

The overall case appears to be about people complaining that Google scanning
their emails and showing contextual ads is a privacy violation.

Most of this document is an explanation of why that shouldn't hold (Gmail
users agreed to this when they signed the ToS, automatic scanning is essential
for things like spam filtering and full-text search, legislating against this
will kill innovation in online services etc).

The section that contains the "expectation of privacy" quote is in reply to
part of the case which suggests that, while Gmail users may have accepted the
ToS, non-Gmail users who send an email to a Gmail user have NOT accepted that
ToS and hence are having their privacy violated.

The counter-argument presented is that, if you send a letter to someone and
they allow their assistant to open it, you shouldn't be surprised by that. The
analogy is that if you send an email to someone who has chosen to use a
specific email provider, and that email provider automatically scans your
email in some way, you shouldn't be surprised either.

As I read it, the "third parties" in the troublesome quote aren't Google
themselves - they are the recipients of your email who happen to be using
Gmail. You've turned over your information voluntarily to the recipient of
your email, they can then chose to allow it to be automatically processed by
the email provider they have an agreement with (without this violating your
expectations of privacy).

I call bullshit on the whole story.

~~~
antr
I see your point, it's clear and has plenty of logic to it. Then I guess that
the same argument will apply to my medical records, tax returns, GPS
coordinates of my car, GPS coordinates of phone, my pay-per-view TV
consumption, the who/when/where of the phone calls I make, etc.

Trust is vital in any economy that wants to function. This Google argument
will make me trust no one.

------
nisdec
Quote: "...they nonetheless impliedly consent to Google’s practices by virtue
of the fact that all users of email must necessarily expect that their emails
will be subject to automated processing.

Just as a sender of a letter to a business colleague cannot be surprised that
the recipient’s assistant opens the letter, people who use web-based email
today cannot be surprised if their communications are processed by the
recipient’s ECS provider in the course of delivery.

Indeed,“a person has no legitimate expectation of privacy in information he
voluntarily turns over to third parties.” Smith v. Maryland, 442 U.S. 735,
743-44 (1979)..."

I think this is a good summary.

~~~
runarb
Agree. The sender has no guarantee that the recipient haven't handed over
authority to open and read mail to somebody else. It is not necessarily
anything wrong with that.

At my office my secretary reads most of my snail mail, and at home I have
authorized my girlfriend to do the same. Gmail reads my email. In all cases my
reasons are the same; I am having a hard time keeping up with all the mail
that comes in and want someone to filter out what is relevant.

------
Shooti
Unless I'm missing something Google didn't "say" that, it was an explicit
quote from another court case (see PDF's Page 19).

------
hack37
Talking about privacy. Why use services like Scribd ? A simple link to the pdf
file hosted somewhere else would have suffice. I then can do my searches
locally without them tracking exactly what I do (who views what, who searches
what). SASS (Service as Software Substitute) is evil...

~~~
eitland
And even if you trust scribd isn't it just a usability nightmare or am I
missing something?

------
hrkristian
Should there not be a larger emphasis here on the nature of the service? It's
not humans reading the mail, and the gathered data -as far as I know- does not
enter the hands of a third party.

------
jkl32
Anyone still using Google services since the NSA revelations is an idiot. I'd
like to see them bankrupt after their betrayal of their do-no-evil and open
source roots.

~~~
txutxu
I still use google services.

I'm conscious of what happens, much before the NSA revelations this year.

I use 8.8.8.8 for DNS on some networks (for external resolution and for
nagios) knowing perfectly that each request is registered and extrapolated.

I use an apple macbook air for some tasks, even if I know I've no control over
many privacy issues in such machine.

On the other side, I've had offline networks for some data I didn't want never
go out of my firewall. The only conection of such networks, was a 2TB USB
disk, to update the mirrors of the software that such networks did need.

When I want to make something online not related to myself, I start from the
beginning: using hardware not related to me or my credit card, and using an
internet connection not related to me or my bank account.

I trust certain things, don't care about certain things, and care about others
(i.e. my webcams and micros are always with duck tape, since invented,
bluetooth? disabled, 3D in the browser? disabled, external fonts in the
browser? disabled, etc).

Should I wear an "I'm an idiot" t-shirt ?

~~~
jkl32
Yes. It's worse that you don't even have ignorance as an excuse.

~~~
txutxu
I don't seek any excuse.

I don't like cars, but I need to use one. I don't like the effects of our
civilization in the nature, but at the end I'm part of it to cover my basic
needs. And the same happens with internet and widely known services.

I don't approve unconstitutional surveillance, but I, from Europe, can't
change such _facts_

You may think I'm an idiot because I don't have ignorance as an excuse for use
certain services. I may think I'm not, because I don't need the media and news
to know what is going really.

You may feel superior just by calling people idiot. I respect your though
level, it's your life.

We think in different ways.

------
venomsnake
So - encrypt everything and send the keys trough snail mail? They can't read
legally the mail right?

~~~
dredmorbius
PKI specifically means you don't have to rely on secure key transfer.

Encrypt everything, and post your public key on any keyserver you choose.
There is very little sensitive information in a public key (though it can tie
you socially to another party, in a cryptographically strong manner, for those
who are concerned about such things).

But the point is that an out-of-band _and_ secure key transfer isn't required.

~~~
amboar
However, each party needs to be sure that the identity of the other is who
they expect, I.e. that a MitM is not occurring. Sometimes the best way to
achieve that is an out-of-band key exchange

~~~
dredmorbius
Correct.

An out-of-band key exchange, or OOB verification of messages, would work.
You'd start with messages of low criticality.

In Snowden's case, he didn't even identify himself to Poitras until they'd
been communicating for some months.

------
bonchibuji
See page 28

------
mtgx
It's like Google is asking their users to leave their service. How about
creating a Lavabit-like solution instead, Google, instead of telling users
that "if you use our service, you have no expectation of privacy"?

~~~
cheald
I'll take "Because Google's entire business model around email is processing
it to serve relevant ads next to it, which requires that they be able to read
it" for $1000, Alex.

~~~
toyg
They could still do that in a secure way, client-side, if they wanted: when
content is displayed in-browser, javascript could parse it, send home relevant
words (on an encrypted channel), and receive relevant ads. The server would
have to ensure that data is not saved, or it's anonymously aggregated right
away -- you'll have to trust their word on that, but that'll always be the
case.

Computationally expensive, maybe, but it's 2013 and browsers can take a bit of
abuse. It wouldn't cover people using POP/IMAP, but Joe Average doesn't bother
with that geekery anymore. Obviously it would take some time to implement, but
it _could_ be done.

~~~
codeka
They'd also have to do spam filtering client side, parsing the MIME to extract
inline images, attachments and so on, sanitize the HTML to protected against
XSS attacks, process it for full-text search, filtering into labels, auto-
forwarding and really absolutely everything that happens to an email. They
_all_ involve "reading" the email.

~~~
toyg
To be fair, that's all stuff that "real" email clients already do.

