I was not thrilled about this, more of the principle of the thing than for any major harm caused by that particular disclosure. http://www.kalzumeus.com/2006/07/28/googles-lawyers-admit-to...
If Google checks its spam logs to ensure a mass mailing wasn't classified as spam, is that really equivalent to Microsoft's action?
Checking spam logs is a lot more benign than rummaging around through a specific user's email.
If the NSA only checks the logs of people to see if they received an email, is it ok because they were just looking for "terrorists"?
I find the old "companies can do what they want, just use someone else" fallacy very tired.
I can't simply change my email address; that is something easier said than done. This isn't MySpace we're talking about or some dating service. This is my online identity and more and more my real life one at that.
Google already deliberately violates the RFPs defining the expected behavior of their SMTP server by rewriting your headers when they want to. If they feel entitled to change your outgoing email messages, the other stuff shouldn't be too surprising.
Regarding being surprised, I'm not.
Monitoring for a "read bit" on the message is the only way to confirm proper delivery.
Not sure why it surprises many people that Company X has access to the data stored on their servers especially when no explicit contract has been signed stating otherwise.
"Google said that their users should assume that anything electronically sent through Google’s servers is fair game to used for ads, or other purposes."
To put it bluntly, Google says, “a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties."
So nope, it is within the context unless there is a legal requirement to use users' data for ads or other purposes.
Also: Thanks for sharing that. Another nail in the coffin.
foo@bar:~$ dig -t mx kalzumeus.com
;; QUESTION SECTION:
;kalzumeus.com. IN MX
;; ANSWER SECTION:
kalzumeus.com. 3600 IN MX 20 alt1.aspmx.l.google.com.
kalzumeus.com. 3600 IN MX 10 aspmx.l.google.com.
kalzumeus.com. 3600 IN MX 30 alt2.aspmx.l.google.com.
kalzumeus.com. 3600 IN MX 50 aspmx3.googlemail.com.
kalzumeus.com. 3600 IN MX 40 aspmx2.googlemail.com.
Puh-lease? Fanboyism? That's uncalled for/the wrong tone, really.
The only corroborating evidence is drunk hearsay. The supposed fallout is implied. I mean, he just knows that Google read his mail - but he doesn't have any solid ideas if his source, with whom he has a direct relationship, was fired?
No matter what one wants to think of Google, there is not a single ounce of meat on this story.
Arrington's exact quote, "shown an email that proved that they were the source" actually doesn't say it was an email between Arrington and the source, although I'm fairly sure that's what was meant.
Edit: To be fair, I suppose we should consider that the average guilty person isn't going to do well when confronted with specific, correct accusations, even if the evidence was faked or incorrect.
I'd like to agree. If this was true, this would be very shocking news for me and a lot of other people. I work for one of the many startups which use Google Docs and Google Mail. If Google would be willing to look at a journalist's emails to "find a leak", how could any company trust them not to look at their secret communication? Especially if they had a real interest in doing so at some point, so they wanted to launch a competing product, invest in a competitor or acquire the company in question?
But even assuming the most vile malice on Google's part, the vast, vast majority of the data people store on their services just isn't interesting to them (except to algorithmically process to serve ads).
1) He had a huge scoop on his hands but he passed because he was worried about the safety of his business. Something a journalist shouldn't even think about. Unprofessional and proof of a big conflict of interests.
2) He never ran the story on TechCrunch because he knew the source was drunken bullshit and couldn't be used for anything that aspired to be called "reporting". Therefore: this post is bullshit because it's based on that same source.
2 - The fact the source communicated with you using a non Gmail account is of minor importance, because you were communicating with a Gmail account with a source working at Google breaking a story about Google. It is not very smart. Really.
2 - Did the source get fired? If not, there is a good chance "they" were lying: It's not like a company will keep an employee leaking stuff (if the story was "that" major).
3 - Did you address the source by their name in your correspondence, or talk about any identifying details? Meeting place? Phone numbers...
Most people just don't realize how much info they're giving away because they're accustomed to talking in a certain way.
This is important to the story. If the source had communicated using their work (Google) email, then you could argue that Google hadn't accessed the reporter's Gmail account, but had instead invoked their (possible) employment agreement terms and read the Google employee's email. Without insider knowledge, no one could know for sure.
On the other hand, since the source used a non-Google email account, the only two possible ways that Google could know are: 1) if they read the reporter's emails or 2) if they have access to non-Google email services to read emails of arbitrary accounts.
Was the source using a Google laptop? Was he or she using a Google network? Was the non-Google email service using SSL "several years ago" when this happened?
If the source used Google equipment and unencrypted email service, then the message is in plaintext on Google's network. No need to open Arrington's Gmail to read it.
It's much more likely that they either 1) read Arrington's mailbox or 2) keylogged the crap out of the Google laptop the guy likely used. The latter method is not foolproof, whereas it's known that Google does have the capability to use the former. Occam would see 1 as the most realistic explanation.
Read a wrongful termination case where an employee's abusive outgoing emails were accessed/grounds for dismissal. Employee lost.
From the article:
>A little while after that my source was no longer employed by Google.
It is very curious though. What was in those e-mails that could possibly identify the source? He works at Google, a tech company. The reporter works at TechCrunch (that covers tech companies). If anyone should know they must take extra care not to leave traces, it's a guy working for Google and another working for TechCrunch. It was reckless.
Even assuming his drunken source was accurate and truthful, there are other explanations for how Google could access the source's email.
This event happened "a few years ago", when Yahoo, Hotmail and AOL weren't protecting their email with SSL. Google could easily watch unencrypted traffic crossing its internal network and flag sensitive communications.
If they're not doing this, they should be. They don't have to read Arrington's Gmail to get his source's unencrypted communications with a non-Gmail provider, as long as his source was using a Google computer or a Google network.
- choice A: Google is logging all unencrypted communications from their staff (a rather vast amount of information altogether, I suspect, given how Google employees throw data around), in order to be able to go back retrospectively and wade through it to find leakers
- choice B: Google grepped through Gmail to find the leaker, which they have a complete legal right to do and has a marginal cost of zero.
Personally, I use my own SMTP server to do all of my mail. It is not completely secure since the NSA can see everything, but it's better than trusting Google or Hotmail.
So basically he's ok with screwing over potential sources because he didn't want to be assed to change his email provider? Classy.
What? It is pretty clear from the article that his response was to change his e-mail provider.
You are referencing what happened after the fact.
So, no, he's not ok with screwing over potential sources.
Assumptions are forbidden. Trust that a company he just wrote about won't read his e-mails is beyond comprehension.
And that cost someone their job and, probably, he's burned: Any employer will phone Google to get their opinion. I don't know if they agreed to keep it secret, but I'm pretty sure there will be a part where you'll have: "Off the record? We fired him/her because he/she leaked a story to TechCrunch" in that phone call.
And yes, I'm pissed.
I mean, just ask yourself... If you were Google and someone broke a major story about you, and he uses Gmail... Wouldn't you want to sneak a little peek?
I wouldn't do that if I were a child. That's just like invading a country, and using its postal services to transmit sensitive information: It is just ... I can't picture that.
No, I wouldn't, but I guess I was taught differently. On a business note, it is a clear signal to everyone that Gmail is not a service you can use if you have ANY business dealings with Google. If you are tempted by this then you would be tempted to look behind the scenes of anything involving Google.
A cop in a dark alley with a shady guy won't think: "I'm a good guy who's been well raised. I don't stab or shoot people.. This fellow citizen must be an upstanding one, let me just turn my back to him". If a cop thinks that way, he chose the wrong profession. I used the word naïve, but at that level of naïveté, it's being a stupid person or someone who doesn't want to live.
* I understand that sarcasm was implied
Are you saying that it's 'normal' that companies log everything going out over smtp/submission and log it?
Even if that is
- legal (really?)
- part of the contract (no idea why that'd be okay)
that sounds like something you shouldn't do, period. I'm reasonably sure that this would never work in Europe, for example.
Also, typically you do that kind of correspondence from home.
They're certainly able to, and have the keys, but they're not allowed.
Privacy laws should be created (or interpreted) to provide similar protection for the privacy of our data stored by a service.
But the main point is: an apartment is not an information system. Throughout history, governments have spied on information systems and systems providers will too. Hell, spouses spy on each other, given the chance.
It is simply common sense to limit the attack surface you present by hosting your own mail server - or not to care.
The only people who get "free" gmail, are people with an @gmail.com account, which in these days seems to be an awfully bad approach - makes it hard to switch your email to another provider if you run into issues with the old one.
In my case, alternatives and other solutions are generally too high-effort for me to bother with.
I'd bet most people who know but don't care feel similarly.
Privacy and email do not mix, and maybe never will. Attacking the victims of the NSA spying does nothing to stop the NSA from doing the spying.
I am not a lawyer, and I'm not the one making the call for my clients on any potentially legal matters. Would appreciate to hear the thoughts of those with experience in this area.
My gut feeling is that, although users may have signed T&Cs allowing this, UK/EU courts would hold that there is a reasonable expectation of privacy around the mailbox, and so the Regulation Of Investigatory Powers Act 2000 (RIPA) would apply. This means that such a host couldn't go digging themselves into the email.
However, a potential route in could be via getting the source to make a subject access request under the Data Protection Act 2000 (DPA) into the organisation, supplying their external email address, in response to which there would be a very tenuous grounds to release the mail. However:
1. I'm fairly sure that this would be considered a misreading of the DPA, and hosted mail would be considered information held by the client, rather than the host
2. There's such an obvious claim here that all of this would have happened under duress, and that's a huge can of worms....
So in conclusion, I suspect the only way to legally get at such an email within the UK/EU would be via working with law enforcement, or via one of the two parties to the discussion providing it.
Most of the relevant acts of UK law are descended from common EU legislation, and apply broadly across the EU, hence the repeated use of UK/EU here.
Unless you're working in certain very strict offices with clear Security Operating Procedures (SyOPS) and regular training, UK/EU courts are likely to rule that even corporate email systems can be considered to hold personal communications protected under RIPA.
from the article: "The source had corresponded with me from a non Google email account, so the only way Google saw it was by accessing my Gmail account."
Which leads me to believe "they" didn't do it from work.
 - http://silentcircle.wordpress.com/2013/10/30/announcing-the-...
Same goes for Hangouts for that matter. As soon as TextSecure is fully cross-platform, I'm switching completely to it.
> if a decent looking/working e-mail client with end
> to end encryption appears this year, I'll move to it
> almost immediately.
> So if Google wants to keep me as a Gmail user,
> they'd better enable the DarkMail protocol
> or something similar in their e-mail client.
> As soon as TextSecure is fully cross-platform,
> I'm switching completely to it.
This means any startup even open to acquisition should probably avoid hosting private communications with likely buyers including Microsoft, Google and Facebook. When millions of pounds may be on the table it just isn't worth the risk that somebody in the big company decides they want an advantage in the negotiation.
There doesn't seem to be any mechanism to have them do so :-(
Personally, I would have said "fuck you" and walked away. They are never available to speak to when you need them. Even when being helpful and reporting bugs, they don't even acknowledge having read it. They always need to come to you. No, fuck that, help your customers for a change.
I know this is semi off-topic, but it so bugs me about Google (and basically most other major tech firms) that this is the knee-jerk reaction to reading the story, instead of the actual point.