Hacker News new | comments | ask | show | jobs | submit login
About that time Google spied on my Gmail (uncrunched.com)
248 points by uptown on Mar 21, 2014 | hide | past | web | favorite | 124 comments

Google also had a class-action suit by AdWords advertisers many years ago. They settled. This required messaging all members of the class. Typically this is handled by postal mail. Google also delivered messages over email and, in the bargain, decided if your email address ended in gmail.com they'd take a peak at certain information in your Gmail account to make sure you had gotten it. We know they did this because Google's lawyers bragged about it to the court in a legal filing.

I was not thrilled about this, more of the principle of the thing than for any major harm caused by that particular disclosure. http://www.kalzumeus.com/2006/07/28/googles-lawyers-admit-to...

> they'd take a peak (sic) at certain information in your Gmail account to make sure you had gotten it

If Google checks its spam logs to ensure a mass mailing wasn't classified as spam, is that really equivalent to Microsoft's action?

Checking spam logs is a lot more benign than rummaging around through a specific user's email.

Its a line they crossed. You dont have the right to decide where that line is for other people. You can reason it into the benign all you like the fact is they were snooping in a targeted way.

If the NSA only checks the logs of people to see if they received an email is it ok because they were just looking for "terrorists"?

They have the right because it's their service. No one is forcing you or anyone else to use their email service. If you don't like it, you're free to move to another email service. Or better yet, do what I did and just have it go straight to your own domains email.

I'm sorry but I still have a right to privacy no matter whom the service belongs to. Companies cannot overturn my rights simply because they own the service. They are a carrier whether they like it or not and have to adhere to certain standards at the very least on social responsibility grounds.

I find the old companies can do what they want just use someone else fallacy very tired.

I can't simply change my email address that is something easier said than done. This isn't myspace were talking about or some dating service. This is my online identity and more and more my real life one at that.

"have to adhere to certain standards"

Google already deliberately violates[0] the RFPs defining the expected behavior of their SMTP server by rewriting your headers when they want to. If they feel entitled to change your outgoing email messages, the other stuff shouldn't be too surprising.


Honestly I dont trust google in the slightest. They probably have more I formation on me and my peers than any other entity in the world. I'm not saying they are utterly untrustworthy or inherently evil, I simply dont just don't trust anyone that much.

Regarding being surprised, I'm not.

If there is a sadder moral standard than "might makes right", I am unable to bring it to mind.

Your statement is correct, but not relevant. Even if they had total market dominance, it would be a stretch to compare them to somebody using physical violence, and they certainly don't go out of their way to lock you into using gmail (compared to Yahoo, for instance, who didn't let me set up email forwarding without upgrading to a paid account).

Physical violence isn't the only form of might. "Might" is a synonym for power. And ownership, which is what squintychino claims justifies their actions, is certainly a form of power.

For what its worth I understood.

Please stop the meme that surveilance and spam filtering are equivalent. Thanks.

Checking if a message is marked spam or not isn't the best way to confirm a legal delivery. Say, I setup my Gmail to forward all mails to my thunderbird or outlook but when it gets there, the respective clients accidentally filter the specific message as spam, what then?

Monitoring for a "read bit" on the message is the only way to confirm proper delivery.

If you forward your mail to thunderbird, then gmail would have no knowledge of how you marked it.

If you are using IMAP, it keeps the status of the message synced with the server.

That wasn't the only case, there was one incident where Google employees were caught sniffing users accounts [1]. Also Google have themselves said not to expect any privacy on GMail [2].

Not sure why it surprises many people that Company X has access to the data stored on their servers especially when no explicit contract has been signed stating otherwise.

[1] http://www.wired.com/threatlevel/2010/09/google-spy/

[2] http://phandroid.com/2013/08/13/gmail-privacy-concerns/


To quote from the article:

"Google said that their users should assume that anything electronically sent through Google’s servers is fair game to used for ads, or other purposes."

To put it bluntly, Google says, “a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties."

So nope it is within the context unless there is a legal requirement to use users data for ads or other purposes.

And if you read the actual motion[1], you'll see that's referring to people that send email to people with gmail accounts, not the account holders themselves. Quoting Smith v Maryland didn't exactly endear them to me in that case, but it is certain true that "Just as a sender of a letter to a business colleague cannot be surprised that the recipient’s assistant opens the letter, people who use web-based email today cannot be surprised if their communications are processed by the recipient’s ECS provider in the course of delivery." Sorry, but if you send an email to me, I'll treat it as I see fit, including letting my email provide run ads on it to pay for my service, and no, that "confidentiality notice" you included has absolutely no legal power over my email account.

[1] http://www.scribd.com/doc/160134104/Google-Motion-to-Dismiss...

Is that (part of) the reason why your profile lists no gmail address, but directs us to your own domains instead?

Also: Thanks for sharing that. Another nail in the coffin.

Substantially all of my business email goes over Google systems. I like their company a lot. I also like several banks and insurance companies. Google institutionally believes, and attempts to convince other people, that it is intrinsically more trustworthy than e.g. banks and insurance companies. It has been a while since I have treated those statements as anything more than the self-serving PR of a Fortune 500 company.

Puh-lease, keep your fanboyism in check.

  foo@bar:~$ dig -t mx kalzumeus.com

  ;kalzumeus.com.                 IN      MX

  kalzumeus.com.          3600    IN      MX      20 alt1.aspmx.l.google.com.
  kalzumeus.com.          3600    IN      MX      10 aspmx.l.google.com.
  kalzumeus.com.          3600    IN      MX      30 alt2.aspmx.l.google.com.
  kalzumeus.com.          3600    IN      MX      50 aspmx3.googlemail.com.
  kalzumeus.com.          3600    IN      MX      40 aspmx2.googlemail.com.

Okay, I should've done that myself.

Puh-lease? Fanboyism? That's uncalled for/the wrong tone, really.

What I find most interesting is that it reads ASP Mail eXchange, where ASP is Microsoft's. Or perhaps I'm misreading it.

Microsoft might have the ASP programming language.. the ASP, the combination of three letters has nothing to do with Microsoft!

Wow,fan boys's are crazy, I mean this is like 9/11 conspiracy theories kinda crazy. What next? Today is the 21st, Microsoft is on One Microsooft way?

The privacy policy exerpt you included is misleading; it's the section relating to third-party businesses. The full privacy policy [1] states that Google can process your gmail internally for almost any purpose relating to Google's business.

[1] https://www.google.com/intl/en/policies/privacy/

Please note the publication date of the post, in 2006. This was the privacy policy in place at the time. https://www.google.com/intl/en/policies/privacy/archive/2005... I do not believe that I was unfair in describing either the letter or intent of their privacy policy.

Didn't expect that from you, patio11...take a "peak"?!

Uh uh. So we have something being stated as plain fact which, if true, would have been a major, major story by a journalist not exactly known for holding back in his reporting - yet the particular story was never reported as such (the bit about scaring sources is BS, he could just switch channels which he did anyway).

The only corroborating evidence is drunk hearsay. The supposed fallout is implied. I mean, he just knows that Google read his mail - but he doesn't have any solid ideas if his source who he has a direct relationship was fired?

No matter what one wants to think of Google, there is not a single ounce of meat on this story.

He risks legal action for libel, given the definitive title of his post "ABOUT THAT TIME GOOGLE SPIED ON MY GMAIL" compared to the indecisive evidence presented.

His "evidence" could just as easily be explained by the fairly common practice of fingerprinting inside information to catch leakers.

And also, I suppose, the fairly common practice of faking an email from an employee to a journalist to show to the employee before he's fired?

"Fantastic job on integrating the psychiatric profile and semantic analysis, everyone. It looks like we were so accurate that we independently faked the exact same email he actually wrote!"

Arrington's exact quote, "shown an email that proved that they were the source" actually doesn't say it was an email between Arrington and the source, although I'm fairly sure that's what was meant.

Edit: To be fair, I suppose we should consider that the average guilty person isn't going to do well when confronted with specific, correct accusations, even if the evidence was faked or incorrect.

No matter what one wants to think of Google, there is not a single ounce of meat on this story.

I'd like to agree. If this was true, this would be very shocking news for me and a lot of other people. I work for one of the many startups, which use google docs and google mail. If Google would be willing to look at journalist's emails to "find a leak". How could any company trust them not to look at their secret communication? Especially if they had a real interest in doing so at some point, so they wanted to launch a competing product, invest in a competitor or acquire the company in question?

Evidence or not, if you find yourself in a situation where a company would gain a significant competitive advantage over you by accessing your communications, it would be just be prudent not to voluntarily store all of that information on that company's servers.

But even assuming the most vile malice on Google's part, the vast, vast majority of the data people store on their services just isn't interesting to them (except to algorithmically process to serve ads).

Exactly. To simplify, this Arrington post leaves only two possible scenarios:

1) He had a huge scoop on his hands but he passed because he was worried about the safety of his business. Something a journalist shouldn't even think about. Unprofessional and proof of a big conflict of interests.

2) He never run the story on TechCrunch because he knew the source was drunken bullshit and couldn't be used for anything that aspired to be called "reporting". Therefore: this post is bullshit because it's based on that same source

1 - And this is the most important: Assume your e-mails are being read. I have taken this many, many, many years ago before there were even leaks about NSA or Google/Microsoft collaborating or something from Fravia+. He wasn't wrong. If you don't know who that is, you're missing out.

2 - The fact the source communicated with you using a non Gmail account is of minor importance, because you were communicating with a Gmail account with a source working at Google breaking a story about Google. It is not very smart. Really.

2 - Did the source get fired ? If not, there is a good chance "they" were lying: It's not like a company will keep an employee leaking stuff (if the story was "that" major).

3 - Did you address the source by their name in your correspondance, or talked about any identifying details ? Meeting place ? Phone numbers..

Most people don't just realize how much info they're giving away because they're accustomed to talking in a certain way.

> The fact the source communicated with you using a non Gmail account is of minor importance

This is important to the story. If the source had communicated using their work (Google) email, then you could argue that Google hadn't accessed the reporter's Gmail account, but had instead invoked their (possible) employment agreement terms and read the Google employee's email. Without insider knowledge, no one could know for sure.

On the other hand, since the source used a non-Google email account, the only two possible ways that Google could know are: 1) if they read the reporter's emails or 2) if they have access to non-Google email services to read emails of arbitrary accounts.

Those aren't the only two possible ways Google could see non-Google email.

Was the source using a Google laptop? Was he or she using a Google network? Was the non-Google email service using SSL "several years ago" when this happened?

If the source used Google equipment and unencrypted email service, then the message is in plaintext on Google's network. No need to open Arrington's Gmail to read it.

The message passed in plaintext on the network. Were they sniffing and logging all traffic before the whistleblowing happened? Unlikely.

It's much more likely that they either 1) read Arrington's mailbox or 2) keylogged the crap out of the Google laptop the guy likely used. The latter method is not foolproof, whereas it's known that Google does have the capability to use the former. Occam would see 1 as the most realistic explanation.

Occam isn't strong enough evidence to assert "near certainty" as Arrington did, with a title that definitive.

The real question would be if Google logs all unencrypted email traffic across their networks. Otherwise, it would be hard to go back in time to see what was sent.

Hugely important. Even without any employment agreement terms, "employers probably [have] the legal right to read employee email messages sent using their equipment and network."


Read a wrongful termination case where an employee's abusive outgoing emails were accessed/grounds for dismissal. Employee lost.

>Did the source get fired ? If not, there is a good chance "they" were lying: It's not like a company will keep an employee leaking stuff (if the story was "that" major).

From the article:

>A little while after that my source was no longer employed by Google.

I think the parent is questioning the ambiguity here. Did the employee leave voluntarily? Were they fired or 'forced to resign?' If they left Google on good terms, then it does seem unlikely.

I was referring to the lying part and the "I'm not 100% certain comment".

It is very curious though. What was in those e-mails that could possibly identify the source. He works at Google, a tech company. The reporter works at TechCrunch (that covers tech companies). If anyone should know they must take extra care not to leave traces, it's a guy working for Google and another working for TecCrunch. It was reckless.

The facts as Arrington presents them don't justify being "nearly certain that Google accessed my Gmail account".

Even assuming his drunken source was accurate and truthful, there are other explanations for how Google could access the source's email.

This event happened "a few years ago", when Yahoo, Hotmail and AOL weren't protecting their email with SSL. Google could easily watch unencrypted traffic crossing its internal network and flag sensitive communications.

If they're not doing this, they should be. They don't have to read Arrington's Gmail to get his source's unencrypted communications with a non-Gmail provider, as long as his source was using a Google computer or a Google network.

So, let's pull out Occam's Razor:

- choice A: Google is logging all unencrypted communications from their staff (a rather vast amount of information altogether, I suspect, given how Google employees throw data around), in order to be able to go back retrospectively and wade through it to find leakers

- choice B: Google grepped through Gmail to find the leaker, which they have a complete legal right to do and has a marginal cost of zero.

Do you really think the communications of googlers is "vast" by google standards? Do you think their internal websites are as big as the internet?

Indeed. If the razor has to be applied I'd go with A because it's simple and feasible enough solution for a company like Google and because B would imply virtually zero levels of corporate worries about the eventual PR downfall. The fact that It's Arrington we're talking about here and not your next-door blogger, reinforces the probability of A being the simpler choice.

No way. It would require poring through so much more raw data to take raw tcp traffic, structure it somehow and pull out email messages (option a). Compare that against going through structured data in the gmail storage system (option b). Option B is much, much simpler.

... they should be?

I think there are differing expectations of privacy. I don't think there's anything strange or even untoward about employers tracking internet activity on their machines and their networks. It would not surprise me to be sacked for eg. browsing porn while at work, even if I did it from my phone or laptop instead of a company computer.

Before more people come in to defend Google, ive known for quite awhile that theyve been snooping their own employees emails. Before gmail went live nearly 10 years ago, there were beta accounts one could get. The only way you could get one was via invitation, and people were willing to pay money for those invites. This one girl i knew who worked at google decided to sell her invites to people. She was selling them to friends. Some how google found out about this. It was against company policy for people to be selling these invites. But, they found out she was and fired her. Thr rumor was they somehow pieced the info back to her. But unless the forced a confession out of these people, we surmised it was because she was sending all of these invitees paypal links for payment. She even told us later thats the only way they could have k own she was selling invites to gmail. So, yeah, not surprised by this at all.

Personally, i use my own smtp server to do all of my mail. It is not completely secure since the nsa can see everything, but its better than trusting google or hotmail.

What the Google employee did was just plain dumb and reckless and pointless to the point where I could totally believe that she bragged about it to a coworker, or otherwise failed to be totally discreet about it and got caught. No email snooping required. Seriously, the degree of stupidity that you just described is utterly mind-boggling on so many different levels. Wow.

Aren't invites tied to the inviter? Seems like buying an invite, and figuring out the inviter would be the simple way to identify the person. No snooping required. (Unless you consider the invite algorithm snooping).

Those invitations were all tied to the inviter; all Google had to do was identify any single invitation or an account created with one and that would lead them directly to the employee misusing their invites.

"I certainly freaked out when this happened, but I never said anything about it because I didn’t want people to be afraid to share information with TechCrunch."

So basically he's ok with screwing over potential sources because he didn't want to be assed to change his email provider? Classy.

> So basically he's ok with screwing over potential sources because he didn't want to be assed to change his email provider? Classy.

What? It is pretty clear from the article that his response was to change his e-mail provider.

A fair point. I guess I feel as if he had some sort of responsibility to let his potential sources know about these risks, but didn't because it wasn't in his self-interest. That's actually exactly what he says, come to think of it.

I think the OP is assuming that it would have been common sense to do so in the first place and they are assuming the journalist was just too lazy to take that protective step.

You are referencing what happened after the fact.

I can confirm this, we switched to Rackspace hosted email.

you didn't quote the next sentence: "But I became much more careful to make sure that communications with sources never occurred over services owned by the companies involved in the story."

So, no, he's not ok with screwing over potential source

That's frigging opsec 101 ! You're breaking a story about Google using your Gmail account.. How the hell did this seem a "normal" thing to do ? Especially from a guy working at TechCrunch ! (Tech savvy).

I would imagine he thought Google would never read a journalist's e-mail.

Being naïve is a luxury a journalist can't afford. Not when the identity of his source and his career are at stake.

Assumptions are forbidden. Trust that a company he just wrote about won't read his e-mails is beyond comprehension.

And that cost someone their job and, probably, he's burned: Any employer will phone Google to get their opinion. I don't know if they agreed to keep it secret, but I'm pretty sure there will be a part where you'll have: "Off the record ? We fired him/her because he/she leaked a story to TechCrunch" in that phone call.

And yes, I'm pissed.

I mean, just ask yourself .. If you were Google and someone broke a major story about you, and he uses Gmail .. Wouldn't you want to sneak a little peek ?

I wouldn't do that if I were a child. That's just like invading a country, and using its postal services to transmit sensitive information: It is just ... I can't picture that.

"I mean, just ask yourself .. If you were Google and someone broke a major story about you, and he uses Gmail .. Wouldn't you want to sneak a little peek ?"

No, I wouldn't but I guess I was taught differently. On a business note, it is a clear signal to everyone that gmail is not a service you can use if you have ANY business dealings with Google. If you are tempted by this then you would be tempted to look behind the scenes of anything involving Google.

Maybe you wouldn't. But you can't risk your source's identity because you assume everyone was brought up in a good house. It's good to be good. It may be okay to be naïve if you're the only one involved, but if there's someone's job at stake, it's your duty to be a parnaoid son of a bitch. If not for yourself, then for the other person you try to protect.

A cop in a dark alley with a shady guy won't think :"I'm a good guy who's been well raised. I don't stab or shoot people.. This fellow citizen must be an upstanding one, let me just turn my back to him". If a cop thinks that way, he chose the wrong profession. I used the word naïve, but at that level of naïveté, it's being a stupid person or someone who doesn't want to live.

That's only half of the equation though. What if his potential sources are using gmail? He says he wasn't willing to share this important information because he didn't want to scare away sources. In doing so he prevented sources from taking the same security steps he was taking himself.

I would imagine most sources don't just blurt out the information. I would expect some back and forth which would probably give him the time to warn the other person.

He did say that going forward he wouldn't use accounts controlled by a company in question (e.g. a Google story would have no communication go through Gmail / Google Apps accounts).

I wouldn't describe it as 'classy', but I would say it is demonstrative of his journalistic dedication and integrity.

* I understand that sarcasm was implied

An alternate, but maybe not more plausible explanation, is that the employee sent the email on the Google office network and the traffic was being logged anyway.

The employee used a non-google account according to the article.

Are you saying that it's 'normal' that companies log everything going out over smtp/submission and log it?

Even if that is

- legal (really?)

- part of the contract (no idea why that'd be okay)

that sounds like something you shouldn't do, period. I'm reasonably sure that this would never work in Europe, for example.

In the US you should assume a company examines/logs everything over their network, not just email. There's a whole "data loss prevention" industry.

Legal, doesn't have to be part of the contract (though I'm sure it helps)


It is both legal and required by US law. If a company doesn't have a "system of record" that keeps track of all emails generated by employees, the company can lose their defenses against a wide array of possible legal troubles.

Normal? I have no idea. Possible? Certainly.

Your email is sitting on a machine that they have full permission to. Their EULA explicitly gives them permission to access your account (often for any reason).

Also typically you do those kind of correspondences from home.

It is beyond me why people with a high technological competence use Gmail. I know it is convenient, but then please stop bitching that Google or the NSA will read your mails.

I'm going to stick with the landlord analogy. It needs to be possible to use a 3rd party service without them being allowed to spy on you, the same way it's possible to rent an apartment without the landlord being allowed to spy on you.

They're certainly able to, and have the keys, but they're not allowed.

Privacy laws should be created (or interpreted) to provide similar protection for the privacy of our data stored by a service.

If you rent an apartment, you pay for it. If you use Gmail, you don't. Google somehow has to make money from something, so there is a incentive to mine your data.

But the main point is: an apartment is not an information system. Throughout history, governments have spied on information systems and systems providers will too. Hell, spouses spy on each other, given the chance.

It is simply common sense to limit the attack surface you present by hosting your own mail server - or not to care.

I certainly pay google a fee for my Gmail account, as do most people I know who use Gmail, so don't be so certain of the "If you use gmail you don't pay for it."

most Gmail users dont.

I'm pretty sure that everyone who uses Google as the email manager for their domain now have to pay google - that includes business, universities, individuals, etc...

The only people who get "free" gmail, are people with an @gmail.com account, which in these days seems to be an awfully bad approach - makes it hard to switch your email to another provider if you run into issues with the old one.

NSA is a given if you are using the internet, and it seems like Google _may_ be a given depending on your circumstances (i.e. did you just steal their stuff, etc.). So what else should be stopping this person with high technological competence from using Gmail? And what alternative do you use that's better? Really curious.

End-to-end encryption is a possible solution. Assuming there is standard for encryption that hasn't been broken yet.

I mean, personally, I have nothing worth looking at.

in my case, alternatives and other solutions are generally too high-effort for me to bother with.

I'd bet most people who know but don't care feel similarly.

hosting your own email solves exactly nothing. Email still goes over (mostly) unencrypted channels and will, eventually, land in someone's gmail account anyway. Where Google and/or the NSA will read it. Worse still, you're now no longer hiding in the crowd. You have a giant blinking neon sign saying "I'm putting my mail where you can't get it."

Privacy and email do not mix, and maybe never will. Attacking the victims of the NSA spying does nothing to stop the NSA from doing the spying.

As an exercise, I'm trying to think through what UK law would say about doing similar with hosted email within the UK for EU residents[1].

I am not a lawyer, and I'm not the one making the call for my clients on any potentially legal matters. Would appreciate to hear the thoughts of those with experience in this area.

My gut feeling is that, although users may have signed T&Cs allowing this, UK/EU courts would hold that there is a reasonable expectation of privacy around the mailbox, and so the Regulation Of Investigatory Powers Act 2000 (RIPA) would apply [2]. This means that such a host couldn't go digging themselves into the email.

However, a potential route in could be via getting the source to make a subject access request under the Data Protection Act 2000 (DPA) into the organisation, supplying their external email address, in response to which there would be a very tenuous grounds to release the mail. However: 1. I'm fairly sure that this would be considered a misreading of the DPA, and hosted mail would be considered information held by the client, rather than the host 2. There's such an obvious claim here that all of this would have happened under duress, and that's a huge can of worms....

So in conclusion, I suspect the only way to legally get at such an email within the UK/EU would be via working with law enforcement, or via one of the two parties to the discussion providing it.

[1] Most of the relevant acts of UK law are descended from common EU legislation, and apply broadly across the EU, hence the repeated use of UK/EU here

[2] Unless you're working in certain very strict offices with clear Security Operating Procedures (SyOPS) and regular training, UK/EU courts are likely rule that even corporate email systems can be considered to hold personal communications protected under RIPA

I knew a person in Facebook who actually looks into other people's private photos. When one of my friend was supposed to chat with this guy and send her photos for traditional 'arranged' Indian marriage, this Stanford educated guy told my friend that he had already seen her profile and other pictures in Facebook. The surprise was all her pictures were private at that point!

That is not possible, even to get to a photo id you have to fill in a form with the bug ID you're investigating, which is then audited by internal security team.

Or, you know, his source lied?

Alternately, he is lying. It sounds crass to outright say such a thing, but it is suspiciously convenient that Arrington draws attention to himself under the pretext of having explosive information relating to a current hot story, all with mysterious unnamed sources.

It's especially amusing given how he ends the article. "I'd have said this before, but it would have hurt my bottom line, because it would have more fully informed sources of the risks they were taking."

If it means anything, a lot of people internally at Techcrunch knew about this incident as well - as did a few people outside. It's just being made public now.

True story ahead, and I can't figure out how Google did this to me. About a year ago, I noticed a picture of myself on my Google profile. I never gave them a picture. I don't even have my real mug on Facebook, but somehow Google got into my pictures on my Ipad and took a jpeg? I immediately deleted it. I still can't figure out how they got into the ipad file?

Google Mail/Google+/etc. will upload your contact info (All your contacts stored on your device), therefore if you've had your own photo added to your own offline contact, you can be quite sure it was taken from there.

I knew a person in Facebook who actually looked into other people's private photos. When one of my friend was supposed to chat with this guy and send her photos for traditional 'arranged' Indian marriage, this Stanford educated guy told my friend that he had already seen her pictures in Facebook. The surprise was all her pictures were private at that point!

Or maybe Google accessed his (the leaker's) account? Both actions would be equally offensive but there's no smoking gun here. Maybe this guy left his email logged in when he took a bathroom break... maybe he "lost" his phone which had the email account in question setup.

> Or maybe Google accessed his (the leaker's) account?

from the article: "The source had corresponded with me from a non Google email account, so the only way Google saw it was by accessing my Gmail account."

Which leads me to believe "they" didn't do it from work.

A non Google email account can be accessed from anywhere. Maybe Gooogle installed a keylogger on his work computer? Maybe they broke into his house and accessed it what way? Nothing about that statement, or the article proves that Google read the reporter's email and not the leakers.

I'm thinking that if Google was recording logins at work that info would probably be a story.

Once again: if a decent looking/working e-mail client with end to end encryption appears this year, I'll move to it almost immediately. So if Google wants to keep me as a Gmail users, they'd better enable the DarkMail protocol [1] or something similar in their e-mail client.

[1] - http://silentcircle.wordpress.com/2013/10/30/announcing-the-...

Same goes for Hangouts for that matter. As soon as TextSecure is fully cross-platform, I'm switching completely to it.

  > if a decent looking/working e-mail client with end
  > to end encryption appears this year, I'll move to it
  > almost immediately.
Thunderbird and GPG work with Gmail today.

  > So if Google wants to keep me as a Gmail users,
  > they'd better enable the DarkMail protocol [1]
  > or something similar in their e-mail client.
Gmail doesn't have a desktop email client. If encryption were added to the Android clients, then the web interface would become useless and the whole point of Gmail (being a web-based email system) would be moot.

  > As soon as TextSecure is fully cross-platform,
  > I'm switching completely to it.
The TextSecure wiki[1][2] describes a fairly wonky encryption protocol involving two shared symmetric keys instead of using public key encryption, so I have little confidence in their system's ability to withstand analysis by state-level actors. You're better off using GPG and email.

[1] https://github.com/WhisperSystems/TextSecure/wiki/Protocol [2] https://github.com/WhisperSystems/TextSecure/wiki/Using-Text...

The also talk about asymetric keys in [1]. And moxie from text secure is highly regarded in crypto circles.

I'd really like to see a public statement (hopefully a denial) by Google about this. As a matter of policy large tech companies often don't discuss how they track down leakers, or even permit speculation about it.

If you are not causing embarrassment or other harm (in Google's view) you are probably pretty safe unless you are entering or likely to enter a major business deal with Google. In those circumstances I wouldn't want to risk Google reading internal communications.

This means any startup even open to acquisition should probably avoid hosting private communications with likely buyers including Microsoft, Google and Facebook. When millions of pounds may be on the table it just isn't worth the risk that somebody in the big company decides they want an advantage in the negotiation.

Isn't this the sort of thing PGP/GPG was designed for?

It would be great if everyone used PGP/GPG, but there's something missing for it to get widespread adoption. It probably needs to be easier and more user friendly somehow. Perhaps there's an opportunity for someone to do something here.

Especially important since it is clear the two had physical contact at some point, which is one of the best ways to exchange and verify keys.

I can't believe Arrington would not have posted a techcrunch article when and if this had happened. This seems just another attention grabbing article.

Blatant hearsay

I'd use, and pay for, cloud services such as storage if they offered end-to-end encryption. I do a lot of work for clients under NDA, and there's no way I can use any of the current crop of cloud drives.

I would actually _like_ Google to read my mail on my request so that I can prove that my brother's gmail address is really his. (he had it hijacked)

There doesn't seem to be any mechanism to have them do so :-(

Out them. You're not helping anybody by not naming names.

Not quite. He is helping himself by raising his profile.

Same story if I use Google Apps for my company?

Is this about a googler's wife?

do no evil

> a Google employee, approached me at a party in person

Personally, I would have said "fuck you" and walked away. They are never available to speak to when you need them. Even when being helpful and reporting bugs, they don't even acknowledge having read it. They always need to come to you. No, fuck that, help your customers for a change.

I know this is semi off-topic, but it so bugs me about Google (and basically most other major tech firms) that this is the knee-jerk reaction to reading the story, instead of the actual point.

You missed the words just before: "my source, a Google employee, approached me at a party". You don't say "fuck you" to a source.

Oh, yeah oops, I was trying to read too fast. You're totally right of course.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact