GoogleMail and Privacy Issues

The controversy surrounding Google’s new G-mail system is truly astounding. Just in case you’ve been living under a rock for the last couple of months, here’s the deal. Google has developed a free web-based email service which allows each user to store up to 1 gigabyte of email. But as we know, nothing is truly free, so in exchange, Google would like to display targeted banner advertisements when the email is viewed on their system – similar to what’s done right now when users use the Google search engine.

However, there’s been a privacy backlash because Google’s system would scan the contents of each message for the purpose of generating context-sensitive ads to display. Reading about your cousin’s trip to Miami, well then Google might want to display a banner ad promoting a travel package to the sun spot.

Google describes the process as follows: “Google will display targeted ads and other relevant information based on the content of the email displayed. In a completely automated process, computers process the text in a message and match it to ads or related information in Google’s extensive database. No human reads your mail to target ads or other information without your consent.” This sounds similar to the process used by AOL, Yahoo, MSN and others to scan incoming email for viruses and spam. So what’s the fuss all about?

Sure, some of the provisions in Google’s Terms of Use sound scary – “[you] agree that Google may monitor, edit or disclose your personal information, including the content of your emails, if required to do so in order to comply with any valid legal process or governmental request (such as a search warrant, subpoena, statute, or court order), or as otherwise provided in these Terms of Use and the Gmail Privacy Policy.” However, is this any worst than the rights that Bell reserves in its Sympatico Terms of Use which state “you agree that Sympatico has the right to monitor the Sympatico Network electronically from time to time and to disclose any information as necessary to satisfy any law, regulation or other governmental request, to operate the Sympatico Network or any of the Services properly, or to protect itself or its users in accordance with Sympatico’s Privacy Policy”.

In their privacy policy, Google promises that they will “never share your personally identifying information with any advertiser as part of this service, unless you specifically ask us to do so”. Likewise, some of the obligations Bell agrees to assume pursuant to its privacy policy may limit some of the broad disclosure rights mentioned above when personal information is involved.

If you’re concerned about confidentiality, don’t use Google mail as your primary email service. But then, you probably wouldn’t want to use AOL, Yahoo!, MSN, Sympatico or other external email services either. However, Google mail could still be a great place to archive useful information such as articles you’ve read in online newspapers and magazines.

Hopefully all this attention on Google mail will cause the industry to re-evaulate what confidentiality obligations service providers should be assuming. In any event, there are more important privacy issues to worry about. For instance, how many professionals, including lawyers, have signed up for Blackberry or similar services based on contracts which lack a contractual obligation of confidentiality? We caution clients to sign confidentiality agreements and we spend time arguing over the contents of confidentiality obligations contained in contracts we review for them. But how many of us take steps to ensure that appropriate confidentiality obligations cover the private emails that are replicated from our law firm servers onto the externally located systems? I won’t even mention the uncapped indemnities that many service providers insert in their contracts.

Also consider how many professionals continue to exchange confidential emails without using commonly available and inexpensive public key certificates to encrypt the contents? Almost all popular email programs support a feature called S/MIME which allows the sender to digitally “sign” the messages they send using a “public key” they attach to their messages. The public key can also be used by recipients of their messages to authenticate the sender and can also be used to send them back encrypted messages which can only be decrypted using a “private key”. Private/public key combinations can be obtained from Verisign for as little as $10 per year.

And since we started with a focus on Google mail, one of Google’s other services might be a good place to end this piece. How many of us routinely use Google’s search engine to look for personal and work related information? These searches are saved by Google along with the IP address from where they originated and any associated Google cookie identifier stored on the user’s computer. This information may not necessarily be considered “personal information” because Google does not have sufficient information to tie it back to a particular person – that would require asking your ISP to match up the dynamic IP address assigned to your computer. But how dynamic is an IP address in the world of always-on DSL and cable modem broadband connections? The same IP address may be assigned to a particular home for weeks or months at a time (and most business users often have a fixed/static IP address assigned to them). Then there’s the Google cookie on your computer. Prudence dictates taking out the trash periodically – if you’re using Internet Explorer, select Tools, Internet Options and then Delete Cookies.

Note: The above appeared as a Bits & Bytes article published by Law Times on May 17, 2004.