Skip to main content

Should Gmail users expect any privacy? Untwisting Google’s claim

gmail acts to sort out new scam using non latin characters

Reading tech news headlines Tuesday night and this morning, you likely came across a few which boldly stated that Google believes you have “no legitimate expectation of privacy” while using Gmail, according to a recent court filing by the company. Okay, Google did argue that in a motion to dismiss a lawsuit. But the argument that you have no “expectation of privacy” isn’t Google’s – that gem belongs to the Supreme Court. Oh, and Google’s lawyers weren’t even talking about Gmail users when they said that.

Google’s ‘no expectation’ argument

This story stems from a class-action lawsuit filed against Google in California, which claims that Google violates wiretap laws and other state and federal legislation through its scanning of user emails for various purposes, including spam filtering, spell check, and targeted advertising. In its 39-page motion to dismiss the lawsuit, Google cites a 1979 Supreme Court decision, Smith v. Maryland, one of two court decisions which established that law enforcement may access some electronic communications without a warrant, something now known as “third party doctrine.” It is Smith v. Maryland from which Google extracted the “no legitimate expectation of privacy” quote.

Related Videos

From Google’s filing, under a section concerning non-Gmail users (i.e. people with whom Gmail users contact), which, as The Verge points out, is a key distinction:

“Just as a sender of a letter to a business colleague cannot be surprised that the recipient’s assistant opens the letter, people who use web-based email today cannot be surprised if their communications are processed by the recipient’s ECS provider in the course of delivery. Indeed, ‘a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.’ Smith v. Maryland, 442 U.S. 735, 743-44 (1979). In particular, the Court noted that persons communicating through a service provided by an intermediary (in the Smith case, a telephone call routed through a telephone company) must necessarily expect that the communication will be subject to the intermediary’s systems.”

The court may in fact decide that Google’s citation of “no legitimate expectation of privacy” is irrelevant; third party doctrine only applies to cases involving the government, not private companies. Plus, the courts have ruled that the contents of emails – but not the subject, To, From, CC or BCC fields – enjoy Fourth Amendment protections.

Public advocacy group Consumer Watchdog, which was the first to bring this case into the Web ether on Tuesday, blasted Google for its “stunning admission” that it does not believe users should expect their emails to be private, and argued that Google’s assertions are “wrong-headed.”

“Google’s brief uses a wrong-headed analogy; sending an email is like giving a letter to the Post Office,” said John M. Simpson, Consumer Watchdog’s Privacy Project director, in a statement. “I expect the Post Office to deliver the letter based on the address written on the envelope. I don’t expect the mail carrier to open my letter and read it.  Similarly when I send an email, I expect it to be delivered to the intended recipient with a Gmail account based on the email address; why would I expect its content will be intercepted by Google and read?

(For the record, Google has repeatedly asserted that “no humans read your email or Google Account information in order to show you advertisements or related information.” Only an “automated algorithm” does that.)

Right though Simpson may be, the Smith v. Maryland decision is not Google’s trump card in this case.

The fine print

Google goes on to argue that its email scanning practices are simply part of its “ordinary course of business,” and should therefore be exempt from state and federal wiretap laws, as well as the 1986 Electronic Communications Privacy Act. Furthermore, because this scanning is so integral to any (free) email service, to rule in favor of the plaintiffs “would effectively criminalize routine practices that are an everyday aspect of using email.” Finally, says Google, the court should reject the plaintiffs’ complaint because Gmail users give their consent to automated email scanning (for whatever purpose) by agreeing to Google’s Terms of Service and Privacy Policy.

Indeed, Google’s terms state that Gmail users agree that “advertisements may be targeted to the content of information stored on [Google’s] Services, queries made through [Google’s] Services or other information.” Google’s Privacy Policy also states that user data may be used to “provide, maintain, protect, and improve services (including advertising services) and develop new services.”

Of course, Google is not the only email provider to scan users’ emails for advertising purposes. Yahoo started doing so earlier this year. Microsoft, however, claims that it only scans emails for spam filtering, virus checks, and other service quality purposes.

Google is stealing your ‘actual thoughts’

In opposition to Google’s motion, plaintiffs in the case claim (pdf) that Google is twisting the argument at hand to make the case more favorable for itself. The plaintiffs state that they do not oppose “normal web-mail processing for SPAM, viruses, spellchecking, routing and delivery, storage, and/or the placement of email messages in a user’s inbox.” Instead, say the plaintiffs, Google is using its system “to capture the authors’ actual thoughts (‘thought data’) for Google’s secret use.” (Emphasis theirs)

“Google creates and uses this ‘thought data’ and attaches it to the messages so Google can better exploit the communication’s ‘meaning’ for commercial gain,” reads the plaintiffs’ opposition. “Google collects and stores the ‘thought data’ separately from the email message and uses the ‘thought data’ to: (1) spy on its users (and others); and, (2) amass vast amounts of ‘thought data’ on millions of people (secret user profiles). Google’s attempt to describe its ‘thought data’ mining generically as ‘automated processing’ or ‘automated scanning’ improperly rewrites Plaintiffs’ allegations.”

Google did not immediately respond to our request for comment on allegations of spying on users and its creation of “secret user profiles.” Update: A Google spokesperson tells us that the company is “not commenting on the plaintiffs’ response to our motion to dismiss.” So we’ll have to wait for another day to find out if Google really does have those secret user profiles.

Update 2: After an initial refusal to comment on the plaintiffs’ opposition, a Google spokesperson sent this statement from the company: “We take our users’ privacy and security very seriously; recent reports claiming otherwise are simply untrue. We have built industry-leading security and privacy features into Gmail – and no matter who sends an email to a Gmail user, those protections apply.”

No one to blame but yourself

As you can see, there’s a lot going on here. So lets get something straight: This case is not about law enforcement, the NSA, the FBI, or any other government agency spying on your emails. Instead, this case is about a private company collecting user data for whatever purpose it sees fit – a practice that, unless you take extra precautions, is happening virtually every second you are on the Web.

In other words, this suit is very much about Google Terms of Service and Privacy Policy, which is a legal contract each of us agree to by using any Google product, not just Gmail. And just because you didn’t read the ToS doesn’t exempt you from whatever conditions it applies, according to common law. So even if Google is using Big Data practices to steal our “thought data” for “secret use,” the only remedy is to not use Google products. And those of you who don’t use Gmail, but communicate with people who do, must at least acknowledge that Google’s servers will process your communications.

Still, this will be an important case to watch. In the presumably off chance that the court rules in the plaintiffs’ favor, the decision could have wide-spread consequences not just for Google and Web-based email, but for any Big Data industry that harvests users’ information. Stay tuned.

This article has been updated with comments from Google, and additional contextual information.

Editors' Recommendations

How to delete your Gmail account
gmail app on phone

There is a good chance that at some point, you have had a Gmail address. Brands like Google make it all too easy to sign up, but trying to delete your Gmail account isn't quite as straightforward. Maybe your email is full of junk, you're cracking down on the security of your personal data, or you’re looking to start fresh with another email service. 

Whatever your reason might be for deactivating your account, we'll guide you through how to permanently delete your Gmail account. 
Step 1: Navigate to your Google Account

Read more
Google blocking 18 million scam emails related to coronavirus daily
Gmail app icon.

It’s not just the coronavirus that's creating havoc. Related scams and malware are causing trouble, too, with cybercriminals seemingly intent on taking advantage of what is already a dire situation for many folks.

Highlighting the extent of the problem, Google has revealed that on each day over the past week, its Gmail-linked computer systems detected -- and blocked -- 18 million malware and phishing emails related to the coronavirus, also known as COVID-19.

Read more
Google will charge law enforcement and government agencies to access user data
Google's Logo

Google has begun charging law enforcement for access to user data, according to a report by the New York Times. The company is levying fees of $45 for a subpoena, $60 for a wiretap, and $245 for a search warrant, according to documents reviewed by the NYT.

The company receives a high volume of requests from law enforcement agencies to hand over data about its users and has therefore decided to bring in charges to "offset the costs" of compiling this data. According to the report, Google is legally allowed to levy these charges but traditionally big technology companies have handed over data without any charges.

Read more