A few weeks ago, we wrote about a troubling ruling by Judge Lucy Koh, in which she accepted the argument pushed by a group called Consumer Watchdog (which is basically an anti-Google organization focused on misrepresenting Google at every opportunity) that Google's Gmail conducted some sort of illegal wiretap when its computers scanned incoming emails to put relevant ads next to it. As we noted, if having a computer scan your email is illegal wiretapping, then pretty much any anti-spam software is also an illegal wiretap. The whole concept is really ridiculous. If you send me a mail, you are granting permission for me to view that mail however I wish to view it -- and if that includes reading it via Gmail and having its automated computers put ads next to it, then that's the price you pay.
Unfortunately, with Judge Koh unwilling to recognize this basic concept, it's now open season on email providers. A very similar lawsuit has now been filed against Yahoo, and I'm sure it won't be the last one.
The whole situation is screwed up beyond belief. Eric Goldman's comments on the original lawsuit against Google are completely on point here. Not only does this ruling show how totally screwed up ECPA (the Electronic Communications Privacy Act) is, but the whole thing may lead to making just about everyone a hell of a lot worse off. Goldman notes why Judge Koh's ruling is almost certainly incorrect under the law: algorithmic processing of content isn't considered interception under the law; the ruling could certainly apply to anti-spam/anti-virus/spell-checking services and more; email providers have been doing this for ages, so where's the statute of limitations; and what actual harm was caused to people who had their email scanned?
But he concludes it with this plea for sanity to the likes of Consumer Watchdog:
PLEASE PLEASE PLEASE don't take away my Gmail account. It has materially improved my life, and I hope and pray that I'm not downgraded into some second-rate email account due to this litigation.
Indeed. It leaves me wondering what "consumers" Consumer Watchdog is looking out for, because it's not me, and it doesn't appear to be the many many millions of people who use a variety of different webmail services quite happily -- because it improves their lives. I don't want a group (especially one prone to blatantly misrepresenting reality) to break email for me. That's not being a watchdog, it's being an authoritarian dipshit, arguing that millions of people around the world should be worse off because this one group thinks it knows best.
My goodness. Yesterday we posted about Rep. Louis Gohmert's incredible, head-shakingly ignorant exchange with lawyer Orin Kerr during a Congressional hearing concerning "hacking" and the CFAA. In that discussion, Gohmert spoke out in favor of being able to "hack back" and destroy the computers of hackers -- and grew indignant at the mere suggestion that this might have unintended consequences or lead people to attack the wrong targets. Gohmert thought that such talk was just Kerr trying to protect hackers.
I thought perhaps Rep. Gohmert was just having a bad day. Maybe he's having a bad month. In a different hearing, held yesterday concerning ECPA reform, Gohmert opened his mouth again, and it was even worse. Much, much worse. Cringe-inducingly clueless. Yell at your screen clueless. Watch for yourself, but be prepared to want to yell.
The short version of this is that he seems to think that when Google has advertisements on Gmail, that's the same thing as selling all of the information in your email to advertisers. And no matter how many times Google's lawyer politely tries to explain the difference, Gohmert doesn't get it. He thinks he's making a point -- smirking the whole time -- that what Google does is somehow the equivalent of government snooping, in that he keeps asking if Google can just "sell" access to everyone's email to the government. I'm going to post a transcript below, and because I simply cannot not interject how ridiculously uninformed Gohmert's line of questioning is, I'm going to interject in the transcript as appropriate.
Rep. Gohmert: I was curious. Doesn't Google sell information acquired from emails to different vendors so that they can target certain individuals with their promotions?
Google lawyer whose name I didn't catch: Uh, no, we don't sell email content. We do have a system -- similar to the system we have for scanning for spam and malware -- that can identify what type of ads are most relevant to serve on email messages. It's an automated process. There's no human interaction. Certainly, the email is not sold to anybody or disclosed.
Gohmert: So how do these other vendors get our emails and think that we may be interested in the products they're selling.
Okay, already we're off to a great start in monumental ignorance. The initial question was based on a complete falsehood -- that Google sells such information -- and after the lawyer told him that this is not true, Gohmert completely ignores that and still asks how they get the emails. It never seems to occur to him that they don't get the emails.
Google lawyer: They don't actually get your email. What they're able to do is through our advertising business be able to identify keywords that they would like to trigger the display of one of their ads, but they don't get information about who the user is or any...
Gohmert: Well that brings me back. So they get information about keywords in our emails that they use to decide who to send promotions to, albeit automatically done. Correct?
NO. Not correct. In fact, that's the exact opposite of what the lawyer just said. Gohmert can't seem to comprehend that Google placing targeted ads next to emails has NOTHING to do with sending any information back to the advertiser. I wonder, when Rep. Gohmert turns on his television to watch the evening news, does he think that the TV station is sending his name, address, channel watching info, etc. back to advertisers? That's not how it works. At all. The advertisers state where they want their ads to appear, and Google's system figures out where to place the ads. At no point does any information from email accounts go back to anyone. And yet Gohmert keeps asking.
And not understanding the rather basic answers. Unfortunately, the lawyer tries to actually explain reality to Gohmert in a professional and detailed manner, when it seems clear that the proper way to answer his questions is in shorter, simpler sentences such as: "No, that's 100% incorrect."
Lawyer: The email context is used to identify what ads are most relevant to the user...
Gohmert: And do they pay for the right or the contractual ability to target those individuals who use those keywords?
Lawyer: I might phrase that slightly differently, but the gist is correct, that advertisers are able to bid for the placement of advertisements to users, where our system has detected might be interested in the advertisement.
Gohmert: Okay, so what would prevent the federal government from making a deal with Google, so they could also "Scroogle" people, and say "I want to know everyone who has ever used the term 'Benghazi'" or "I want everyone who's ever used... a certain term." Would you discriminate against the government, or would you allow the government to know about all emails that included those words?
Okay, try not to hit your head on your desk after that exchange. First, he (perhaps accidentally) gets a statement more or less correct, that advertisers pay to have their ads show up, but immediately follows that up with something completely unrelated to that. First, he tosses in "Scroogled" -- a term that Microsoft uses in its advertising against Gmail and in favor of Outlook.com -- suggesting exactly where this "line" of questioning may have originated. Tip to Microsoft lobbyists, by the way: if you want to put Google on the hot seat, it might help to try a line of questioning that actually makes sense.
Then, the second part, you just have to say huh? The lawyer already explained, repeatedly, that Google doesn't send any information back to the advertiser, and yet he's trying to suggest that the government snooping through your email is the same thing... and Google somehow not giving the government that info is Google "discriminating" against the government? What? Really?
Lawyer [confounded look] Uh... sir, I think those are apples and oranges. I think the disclosure of the identity...
Gohmert: I'm not asking for a fruit comparison. I'm just asking would you be willing to make that deal with the government? The same one you do with private advertisers, so that the government would know which emails are using which words.
Seriously? I recognize that there are no requirements on intelligence to get elected to Congress, but is there anyone who honestly could not comprehend what he meant by saying it's "apples and oranges"? But, clearly he does not understand that because not only does he mock the analogy, he then repeats the same question in which he insists -- despite the multiple explanations that state the exact opposite -- that advertisers get access to emails and information about email users, and that the government should be able to do the same thing.
Lawyer: Thank you, sir. I meant by that, that it isn't the same deal that's being suggested there.
Gohmert: But I'm asking specifically if the same type of deal could be made by the federal government? [some pointless rant about US government videos aired overseas that is completely irrelevant and which it wasn't worth transcribing] But if that same government will spend tens of thousands to do a commercial, they might, under some hare-brained idea like to do a deal to get all the email addresses that use certain words. Couldn't they make that same kind of deal that private advertisers do?
Holy crap. Gohmert, for the fourth time already, nobody gets email addresses. No private business gets the email addresses. No private business gets to see inside of anyone's email. Seeing inside someone's email has nothing to do with buying ads in email. If the government wants to "do the same deal as private advertisers" then yes it can advertise on Gmail... and it still won't get the email addresses or any other information about emailers, because at no point does Google advertising work that way.
Lawyer: We would not honor a request from the government for such a...
Gohmert: So you would discriminate against the government if they tried to do what your private advertisers do?
No. No. No. No. No. The lawyer already told you half a dozen times, no. The government can do exactly what private advertisers do, which is buy ads. And, just like private advertisers, they would get back no email addresses or any such information.
Lawyer: I don't think that describes what private advertisers...
Gohmert: Okay, does anybody here have any -- obviously, you're doing a good job protecting your employer -- but does anybody have any proposed legislation that would assist us in what we're doing?
What are we doing, here? Because it certainly seems like you're making one of the most ignorant arguments ever to come out of an elected officials' mouth, and that's saying quite a bit. You keep saying "private advertisers get A" when the reality is that private advertisers get nothing of the sort -- and then you ignore that (over and over and over and over again) and then say "well if private advertisers get A, why can't the government get A." The answer is because neither of them get A and never have.
Gohmert: I would be very interested in any phrase, any clauses, any items that we might add to legislation, or take from existing legislation, to help us deal with this problem. Because I am very interested and very concerned about our privacy and our email.
If you were either interested or concerned then you would know that no such information goes back to advertisers before you stepped into the room (hell, before you got elected, really). But, even if you were ignorant of that fact before the hearing, the fact that the lawyer tried half a dozen times, in a half a dozen different ways to tell you that the information is not shared should have educated you on that fact. So I'm "very interested" in what sort of "language" Gohmert is going to try to add to legislation that deals with a non-existent problem that he insists is real.
Gohmert: And just so the simpletons that sometimes write for the Huffington Post understand, I don't want the government to have all that information.
Rep. Sensenbrenner: For the point of personal privilege, my son writes for the Huffington Post.
Gohmert: Well then maybe he's not one of the simpletons I was referring to.
Sensenbrenner: He does have a Phd.
Gohmert: Well, you can still be a PHUL.
Har, har, har... wait, what? So much insanity to unpack. First of all, Gohmert seems to think that people will be making fun of him for suggesting that the government should "buy" access to your email on Google. And, yes, we will make fun of that, but not for the reasons that he thinks they will. No one thinks that Gohmert seriously wants the government to buy access to information on Google. What everyone's laughing (or cringing) at is the idea that anyone could buy that info, because you can't. No private advertiser. No government. It's just not possible.
But, I guess we're all just "simpletons."
Seriously, however, we as citizens deserve better politicians. No one expects politicians to necessarily understand every aspect of technology, but there are some simple concepts that you should at least be able to grasp when explained to you repeatedly by experts. When a politician repeatedly demonstrates no ability to comprehend a rather basic concept -- and to then granstand on their own ignorance -- it's time to find better politicians. Quickly.
Julian Sanchez has put forth an interesting and compelling proposal: if Google really wanted to take a stand in favor of user privacy, it should encrypt all our emails.
Google is in an ideal position to overcome these difficulties, and finally make strong e-mail encryption a mass phenomenon. Their Gmail service—the one David Petraeus was using to exchange steamy messages with his biographer and lover, Paula Broadwell—has some 425 million active users by last count. Many of those users access the service through a Web interface, which Google can change and update for all users simultaneously. That means we could all wake up tomorrow to find a handy new “Encrypt Message” button included in the familiar Gmail interface we're already using. Meanwhile, Google (along with Facebook) has rapidly become a kind of universal Internet identity provider, with the Google Account used as a key not only to access Google’s own myriad offerings, but many other independent online services as well.
Because truly strong encryption is “end to end”—meaning the end-users generate, store, and have sole access to their own private encryption keys—a robust content encryption system may require users to have appropriate client software installed on their own machines. Here, too, Google is well positioned to provide a solution: They already make a widely-used browser, Chrome, and a popular operating system for mobile devices, Android, which could be updated with the necessary functionality built-in, eliminating the need for a separate browser plug-in.
Of course, as Julian notes, one reason why Google is resisting this is that it would make it more difficult to scan your emails and offer contextual advertising based on what's in those emails. He notes that Vint Cerf more or less admitted this last year, in noting that it would be a challenge to their business model. But Julian notes that there are other ways to target advertisements (some of which might be more effective) than keying them directly off each email -- for example, it can still use your search history, social profiles, Youtube videos, etc. For what it's worth, in all the years I've used Gmail, I don't recall ever looking at the ads they display -- though, obviously, some people out there must click. Also, a point worth noting: Microsoft's new Outlook.com email system does not scan each email for contextual advertising purposes. If they can do it, it seems silly to argue that Google needs to scan each email. More importantly, Julian isn't saying that every email should be encrypted -- so plenty of messages will still be sent in the clear, and those can be used for contextual ads. And the benefits may outweigh the negatives:
Meanwhile, Google would garner enormous goodwill from privacy advocates, reams of free press coverage, and an attractive new selling point, not only for Gmail but for Chrome and Android as well. Encryption would likely be a particularly appealing feature for Google's paying enterprise customers, whose messages may contain information that is not only private but highly valuable. At the very least, it's worth running the numbers again to see whether offering strong encryption might now be a net boon to the company's bottom line.
Furthermore, he notes that Google can use this to take a real stand against efforts by law enforcement to build wiretapping into email. Those efforts have been going on for a long time, and Google has fought against them in the past. But, he notes, getting people up in arms about the feds taking away something that people already have is a much more powerful motivator than getting them worked up about the feds making it impossible for Google to offer that feature in the future.
Because people are loss-averse, taking away something people already have and value can be all but impossible—while preventing them from getting it in the first place is far easier. By rolling out e-mail encryption now, Google can ensure that ordinary users see myopic efforts to regulate secure communications infrastructure as something that affects all of our privacy and security—not just that of faceless crooks or terrorists.
For what it's worth, Ed Felten responded to Julian's proposal by noting a few potential issues with it: (1) managing the crypto keys and cyrpto code would be an issue (would Google also store your key? if so, many of the benefits go away) and (2) there are features that rely on Google being able to see your email. For that latter issue, he notes that beyond just the question of contextual advertising, it could make things like filtering messages more difficult -- and that includes for more important filters like spam.
Julian responds by noting that these are not insurmountable issues. The management of the crypto keys could be handled by Google if people are okay with it, or they could offer up third party options (whether local, or some other "cloud" provider, such as Dropbox).
...lots of cloud services that offer encryption let the user choose whether or not to let the provider keep a backup copy of the user's keys. The more paranoid could sacrifice some mobility and convenience—and risk losing access to some of their messages if their local copies of the key are destroyed—by opting not to let Google keep even an encrypted copy of their key. Or, as a middle ground, a user could always store an encrypted backup copy of her key with a different cloud provider, like Dropbox, which need not even be known to Google. That provides all of the advantages of storing the key with Google at a relatively minor cost in added hassle, but substantially raises costs for any attacker, who now must not only crack the passphrase protecting the key, but figure out where in the cloud that key is located. Assuming it's accessed relatively infrequently (most of us read our e-mail on the same handful of devices most of the time) even a governmental attacker with subpoena power and access to IP logs is likely to be stymied, especially if the user is also employing traffic-masking tools like Tor
As for the filtering option, he notes that you can still filter based on other metadata, and that most of the encrypted notes are less likely to be spam, since they're more likely to be used between people who know each other. To avoid the problem of spammers suddenly jumping on the encryption bandwagon, he suggests an option where you might only accept encrypted mail from white-listed addresses.
Some Google haters will insist that Google will never do this because it might diminish the contextual ad business, but as Julian explains (in both links!) that's not necessarily the case. Furthermore, Google has, in the past, shown that it recognizes that making a goodwill gesture in terms of increasing privacy or better protecting its users can often pay off in much more usage and public goodwill in the long run. As Julian notes: it seems that it's at least worth running some numbers to see how it might make financial sense to better protect user emails.
As the fervor over the hatefulInnocence Of Muslims movie is beginning to die down, you may have heard that in response to that film the Iranian government blocked access to Gmail. There has been much postulation over why Gmail suddenly became a target, including what seems to be a ridiculous claim from the Iranian Telecommunications Ministry that they were simply trying to put a heavy block on YouTube (it's been blocked since long before this movie showed up). But, as most of us probably expected, Gmail is back on.
Regardless of whether or not the block on Gmail was intentional, the obstruction to one of the world’s most popular email services resulted in many complaints from Iran officials. Legislator Hossein Garousi reportedly threatened to summon Iran’s telecommunications minister Reza Taqipour for parliamentary questioning if the service was not unblocked.
Iran continues to block any site or network that expresses “anti-government views,” including sites like Twitter, Facebook and YouTube, which helped rally citizens and circularize the massive protests following the questionable re-election of President Mahmoud Ahmadinejad.
Now, the blocking of such sites probably doesn't shock any of us anymore. It's unfortunate, but they're doing it. Hell, Iran has previously announced plans to build their very own internet. The good news is that Iranian citizens aren't simply rolling over at their government's heavy-handed censorship of the internet. They know how to use technology to get around the filters too.
Even though YouTube was previously blocked in Iran before the film was released and Gmail access was barred, Reuters reports on the ability of Iranian citizens to “circumvent Internet restrictions” using virtual private network (VPN) software, which makes it appear as if the computer accessing the content is located in another country.
So best of luck to you, Iranian government, because you're going to need it if you think that suppressing thought and the freedom to access an unfettered internet is going to work out for you in the long term. At least you can rest easy knowing that your citizens can't play online roleplaying games. We've got that covered from our end.
Of course, last time this happened (with RIM, at least), RIM pointed out that there's simply no way for it to decrypt email sent by users, since it's based on an encryption key set up by the end user. In response, the Indian government claimed that it had cracked the encryption used by Blackberries and was able to monitor messages sent via those devices. Of course, the fact that it's now pressuring RIM to format messages in easily spied-upon ways, certainly suggests the news of the cracking of Blackberry's encryption was somewhat exaggerated.
Given reports that Iran is potentially handing out death sentences to bloggers whose content the Iranian gov't dislikes, you would think that a secure and private means of communication is important for many people in that country. And apparently the Iranian government realizes this and doesn't like it. So it's decided to try to pull the plug on Gmail, and instead roll out a "national email service." Of course, that just means an email service that the government has full access to, which I'm sure doesn't fool anyone. However, it does make you wonder if Iran thinks it can possibly block all other types of email beyond just Gmail (and I'm sure plenty of folks in Iran can quickly figure out how to get around the blocks).
With all of the iPhone App Store press love these days, it's almost easy to forget that Apple refused to allow any outside apps on the phone when it first launched -- instead, telling developers that anything they wanted to do can and should be done via a browser, creating mini-apps that were all web-technology-based. Of course, now that the App Store gets so much attention, plenty of folks have forgotten about designing web-based apps for the iPhone... but not everyone. Google has designed a new version of Gmail that routes around Apple's command-and-control App Store process by going direct via the web. While the article linked here seems to make this out to be a big deal, it seems like the only really big deal is the fact that everyone forgot this was the way Apple originally planned for apps to be handled on the phone.
I think privacy is a very important issue that often is given short-shrift... but I've never been able to understand some of the positions staked out by the Electronic Privacy Information Center (EPIC), who seems to have decided long ago that, even if people are making a conscious choice, anything that puts their privacy at risk is downright evil and must be stopped. When Google first launched Gmail back in 2004, EPIC went ballistic saying that it needed to be shut down as a privacy violation. Most people responded by getting Gmail accounts as quickly as they could.
Apparently, EPIC isn't giving up this fight, even though five years have gone by and Gmail has become a popular email service for many, many people online. EPIC has now asked the FTC to shut down all Google online applications, from Google Docs to Gmail, claiming that they're unable to "adequately safeguard the confidential info" of users -- and comparing those apps to a faulty car seat for kids (hyperbole, much?).
This all seems designed to get EPIC attention rather than to actually help consumers. The likelihood of the FTC agreeing with EPIC seems slim (which even EPIC seems to admit). People are pretty aware of what risks they're taking on by putting stuff on Google's servers, and Google has a pretty clear track record of doing its best to keep that info private. But most people feel that the risk is slight and the trade-off and value from the services is obviously worth it. Thus, it's not actually a privacy issue at all -- because most people are comfortable with the situation. So, why is EPIC trying to take away such useful services from millions of people who have come to rely on them?