Gmail

[Daniel Brandt]

Problem 1: Gmail is nearly immortal

Google offers 1 gig of storage, which is many times the storage offered by Yahoo or Hotmail, or other Internet service providers that we know about. The powerful searching encourages account holders to never delete anything. It takes three clicks to put a message into the trash, and more effort to delete this message. It's much easier to "archive" the message, or just leave it in the inbox and let the powerful searching keep track of it. Google admits that even deleted messages will remain on their system, and may also be accessible internally at Google, for an indefinite period of time.

Google has been spinning their original position in press interviews, and with an informal page described as "a few words about privacy and Gmail." When we see fresh material from Google, we check the modification date at the bottom of the terms-of-use page and privacy page for Gmail. If these dates are still April 6 and April 8, we know that nothing has changed. Google can modify these pages too, any way they want and whenever they want, unilaterally. But at least these two pages carry slightly more legal weight than other pages, because Google should attempt to notify users of significant changes in these formal policies.

A new California law, the Online Privacy Protection Act, went into effect on July 1, 2004. Google changed their main privacy policy that same day because the previous version sidestepped important issues and might have been illegal. For the first time in Google's history, the language in their new policy makes it clear that they will be pooling all the information they collect on you from all of their various services. Moreover, they may keep this information indefinitely, and give this information to whomever they wish. All that's required is for Google to "have a good faith belief that access, preservation or disclosure of such information is reasonably necessary to protect the rights, property or safety of Google, its users or the public." Google, you may recall, already believes that as a corporation they are utterly incapable of bad faith. Their corporate motto is "Don't be evil," and they even made sure that the Securities and Exchange Commission got this message in Google's IPO filing.

Google's policies are essentially no different than the policies of Microsoft, Yahoo, Alexa and Amazon. However, these others have been spelling out their nasty policies in detail for years now. By way of contrast, we've had email from indignant Google fans who defended Google by using the old privacy language -- but while doing so they arrived at exactly the wrong interpretation of Google's actual position! Now those emails will stop, because Google's position is clear at last. It's amazing how a vague privacy policy, a minimalist browser interface, and an unconventional corporate culture have convinced so many that Google is different on issues that matter.

After 180 days in the U.S., email messages lose their status as a protected communication under the Electronic Communications Privacy Act, and become just another database record. This means that a subpoena instead of a warrant is all that's needed to force Google to produce a copy. Other countries may even lack this basic protection, and Google's databases are distributed all over the world. Since the Patriot Act was passed, it's unclear whether this ECPA protection is worth much anymore in the U.S., or whether it even applies to email that originates from non-citizens in other countries.

Google's relationships with government officials in all of the dozens of countries where they operate are a mystery, because Google never makes any statements about this. But here's a clue: Google uses the term "governmental request" three times on their terms-of-use page and once on their privacy page. Google's language means that all Gmail account holders have consented to allow Google to show any and all email in their Gmail accounts to any official from any government whatsoever, even when the request is informal or extralegal, at Google's sole discretion. Why should we send email to Gmail accounts under such draconian conditions?

Problem 2: Google's policies do not apply

The phrasing and qualifiers in the Gmail privacy policy are creepy enough, but nothing in any of Google's policies or public statements applies to those of us who don't have Gmail accounts. Google has not even formally stated in their privacy policy that they will not keep a list of keywords scanned from incoming email, and associate these with the incoming email address in their database. They've said that their advertisers won't get personally identifiable information from email, but that doesn't mean that Google won't keep this information for possible future use. Google has never been known to delete any of the data they've collected, since day one. For example, their cookie with the unique ID in it, which expires in 2038, has been tracking all of the search terms you've ever used while searching their main index.

http://www.google-watch.org/gmail.html

[Derek McMillan]

Yahoo offers 1 Gig of storage now in a bid to keep up with the googles!

PGP or its open source equivalent GPG is a good way to secure your email from prying eyes as far as I know. Of course everything I write is above board so I don't need to use it