As if the recent NSA revelations weren’t enough, Google recently revealed a new concern when it comes to a user’s electronic privacy. In an attempt to get a case regarding a settlement between the FTC and Google regarding data-mining accusations (Google placed a special cookie in Safari that gathered information about the users’ browsing habits despite offering assurances that Safari users would not be tracked without an opt in), Google filed a brief (found here) that they don’t believe that users have an expectation of privacy when using Gmail as part of the motion to dismiss. For some people, this isn’t a huge surprise.
Google’s wording for their filing, that a user has “no legitimate expectation of privacy”, should interest any attorney who took Constitutional Law and Criminal Procedure back in law school. That term “expectation of privacy” speaks specifically to the Supreme Court’s requirements for compliance with the Fourth Amendment search and seizure jurisprudence. Normally, a government entity requires a warrant when the citizen has a reasonable expectation of privacy (a standard established in Katz v. United States). The application of that standard to electronic devices remains an on-going question within the legal world (and has produced some interesting results, such as the entire United States v. Jones case). Google even cited a famous case, Smith v. Maryland, holding that the police’s use of a pen register (a device that records phone numbers dialed by a particular phone line) did not constitute a search because individuals voluntarily share call routing information with the phone company (thus giving the individual no legitimate expectation of privacy in that information). Google seems to view themselves as the phone company in this situation, as an entity with which users share their information for the purpose of sending emails.
Now, there is an obvious distinction between Google and the police: one is a private company and the other is a government entity. Constitutional protections technically only apply in the case of a government entity, so the Fourth Amendment doesn’t necessarily apply against Google. As a result, certain statutes are more relevant in this situation (for example, the Electronic Communications Privacy Act and the California Invasion of Privacy Act). Google’s legal position, in regard to those statutes, is less worrisome.
Still, there are a number of problems with Google’s stance. First, Smith v. Maryland involved use of a device that only logged the routing information (i.e. the phone numbers). Google’s data-mining program scanned the content of emails sent through Gmail by looking for keywords. That represents a greater potential intrusion and may change the expectation of privacy analysis. Second, Google argues in the brief that users provide consent to these practices. Google bases this primarily on the Terms of Service for Gmail, which allows for advertisements based on the contents stored on various Google services (including Gmail). However, Google does ignore the consent issue for users who chose an email service that expressly does not engage in keyword scanning or for individuals using an email encryption service of some kind (say PGP or Bitmessage). One could argue, reasonably, that there is no consent if a user goes out of their way to encrypt their communications since the user took steps to ensure that their communications could not be read. Google does not acknowledge that situation or its implications.
Now, Google probably doesn’t have to worry too much about this case. The ECPA allows for an Electronic Communications Service (ECS) to engage in a certain amount of scanning and filtering as part of the normal course of business (section 2701 allows a qualified ECS to access communications and the data therein on their own networks, even if such communications normally constitute an interception, as long as it is related to operating their services). Even in regard to the consent issue, the Federal wiretapping statute only requires the consent of one party (a fact stated repeatedly in Google’s brief).
That being said, Google citing Fourth Amendment language in a case like this is a little troubling (and probably unnecessary). The kind of information issues Google discusses in the brief (sharing keywords with advertisers) is mostly separate from the issues that require citing cases like Katz or Smith v. Maryland (warrant requirements). A government entity’s involvement would change the legal analysis greatly, and may produce a different result regarding the legitimate expectation of privacy. This particular issue becomes especially important with the recent NSA revelations (particularly xKeyforce), where any court case would have to answer whether a user really can expect privacy in Gmail. A user’s expectation of privacy changes greatly depending on what Google shares and with whom. In the mean time, the best thing a user can do is make sure to read the Terms of Service and keep informed (particularly through items like the Electronic Frontier Foundation’s “Who Has Your Back?” whitepaper).