Risk
10/2/2013
12:18 PM
50%
50%

Google Wiretapping Lawsuits Can Proceed, Judges Say

Lawsuits allege that Google's automated scans of Gmail content for advertising purposes and its Street View Wi-Fi data collection violate wiretap laws.

9 Android Apps To Improve Security, Privacy
9 Android Apps To Improve Security, Privacy
(click image for larger view)
Two federal judges have allowed separate wiretapping cases against Google to proceed.

One of those cases concerns Google's automated scanning of Gmail messages to provide advertising based on email contents. On June 13, Google filed a motion in federal court to dismiss the lawsuit, which accused the company of illegally scanning Gmail users' emails, as well as any emails they received from non-Gmail users. The suit also alleges that Google illegally scanned emails for users of Internet service providers who used a self-branded version of Gmail, as well as for Google Apps for Education users, who can opt into the content-based scanning of emails.

But Thursday, U.S. District Court Judge Lucy H. Koh, issued a 43-page ruling denying Google's motion to dismiss the Gmail lawsuit, which consolidated seven previous individual and class-action lawsuits.

Her ruling poses a legal setback for Google. "We're disappointed in this decision and are considering our options," a Google spokeswoman said via email. "Automated scanning lets us provide Gmail users with security and spam protection, as well as great features like Priority Inbox."

[ Need an inexpensive way to create online ads? Read Google Web Designer Offered As Free Download. ]

Last month, Google also asked the Court of Appeals for the Ninth Circuit to reconsider its Sept. 10 ruling that a lawsuit over the company's past collection of unencrypted Wi-Fi data -- as part of its Street View program -- could proceed. The lawsuit alleges that Google violated federal prohibitions against wiretapping. To date, Google has already paid a related $25,000 fine to the Federal Communications Commission, and faced further sanctions and fines abroad. But Google has maintained that collecting unencrypted Wi-Fi data is legal, although it said it stopped doing so in July 2010.

In the case of the Gmail suit, meanwhile, Google had argued that it was exempt from federal and state wiretapping regulations, because they allow companies to intercept communications during the "ordinary course of business."

Judge Koh, however, disagreed with that legal reasoning for failing to distinguish being an email service provider and an advertiser. "In fact, Google's alleged interception of email content is primarily used to create user profiles and to provide targeted advertising -- neither of which is related to the transmission of emails," she wrote in her ruling. She likewise dismissed Google's assertion that any non-Gmail users who sent an email to a Gmail user should have known that their emails would be automatically scanned, thus exempting Google's scanning from wiretapping regulations.

Judge Koh is well respected in Silicon Valley, The New York Times reported, due in no small part to her ability to handle complex cases, including the Apple-Samsung patent trial.

Now, her Gmail ruling opens up the possibility that Google might face a massive class action penalty, owing to nearly half a billion people using Gmail. Any related rulings could also have legal repercussions for other webmail providers, including Yahoo and Microsoft, if not the entire online advertising industry.

The suits against Google touch on multiple laws, primarily the Electronic Communications Privacy Act (ECPA), and to a lesser extent the the Stored Electronic Communications Act and Federal Wiretap Act. These laws, in the eyes of many technology, security and privacy experts, are outdated and overdue for updating by Congress.

Accordingly, the cases against Google could provide meaningful guidance to any attempt by Congress to revamp the ECPA and related laws. "We're finally reaching these legal issues," said Alan Butler, a lawyer at the Electronic Privacy Information Center, speaking by phone. "It's taken the court over 10 years in the case of the email scanning and more than five in the case of the Street View collection."

What might Google have done differently to have avoided these types of lawsuits?

For a start, giving users an opt-in mechanism might have mitigated some of the resulting legal challenges. Instead, Google began automatically scanning emails, backed by a clause in its terms of service stating that advertisements could be delivered based on the content of emails that users sent or received.

"At the outset, there was no real concept of any kind of consent mechanism or meaningful notice, in terms of what was being done," said Butler. "Eventually Gmail users were able to figure it out through reporting and seeing the page in a sense, seeing targeted ads, but there was certainly no upfront disclosure or discussion about that when they first started doing it. And how that works with respect to non-Gmail users that communicate with Gmail users is an even more difficult question."

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
TomW770
50%
50%
TomW770,
User Rank: Apprentice
10/31/2013 | 4:56:22 AM
re: Google Wiretapping Lawsuits Can Proceed, Judges Say
Anyone who thinks that the ad-targeting in gmail is wiretapping clearly has no idea how it works.
David F. Carr
50%
50%
David F. Carr,
User Rank: Apprentice
10/3/2013 | 1:42:41 PM
re: Google Wiretapping Lawsuits Can Proceed, Judges Say
If it's against the law, the law may be out of sync with reality
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Moderator
10/2/2013 | 10:02:54 PM
re: Google Wiretapping Lawsuits Can Proceed, Judges Say
I have trouble seeing this as wiretapping given that email is routinely scanned for malware.
mak63
50%
50%
mak63,
User Rank: Apprentice
10/2/2013 | 7:48:00 PM
re: Google Wiretapping Lawsuits Can Proceed, Judges Say
As a gmail user, i was kinda aware of the TOS and targeting advertisement, but the non-gmail users should be exempt of that, shouldn't they?
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1421
Published: 2014-11-25
mountall 1.54, as used in Ubuntu 14.10, does not properly handle the umask when using the mount utility, which allows local users to bypass intended access restrictions via unspecified vectors.

CVE-2014-3605
Published: 2014-11-25
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-6407. Reason: This candidate is a reservation duplicate of CVE-2014-6407. Notes: All CVE users should reference CVE-2014-6407 instead of this candidate. All references and descriptions in this candidate have been removed to pre...

CVE-2014-6093
Published: 2014-11-25
Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 7.0.x before 7.0.0.2 CF29, 8.0.x through 8.0.0.1 CF14, and 8.5.x before 8.5.0 CF02 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.

CVE-2014-6196
Published: 2014-11-25
Cross-site scripting (XSS) vulnerability in IBM Web Experience Factory (WEF) 6.1.5 through 8.5.0.1, as used in WebSphere Dashboard Framework (WDF) and Lotus Widget Factory (LWF), allows remote attackers to inject arbitrary web script or HTML by leveraging a Dojo builder error in an unspecified WebSp...

CVE-2014-7247
Published: 2014-11-25
Unspecified vulnerability in JustSystems Ichitaro 2008 through 2011; Ichitaro Government 6, 7, 2008, 2009, and 2010; Ichitaro Pro; Ichitaro Pro 2; Ichitaro 2011 Sou; Ichitaro 2012 Shou; Ichitaro 2013 Gen; and Ichitaro 2014 Tetsu allows remote attackers to execute arbitrary code via a crafted file.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?