12:18 PM
Connect Directly

Google Wiretapping Lawsuits Can Proceed, Judges Say

Lawsuits allege that Google's automated scans of Gmail content for advertising purposes and its Street View Wi-Fi data collection violate wiretap laws.

9 Android Apps To Improve Security, Privacy
9 Android Apps To Improve Security, Privacy
(click image for larger view)
Two federal judges have allowed separate wiretapping cases against Google to proceed.

One of those cases concerns Google's automated scanning of Gmail messages to provide advertising based on email contents. On June 13, Google filed a motion in federal court to dismiss the lawsuit, which accused the company of illegally scanning Gmail users' emails, as well as any emails they received from non-Gmail users. The suit also alleges that Google illegally scanned emails for users of Internet service providers who used a self-branded version of Gmail, as well as for Google Apps for Education users, who can opt into the content-based scanning of emails.

But Thursday, U.S. District Court Judge Lucy H. Koh, issued a 43-page ruling denying Google's motion to dismiss the Gmail lawsuit, which consolidated seven previous individual and class-action lawsuits.

Her ruling poses a legal setback for Google. "We're disappointed in this decision and are considering our options," a Google spokeswoman said via email. "Automated scanning lets us provide Gmail users with security and spam protection, as well as great features like Priority Inbox."

[ Need an inexpensive way to create online ads? Read Google Web Designer Offered As Free Download. ]

Last month, Google also asked the Court of Appeals for the Ninth Circuit to reconsider its Sept. 10 ruling that a lawsuit over the company's past collection of unencrypted Wi-Fi data -- as part of its Street View program -- could proceed. The lawsuit alleges that Google violated federal prohibitions against wiretapping. To date, Google has already paid a related $25,000 fine to the Federal Communications Commission, and faced further sanctions and fines abroad. But Google has maintained that collecting unencrypted Wi-Fi data is legal, although it said it stopped doing so in July 2010.

In the case of the Gmail suit, meanwhile, Google had argued that it was exempt from federal and state wiretapping regulations, because they allow companies to intercept communications during the "ordinary course of business."

Judge Koh, however, disagreed with that legal reasoning for failing to distinguish being an email service provider and an advertiser. "In fact, Google's alleged interception of email content is primarily used to create user profiles and to provide targeted advertising -- neither of which is related to the transmission of emails," she wrote in her ruling. She likewise dismissed Google's assertion that any non-Gmail users who sent an email to a Gmail user should have known that their emails would be automatically scanned, thus exempting Google's scanning from wiretapping regulations.

Judge Koh is well respected in Silicon Valley, The New York Times reported, due in no small part to her ability to handle complex cases, including the Apple-Samsung patent trial.

Now, her Gmail ruling opens up the possibility that Google might face a massive class action penalty, owing to nearly half a billion people using Gmail. Any related rulings could also have legal repercussions for other webmail providers, including Yahoo and Microsoft, if not the entire online advertising industry.

The suits against Google touch on multiple laws, primarily the Electronic Communications Privacy Act (ECPA), and to a lesser extent the the Stored Electronic Communications Act and Federal Wiretap Act. These laws, in the eyes of many technology, security and privacy experts, are outdated and overdue for updating by Congress.

Accordingly, the cases against Google could provide meaningful guidance to any attempt by Congress to revamp the ECPA and related laws. "We're finally reaching these legal issues," said Alan Butler, a lawyer at the Electronic Privacy Information Center, speaking by phone. "It's taken the court over 10 years in the case of the email scanning and more than five in the case of the Street View collection."

What might Google have done differently to have avoided these types of lawsuits?

For a start, giving users an opt-in mechanism might have mitigated some of the resulting legal challenges. Instead, Google began automatically scanning emails, backed by a clause in its terms of service stating that advertisements could be delivered based on the content of emails that users sent or received.

"At the outset, there was no real concept of any kind of consent mechanism or meaningful notice, in terms of what was being done," said Butler. "Eventually Gmail users were able to figure it out through reporting and seeing the page in a sense, seeing targeted ads, but there was certainly no upfront disclosure or discussion about that when they first started doing it. And how that works with respect to non-Gmail users that communicate with Gmail users is an even more difficult question."

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
10/31/2013 | 4:56:22 AM
re: Google Wiretapping Lawsuits Can Proceed, Judges Say
Anyone who thinks that the ad-targeting in gmail is wiretapping clearly has no idea how it works.
David F. Carr
David F. Carr,
User Rank: Apprentice
10/3/2013 | 1:42:41 PM
re: Google Wiretapping Lawsuits Can Proceed, Judges Say
If it's against the law, the law may be out of sync with reality
Thomas Claburn
Thomas Claburn,
User Rank: Moderator
10/2/2013 | 10:02:54 PM
re: Google Wiretapping Lawsuits Can Proceed, Judges Say
I have trouble seeing this as wiretapping given that email is routinely scanned for malware.
User Rank: Apprentice
10/2/2013 | 7:48:00 PM
re: Google Wiretapping Lawsuits Can Proceed, Judges Say
As a gmail user, i was kinda aware of the TOS and targeting advertisement, but the non-gmail users should be exempt of that, shouldn't they?
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-10-23
Untrusted search path vulnerability in Hamster Free ZIP Archiver allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the current working directory.

Published: 2014-10-23
Open redirect vulnerability in the header function in adclick.php in OpenX 2.8.10 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) dest parameter to adclick.php or (2) _maxdest parameter to ck.php.

Published: 2014-10-23
Cross-site request forgery (CSRF) vulnerability in Shenzhen Tenda Technology Tenda A32 Router with firmware 5.07.53_CN allows remote attackers to hijack the authentication of administrators for requests that reboot the device via a request to goform/SysToolReboot.

Published: 2014-10-23
Open redirect vulnerability in the Click-Through feature in Newtelligence dasBlog 2.1 (2.1.8102.813), 2.2 (2.2.8279.16125), and 2.3 (2.3.9074.18820) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter to ct.ashx.

Published: 2014-10-23
Multiple cross-site scripting (XSS) vulnerabilities in OpenMRS 2.1 Standalone Edition allow remote attackers to inject arbitrary web script or HTML via the (1) givenName, (2) familyName, (3) address1, or (4) address2 parameter to registrationapp/registerPatient.page; the (5) comment parameter to all...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.