Risk
10/2/2013
12:18 PM
Connect Directly
RSS
E-Mail
50%
50%

Google Wiretapping Lawsuits Can Proceed, Judges Say

Lawsuits allege that Google's automated scans of Gmail content for advertising purposes and its Street View Wi-Fi data collection violate wiretap laws.

9 Android Apps To Improve Security, Privacy
9 Android Apps To Improve Security, Privacy
(click image for larger view)
Two federal judges have allowed separate wiretapping cases against Google to proceed.

One of those cases concerns Google's automated scanning of Gmail messages to provide advertising based on email contents. On June 13, Google filed a motion in federal court to dismiss the lawsuit, which accused the company of illegally scanning Gmail users' emails, as well as any emails they received from non-Gmail users. The suit also alleges that Google illegally scanned emails for users of Internet service providers who used a self-branded version of Gmail, as well as for Google Apps for Education users, who can opt into the content-based scanning of emails.

But Thursday, U.S. District Court Judge Lucy H. Koh, issued a 43-page ruling denying Google's motion to dismiss the Gmail lawsuit, which consolidated seven previous individual and class-action lawsuits.

Her ruling poses a legal setback for Google. "We're disappointed in this decision and are considering our options," a Google spokeswoman said via email. "Automated scanning lets us provide Gmail users with security and spam protection, as well as great features like Priority Inbox."

[ Need an inexpensive way to create online ads? Read Google Web Designer Offered As Free Download. ]

Last month, Google also asked the Court of Appeals for the Ninth Circuit to reconsider its Sept. 10 ruling that a lawsuit over the company's past collection of unencrypted Wi-Fi data -- as part of its Street View program -- could proceed. The lawsuit alleges that Google violated federal prohibitions against wiretapping. To date, Google has already paid a related $25,000 fine to the Federal Communications Commission, and faced further sanctions and fines abroad. But Google has maintained that collecting unencrypted Wi-Fi data is legal, although it said it stopped doing so in July 2010.

In the case of the Gmail suit, meanwhile, Google had argued that it was exempt from federal and state wiretapping regulations, because they allow companies to intercept communications during the "ordinary course of business."

Judge Koh, however, disagreed with that legal reasoning for failing to distinguish being an email service provider and an advertiser. "In fact, Google's alleged interception of email content is primarily used to create user profiles and to provide targeted advertising -- neither of which is related to the transmission of emails," she wrote in her ruling. She likewise dismissed Google's assertion that any non-Gmail users who sent an email to a Gmail user should have known that their emails would be automatically scanned, thus exempting Google's scanning from wiretapping regulations.

Judge Koh is well respected in Silicon Valley, The New York Times reported, due in no small part to her ability to handle complex cases, including the Apple-Samsung patent trial.

Now, her Gmail ruling opens up the possibility that Google might face a massive class action penalty, owing to nearly half a billion people using Gmail. Any related rulings could also have legal repercussions for other webmail providers, including Yahoo and Microsoft, if not the entire online advertising industry.

The suits against Google touch on multiple laws, primarily the Electronic Communications Privacy Act (ECPA), and to a lesser extent the the Stored Electronic Communications Act and Federal Wiretap Act. These laws, in the eyes of many technology, security and privacy experts, are outdated and overdue for updating by Congress.

Accordingly, the cases against Google could provide meaningful guidance to any attempt by Congress to revamp the ECPA and related laws. "We're finally reaching these legal issues," said Alan Butler, a lawyer at the Electronic Privacy Information Center, speaking by phone. "It's taken the court over 10 years in the case of the email scanning and more than five in the case of the Street View collection."

What might Google have done differently to have avoided these types of lawsuits?

For a start, giving users an opt-in mechanism might have mitigated some of the resulting legal challenges. Instead, Google began automatically scanning emails, backed by a clause in its terms of service stating that advertisements could be delivered based on the content of emails that users sent or received.

"At the outset, there was no real concept of any kind of consent mechanism or meaningful notice, in terms of what was being done," said Butler. "Eventually Gmail users were able to figure it out through reporting and seeing the page in a sense, seeing targeted ads, but there was certainly no upfront disclosure or discussion about that when they first started doing it. And how that works with respect to non-Gmail users that communicate with Gmail users is an even more difficult question."

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
TomW770
50%
50%
TomW770,
User Rank: Apprentice
10/31/2013 | 4:56:22 AM
re: Google Wiretapping Lawsuits Can Proceed, Judges Say
Anyone who thinks that the ad-targeting in gmail is wiretapping clearly has no idea how it works.
David F. Carr
50%
50%
David F. Carr,
User Rank: Apprentice
10/3/2013 | 1:42:41 PM
re: Google Wiretapping Lawsuits Can Proceed, Judges Say
If it's against the law, the law may be out of sync with reality
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Moderator
10/2/2013 | 10:02:54 PM
re: Google Wiretapping Lawsuits Can Proceed, Judges Say
I have trouble seeing this as wiretapping given that email is routinely scanned for malware.
mak63
50%
50%
mak63,
User Rank: Apprentice
10/2/2013 | 7:48:00 PM
re: Google Wiretapping Lawsuits Can Proceed, Judges Say
As a gmail user, i was kinda aware of the TOS and targeting advertisement, but the non-gmail users should be exempt of that, shouldn't they?
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-4262
Published: 2014-07-28
svnwcsub.py in Subversion 1.8.0 before 1.8.3, when using the --pidfile option and running in foreground mode, allows local users to gain privileges via a symlink attack on the pid file. NOTE: this issue was SPLIT due to different affected versions (ADT3). The irkerbridge.py issue is covered by CVE-...

CVE-2013-4840
Published: 2014-07-28
Unspecified vulnerability in HP and H3C VPN Firewall Module products SECPATH1000FE before 5.20.R3177 and SECBLADEFW before 5.20.R3177 allows remote attackers to cause a denial of service via unknown vectors.

CVE-2013-7393
Published: 2014-07-28
The daemonize.py module in Subversion 1.8.0 before 1.8.2 allows local users to gain privileges via a symlink attack on the pid file created for (1) svnwcsub.py or (2) irkerbridge.py when the --pidfile option is used. NOTE: this issue was SPLIT from CVE-2013-4262 based on different affected versions...

CVE-2014-2974
Published: 2014-07-28
Cross-site request forgery (CSRF) vulnerability in php/user_account.php in Silver Peak VX through 6.2.4 allows remote attackers to hijack the authentication of administrators for requests that create administrative accounts.

CVE-2014-2975
Published: 2014-07-28
Cross-site scripting (XSS) vulnerability in php/user_account.php in Silver Peak VX before 6.2.4 allows remote attackers to inject arbitrary web script or HTML via the user_id parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.