12:18 PM

Google Wiretapping Lawsuits Can Proceed, Judges Say

Lawsuits allege that Google's automated scans of Gmail content for advertising purposes and its Street View Wi-Fi data collection violate wiretap laws.

9 Android Apps To Improve Security, Privacy
9 Android Apps To Improve Security, Privacy
(click image for larger view)
Two federal judges have allowed separate wiretapping cases against Google to proceed.

One of those cases concerns Google's automated scanning of Gmail messages to provide advertising based on email contents. On June 13, Google filed a motion in federal court to dismiss the lawsuit, which accused the company of illegally scanning Gmail users' emails, as well as any emails they received from non-Gmail users. The suit also alleges that Google illegally scanned emails for users of Internet service providers who used a self-branded version of Gmail, as well as for Google Apps for Education users, who can opt into the content-based scanning of emails.

But Thursday, U.S. District Court Judge Lucy H. Koh, issued a 43-page ruling denying Google's motion to dismiss the Gmail lawsuit, which consolidated seven previous individual and class-action lawsuits.

Her ruling poses a legal setback for Google. "We're disappointed in this decision and are considering our options," a Google spokeswoman said via email. "Automated scanning lets us provide Gmail users with security and spam protection, as well as great features like Priority Inbox."

[ Need an inexpensive way to create online ads? Read Google Web Designer Offered As Free Download. ]

Last month, Google also asked the Court of Appeals for the Ninth Circuit to reconsider its Sept. 10 ruling that a lawsuit over the company's past collection of unencrypted Wi-Fi data -- as part of its Street View program -- could proceed. The lawsuit alleges that Google violated federal prohibitions against wiretapping. To date, Google has already paid a related $25,000 fine to the Federal Communications Commission, and faced further sanctions and fines abroad. But Google has maintained that collecting unencrypted Wi-Fi data is legal, although it said it stopped doing so in July 2010.

In the case of the Gmail suit, meanwhile, Google had argued that it was exempt from federal and state wiretapping regulations, because they allow companies to intercept communications during the "ordinary course of business."

Judge Koh, however, disagreed with that legal reasoning for failing to distinguish being an email service provider and an advertiser. "In fact, Google's alleged interception of email content is primarily used to create user profiles and to provide targeted advertising -- neither of which is related to the transmission of emails," she wrote in her ruling. She likewise dismissed Google's assertion that any non-Gmail users who sent an email to a Gmail user should have known that their emails would be automatically scanned, thus exempting Google's scanning from wiretapping regulations.

Judge Koh is well respected in Silicon Valley, The New York Times reported, due in no small part to her ability to handle complex cases, including the Apple-Samsung patent trial.

Now, her Gmail ruling opens up the possibility that Google might face a massive class action penalty, owing to nearly half a billion people using Gmail. Any related rulings could also have legal repercussions for other webmail providers, including Yahoo and Microsoft, if not the entire online advertising industry.

The suits against Google touch on multiple laws, primarily the Electronic Communications Privacy Act (ECPA), and to a lesser extent the the Stored Electronic Communications Act and Federal Wiretap Act. These laws, in the eyes of many technology, security and privacy experts, are outdated and overdue for updating by Congress.

Accordingly, the cases against Google could provide meaningful guidance to any attempt by Congress to revamp the ECPA and related laws. "We're finally reaching these legal issues," said Alan Butler, a lawyer at the Electronic Privacy Information Center, speaking by phone. "It's taken the court over 10 years in the case of the email scanning and more than five in the case of the Street View collection."

What might Google have done differently to have avoided these types of lawsuits?

For a start, giving users an opt-in mechanism might have mitigated some of the resulting legal challenges. Instead, Google began automatically scanning emails, backed by a clause in its terms of service stating that advertisements could be delivered based on the content of emails that users sent or received.

"At the outset, there was no real concept of any kind of consent mechanism or meaningful notice, in terms of what was being done," said Butler. "Eventually Gmail users were able to figure it out through reporting and seeing the page in a sense, seeing targeted ads, but there was certainly no upfront disclosure or discussion about that when they first started doing it. And how that works with respect to non-Gmail users that communicate with Gmail users is an even more difficult question."

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
10/31/2013 | 4:56:22 AM
re: Google Wiretapping Lawsuits Can Proceed, Judges Say
Anyone who thinks that the ad-targeting in gmail is wiretapping clearly has no idea how it works.
David F. Carr
David F. Carr,
User Rank: Apprentice
10/3/2013 | 1:42:41 PM
re: Google Wiretapping Lawsuits Can Proceed, Judges Say
If it's against the law, the law may be out of sync with reality
Thomas Claburn
Thomas Claburn,
User Rank: Ninja
10/2/2013 | 10:02:54 PM
re: Google Wiretapping Lawsuits Can Proceed, Judges Say
I have trouble seeing this as wiretapping given that email is routinely scanned for malware.
User Rank: Apprentice
10/2/2013 | 7:48:00 PM
re: Google Wiretapping Lawsuits Can Proceed, Judges Say
As a gmail user, i was kinda aware of the TOS and targeting advertisement, but the non-gmail users should be exempt of that, shouldn't they?
FTC Opens Probe into Equifax Data Breach
Jai Vijayan, Freelance writer,  9/14/2017
Equifax CIO, CSO Step Down
Dark Reading Staff 9/15/2017
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Jan, check this out! I found an unhackable PC.
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.