Lawsuits allege that Google's automated scans of Gmail content for advertising purposes and its Street View Wi-Fi data collection violate wiretap laws.

Mathew J. Schwartz, Contributor

October 2, 2013

4 Min Read

9 Android Apps To Improve Security, Privacy

9 Android Apps To Improve Security, Privacy


9 Android Apps To Improve Security, Privacy (click image for larger view)

Two federal judges have allowed separate wiretapping cases against Google to proceed.

One of those cases concerns Google's automated scanning of Gmail messages to provide advertising based on email contents. On June 13, Google filed a motion in federal court to dismiss the lawsuit, which accused the company of illegally scanning Gmail users' emails, as well as any emails they received from non-Gmail users. The suit also alleges that Google illegally scanned emails for users of Internet service providers who used a self-branded version of Gmail, as well as for Google Apps for Education users, who can opt into the content-based scanning of emails.

But Thursday, U.S. District Court Judge Lucy H. Koh, issued a 43-page ruling denying Google's motion to dismiss the Gmail lawsuit, which consolidated seven previous individual and class-action lawsuits.

Her ruling poses a legal setback for Google. "We're disappointed in this decision and are considering our options," a Google spokeswoman said via email. "Automated scanning lets us provide Gmail users with security and spam protection, as well as great features like Priority Inbox."

[ Need an inexpensive way to create online ads? Read Google Web Designer Offered As Free Download. ]

Last month, Google also asked the Court of Appeals for the Ninth Circuit to reconsider its Sept. 10 ruling that a lawsuit over the company's past collection of unencrypted Wi-Fi data -- as part of its Street View program -- could proceed. The lawsuit alleges that Google violated federal prohibitions against wiretapping. To date, Google has already paid a related $25,000 fine to the Federal Communications Commission, and faced further sanctions and fines abroad. But Google has maintained that collecting unencrypted Wi-Fi data is legal, although it said it stopped doing so in July 2010.

In the case of the Gmail suit, meanwhile, Google had argued that it was exempt from federal and state wiretapping regulations, because they allow companies to intercept communications during the "ordinary course of business."

Judge Koh, however, disagreed with that legal reasoning for failing to distinguish being an email service provider and an advertiser. "In fact, Google's alleged interception of email content is primarily used to create user profiles and to provide targeted advertising -- neither of which is related to the transmission of emails," she wrote in her ruling. She likewise dismissed Google's assertion that any non-Gmail users who sent an email to a Gmail user should have known that their emails would be automatically scanned, thus exempting Google's scanning from wiretapping regulations.

Judge Koh is well respected in Silicon Valley, The New York Times reported, due in no small part to her ability to handle complex cases, including the Apple-Samsung patent trial.

Now, her Gmail ruling opens up the possibility that Google might face a massive class action penalty, owing to nearly half a billion people using Gmail. Any related rulings could also have legal repercussions for other webmail providers, including Yahoo and Microsoft, if not the entire online advertising industry.

The suits against Google touch on multiple laws, primarily the Electronic Communications Privacy Act (ECPA), and to a lesser extent the the Stored Electronic Communications Act and Federal Wiretap Act. These laws, in the eyes of many technology, security and privacy experts, are outdated and overdue for updating by Congress.

Accordingly, the cases against Google could provide meaningful guidance to any attempt by Congress to revamp the ECPA and related laws. "We're finally reaching these legal issues," said Alan Butler, a lawyer at the Electronic Privacy Information Center, speaking by phone. "It's taken the court over 10 years in the case of the email scanning and more than five in the case of the Street View collection."

What might Google have done differently to have avoided these types of lawsuits?

For a start, giving users an opt-in mechanism might have mitigated some of the resulting legal challenges. Instead, Google began automatically scanning emails, backed by a clause in its terms of service stating that advertisements could be delivered based on the content of emails that users sent or received.

"At the outset, there was no real concept of any kind of consent mechanism or meaningful notice, in terms of what was being done," said Butler. "Eventually Gmail users were able to figure it out through reporting and seeing the page in a sense, seeing targeted ads, but there was certainly no upfront disclosure or discussion about that when they first started doing it. And how that works with respect to non-Gmail users that communicate with Gmail users is an even more difficult question."

About the Author(s)

Mathew J. Schwartz

Contributor

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights