Privacy issues in GMail and other webmail

Most people have heard about the various debates around Google's new GMail service. I wear many hats, both as a friend and consultant to Google and as chairman of the EFF. There have been some tinfoil-hat flaps but there are also some genuine privacy concerns brought about by people moving their life online and into the hands of even a well-meaning third party.

Check out the Essay on privacy issues in GMail and webmail. I welcome your comments in the blog.

Comments

Great job with your essay here. It pointed out a lot of interesting aspects to this whole GMail debate. I'm a computer science college student right now, and I'm in an honors class that has been talking about this issue for a while now. We'll probably discuss some of your points in length sometime soon.

I wonder, would it be in Google's best interest to create a privacy task force made of people like yourself with an understanding of these issues? Google should obviously care about privacy, because that will be a major barrier to getting people to use their product. If they can get some sort of expert seal of approval by taking a few steps to seal down some possible privacy leaks, they could calm the agitatable senators and appease the public. At the same time they should be able to find a compromise that still allows for a great product.

Anyhow, thanks for offering your insights to the world. It's really a battle of getting people to understand what's at stake, and this hopefully can help do just that.

While I try to be sympathetic with people's privacy concerns, my first response to the announcement of Gmail was to hoot with laughter. I can just imagine the non sequiturs I'd get from robotic reading of my email ... certainly funnier than the headhunter email I get based on publicly posted resumes.

Maybe 1/3 of my email is work-related. Can you imagine what advertising a robot would send me based on "single sign-on" or "function call"?

Another 1/3 concerns the junk I buy on ebay, lots being misspelled or jargonized. The ads would look like a spellchecker trying to make sense out of non-English names.

The rest is a mixed bag of spam, politics, and religion. I can see it now! Seed catalog ads every time I get a missive making jokes about the "shrub".

I have appreciated Google's services since they started. But they run the risk, unless they take your concerns seriously, of becoming a mockery of themselves as well as a legal nightmare.

An oasis of balance amongst a desert of polarised extremes: terrific job, thanks Brad.

Under the "What users can do" section, you rightly point out that Google can be used without allowing cookies, and offer the sound (but rarely adopted) advice to change to a browser with easier cookie-blocking controls.

But Google is significantly enhanced by saving your preferences in a cookie: I wouldn't want to do without them.

Might I suggest an easy, one-click, way to anonymize the Google cookie, whilst using almost any browser, with a GoogleAnon bookmarklet? :-

http://www.imilly.com/google-cookie.htm#anon

I suppose it might qualify as "fancy cookie-management" ;)

Milly

A modest suggestion: encrypt mail _after_ the user views it.

Public keys, a preset period, generate a random key for users who don't bother, scan/index while plaintext, selective user indexing/keywords, etc.

The people at Google can work out the details ;-)

In point of fact, 'privacy' has no protection as far as communication which isn't face-to-face...in something like a Faraday cage. The NSA has rights to all information transfer in the U.S. and has been mandated to pursue it since its inception. Privacy exists purely in degrees. Anyone who has had a security clearance beyond a certain level who doesn't expect to be routinely monitored is naive, for instance. The only privacy that can be realistically expected is from other private parties.
...Glenn

A very informative and balanced essay, this.

In my point of view, the whole gmail privacy thing is a non-issue. I've always viewed web based email as a non-secure communication medium anyway. I have the following reasons for this:-
1. I would never trust ANY third party to uphold my privacy. Hence, i only use web based e-mail for trivial but useful purposes like corresponding with e-com sites, chatting up with friends, job applications, and such.
2. Organizations like the No Such Agency and systems like Carnivore routinely spy on e-mails anyway.
3. Legal authorities can read your e-mails if they really want to.
4. Would i really trust a 3rd party to retain and bacup my important mails? NO. Hence, i won't use them for important items anyway.
5. Frankly, barring work related e-mails, the backup and privacy of which is my company's headache, i hardly generate/read mails that're really private. For all i care, the government, a hacker, a bot, or even the sys admin is welcome to read my birthday greetings, job applications and most importantly, my spam ;-)
6. Information that is really private should not be put on any electronic (or even physical) medium. It's like sticking a "mug me" label on one's back and walking in downtown moo york.

the point you raise in item 2 (i.e., Other webmail providers are doing, or will be doing the same things, meaning these issues apply to all of them, including MSN, Yahoo and others.) was not only well put in my opinion, but also happens to mirror some of my own initial thinking on the subject too.

have not really had an opportunity, nor the time, energy or online access to fully read through your essay yet. will be printing it out so I can take plenty of time to go over and digest it later today.

while I have not yet gathered my own thoughts enough in order to blog a post concerning my own take concerning Gmail, I do intend to stick with the service however.

There is a new email service from a company called Sentinare. It is built with mostly opensource tools (OpenBSD is the main OS).

Privacy is very important to them apparently as they support encryption for all protocols. (IMAP, POP, SMTP-TLS)

You can send mail from anywhere, since they support SMTP-AUTH (over TLS).

They also give our users' control over their spam quarantine. Via a web-interface, you can review items that are quarantined. With a 99%+ success rate, you probably won't need to.

And there are ZERO ADS in their webmail, which is really awesome!

For $3/month, this is a really good deal.

Use GMail, but encrypt your private information.
Simple and free.

Type your E-mail, and click the A-LOCK icon.
http://www.a-lock.com/_site/alock/index.mhtml

appreciate the heads up concerning A-Lock Mel. will be updating my own blog post about Gmail in order to alert people to the information you provided. thank you.

however, if I understand it correctly, it appears that it is only available to those with computers of their own or that can have the downloaded to anyway: i.e., being that my only computer and online access is via public access computers and they do not allow the public downloading new programs on them, I cannot use or access it.

Good point about the public access. I assume they do not permit ANY method of using any user software on the computer? i.e. receive an Email attachment, save on diskette, then run off the diskette?

Excellent piece. I wrote up somethign today (http://www.pushkar.net/archives/000264.php) before I got a link to your blog (from eric /vedana.net). I just hope the good corportate citizen image that google has will still be around after their IPO. I would hate to have signed my life (emails?) away by a click of a button!!

yes Mel, that is correct, for most of them anyway. however some do allow for the use of *virgin* diskettes for storage/word processing purposes; it can only be used on the their computer again though as long as the diskette is not used elsewhere and is stored there at the library. am not sure though if that includes downloading a program onto a diskette only for use on their computer(s) (i.e., stored on the premises) when it is needed for accessing/using Web-based e-mail. good idea. might give ot a check. thank you.

Considering all the real privacy concerns that new technology offers, the last thing I am concerned about is Google scanning my emails to target my ads. I am far more concerned about DigitalAngel implanting their VeriChips in everyone, which would REALLY end privacy and civil freedom as we know it. More on that here:
http://dubiousprofundity.com/article.php/20050524103025821

Trackback from atmaspheric | endeavors:This is a great overview on the issue effecting GMail and even Webmail in general. Worth a deeper look… this is just a quick overview.rnrnI come to this problem from two sides. One, I’m a fan of Google, and have been friends with Googl......

Trackback from BLADAM: Musings on life, love, liberty, and stuff:Public handwringing about Gmail has obscured the larger and more important issues surrounding personal privacy and government intrusions....

Trackback from Daily Ablutions:Why Gmail / Google fans can defect?...

men i love google go to froogggle men

Add new comment