Opinion, Berkeley Blogs

bMail and Google's "Content One Box"

By Chris Hoofnagle

A lawsuit against Google alleging that its Gmail service is in effect a wiretap sheds light upon bMail, specifically concerning whether Google is scanning our communications in bMail. In the suit, plaintiffs allege that Google is intercepting communications and building profiles on users based upon their email traffic, and that this is illegal in part because Google is analyzing communications before users even open their email.

Much of the record in the case is redacted, but at a hearing this week, a key allegation, previously obscured by sealed documents and redactions, was aired: Joel Rosenblatt of Bloomberg reports that in 2010, Google moved an appliance (called the "content one box") from the storage systems for Gmail to the delivery system. Why might Google do this? If one uses Gmail with a client, such as Outlook, Apple Mail, or on a phone, Google cannot show ads. By moving the content one device, apparently a greater proportion of email traffic (all traffic) would be subject to the company's analytic systems. Such an approach would enhance Google's ad targeting, because it would have more users to build profiles upon.

Hiding ads while analyzing data takes advantage of a key deficit users have around internet services: users only perceive profiling if they receive ads. The content one box infrastructure would allow Google to understand the meaning of all of our communications: the identities of the people with whom we collaborate, the compounds of drugs we are testing, the next big thing we are inventing, etc. Imagine the creative product of all of Berkeley combined, scanned by a single company's "free" email system. Through the glass of the Fread v. Google lawsuit, darkly, we are just beginning to understand what it means to outsource our communications system.

Why should we take the allegation seriously? It fits within the publicly-available information about the case. Several highly redacted documents filed with the court make it clear that sometime in "20XX" Google made an important change to how messages were routed through Gmail.

Google seems to be arguing that it had consent for this scanning — rather than denying the existence of content one — and that consent was obtained by universities themselves when implementing services such as bMail. A declaration by a Google employee cites dozens of examples of news articles and public controversy surrounding Gmail scanning, which apparently put the world on notice of Google's activities. Google's representative even cites to a 2011 article claiming in part, "Google will now begin building a profile about you based on all of your emails. It’s this profile that will then be used to deliver advertising to you."

The content one allegation is bad news for Google. The wiretapping law has a heightened consent requirement, thus only actual or implied consent is valid. It will be difficult for Google to claim that users and campuses consented to the interception of their communications, because over and over, campuses were assured that there would be no advertising in apps for education. Since school officials were in the dark about Gmail scanning, it will be difficult to argue that these school officials fairly obtained consent from students.

Those campuses that negotiated a "no data mining" provision are in the best position to argue that there was no consent, because they specifically rejected such data analysis. And they are likely to have a claim because the placement of the content one box suggests that data mining is taking place over the entire stream of traffic. All campuses have to evaluate whether the content one scanning is consistent with our obligations under the FERPA.

It has always been understood that communications providers sometimes have to access content of user communications for technical rendition of service. Thus, phone companies can, through sampling, listen to calls to check for sound quality. Internet providers can screen for malware and the like. But Google argues that it is "ordinary" for a service provider to read content of individuals' communications for business purposes, such as pitching advertising. Google's position would allow AT&T and Verizon to listen to your calls and voicemail in order to pitch advertising, or the Postal Service to break the seal of your envelopes to stuff ads in them.

Given Google's positions in other cases, we could be more savvy about this company's ideology and what our support of it means for society. For instance, in another case, Google argued that individuals have no privacy interest in their unencrypted wifi signals. Under this logic, Google could intercept Airbears traffic and read your emails and monitor your browsing activity. We have outsourced our email and documents to a company that believes that technical might equals right.

Update:

Benjamin Herold of Education Week reports: "A Google spokeswoman confirmed to Education Week that the company "scans and indexes" the emails of all Apps for Education users for a variety of purposes, including potential advertising, via automated processes that cannot be turned off-even for Apps for Education customers who elect not to receive ads. The company would not say whether those email scans are used to help build profiles of students or other Apps for Education users, but said the results of its data mining are not used to actually target ads to Apps for Education users unless they choose to receive them."

In its defense, Google uses industry-standard privacy PR that is irrelevant to the concern raised and devoid of content: "Mr. [Bram] Bout of Google, in his statement to Education Week, said the company is 'committed to protecting the privacy and security of our users—and that includes students—to make sure their information is safe, secure, and always available to them.'"

–Google Under Fire for Data-Mining Student Email Messages, Education Week, March 13, 2014.

Related:

  • Is Google Reading Your bMail?
  • The Good, Not So Good, and Long View on bMail