Skip to main content

bMail and Google’s “Content One Box”

Chris Hoofnagle, adjunct professor of information | March 1, 2014

A lawsuit against Google alleging that its Gmail service is in effect a wiretap sheds light upon bMail, specifically concerning whether Google is scanning our communications in bMail. In the suit, plaintiffs allege that Google is intercepting communications and building profiles on users based upon their email traffic, and that this is illegal in part because Google is analyzing communications before users even open their email.

Much of the record in the case is redacted, but at a hearing this week, a key allegation, previously obscured by sealed documents and redactions, was aired: Joel Rosenblatt of Bloomberg reports that in 2010, Google moved an appliance (called the “content one box”) from the storage systems for Gmail to the delivery system. Why might Google do this? If one uses Gmail with a client, such as Outlook, Apple Mail, or on a phone, Google cannot show ads. By moving the content one device, apparently a greater proportion of email traffic (all traffic) would be subject to the company’s analytic systems. Such an approach would enhance Google’s ad targeting, because it would have more users to build profiles upon.

Hiding ads while analyzing data takes advantage of a key deficit users have around internet services: users only perceive profiling if they receive ads. The content one box infrastructure would allow Google to understand the meaning of all of our communications: the identities of the people with whom we collaborate, the compounds of drugs we are testing, the next big thing we are inventing, etc. Imagine the creative product of all of Berkeley combined, scanned by a single company’s “free” email system. Through the glass of the Fread v. Google lawsuit, darkly, we are just beginning to understand what it means to outsource our communications system.

Why should we take the allegation seriously? It fits within the publicly-available information about the case. Several highly redacted documents filed with the court make it clear that sometime in “20XX” Google made an important change to how messages were routed through Gmail.

Google seems to be arguing that it had consent for this scanning — rather than denying the existence of content one — and that consent was obtained by universities themselves when implementing services such as bMail. A declaration by a Google employee cites dozens of examples of news articles and public controversy surrounding Gmail scanning, which apparently put the world on notice of Google’s activities. Google’s representative even cites to a 2011 article claiming in part, “Google will now begin building a profile about you based on all of your emails. It’s this profile that will then be used to deliver advertising to you.”

The content one allegation is bad news for Google. The wiretapping law has a heightened consent requirement, thus only actual or implied consent is valid. It will be difficult for Google to claim that users and campuses consented to the interception of their communications, because over and over, campuses were assured that there would be no advertising in apps for education. Since school officials were in the dark about Gmail scanning, it will be difficult to argue that these school officials fairly obtained consent from students.

Those campuses that negotiated a “no data mining” provision are in the best position to argue that there was no consent, because they specifically rejected such data analysis. And they are likely to have a claim because the placement of the content one box suggests that data mining is taking place over the entire stream of traffic. All campuses have to evaluate whether the content one scanning is consistent with our obligations under the FERPA.

It has always been understood that communications providers sometimes have to access content of user communications for technical rendition of service. Thus, phone companies can, through sampling, listen to calls to check for sound quality. Internet providers can screen for malware and the like. But Google argues that it is “ordinary” for a service provider to read content of individuals’ communications for business purposes, such as pitching advertising. Google’s position would allow AT&T and Verizon to listen to your calls and voicemail in order to pitch advertising, or the Postal Service to break the seal of your envelopes to stuff ads in them.

Given Google’s positions in other cases, we could be more savvy about this company’s ideology and what our support of it means for society. For instance, in another case, Google argued that individuals have no privacy interest in their unencrypted wifi signals. Under this logic, Google could intercept Airbears traffic and read your emails and monitor your browsing activity. We have outsourced our email and documents to a company that believes that technical might equals right.


Benjamin Herold of Education Week reports: “A Google spokeswoman confirmed to Education Week that the company “scans and indexes” the emails of all Apps for Education users for a variety of purposes, including potential advertising, via automated processes that cannot be turned off-even for Apps for Education customers who elect not to receive ads. The company would not say whether those email scans are used to help build profiles of students or other Apps for Education users, but said the results of its data mining are not used to actually target ads to Apps for Education users unless they choose to receive them.”

In its defense, Google uses industry-standard privacy PR that is irrelevant to the concern raised and devoid of content: “Mr. [Bram] Bout of Google, in his statement to Education Week, said the company is ‘committed to protecting the privacy and security of our users—and that includes students—to make sure their information is safe, secure, and always available to them.'”

–Google Under Fire for Data-Mining Student Email Messages, Education Week, March 13, 2014.


Comments to “bMail and Google’s “Content One Box”

  1. Please.

    The claim that Google intercepts emails SENT to Google doesn’t even pass the laugh test.

    The whole thing is a lawyers scam.

  2. The infrastructure of the Internet needs to be publicly owned – the fiber optic cable, routers, storage, and core mail servers. Google, Facebook and other businesses would contract for access as needed to provide the services they offer advertisers and users.

    This step would at least make the governance and administration a matter of public decision. As the NSA shows, that does not guarantee democracy. But note how much controversy Snowden stirred about the NSA, while the steady stream of revelations about Google and the other corporate monsters causes little commotion.

  3. From the start, one has to question, in and of itself, the outsourcing — something UC Berkeley and the entire UC system, I have gathered, are doing more and more frequently -— even to the extent of having to go to an outside source, as just one example, to provide documentary proof that one is receiving retirement benefits when applying for a home loan.

    Then, depending on the bank involved, it may refuse to pay the fee demanded by the outside source, which brings one back to humbly request that UCOP actually write an official letter validating that one does receive that income. And few seem to question the likelihood that an outside source is very likely to be extremely expensive —- but perhaps in the long run less expensive than regular staff, since staff can be laid off, or tapered off by attrition, and such annoying costs as health benefits and pensions need not be expended.

    In the case of Google, I’m sure many UC tech staff have been retained, as the whole field is mushrooming, but I’m also sure the services provided by Google are not inexpensive, to say the least. And if these services were kept within staff purview, many more jobs would be created -— a good thing!

    Finally, the issue of privacy — let’s face it, NSA, the CIA (its cloud now part of Amazon) and numerous other agencies and corporations can tap into your work/play/purchases/and see through your camera’s eyes. The struggle to reassert the first amendment (among other rights) may seem hopeless already, but we have no choice but to advocate for our privacy as best we can, come up with updated safeguards, and continue to engage with as much energy as we can muster in the constant struggle we call freedom!

    IMHO, the Google contract should be cancelled (on the basis of their failure to disclose) and responsibility for this complex task be returned to the University, with an expanded and diverse work force, and regularized oversight by, for example, a rotating student/grad student/faculty committee across a continuum of class, race, sex/sexual preference, age, economic status, and political viewpoints to strive for the greatest possible protection.

    Google may seem “progressive” at the moment, but given its recent activities/acquisitions etc. (along with five or six other web-based behemoths) sometimes I think its real name is “Gobble.”

  4. It is true? It has been a big question on Google; people say Google accesses our email content and based on those content, they serve ads.

Comments are closed.