Privacy Complaint Against Google's GMail Service

CRCates writes "Privacy groups in the UK have filed a complaint against Google over its new Gmail service. Privacy groups said they were concerned about Google's ability to link a user's personal details, supplied in the Gmail registration process, to Web-surfing behaviour through the use of a single cookie for its search and mail services. "

So?

[System.out.println()]

You want a gig of email but with privacy? Go sign up at Spymac [spymac.com]. It's also free, and it's already here - and not in beta. And they don't read your email.

also in the BBC

[tuxette]

BBC Article [bbc.co.uk]

Gmail - Opt-In

[Silwenae]

I can understand the concerns Europeans may have, but then again, this is an opt-in procedure.

If you don't want to use Gmail, you have other options through your ISP, other free services, etc.

It just seems to me this is an extension of social networking, but from a business perspective. - target based advertising based on what you surf for based on your cookie.

It seems similar in a way to what Gnome's Nat Friedman wants to do with Dashboard. Based on your email & IM, having the desktop provide you with links to what you're talking about.

To me, the pro's at this point from what we know may outweight the cons - yes they'll target me with ad's based on my surfing behavior, but the ability to index and search my email rather than using "To" "From" and "Subject" headers is definitely a step forward in email management.

Read it.

[mystery_bowler]

Here is the privacy policy. [google.com]

I didn't see anything in there about this particular topic, although there is a bit about the fact that they will be using cookies (natch).

Personally, I find it hard to be too concerned about this. My web-surfing patterns are already recorded in a "soft" way via my browser history and a much "harder" way via my ISP's access logs. I can go out of my way to use proxies and make it difficult to trace, etc, but it isn't like you can't figure out what my machine is doing (unless I'm doing some fairly advanced stuff).

Americans, wake up!

[Infonaut]

This is about European Union privacy laws, which are different than those in the United States. It says so multiple times, quite clearly in the article.

Data Protection Act

[Aardpig]

Look, they aren't charging for the service, nor are they forcing you to use it.

Whether its free or not is irrelevant. In the UK, there is legislation (the so-called Data Protection Act [hmso.gov.uk] ) which places tight constraints on how personal data is archived and managed. If the Google mail service falls foul of this act, then it does not matter whether or not the service is free; it is still breaking the law.

Re:So?

[System.out.println()]

The name is much older than the email service - it used to be just forums, probably for rumor reporting and discussion back in the day.

Now it functions very well as a replacement to .Mac - free, even. 100MB webspace FREE, a gig of email FREE, iCal hosting, 250MB for pictures - yes - FREE. I'm amazed they turn a profit at all. (They have paid web hosting as well, something like $17/month for a couple domains and 1GB webspace... still a pretty good deal.)

Re:Data Protection Act

[AlecC]

But the DPA prevents usage of personal information for purposes other than that for which it was collected. If anybody explains why they are collecting information about you, and receives your OK to do so (opt-in, not opt-out), it does not seem to me that they are breaking the DPA. Google is very open. If they put all this clearly (as they do) in their Terms and Conditions, and then keep to their word, I don't see that the DPA being involved.

Re:Microsoft Exchange?

[dave420]

The real reason they're keeping the data is the way google's distributed file system works.

It uses 64mb-chunks of disk space, and instead of erasing data from within the chunk, it just flags it as deleted, thereby not fragmenting the filesystem fantastically. That method means it's practically impossible to delete the email.

It has to be kept on their filesystem as the inbox is searchable, and 1gb large - raid arrays just wouldn't cope with that stress (and it'd take 3 days to search your mail). The filesystem is the real genius of google - their system is made of hundreds of terabytes of storage on a distributed system. Thousands of servers running redundantly. When one dies (with that many it's a regular occurance) it gets swapped out seamlessly. The processing on the data also requires huge bandwidth throughput.

To me, it looks like the google boys found a great use for their systems, but the very methods that make them great contradict local law in some areas they're selling in.

Oh, and the rules are that different in europe ;)

Re:The conflict is with EU law

[eetiiyupy]

The EU law which might cause the conflict is the Data Protection Directive (95/46/EC). The policy of this law is to try to give citizens some control over what happens to personal data about them. In particular I can consent to some company controlling my personal data within limits which we agree but constrained by law. Google can collect that data, and I expect that the local spooks will want them to hang on to it even when an account is deleted. As long as it is clear that the retention of data following deletion of an account is only for law enforcement and not for commercial purposes they might be OK. Suppose Google is bought by a mega-corp we don't like, it's going to be a real pain for us all to change our email addresses, and what is this new owner going to be able to do with all of that personal data. Data Protection law is not such a bad idea.

Re:Legal rights can usually be waived

[Gumshoe]

Not even the UK Data Protection Act (which exists in various implementations throughout the EU) prevents people from voluntarily submitting information about themselves and allowing Google to store that information indefinitely, if they so like.

I don't think that's the problem. The UK Data Protection Act requires that personal information be purged if the person in question requests it. Google seem to be saying that there is no assurance that this will happen. From Google's privacy policy [google.com] "[Google does not] guarantee the deletion of emails that are archived even if you cancel your account."

It's good that Google are being up front about this but even so, it simply isn't compatable with UK law.

An advantage of not using IE.

[BCW2]

I use Netscape and Mozilla. I started each off with an empty cookie file and visited the sites I wanted to not log into later, like /. . I saved a copy of this file as cookies2. n=Now when I'm done I delete the cookie file and save cookies2 as cookies and avoid all the spyware crap everyone thinks they deserve.
Also if you block all third party cookies, you much less crap to delete anyway.

Re:Privacy policy is here

[scrm]

btw. I tried to sign up, but they send an email to you with a link to activate your account, but I still didnt get the mail (its been 6 hours)...

This happened as soon as I had to submit my reg form:

Warning: mail(): Could not execute mail delivery program '/usr/sbin/sendmail -t -i ' in /var/www/www.spymac.com/classes/global_class.inc on line 617

So it would seem registrations aren't really working on their end. Sorry but I wouldn't say SpyMac isn't looking like a viable alternative to something Google can put out (yet)...

Re:Erase the cookie

[LnxAddct]

Just encrpyt all your emails, they'll have a great profile of random bits :). And they said they'll probably let you use outside clients for free so it makes it even easier to encrypt, no biggy. Regards, Steve

Re:Microsoft Exchange?

[HidingMyName]

The real reason they're keeping the data is the way google's distributed file system work

That argument is bunk.

With a system like that, you could implement a system where "deleted" chunks get purged or overwritten on some semi-regular basis.

It is possible that the grand parent poster did not get the motivation for making the users agree to allow google to maintain the data correct. However, his assertion that backups, checkpointing, caching and distributed storage cause privacy concerns is accurate, and it is a hard problem.

HIPAA (U.S. law which includes penalties for disclosing confidential health information)and other regulations have caused serious concerns in the database and data mining research community (contrary to popular opinion not all data miners want to strip you of your privacy). Rakesh Agrawal [ibm.com], Jerry Kiernan [ibm.com] and Ramakrishnan Srikant [ibm.com](major data base researchers, Srikant and Agrawal made groundbreaking contributions to the field of data mining) published recently (well about 2 years ago or so) on Hippocratic Databases (in gzipped PostScript) [ibm.com], where he describes the hard problem of making the database forget information to conform to legal and ethical restrictions.

Re:Lots of ways to get yourself in the GMail datab

[tricops]

So you send email to their address at GMail, and... okay...

I suppose it could link the contents of the email to your email address/name
(which they could already anyway), but it can't place a cookie of any type on
your system by receiving an email from you. So, the person you're sending to
might be profiled from the email, but that was happening anyway. They made
the choice to subject themselves to it.

You're still personally as safe from that as you ever were.

Re:Not that simple

[Tony Hoyle]

Presumably you haven't read the "Declaration on Combating Terrorism" that the EU member states ratified without any fanfare (or public consultation) a week or so ago.

It makes the US Patriot act look like a walk in the park. gmail is just a distraction.. whilst we're bickering over that our 'privacy' is lost anyway.

One of its measures is the *mandatory* retention of all communications data within europe (inc. email, phone calls, mobile phone calls, faxes and internet usage). No idea how they're going to do that... it'll require a damn big SCSI disk :)

Add to that the compulsory fingerprinting of everyone in Europe, the introduction of biometric passports, tracking all travel in, out and within Europe and retaining this data, oh and the government gets automatic right to inspect your back accounts too...

http://www.statewatch.org/news/2004/mar/swscoreb oa rd.pdf