Google wiretapping case, what the judge ruled

Yesterday I reported that the judge had ruled on Google’s motion to dismiss. Today I’ll take a little bit deeper look at the case and the interesting things that were in denial of the motion to dismiss.
Google is being sued for violations of federal wiretapping laws, the California invasion of privacy act (CIPA) and wiretapping laws in Florida, Pennsylvania and Maryland. This lawsuit is awaiting class certification for the following groups.

  1. all Cable One users who sent a message to a Gmail user and received a reply or received an email;
  2. all Google Apps for Education users who have sent a message to a Gmail user and received a reply or received an email;
  3. all U.S. citizen non-Gmail users (except California residents) who have sent a message to a Gmail user and received a reply or received an email from a Gmail user;
  4. all U.S. citizen non-Gmail users who have sent a message to a Gmail user and received a reply or received an email from a Gmail user;
  5. all Pennsylvania non-Gmail users who have sent a message to a Gmail user and received a reply or received an email from a Gmail user;
  6. all Florida non-Gmail users who have sent a message to a Gmail user and received a reply or received an email from a Gmail user;
  7. all Maryland non-Gmail users who have sent a message to a Gmail user and received a reply or received an email from a Gmail user; and
  8. all Gmail users who were under the age of majority and who used Gmail to send an email to or received an email from a non-Gmail user or a Gmail user under the age of majority.

Plaintiffs are alleging that Gmail intercepts the content of emails, to and from Gmail users, and uses the content of those emails to build user profiles and provide targeted advertising. The initial complaint was filed under seal and is heavily redacted. The Consolidated Complaint is a little less redacted, and asserts there are multiple servers involved in scanning email outside the regular SMTP servers. Plaintiffs allege these servers outside of the normal email handling process take copies of every email going through Gmail. These copies are scanned, not to improve filtering or email handling but solely used to build individual user profiles for the purpose of targeted advertising.
The level of technical detail visible even in the consolidated complaint was surprising to me. The plaintiffs appear to have found someone who knows a lot about mail and advertising processing inside Google, up to and including naming different processing systems involved (CAT2 mixer, NEMO, Caribou server, ICEbox server, etc.) The level of detail leads me to believe these allegations are mostly accurate.
In the motion to dismiss Google lawyers did not deny any of the messaging routing as alleged by the plaintiffs. Rather, they fell back on the claim that their processing was within the “ordinary course of business” and necessary to provide mail service to Google users.
The court, however, found that in all areas that should guide a ruling (case law, statutory law and legislative intent) that ordinary course of business should be interpreted very narrowly.

[T]he Court finds that the section 2510(5)(a)(ii) exception is narrow and designed only to protect electronic communication service providers against a finding of liability under the Wiretap Act where the interception facilitated or was incidental to provision of the electronic communication service at issue. Plaintiffs have plausibly alleged that Google’s reading of their emails was not within this narrow ordinary course of its business. Specifically, Plaintiffs allege that Google intercepts emails for the purposes of creating user profiles and delivering targeted advertising, which are not instrumental to Google’s ability to transmit emails. […] The Court therefore finds that Plaintiffs have plausibly alleged that the interceptions fall outside Google’s ordinary course of business. (pg 20, Document 69)

The plaintiffs also allege that the Google violated its own privacy policies by scanning emails and using the information to build user profiles.

[T]he Court need not determine at this stage whether Plaintiffs will ultimately be able to prove that the Privacy Policies were intended to comprehensively list the information Google may collect. Rather, Plaintiffs’ plausible allegations that the Privacy Policies were exhaustive are sufficient. Because Plaintiffs have alleged that Google exceeded the scope of its own Privacy Policy, the section 2510(5)(a)(ii) exception cannot apply.
Accordingly, the Court DENIES Google’s Motion to Dismiss based on the section 2510(5)(a)(ii) exception. (pg 22, Document 69)

Google also argued that their activities are legal because Google users explicitly consented to their email being monitored and that people who send mail to Google users implicitly consent to Google monitoring their mail. The plaintiffs allege, however, that some users (specifically those attending schools using Google apps for education and customers of ISPs that outsource mail to Google) never actually agreed to those terms.
The judge looks first at the argument that users explicitly consented to Google intercepting mail. During the hearing a lot of time was spent discussing the specifics of the multiple privacy polices and terms of service. The judge repeatedly asked Google’s lawyer “what part of this policy covers email?” Google’s response was “all of it.”
The judge ruling basically says the privacy policies aren’t clear enough for users to be able to consent to interception.

[T]he policies do not put users on notice that their emails are intercepted to create user profiles. The Court therefore finds that a reasonable Gmail user who read the Privacy Policies would not have necessarily understood that her emails were being intercepted to create user profiles or to provide targeted advertisements. Accordingly, the Court finds that it cannot conclude at this phase that the new policies demonstrate that Gmail user Plaintiffs consented to the interceptions. (Document 69, page 26)

The judge then looked at Google’s contention that email senders give implicit consent for email to be intercepted and categorized by Google. I think she said it best.

Google has cited no case that stands for the proposition that users who send emails impliedly consent to interceptions and use of their communications by third parties other than the intended recipient of the email. Nor has Google cited anything that suggests that by doing nothing more than receiving emails from a Gmail user, non-Gmail users have consented to the interception of those communications. Accepting Google’s theory of implied consent — that by merely sending emails to or receiving emails from a Gmail user, a non-Gmail user has consented to Google’s interception of such emails for any purposes — would eviscerate the rule against interception. (Document 69, pg 27)

Those are the alleged violations of Federal Wiretapping law. The consolidate complaint also alleges violations of the California Invasion of Privacy Act (CIPA) and various state wiretapping laws. Given the length of this post, I’ll leave the federal claims here and I’ll look at the CIPA and state allegations in future blog posts.
(All the docs I’ve downloaded are available on my Google Drive)

Related Posts

Judge sides with plaintiff, refuses to dismiss wiretapping suit against Google

Judge Koh published her ruling on Google’s motion to dismiss today.
It’s a 43 page ruling, which I’m still digesting. But the short answer is that Google’s motion was denied almost in total. Google’s motion was granted for two of the claims: that email is confidential as defined by the California Invasion of Privacy Act (CIPA, section 632) and dismissal of a claim under Pennsylvania law.

Read More

Changes at Gmail

As I’ve said before, I can usually tell when some ISP changes their filtering algorithm because I start getting tons and tons of calls about delivery problems at that ISP. This past month it’s been Gmail.
There have been two symptoms I’ve been hearing about. One is an increase in bulk folder delivery for mail that previously was reliably hitting the inbox. The other is a bit more interesting. I’ve heard of 3 different mailers, with good reputations and very clean lists, that are seeing 4xx delays on some of their mail. The only consistency I, and my colleagues at some ESPs, have identified is that the mail is “bursty.”
The senders affected by this do send out mail daily, but the daily mail is primarily order confirmations or receipts or other transactional mails. They send bi-weekly newsletters, though, exploding their volume from a few tens of thousands up to hundreds of thousands. This seems to trigger Gmail to defer mail. It does get delivered eventually. It’s frustrating to try and deal with because neither side is really doing anything wrong, but good senders are seeing delivery delays.
For the bulk foldering, Bronto has a good blog post talking about the changes and offering some solid suggestions for how to deal with them. I’m also hearing from some folks who are reliable that Gmail may be rolling back some of the bulk foldering changes based on feedback from their users.
So if you’re seeing changes at Gmail, it’s not just you.

Read More

Gmail shows authentication data to the recipient

Yesterday Gmail rolled out some changes to their interface. One of the changes is that they are now showing end users authentication results in the user screen.
It’s really the next step in email authentication, showing the results to the end user.
So how does Google do this? Google is checking both SPF and DKIM. If mail is authenticated and the authentication matches the from address then they display the email as:
mail from steve to me
If we click on “details” for that message, we find more specific information.
full details of message showing signing domain and spf domainIn this case the mail went through our outgoing mailserver to gmail.
Mailed-by indicates that the message passed SPF and that the IP address is a valid source of mail from wordtothewise.com.
Signed-by shows the domain in the DKIM d=. In this case, we signed with the subdomain dt.wordtothewise.com. That’s what happens when you sign using the domain in the From address (or a subdomain of it).
For a lot of bulk senders, though, their mail is signed using their ESP’s domain instead.  In that case Gmail shows who signed the mail as well as the from address.

And when we click on “details” for that message we see:
3rd party signature detailsThis is an email from a sender using Madmimi as an ESP. Madmimi is handling both the SPF authentication and the DKIM authentication.
As an aside, this particular  sender has a high enough reputation that Gmail is offering me an unsubscribe option in their interface.
Gmail is distinguishing between first party and third party signatures in authentication. If the mail is authenticated, but the authentication appears to be handled by a separate entity, then Gmail is alerting recipients to that fact.
What does this mean for bulk senders?
For senders that are signing with a domain that matches their From: domain, there is no change. Recipients will not see any mention of your ESP in the headers.
However, if you are using an ESP that is signing your mail with a domain they own, then your recipients will see that information displayed in the email interface. If you don’t want this to be displayed by Gmail, then you will need to move to first party signing. Talk to your ESP about this. If they’re unsure of how to manage it, you can point them to DKIM Core for an Email Service Provider.
Gmail blogpost about the changes
Gmail help page about authentication results

Read More