Google’s Lawyers Admit To gmail Privacy Leak

The background: Google was sued recently regarding their efforts to prevent click-fraud in AdWords. It was a class-action suit, which basically means that there are a large number of people who were “harmed” by the tortious action at issue and that some lawyer has taken it upon themselves to sue on behalf of all of the ones who don’t opt out. Class action suits are a huge scam but that is another matter altogether.

Google attempted to settle the suit. In the process, the would have to contact class members (the people who have theoretically lost money due to fradulent clicks), and they hired a firm which specializes in this sort of work. So far so good. And that firm zealously tried to contact class members in a variety of ways, including through snail mail and email. So far so good.

Now, we all know the problems with getting mail to large numbers of people. Mail addresses changed, people go on vacation, challenge-response systems are engaged, what have you. The firm zealously tried to correct for all of these, by investigating new email addresses, tracking people down after vacation, clicking through the “I am a human” tests, etc. So far so good.
Now, what is the other main way for a mail delivery to fail? Spam filters. Now, remember, as a class member you haven’t opted-in to the lawsuit or the settlement. You might not even think you’ve been harmed by the action at issue, or you have no desire to waste your time for what is typically a sliver of a credit (the attourneys, of course, get 25%-33% of millions — in this case attourney fees will probably go above $20 million). So you might understandably not want to really talk to someone wanting to talk to you about the lawsuit. In this case, service from an agent of Google’s to tell you about your rights regarding the lawsuit is spam. You didn’t ask for it, you don’t want it, and it has a commercial purpose (they’re being paid to get the email to you, and the email is sent to divide up a pot of money — although unlike most spam its not your money).

So, as can be expected, lots of these advertisers have Gmail accounts. And what did Google do? It checked them. Google algorithmically peaked at all the accounts on the list their agent had developed which they had access to, to see if the mail was marked spam or not. There were 75,000 accounts in which it was marked spam, and an unknown (larger) amount of accounts must have been compromised to get that statistic.

Unhinged rantings of a conspiracy nut? Well, no. Google’s lawyers bragged about this in a recent document they filed to the court regarding the settlement (which is tied up in legal wrangling). In relevant part (page 13 of the pdf of the document which Matt Cutts provided on his blog while responding to concerns about click fraud):

Gilardi [ed: the firm Google was using to contact people] also re-sent 74,591 email notices to intended recipients whose addresses ended in “” and “”, and for whom Google had information that the first email notice had been directed to the recipient’s spam folder. (italics mine)

Google is apparently hunky-dory with this. Its essential for the Google lawyers to demonstate that their notices stand up to certain legal requirements regarding legitimately trying to notify class members (note that its completely non-essential to go peeking). Google brags on page twelve:

[T]here is no question that Google complied with the notice procedures ordered by this court. In fact, Google did more than was required to provide the best notice practicable. (italics mine)

I’m sorry Google, I just don’t remember telling you you could go peeking at the mail, even to “provide the best notice practicable”. As a matter of fact, given that I know you’ll be storing it for life I actually bothered to read that privacy policy of yours. Lets see, where was it… aha.

Information sharing

Google only shares personal information with other companies or individuals outside of Google in the following limited circumstances:

  • We have your consent. We require opt-in consent for the sharing of any sensitive personal information.
  • We provide such information to our subsidiaries, affiliated companies or other trusted businesses or persons for the purpose of processing personal information on our behalf. We require that these parties agree to process such information based on our instructions and in compliance with this Policy and any other appropriate confidentiality and security measures.
  • We have a good faith belief that access, use, preservation or disclosure of such information is reasonably necessary to (a) satisfy any applicable law, regulation, legal process or enforceable governmental request, (b) enforce applicable Terms of Service, including investigation of potential violations thereof, (c) detect, prevent, or otherwise address fraud, security or technical issues, or (d) protect against imminent harm to the rights, property or safety of Google, its users or the public as required or permitted by law.

Hmm, thats what I remember: opt-in consent for all disclosures of private data. I think the contents of my inbox is pretty darn private. So that ones out. You’ve already explained in your own words that the peeping was more than the court required, so excuse #3 is out. So what about #2: were you “processing information on [Google’s] behalf”? If you were, then this exemption swallows the entirety of the policy policy!

I’m less than happy, and now seriously wondering if all those business documents I’ve got floating around my Gmail inbox are going to end up in the hands of your lawyers without so much as a by-your-leave if your lawyers, in their sole discretion, think its for my own good strategically a good idea to get Google out of a lawsuit.

Do no evil, indeed.

[Edit: Fixed spelling mistakes and bolded some juicy bits.]

Explore posts in the same categories: Uncategorized

31 Comments on “Google’s Lawyers Admit To gmail Privacy Leak”

  1. DanD Says:

    Email is progressively moving to the web, as opposed to the traditional “local” POP3 mail. This is wrong, if you value your email and privacy, it should be under *your* control. Also, email must change in a way that each one of us decide what is spam and what is not.

    The new EmailXT proposal of a new protocol makes your email private, and defeats any non-authorized bulk emailing. Among other nice features. I strongly advise it for all those privacy-sensitive out there. DKIM and SenderID are out.

    People, forget GMail/Yahoo/Hotmail. Keep your email to yourself. ’nuff said!


  2. Great read. I think Google’s gone in too deep this time.

  3. JeeBs Says:

    I run my own mail server at work, and messages that are flagged as spam get noted in a log file. I can easily search this log file to see if a particular sender is being blocked, without seeing the message contents or looking in a user’s mail. What I’m wondering is if this is maybe what Google did, instead of going through everyone’s spam folder. The quote from the Google lawyer is: “…for whom Google had information that the first email notice had been directed to the recipient’s spam folder.” This looks like a case of a non-technical person making assumptions about ‘the way things work’, without really knowing anything at all, or wanting some dirt on Google, and jumping to conclusions.

  4. Sorry but, how “checking algorithmically a spam flag” in any way violates my privacy? O_o

    You know that the search engine in your GMail account to work must index in a database all your mails, uh? 😀

  5. Gabe Says:

    Google keeps logs and can generate stats from those logs at any time. If they generate a log event that says ‘message id 5475 was marked as spam by user foobar’, and they record that event every time the user marks a message as spam…


    No need to get hysterical about this. This is not necessarily a privacy breach. It sounds like Google generated some stats and drew some conclusions – so what?

    Congrats on the Digg – goes to show a little paranoia is all it takes to hit front page.

  6. Was it really them peeping into your inbox? More like your spam box, but probably not even that. They can probably tell by looking at what your spam filter has learned about you. And even then ‘They’ is probably an automated script. I figure the only potentially private thing they found out is that their mail would be automatically sent to the spam filter. Which unless you setup a filter specifically for that type of mail, it probably wasn’t that private. I don’t really have a problem with this. It’s not like they looked through some one’s inbox to extract specific emails that prove they are innocent.

  7. tak Says:

    They are google’s servers, they can do what they like. If you don’t like it, run your own mail server!

  8. Chris Jones Says:

    You want to fix more of your spelling, peak -> peek at the very least.

    Also, what crack are you on? Google didn’t share your information with anyone, they used it themselves to ensure the mails were delivered. So that makes your privacy policy quotes irrelevant.
    You also state that they did the peeking algorithmically, so they haven’t actually read your emails or sent them to their lawyers. You also should know that they do spam filtering on gmail accounts, so they are already algorithmically reading every single email you receive. You should also know that they explicitly state in the terms/policies that they don’t guarantee to actually physically delete an email you delete in gmail.

    Basically, you have chosen to let someone else host, manage, filter and provide your email and now you’re complaining that they have been trying to do a good job of it. If you’re that paranoid or you are indeed using it for company documents, you’re a fool. Would you put sensitive documents in an email folder on Yahoo mail? or Hotmail? If you would, you’re a bigger fool.
    Get your own domain, your own mail server, your own filtering software, your own webmail software and encrypt the hell out of all of it. That’s the only way your mail will be safe, ignoring the obvious fact that it travels across the Internet from one mail server to another in plain text.

    Basically, this blog post is pure nonsense, I suggest not reading it unless you are bored 😉

  9. Simon Tooke Says:

    I fail to see how having a shell script check for the existance of an email with a known title and sender ina folder list counts as “peeking at email”. Seems like most commenters feel the same way.

  10. xurizaemon Says:

    you’re paranoid. think about it from the spam-filterer’s point of view; what’s a key way to identify the spammers? source address. assume that they keep an index saying “1,000,000,000 spams filtered from“, right?

    so in that instance, which is a pretty fair assumption, it would be fairly easy to glance at the spamdex and say “oh, 75K spams filtered from that address”

    i don’t see what’s so scary and disastrous about this. (no, i don’t work for google.)

    you already know they index the contents of the mails, that’s their whole business model. no news there.


  11. Irfan Says:


  12. Shawn Says:

    OMG they were looking for something, they wrent reading every little love letter from big bertha or whoever your ugly woman or w/e might be. get over it. like they had the time to read 75,000 emails. NO! they were looking for something. and anyone that is smart enough could read your email. i could go read your emails right now … if i had the time. so get over it. ITS FREE AND ITS THEIRS .. DONT LIKE IT DONT USE IT. not like they are gonna go forwarding it to everyone on the internet. STFU get a life

  13. vs1400 Says:

    I fail to see how the message they were looking for (and counting), using an automated means is divulging your “sensitive personal information”. There are very clear guidelines on what constitutes this type of information, and it does not appear that Google has even come close to breaching that.

    But of course, you’d probably write an entirely different FUD-filled piece if Google hadn’t done that, and simply paid this sly-assed lawyer the millions of dollars because someone (thousands of people?) clicked the “Report Spam” button on their crappy email message.

  14. Menzonius Says:

    Here are some tips for all people concerned about email and privacy: using pop email from your provider is not going to completely protect you from other people intercepting and reading your e-mail. If you are concerned about your privacy, then you must use OpenPGP to encrypt your email (search for GnuPG) and do not EVER communicate anything via email (passwords, credit card information, your AIDS test results, nude pictures with artsy poses) that you would not mind the whole world knowing about. Just my two cents.

  15. ammoQ Says:

    Paranoid people should not use Gmail.

  16. Shawn Says:

    Or… they shouldnt use the internet at all

  17. Keith Says:

    When you decides to store information on an external server, expect that piece of delicate information to be compromised anytime. Lots of enhanced features do come with a price to pay.

  18. mystery paint Says:

    If Google owns gmail, they dont have the right to look into their own system?? It’s a free service on their system. Am I missing something here?Too many people complaining about a free service and their rights…

  19. engtech Says:

    I don’t think this is a big deal. It’s not like they had someone read any of that mail.

    They used one of the search algorithms they must already have in place to check if a specific email is spam.

  20. Rees Says:

    Ooh! Nice headline. It got me curious. Bit sensationalist though.

  21. Shawn Says:

    Hey for the last couple ppl to post.. THANKS for REPEATING what i said… im sure everyone loves to read what i said over and over being reworded by someone else..

  22. cgot Says:

    First china, now this. Whatever happend to “don’t be evil”?

    check out my blog at

  23. besttanning Says:

    Email should be like the regular mail. No one can tamper with it unless it addressed to them.

  24. Shawn Says:

    Uh.. technically if its in their posession its theirs.. its on their property.. kinda like if i built something on ur land and u took it.. then well i cant do anything about it

  25. James Says:

    First, they didn’t share it.
    Second, they effectively used a shell script to search for an email and double check that it wasn’t marked as spam. I seriously doubt any humans actually read said mail.
    Do you have a problem with an indexed version of your email being scanned by a machine to make sure you get important documents? Oh, wait. That already happens anyway…

  26. I really don’t mind, Google can look at my emails as much as they want as long as I am using their free service. I have to admit that when I signed up to Gmail I knew my stuff would be looked at – not ecactly looked at by some mid-level manager at Google but at least some bot of sorts.

    Great read, and your right about class actions being a scam…

  27. eteraz Says:

    i just read the post and not the comments:

    the email is not spam b/c it informs an individual about their individual rights.

    it is a form of legal process. no spam ever does that.

  28. eteraz Says:

    also, they are merely following what’s permitted by Federal Rules of Civil Procedure Rule 23. Hope you got a lot of hits out of dissing Google.

    Wish I would have thunked it.

  29. […] This is unreal: Google voluntarily "peaked" at the contents of over 75,000 gmail accounts to convince a judge that they were eager to settle a lawsuit. Specifically, they checked whether a message a Google-affiliated law firm had sent was marked as spam or not. The whole thing is recounted in a linked pdf-ed legal filing. Do no evil, huh?read more | digg story […]

  30. Joe K Says:

    Yeah – class actions are a real scam. They forced the auto industry to actually recall cars.

  31. […] private is? I was reading this article about Gmail admits privacy Leak. What worries me more then Google privacy is an Amazon […]

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: