PGP CTO Blog

First, let's not lose sight of the fact that people "opt in" to Gmail: it's a "want-to" rather than a "have-to" situation. Second, we should recognize that Google isn't doing anything in Gmail that other free email vendors aren't already doing. Yahoo, Earthlink, MSN, and other free email services all scan your incoming email to remove spam (and/or viruses). Google has just turned the tables by adding a sort of personalized spam to email in the form of ads based on message content.

That said, I don't have any specific concerns about Gmail. I think Google is doing with Gmail what they've done with their other systems, and they're taking heat for it not because it is more intrusive than anything else, but because they are waving the existing intrusion under your nose. Type your home phone number into Google and search on it. I get a telephone entry for me and my spouse as well as our address and links to maps or driving directions to our house. Although this is a bit alarming, it's also a bit useful. For example, I just emailed that URL to a friend who is coming over for dinner.

Is an "opt-in" service really a violation of privacy?
Unlike many other things I have to deal with that violate my privacy, I don't have to use Gmail. Consequently, any concerns I might have about it are tempered by this observation. People are very bad at estimating risk in general. We tend to overestimate the risk of things we don't control or are exposed to infrequently and underestimate the risk of things we believe to be in our control or that happen to us frequently. This is why, for example, many people fear flying more than driving in their cars. At the end of the day, if you're against Gmail, then don't subscribe.

This train of thought brings me to the real privacy and risk issue. You can't take any system in a vacuum. Some people find Gmail's content-based ads a little creepy and wonder what else might be going on. Let's not mince words. Let's suppose someone has the misfortune to share the same last name as a suspected terrorist. What happens then? Will Google's indexing do something bad, like sic the Feds on you?

Google says no. Do you believe them? I believe them. I also know that if the Feds decide they want to look through your email, then your ISP-be it Google, Hotmail, Yahoo, AOL, or Earthlink-must comply (subject to the appropriate paperwork). Besides, the Feds aren't going to use Google's system, they're going to use their own. The risks are the same no matter what you do. I trust the Google folks not to snoop on me just as I trust Amazon not to send my shopping preferences to the Attorney General voluntarily. Email is like a postcard, and if you don't want it read, you've come to the right website. We sell strong, proven PGP® technology here.

Never put anything in email you don't want to appear in print
If you send an email to someone who uses Gmail, however, your email will be scanned to determine the appropriate ads to put up. I've entertained myself by sending my Gmail account bits of mail and seeing what pop up as relevant. The specific security issue here is that any time you send anyone else email-no matter which email system you're using-it goes into their system where it can be indexed, forwarded, backed up, and so on. Twenty years ago, my dear friend, Martin Minow, said, "Never put anything in an email that you don't want to see stapled to your résumé." That is still good advice, and applicable to blogs as well as email.

This worry isn't unique to Gmail. If you have another free email system, you probably have no idea what its backup and retention policies are. If someone were embarrassed because you thought something was deleted that was not, I'm afraid my response would be, "What do you expect from free email?"

Is email ever really deleted?
There was another bit of brouhaha about Gmail users perhaps not being able to delete email completely. My reaction on hearing this was, "Well, that's a bug they have to fix." Note that I said "bug," not "privacy violation." I have since verified that you can move a message (or "conversation," in Gmail terminology) to the trash, and from there you can select Delete Forever. My empty trash folder now says, "No conversations in the trash." This approach is less convenient than I'd like, and there's always some risk in forgetting to delete messages. Besides, who needs to delete when you have 1,000MB of storage?" Well, I do, thank you. I think Google also needs to have some purge policies Gmail users can set, such as "delete messages in the trash after xx amount of time."

This worry is a misinterpretation of Google's enthusiasm, along with their being forthright that when you click Delete, things aren't really gone immediately. Of course, the same thing is true for all forms of storage. You may remember that back in the Reagan administration, there was some embarrassment because an email was deleted, but the backup was not. One of the important features of security programs like PGP® Disk is that of securely deleting files. But even that process doesn't delete the backups.

Gmail offers a straightforward risk-benefit proposition: a gigabyte of storage in return for tailored ads. Other Web systems are in some ways Dickensian: they offer a few snippets and want to charge for more. Using Gmail is like being Oliver Twist in the land of the bleeding-heart liberals. The answer to "Please, sir, may I have some more?" is "Certainly, my boy, there's more than you can eat!"

Knowledge (plus technology) is the best defense
The best way to protect yourself from prying eyes (or matching algorithms) in an email system is to use PGP® secure messaging. Encrypted email can't be read or used by anyone else for any purpose, and therefore can't be scanned to determine appropriate ads to include. With security mechanisms such as encryption, however, you also loose the ability to choose between "good" (or useful) add-ons and "bad" ones, even if those are not intrinsically evil as some people insist Google's Gmail is. In fact, I'd like to see ISPs start to integrate systems like PGP Universal™ with their offering to give users even better security and data privacy.

Summary

All free email systems scan your messages-for spam, viruses, or (in the case of Gmail) relevant advertising content-but you can always "opt out" of these systems
Never put anything in an email (or a "blog") that you don't want to be made public
Deleted emails aren't gone unless you delete the backups, too; the same thing is true for all forms of storage
Consider securing your email with strong encryption from industry leaders such as PGP Corporation
Learn how to protect your privacy while using any free email system by consulting the guidelines published by the Electronic Frontier Foundation (see "Background reading")

Background reading

"About Gmail/Frequently Asked Questions"

Electronic Frontier Foundation, "EFFector - Volume 17," April 2004

Kuchinskas, Susan, "Privacy Pressure Applied to Google, Gmail," April 19, 2004

Macworld Daily News, "Google takes ail out of email," April 1, 2004

O'Reilly, Tim, "The Fuss About Gmail and Privacy: Nine Reasons Why It's Bogus," April 16, 2004

World Privacy Forum and Privacy Rights Clearinghouse, "Thirty-One Privacy and Civil Liberties Organizations Urge Google to Suspend Gmail," updated April 19, 2004

PGP News Feed