Always Use Protection: A Teen's Guide to Safe Computing

Privacy - GMail and the Government (SB1822)

Recently I was asked what I thought about California Senate Bill SB-1822. This bill, relating to online privacy, was initially the "anti-GMail" bill - the one that would make Google's GMail illegal. But it's evolved considerably since it first appeared and deserves a second look.

 

At issue is the question of who can look at the content of your email communication and how. Software already looks inside your messages for a number of purposes - routing software to direct them to the right person, antivirus software to remove viruses, antispam software to detect spam. What Google wants to do with GMail is scan your messages for certain keywords and deliver advertising on subjects that relate to the content of each message.

 

In its initial form, SB1822 would have banned this form of advertising unless both the sender and recipient agreed. Obviously the recipient (who is using GMail) approves, but getting permission from the sender would be a problem, and would effectively stop GMail.

 

Here is the problem that concerned the Senate: Sure, the people who use GMail are agreeing to its use. But imagine this: Google has the Email addresses of the sender and recipient. They could build up a database of ads that were served up, listing them both by sender and recipient. It wouldn't take long before they would have a vast (and valuable) database that listed tens of millions of email addresses, and what each of those people was interested in. This is obviously a serious privacy issue - and the database could include those who sent email to someone holding a GMail account, people who never agreed to have that kind of information collected about them.

 

Now don't get me wrong - Google says they never planned to build such a database and I believe them. But while I do trust Google and its willingness to stick with its privacy policy, there are plenty of companies out there that I wouldn't trust.

 

In its current version, the bill has been revised in a way that makes a lot of sense. It basically blocks the creation of any such database, and adds additional restrictions on selling any information collected. It also makes Google (and similar Email providers) guarantee that when you delete an Email message they will actually delete it and not keep a copy around - another important privacy issue.

 

The bill isn't perfect. There are concerns that because of the way it is written it might slow innovation, in that it could be interpreted as banning any content analysis of Email other than the kinds listed in the bill. For example: a mail service that automatically translated email between languages might be illegal. Hopefully these problems will be addressed before the bill becomes law.

 

One way in which this bill is unusual is that the government usually doesn't start legislating until after a problem has become serious (and often not even then). As a society we too rarely consider the consequences of a new technology until after it is deployed, so this represents unusual foresight on the part of the state Senate.

 

Reading Between The Lines

As interesting as the bill itself is (and the issues it raises), there are some other facts relating to this bill that are in many ways even more interesting, for example:

  • Even though it is often illegal for someone to intercept your email, most email is sent unencrypted, meaning that it is readable by anyone who has access to any system your email passes through (look at the headers on an email message to see the routing - it's not unusual for a message to go through half a dozen different computers on its way to its destination).
  • SB1822, like most similar laws, does not consider a company you work for to be an email provider. In other words, your boss at work can intercept and read your email, add advertising, make copies, or do pretty much anything he or she wants with it. 
  • The first version of this bill included a clause where if someone sold your social security number and it was misused (say, for identity theft), you could sue them for damages. I'd sure like to reopen that issue.
  • Google is currently neutral on the bill. The opposition comes from an industry group called "The Internet Alliance" which is, guess what - owned by the Direct Marketing Association (those are the good folks who bring you junk mail, telemarketing calls and some kinds of spam... uh, excuse me... the people who save you time and make it easier for you to shop by collecting information about you and providing you offers that are most likely to interest you).
  • The whole question of how and to what degree the California Legislature (and other states) can truly legislate the Internet is an open question. Many of these issues really should be addressed on a national (if not international) level. California law bears watching though, as it tends to be more consumer and privacy friendly than Federal law.

Conclusion

As those of you who have read "Always Use Protection" know, I have a definite bias in favor of privacy. While I do think the bill could use a bit more work to make sure non-marketing related innovation is not slowed, the bill is fundamentally a good one.

 

 

View the bill text and status here

 

 

 

Copyright © 2005 by Daniel Appleman. All Rights Reserved.