Privacy - GMail and the Government (SB1822)
Recently I was asked what I thought about California Senate
Bill SB-1822. This bill, relating to online privacy, was initially
the "anti-GMail" bill - the one that would make Google's
GMail illegal. But it's evolved considerably since it first
appeared and deserves a second look.
At issue is the question of who can look at the content of your
email communication and how. Software already looks inside your
messages for a number of purposes - routing software to direct it
to the right person, antivirus software to remove viruses, antispam
software to detect spam. What Google wants to do with Email is
scan your messages for certain keywords and deliver advertising on
subjects that relate to the content of that message.
In its initial form, SB1822 would have banned this form of
advertising unless both the sender and recipient agreed. Obviously
the recipient (who is using GMail) approves, but getting
permission from the sender would be a problem, and would
effectively stop GMail.
Here is the problem that concerned the Senate: Sure, the people
who use GMail are agreeing to its use. But imagine this: Google
has the Email address of the sender and recipient. They could
build up a database of ads that were served up, listing them both
by sender and recipient. It wouldn't take long before they would
have a vast (and valuable) database that listed tens of millions
of email addresses, and what each of those people was interested
in. This is obviously a serious privacy issue - and the database
could include those who sent email to someone holding a GMail
account, and those people never agreed to have that kind of
information collected about them.
Now don't get me wrong - Google says they never planned
building a database and I believe them. But while I do trust
are plenty of companies out there who I wouldn't trust.
In its current version, the bill has been revised in a way that
makes a lot of sense. It basically blocks the creation of any such
database, and adds additional restrictions on selling any
information collected. It also makes Google (and similar Email
providers) guarantee that when you delete and Email message they
will actually delete it and not keep a copy around - another
important privacy issue.
The bill isn't perfect. There are concerns that because of the
way it is written it might slow innovation, in that it could be
interpreted as banning any content analysis of Email other than
those listed in the bill. For example: a mail service that
automatically translated email between languages might be illegal.
Hopefully these problems will be addressed before the bill becomes
One way in which this bill is unusual is that usually the
government doesn't start legislating until after a problem has
become serious (and often not even then). We too rarely in our
society consider the consequences of deploying a new technology
until after it is deployed, so this represents unusual foresight
on the part of the state Senate.
Reading Between The Lines
As interesting as the bill itself is (and the issues it
raises), there are some other facts relating to this bill that are
in many ways even more interesting, for example:
- Even though it is often illegal for someone to intercept
your email, most email is sent unencrypted, meaning that it is
readable by anyone who has access to the system which your
email goes through (look at the headers on an email message to
see the routing - it's not unusual for a message to go through
half a dozen different computers on its way to its
- SB1822, like most similar laws, does not consider a company
you work for to be an email provider. In other words, your
boss at work can intercept and read your email, add
advertising, make copies, or do pretty much anything he or she
wants with it.
- The first version of this bill included a clause where if
someone sold your social security number and it was misused
(say, for identity theft), you could sue them for damages. I'd
sure like to reopen that issue.
- Google is currently neutral on bill. The opposition comes
from an industry group called "The Internet
Alliance" which is, guess what - owned by the Direct
Marketing Association (those are the good folks who bring you
junk mail, telemarketing calls and some kinds of spam... uh
excuse me.. the people who save you time and make it easier
for you to shop by collecting information about you and
providing you offers that are most likely to interest you).
- The whole question of how and to what degree the California
Legislature (and other states) can truly legislate the
Internet is an open question. Many of these issues really
should be addressed on a national (if not international)
level. California law bears watching though, as it tends to be
more consumer and privacy friendly than Federal law.
As those of you who have read "Always Use Protection"
know, I have a definite bias in favor of privacy. While I do think
the bill could use a bit more work to make sure non-marketing
related innovation is not slowed, the bill is fundamentally a good
the bill text and status here
Buy your copy of Always Use Protection today from your local bookstore or