John Henry Skillern, 41, has been charged with possessing child pornography, after the National Center for Missing and Exploited Children received a tip from Google. While it’s clear that the end result of this is positive – he’s being prosecuted for the heinous crime he’s committed – we have to ask, do email platforms have the right to scan user emails if it helps to combat crime?
Technically, whether or not they have the “right” depends on the terms of service between the user and that service, as well as the laws of the country in question. In the US, this is a complicated issue due to other US Federal laws that compel ISPs to help combat child pornography.
But that’s the technical legal point of view. The bigger picture is around society’s expectations around the privacy of their use of the Internet. Despite the horrific nature of these specific crimes, I don’t think Google has the “right” to scan users’ information. The general public has an understanding and expectation of how privacy works in the “real” world. For better or worse they’ve carried those same expectations into the online world.
This means that society expects online privacy to work in a certain way, regardless of the wording and details buried in user agreements and privacy policies. These are not read, and these are not understood – there is no meeting of the minds. So again, for better or worse, these expectations for privacy in the real world are how “we the people” expect and want online privacy to work. These expectations are not being met by things like online tracking and the scanning of emails and cloud content.
There are three types of scanning that email, cloud, and calling (VoIP) services do: parsing the content of Gmail messages to display ads, looking at user activity to optimize ‘free’ services, and proactively scanning content to identify criminal activity (plus a fourth, which is providing access directly to law enforcement and governments at their request). It could be argued that free service providers have no real “right” to do any of these, except to provide information when compelled, but at this point most people do understand that Gmail will scan their mail to display ads.
Each one of these types of scanning needs to be treated differently:
1. No right to scan for a crime. Both Gmail and Microsoft’s Cloud Storage have been known to proactively scan users’ content for evidence of criminal activity. In the US, society would expect the 4th Amendment’s protections against search & seizure to guard the privacy of their communications (unless there is a warrant or other specific legal measure). People do understand that if they are specifically being investigated and there is probable cause to believe they are engaged in criminal activity, then there are processes in place. But we would not expect the digital equivalent of “papers please” looking at every message sent.
2. “Limited” right to scan content for ads. I think at this point most people have some understanding that free email and other platform providers are scanning their content in order to display ads. But they would be shocked at the depth of the profiles that are assembled. Companies also have no right, despite whatever clever agreements they’ve come up with, to use this type of data for any other purpose. That would break the “context” of the exchange between the ad and the use of the free service. This should be a very limited right, as it is directly looking at the content of user communications, but in practice it’s not clear what, if any, real limits are placed on the use of this data. Some companies are likely to be better here than others in their treatment of users’ profiles and data.
3. “Limited” right to scan usage for service optimization. Like ads, many people do understand that service providers look at metrics around how they use the services. Nominally this is done to “improve” the services provided and their service delivery. It also usually includes figuring out how to cross-market additional services. This is where the limited right comes in. Service providers should have no right to step outside the context in which users provided their information, for instance by making that information available to other companies or simply placing it for sale.
So can users protect their privacy when using free platforms like Yahoo, Outlook or Gmail? How?
Users can take steps to protect their privacy when using free platforms like Yahoo, Outlook or Gmail. However, they need to decide how much convenience they are willing to sacrifice, and how much information they are willing to share. Here are some things they can do right now to protect the content they entrust to these service providers:
Encrypt the content of your email messages. Users can keep free email providers from successfully scanning the content of their emails by encrypting them before they are sent. Tools like Enigmail for Firefox or GnuPG will provide strong encryption. But they can be tricky to use, and you should use them to encrypt your email content outside of gmail.google.com (as it could save drafts while you are composing your email).
Encrypt your files for cloud storage. Any files or images that you want to store on a cloud service you can also encrypt before they are uploaded to the cloud. Note this won’t work with sites like Flickr, but rather with cloud storage services that work like “hard drives” such as SkyDrive or Dropbox. You’ll have to be sure to decrypt and re-encrypt these files each time you use them, and here are some tips on making this as easy as possible.
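
One way to script the decrypt and re-encrypt cycle for a synced folder with GnuPG, as an added example that is not from the original post. The names `SYNC_DIR`, `PASSFILE`, `cloud_put`, `cloud_get` and `cloud_edit` are constructed for illustration, and GnuPG 2.1 or later is assumed to be installed.

```shell
#!/bin/sh
# Added example: only ciphertext ever lands in the synced folder.
# Assumptions (constructed names): SYNC_DIR is the absolute path, without a
# trailing slash, of the folder the cloud client syncs; PASSFILE is a file
# holding the passphrase on its first line; GnuPG 2.1 or later is on PATH.
set -e

# Run gpg non-interactively with the passphrase read from PASSFILE.
gpg_sym() {
    gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase-file "${PASSFILE:?set PASSFILE}" "$@"
}

# cloud_put FILE: encrypt FILE into the synced folder as FILE.gpg.
cloud_put() {
    gpg_sym --symmetric --cipher-algo AES256 \
        --output "${SYNC_DIR:?set SYNC_DIR}/$(basename "$1").gpg" "$1"
}

# cloud_get NAME WORKDIR: decrypt NAME.gpg into WORKDIR, which must be an
# absolute path outside the synced folder so plaintext is never uploaded.
cloud_get() {
    case "$2/" in
        "${SYNC_DIR:?set SYNC_DIR}"/*)
            echo "refusing to decrypt inside $SYNC_DIR" >&2
            return 1 ;;
    esac
    gpg_sym --decrypt --output "$2/$1" "$SYNC_DIR/$1.gpg"
}

# cloud_edit NAME: the decrypt, edit, re-encrypt cycle in one step.
cloud_edit() {
    work=$(mktemp -d)
    status=0
    cloud_get "$1" "$work" && "${EDITOR:-vi}" "$work/$1" \
        && cloud_put "$work/$1" || status=$?
    rm -rf "$work"    # remove the plaintext copy even if a step failed
    return "$status"
}
```

Source the file, set `SYNC_DIR` and `PASSFILE`, then call `cloud_put report.pdf` to upload and `cloud_edit report.pdf` to change a stored file.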