I attended some of last week’s Computers, Freedom and Privacy conference, and had the following thought after an excellent panel discussing the necessity of reforming the atavistic Electronic Communications Privacy Act. As privacy buffs well know, the law sets a fairly high bar for acquiring or intercepting the “contents” of a user’s communication—the audio of a phone call or the text of an e-mail. A much lower bar is set for interception of the individualized non-content records a service provider might hold about a customer; these can be obtained by administrative subpoena, or by a court order with a much lower evidentiary showing.
Here’s my concern—and perhaps someone else has already broached this question, but I can’t recall seeing it, and I read about this stuff all the time. Any time you log into Gmail, and perhaps other similar services, you’re going to see targeted ads that are generated in part on the basis of your e-mail contents. So, for example, I look at an invite I just received to a Cato Institute event about the future of U.S. policy toward Pakistan, and I see on the side a bunch of ad links for publications or master’s degree programs about national security or international relations. Another old one in which I mention tech journo Declan McCullagh got (among other things) an ad for the Irish country music of one Declan Nerney. A single e-mail thread might have five or six different ads triggered by several distinct words.
Now, back when Gmail debuted, they told Wired they wouldn’t “keep a log of which ads went to which users, nor will it keep a record of keywords that appear often in an individual’s e-mail.” Their privacy policy, on the other hand, pretty clearly says that they can:
When you use Gmail, Google’s servers automatically record certain information about your use of Gmail. Similar to other web services, Google records information such as account activity (including storage usage, number of log-ins), data displayed or clicked on (including UI elements, ads, links); and other log information (including browser type, IP-address, date and time of access, cookie ID, and referrer URL).
Whether Google in particular does or doesn’t track that kind of information on an individualized basis isn’t really my primary concern. The point is that any company that did track its own ad-serving history on a personalized basis would clearly have a huge cache of information that was obviously not itself the “content” of any user’s communication, but also provided a damn good rough map to what that content might look like. And we know that our intelligence services are very big on the idea of sifting through vast reams of metadata in search of suspicious patterns. Since Google seems above all concerned with trying to sell me stuff, I’m not sure I’m enormously worried about their having this information. I’m less sanguine, though, if the government is able to use the lower standard for acquiring customer records to effectively gather capsule summaries of the contents of the e-mails sent and received by vast numbers of users. It wouldn’t surprise me in the least if something like that had been done, but even assuming it hasn’t, that it might be possible in principle is a pretty good argument for updating EPCA to remove any ambiguity.
1 response so far ↓
1 Barry // Jun 15, 2009 at 2:17 pm
‘Scroogled’, by Cory Doctorow
http://blogoscoped.com/archive/2007-09-17-n72.html