Yesterday it was revealed that Google claims Gmail users have no reasonable expectation their emails are private. This revelation came out in the midst of the whole NSA brouhaha.
My comment was simply:
Not saying that it's a good thing, but how exactly did people think that the AdWords/AdSense program worked in the first place?Anyway, below the fold, it seemed like a good time to repost the diary I wrote in response to the original NSA story a few months ago, since it's equally relevant here:
Of course it reads the messages; that's what determines the ads that get placed.
Now, you could argue that there's a big difference between the software reading the messages and using it as part of the algorithm to generate the appropriate ads vs. a person reading it, but really, if the software is reading it, there's nothing to stop it from flagging certain phrases and alerting a human employee as well.
I've been a bit swamped this week, so I've missed out on most of the NSA/Verizon wiretapping/PRISM brouhaha.Update: By request, I'm removing the name of the person who posted the diary about the Gmail revelation yesterday. I didn't mean this diary to come off as rude, belittling or insulting (and I genuinely don't see it as being that). There's absolutely nothing wrong with bringing attention to Google's policy statement, and it's important to know. I just wanted to stress the point that--as I said in the first place--whether or not it's a good or evil policy is besides the point; technologically, the horse left the barn on this issue years ago.
I'm sure many others have made similar (or the same) point that I'm about to, but screw it; if I'm repeating something, so be it.
In addition to being a website developer, I also provide website hosting services for most of my clients. I prefer that my clients use my hosting service, partly for obvious business revenue purposes, but mostly for consistency; I know exactly how my servers are set up and configured, what parameters/capabilities they have and so on. I don't have to worry about installing a script that requires PHP 5.3 on a clients' site only to find out that their server only has PHP 5.2, and so on.
This also means that most of my clients host their email services through me as well.
Now, let me be clear about this: I have never spied on my clients email, and I never would. Not only would doing so destroy my reputation, lose my clients and almost certainly be illegal (which I realize is also one of the major points of contention wrt the NSA controversy)...quite frankly, it would be boring as hell for the most part.
I have no interest in knowing how many widgets this or that client produced last quarter, or whether they're having some sort of legal spat with one of their own customers (unless the dispute involved a problem with the website functionality, of course), any more than they give a crap about my own internal goings-on.
However, all of that is besides the larger point, which is this:
I could do so if I really wanted to.
I know this may sound pretty obvious, but the following conversation has occurred between a client and myself on more than one occasion:Client: "Hi, I'm having problems with my email account."See, that's the thing--they often completely forget that if I actually wanted to--in spite of how stupid, pointless and self-damaging it would be to do so--I could read their mail anytime I wanted to. In fact, I don't even really need their password to do so; with root access to the server, I could simply view the raw email message files directly.
Me: "Have you tried...(laundry list of possible culprits, ranging from their actual internet connection being down, to the server's security setting blocking their IP address due to them mis-entering their password too often and a number of other common causes)?"
Client: "Yes, I've tried everything."
Me: "Hmmm...ok, well, once in a blue moon I've run into a situation where a large, corrupt file attachment will gum up a clients' email account. To check for this, I'd have to take a look at the actual messages in your inbox on the server. Do I have your permission to do so in this instance?"
Client: "Sure, I guess so...but I don't remember my password."
Me: "That's OK, I have it right here."
Client: "Ummmmm...you do??"
Me: "Uh, yes...I'm the one who created your password for you in the first place, remember?"
Client: "Oh...right. I forgot."
And, of course, even though I don't spy on my clients, there's always the outside possibility that someone at the actual hosting service itself is (although they, too, have a policy against doing so without the express permission of the client). And even though they don't either, who the hell knows what's going on at the ISP or hosting service of whoever sent the email to them (or received it from them)?
That's the thing: The same is true of ANY ISP, HOSTING OR SOCIAL MEDIA SERVICE THAT YOU SUBSCRIBE TO...AND EVEN SOME THAT YOU DON'T, IF ANYONE YOU CORRESPOND WITH DOES.
For all the screaming people do about Facebook's ever-changing, never-certain "privacy policies", the truth is that ultimately it doesn't really matter what their official "policy" is; there's still plenty of people who work there who could, if they really wanted to, spy on your account any time they wanted to. Perhaps they'd be fired and/or charged, or perhaps they wouldn't...but that wouldn't change the fact that they could do so before getting busted.
You know how Facebook has a strict policy about what photos you're allowed to upload and which ones you can't, due to them violating their terms of service (or being flat-out illegal, like child porn)? Have you ever wondered just how they actually enforce that policy? Guess what: Every time you upload a photo to Facebook, whether it's a pic of your kid playing soccer or your college roommate lying passed-out on the bathroom floor, there's the distinct possibility that a complete stranger somewhere in Turkey, the Philippines, Mexico or India is taking a look at it for $1 per hour in order to decide whether it's OK to post in your gallery or not.
It doesn't matter whether your Facebook "privacy" settings are open, friends only, or locked down to just yourself--someone halfway around the world is checking out your "selfies" to make sure it isn't something especially revolting or illegal.
It's the same thing with Comcast, TW/RoadRunner, Wide Open West, Verizon (obviously), AT&T, T-Mobile, Sprint...all of them. Apple, Twitter, Google...doesn't really matter. No matter what they claim that their policies are about privacy and access, the fact remains that the moment you post something online, whether it's an email, text message, tweet, Facebook post or comment, photo or other file upload, or even a fax (plenty of people still using these, believe it or not)...the moment that you transmit any sort of data electronically, someone not only has the ability to access it, but can usually duplicate it and store it elsewhere.
Hell, check out this 3-year old story from CBS News about the terabytes of sensitive data stored on old copiers that most people don't even realize store:
That's right--think about how many times you might have had a copy made of your driver's license, social security card, medical records, school transcripts, etc. on a copier at Kinko's or wherever without thinking about it. It's all there, somewhere.
Deleting your emails doesn't mean that the recipient deleted their copy, and even if they did, it's always possible that any number of other people along the chain could have nabbed a copy of it as well.
The truth is, the main reason why this is unlikely to be the case in most situation isn't because of technical inability or for legal reasons--it's because, quite frankly, in the vast majority of cases, no one gives a crap.
Seriously, there's so many terabytes of mundane, everyday flotsam & jetsam floating through the internet at any given moment that 99.999% of it is utterly meaningless to anyone other than the sender and recipient (and in some cases, perhaps not even them).
On the other hand, it's also astonishing to me how many people willingly post the most incredibly personal information about themselves openly and publicly on Facebook etc. every day, without giving it a second thought.
When my wife and I found out we were expecting our child, we didn't tell a soul outside of her doctor and our parents--who we swore to secrecy--for the first trimester. Why? Because the first trimester is when you're at the biggest risk of miscarriage. This is one of the most personal experiences either of you is going through, and some things are just for you and your partner alone. Once you're reasonably out of the woods, of course, tell family, friends and so on...but play it close to the chest for awhile.
However, I have friends who've actually posted their ultrasounds publicly as early as 6 weeks into the pregnancy. I know people who've discussed their suspicion--suspicion, mind you--of their partner possibly cheating on them in an open Facebook forum. For that matter, I've known people to brag about cheating on Facebook.
None of this has anything to do with whether the revelations about the NSA accessing gobs of private citizen data mean, legally, Constitutionally, or even ethically or morally. I'm just saying that, when it comes to data privacy, for good or for bad, the train left that station a long time ago.
I've been posting on dKos for nearly 10 years, including hundreds of diaries and thousands of comments. Some of what I've written would sound horrifying out of context, and some of it sounds pretty bad even in context. And it's all out there. Even if Kos were to get taken down tonight and their entire database and backup files were wiped...Google would still have a cached version of much of the content, as would anyone else who happened to save a copy of those posts before the wipe.
I don't think I'll ever be able to run for public office, since even the most basic opposition research (ie, a Google search) would turn up all sorts of material to hit me with.
I don't regret just about anything I've written (ok, there's probably a few exceptions). For the most part, I meant what I've said. However, I'm sure I've lost clients because of some of this (though I wouldn't know if this is the case, since presumably they would reject becoming a client of mine before even calling or writing me). Then again, I believe I've picked up one or two clients because of my rantings as well, so it's probably a wash in the end.
Does all of this mean that you should just give out your SSN and passwords to the world? Of course not. Locking your doors and enabling an alarm system at night isn't going to stop someone who's truly intent on breaking into your house from doing so--but it will certainly prevent anyone except a hard-core burglar from doing so.
Bottom line: Any time--ANY time--that you post ANYTHING online, from a snarky quip to a business email to your credit card or social security number, be advised that there's ALWAYS the possibility that someone, somewhere has access to it who shouldn't, even if it's not the case intentionally.
I'm also not sure what the point is of removing the original author's name when I'm still linking to their diary (which is kind of important since it gives relevance to this one), but I've done so anyway. I certainly don't think including their name merits a HR, which they gave me until their name was removed, but there you have it: It's removed.
Update x2: Well, now. It turns out that the original Google legal filing that caused such a fuss isn't even about Gmail users in the first place:
Non-Gmail users who send emails to Gmail recipients must expect that their emails will be subjected to Google's normal processes as the [email] provider for their intended recipients.
So that's that. It's very much true that Google needs to do a better job of communicating and enforcing the steps it takes to protect its customers' privacy, especially as it continues to amass data about every human on the planet. And it's a fact that the third-party doctrine as laid out in Smith v. Maryland is no longer good law — the Supreme Court didn't know about the internet and smartphones in 1979. Panic tweakers still have plenty to freak out about, in general.
But taking to arms before even reading and understanding 500 words of a legal filing? Surely we can avoid that.