Google says e-mail users should have no legitimate expectation of privacy (scribd.com)
34 points by bonchibuji 4699 days ago
9 comments

The "a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties" quote has been massively taken out of context by everyone who is covering this story.

The overall case appears to be about people complaining that Google scanning their emails and showing contextual ads is a privacy violation.

Most of this document is an explanation of why that shouldn't hold (Gmail users agreed to this when they signed the ToS, automatic scanning is essential for things like spam filtering and full-text search, legislating against this will kill innovation in online services etc).

The section that contains the "expectation of privacy" quote is in reply to part of the case which suggests that, while Gmail users may have accepted the ToS, non-Gmail users who send an email to a Gmail user have NOT accepted that ToS and hence are having their privacy violated.

The counter-argument presented is that, if you send a letter to someone and they allow their assistant to open it, you shouldn't be surprised by that. The analogy is that if you send an email to someone who has chosen to use a specific email provider, and that email provider automatically scans your email in some way, you shouldn't be surprised either.

As I read it, the "third parties" in the troublesome quote aren't Google themselves - they are the recipients of your email who happen to be using Gmail. You've turned over your information voluntarily to the recipient of your email, they can then choose to allow it to be automatically processed by the email provider they have an agreement with (without this violating your expectations of privacy).

I call bullshit on the whole story.

I see your point, it's clear and has plenty of logic to it. Then I guess that the same argument will apply to my medical records, tax returns, GPS coordinates of my car, GPS coordinates of phone, my pay-per-view TV consumption, the who/when/where of the phone calls I make, etc.

Trust is vital in any economy that wants to function. This Google argument will make me trust no one.

Quote: "...they nonetheless impliedly consent to Google’s practices by virtue of the fact that all users of email must necessarily expect that their emails will be subject to automated processing.

Just as a sender of a letter to a business colleague cannot be surprised that the recipient’s assistant opens the letter, people who use web-based email today cannot be surprised if their communications are processed by the recipient’s ECS provider in the course of delivery.

Indeed, “a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.” Smith v. Maryland, 442 U.S. 735, 743-44 (1979)..."

I think this is a good summary.

Agree. The sender has no guarantee that the recipient hasn't handed over authority to open and read mail to somebody else. There is not necessarily anything wrong with that.

At my office my secretary reads most of my snail mail, and at home I have authorized my girlfriend to do the same. Gmail reads my email. In all cases my reasons are the same; I am having a hard time keeping up with all the mail that comes in and want someone to filter out what is relevant.

To put that quote into context:

"While the non-Gmail Plaintiffs are not bound to Google’s contractual terms, they nonetheless impliedly consent to Google’s practices by virtue of the fact that all users of email must necessarily expect that their emails will be subject to automated processing."

This is talking about non-Gmail users who send email to Gmail users.

Unless I'm missing something Google didn't "say" that, it was an explicit quote from another court case (see PDF's Page 19).
Talking about privacy. Why use services like Scribd? A simple link to the pdf file hosted somewhere else would have sufficed. I then can do my searches locally without them tracking exactly what I do (who views what, who searches what). SASS (Service as Software Substitute) is evil...
And even if you trust scribd isn't it just a usability nightmare or am I missing something?
Links to PDFs are converted to scribd links. Scribd is a YCombinator company.
Should there not be a larger emphasis here on the nature of the service? It's not humans reading the mail, and the gathered data -as far as I know- does not enter the hands of a third party.
Anyone still using Google services since the NSA revelations is an idiot. I'd like to see them bankrupt after their betrayal of their do-no-evil and open source roots.
What open source roots? Their core software was always proprietary; if anything, with Android and Chromium, they're more open source than ever.

And frankly, I don't see great changes in the "don't be evil" policy either. When has Google been a great champion of users' privacy? Targeted advertising has always been their business model.

Frankly, the only thing I see is people's rose-colored glasses about the early Google.

I still use google services.

I'm conscious of what happens, much before the NSA revelations this year.

I use 8.8.8.8 for DNS on some networks (for external resolution and for nagios) knowing perfectly that each request is registered and extrapolated.

I use an apple macbook air for some tasks, even if I know I've no control over many privacy issues in such machine.

On the other side, I've had offline networks for some data I didn't want to ever go out of my firewall. The only connection of such networks was a 2TB USB disk, to update the mirrors of the software that such networks needed.

When I want to make something online not related to myself, I start from the beginning: using hardware not related to me or my credit card, and using an internet connection not related to me or my bank account.

I trust certain things, don't care about certain things, and care about others (i.e. my webcams and micros are always with duct tape, since invented, bluetooth? disabled, 3D in the browser? disabled, external fonts in the browser? disabled, etc).

Should I wear an "I'm an idiot" t-shirt?

Yes. It's worse that you don't even have ignorance as an excuse.
I don't seek any excuse.

I don't like cars, but I need to use one. I don't like the effects of our civilization in the nature, but at the end I'm part of it to cover my basic needs. And the same happens with internet and widely known services.

I don't approve unconstitutional surveillance, but I, from Europe, can't change such _facts_.

You may think I'm an idiot because I don't have ignorance as an excuse for using certain services. I may think I'm not, because I don't need the media and news to know what is really going on.

You may feel superior just by calling people idiots. I respect your thought level, it's your life.

We think in different ways.

>>Anyone still using Google services since the NSA revelations is an idiot

Care to name a good alternative then? And a good way to notify hundreds of people and companies to change my address to a new one, and convince dozens of friends to stop using hangouts and use X instead?

Sure, no problem.

Gmail: Self-hosted qmail or exim

Google Maps: OpenStreetMap

Hangouts: Jitsi

Android: Firefox OS

Search: Startpage

Chrome: Firefox

Google Drive: ownCloud

> Gmail: Self-hosted qmail or exim

Suggesting people use a self-hosted email server in place of gmail is trolling on the level of "Install Gentoo".

Sorry, I thought this was _hacker_ news. Setting up self-hosted email is utterly trivial.
You said "Anyone still using Google services". I took that to mean that anyone should self-host email.
So - encrypt everything and send the keys through snail mail? They can't legally read the mail, right?
PKI specifically means you don't have to rely on secure key transfer.

Encrypt everything, and post your public key on any keyserver you choose. There is very little sensitive information in a public key (though it can tie you socially to another party, in a cryptographically strong manner, for those who are concerned about such things).

But the point is that an out-of-band and secure key transfer isn't required.

However, each party needs to be sure that the identity of the other is who they expect, i.e. that a MitM is not occurring. Sometimes the best way to achieve that is an out-of-band key exchange.
Correct.

An out-of-band key exchange, or OOB verification of messages, would work. You'd start with messages of low criticality.

In Snowden's case, he didn't even identify himself to Poitras until they'd been communicating for some months.

And what happens when your keyserver gets hit with NSL to impersonate another party? Is there something to prevent it there as infrastructure or legal?
Please read a fundamental PKI text or FAQ. That isn't a viable threat model.

On the other hand, anyone at any time can create a key with any given name on it. Under PGP, trust is generally imbued through keysigning and trust metrics.

Keys are also cheap: two (or more) parties could create keys (or subkeys) they used exclusively for communications between themselves, if they so chose.
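
The fingerprint check behind the out-of-band verification discussed in the comments above, as an added example that is not part of the thread. It computes OpenPGP version 4 fingerprints as defined in RFC 4880 section 12.2 and shows that a keyserver result carrying the same name but different key material fails the comparison; the user ID, the toy RSA numbers and the helper names are all constructed for illustration.

```python
import hashlib
import hmac
import struct

def mpi(n: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian bytes."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")

def rsa_key_packet_body(created: int, n: int, e: int) -> bytes:
    """Version 4 public-key packet body: version, creation time, algorithm 1 (RSA), n, e."""
    return b"\x04" + struct.pack(">IB", created, 1) + mpi(n) + mpi(e)

def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, 2-byte length, packet body."""
    framed = b"\x99" + struct.pack(">H", len(body)) + body
    return hashlib.sha1(framed).hexdigest().upper()

def matches(body: bytes, oob_fingerprint: str) -> bool:
    """Compare a key against a fingerprint obtained out of band (spaces and case ignored)."""
    expected = "".join(oob_fingerprint.split()).upper()
    return hmac.compare_digest(v4_fingerprint(body), expected)

def select_verified(candidates, oob_fingerprint):
    """Keep only the keyserver results whose key material matches the fingerprint."""
    return [(uid, body) for uid, body in candidates if matches(body, oob_fingerprint)]

# Constructed sample data: toy RSA numbers, far too small for real use.
GENUINE = rsa_key_packet_body(1376000000, 0xC0FFEE1234567890ABCDEF01, 65537)
IMPOSTOR = rsa_key_packet_body(1376000000, 0xBADC0DE1234567890ABCDEF01, 65537)

# The user ID is not part of the fingerprint, so anyone can upload a key
# under the same name; only the key material distinguishes the two.
KEYSERVER_RESULTS = [
    ("Alice <alice@example.org>", IMPOSTOR),
    ("Alice <alice@example.org>", GENUINE),
]

# The fingerprint as the key owner would read it out in person or by phone.
_fp = v4_fingerprint(GENUINE)
OOB_FINGERPRINT = " ".join(_fp[i:i + 4] for i in range(0, 40, 4)).lower()

if __name__ == "__main__":
    for uid, body in KEYSERVER_RESULTS:
        verdict = "OK" if matches(body, OOB_FINGERPRINT) else "MISMATCH"
        print(uid, v4_fingerprint(body), verdict)
```
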

Correct, in many countries there are more laws protecting the privacy of snail mail than laws protecting e-mail.
IIRC there was an article about feds tracking meta info (recipient, destination, date) on letters too.
See page 28
It's like Google is asking their users to leave their service. How about creating a Lavabit-like solution instead, Google, instead of telling users that "if you use our service, you have no expectation of privacy"?
I'll take "Because Google's entire business model around email is processing it to serve relevant ads next to it, which requires that they be able to read it" for $1000, Alex.
They could still do that in a secure way, client-side, if they wanted: when content is displayed in-browser, javascript could parse it, send home relevant words (on an encrypted channel), and receive relevant ads. The server would have to ensure that data is not saved, or it's anonymously aggregated right away -- you'll have to trust their word on that, but that'll always be the case.

Computationally expensive, maybe, but it's 2013 and browsers can take a bit of abuse. It wouldn't cover people using POP/IMAP, but Joe Average doesn't bother with that geekery anymore. Obviously it would take some time to implement, but it could be done.

They'd also have to do spam filtering client side, parsing the MIME to extract inline images, attachments and so on, sanitize the HTML to protect against XSS attacks, process it for full-text search, filtering into labels, auto-forwarding and really absolutely everything that happens to an email. They all involve "reading" the email.
To be fair, that's all stuff that "real" email clients already do.
I think it's a little naive to assume Google just matches a few words in each email and serves ads based on that.
I'm not saying it'd be a 100% drop-in replacement for what they have now, but it'd be a good approximation, a starting point. I'm a leeching AdBlock user anyway, these days I don't even see what they try to show me...
Why does everyone assume it's just about the "automated processing" they do?

I'm 100% sure besides showing "relevant ads" in real time as you check your mail, they also keep a huge profile for your account name, cross check with all their other services and mainly search, and generally have a file on you and your preferences.

And that's besides sharing your email with their government friends.

Because this whole kerfuffle is about the fact that by granting Google the ability to spam-filter and process your email, you are giving up your legal expectation of privacy by placing your data into the hands of a third party. It's the lowest common denominator. Sure, they may be doing other stuff, but we know for a fact that they process your email in ways X, Y, and Z, which are what the legal theories are based upon.
Do Lavabit-like services scan the email for spam or full text search? If so, they have the lack of privacy Google is talking about.
Ironically enough, anti-spam processing on Lavabit was reserved to paying customers, i.e. people who valued their privacy even more.