You are here

Google’s Widespread Wiretapping Could Have Snowden-esque Repercussions

Summary

A shocking new legal fact set recently came together in public as a result of a Gmail wiretapping case, Fread v. Google. Revelations of Google’s secret widespread wiretapping of hundreds of millions of people over the last three years, using a NSA-PRISM-like device called “Content One Box” could have Snowden-esque repercussions. 

The New Legal Fact Set:

Google wiretaps. Federal Judge Lucy Koh has ruled that Google’s scanning of Gmail exchanges to create personal advertising profiles constitutes wiretapping. Specifically, Judge Koh ruled that Google’s reading of people’s email is not an “ordinary course of business” and that “accepting Google’s theory of implied consent… would eviscerate the [wiretap] rule against interception.”

Google never disclosed its mass wiretapping. Bloomberg’s Joel Rosenblatt reported this courtroom exchange: There is “…a device Google has used to intercept e-mails called the “content one box.” Google determined that the device couldn’t extract information from e-mails that weren’t opened or deleted, or when they were accessed by phones or through Outlook, Rommel said. In 2010, Google moved the device from the storage end of e-mail services to the “delivery pipeline” to extract data before users receive the messages, Rommel said. “That’s the secret,” Rommel said. “It is factually inaccurate to say that the location and the timing of that interception is in the public record,” he said, referring to Google’s disclosures about its scanning. “There is not a single disclosure in the record that identifies, alerts, tells anybody that there is an interception occurring. It’s not there, it doesn’t exist.” [Google’s “Content One Box appears to function much like the NSA’s PRISM technology reportedly operates in tapping into delivery conduits.]

Google has wiretapped hundreds of millions of people without their knowledge/consent for three years. In 2010,Google secretly redesigned where it intercepted Gmail for its reading so that it could put Google’s commercial priorities ahead of users’ and competitors’ privacy decisions.

Summary of Five Big Repercussions of Google’s Widespread Wiretapping

  1. Exposes Google’s secret no-privacy-by-design commercial surveillance priorities
  2. Exposes a big crack in Google’s main privacy defense -- implied consent by users
  3. Exposes mass violations of FTC deceptive privacy practices law & Google-Buzz settlement
  4. Exposes Google doing what Snowden exposed the NSA’s PRISM technology doing
  5. Provides EU the first high-profile test case of its just-passed tough privacy law   

 

Introduction

In 2010, Google made a franchise bet that it could get away with wiretapping all of its Gmail users communications when it secretly installed “Content One Box,” in the delivery system of its Gmail platform. Google’s new device enabled it to secretly intercept everyone’s communications and read everyone’s emails before they were delivered to their recipients, without any meaningful knowledge of, or consent from, users per Bloomberg and other reports.

This new legal fact set has become public via what Google said in sworn depositions that were discussed in open court in late February in a large pending wiretapping class action case -- Fread v. Google. Tellingly, this is the one Google court case where 26 media companies are jointly petitioning the court to not allow Google “to litigate this case in secrecy” by sealing from the public depositions and court documents that are normally available to the public in Federal Court cases.

The potential Snowden-esque repercussions from this new legal fact set, is precisely why Google so badly wants to cover-up these depositions and why 26 media companies are fighting so hard for their public disclosure.

Specifically, the main fallout affects the FTC, NSA, and EU most directly.

  • The FTC is now confronted with secret Google behavior which was disclosed to no one, and is the opposite of their public representations. In addition, it appears on its face to be an illegal deceptive practice under Section 5 and a likely gross violation of the FTC’s Google-Buzz privacy consent decree, and also the “comprehensive privacy program” that was supposed to detect and prevent precisely this type of “deceptive and unfair business practice.”
  • The eerie similarity of the mass surveillance Google is doing with “Content One Box” and the mass surveillance NSA did in its “Google Cloud Exploitation” with PRISM-like technology right after the NSA started working with Google in 2010, raises a host of serious unanswered questions about the real extent of Google’s relationship with the NSA. 
  • The EU is now presented with “smoking gun” evidence of secret widespread wiretapping by Google of all European emails to a Gmail user over the last three years. Importantly, the European Parliament just passed overwhelmingly a new strict data protection (privacy) law. Google’s widespread wiretapping of Europeans’ email communications without their knowledge could be the first high profile test of the teeth of the EU’s new privacy law.   

 

Five Big Repercussions from Google’s Widespread Wiretapping

 

Exposes Google’s secret no-privacy-by-design commercial surveillance priorities

First, this new fact set publicly establishes for the first time Google’s secret design priority for interception and collection of private data over its publicly-represented priority of respecting user’s privacy decisions. Simply, it exposes Google’s no privacy-by-design ethos because Gmail, and its account structure, is what most of Google+’s communications and sharing services are built around.

Particularly relevant to wiretapping, Gmail is fully integrated with Google Voice (calls, voicemail, translation, transcription, contacts, etc.); Google Hangouts (Google’s “one place for all your conversations,” video conferencing, etc.); and Google+ sharing – across all computers and mobile devices.

According to Google: “a Gmail account is required to use Google Talk or other download clients… [like] the voice and video chat plug-in. … If you are using Gmail, all chats are saved and searchable by default.” Google Voice automatically transcribes Gmail Voicemails into text. 

Is Google’s comprehensively-named “Content One Box” also intercepting voice and video conversations and sharing, for the purposes of compiling user profiles for advertising and predictive services, without people’s meaningful knowledge or consent?

And given the Google’s Gmail design priority to intercept and analyze data at the earliest point possible, i.e. at the delivery system level, does Google’s design priority for Google’s other main “delivery systems,” Chrome and Fiber, involve intercepting communications to people via Chrome and Fiber, before it reaches the intended recipient? That’s reasonable fodder for future wiretapping depositions of Google.

 

Exposes a big crack in Google’s main privacy defense -- implied consent by users

Second, this new legal fact set exposes the vulnerability of another franchise bet Google made long ago – that of implied consent.

Federal Judge Lucy Koh has alreadyruled Google’s scanning of Gmail exchanges to create personal advertising profiles could violate wiretap law. Specifically, Judge Koh ruled that Google was not exempt from wiretap law because creating personal advertising profiles by reading people’s emails was not an “ordinary course of business.”  Judge Koh also found that “accepting Google’s theory of implied consent… would eviscerate the [wiretap] rule against interception.”

Think of Google’s franchise bet on “implied consent,” as a big damn holding back a big reservoir of consumer liability Google has accumulated by long assuming that it is not violating privacy and other laws because of the “implied consent” that use of Google’s free services implies consent that Google can do what it wants with whatever information passes through its bots, servers, services, products and apps.

This Fread v. Google wiretapping legal fact-set could represent the first big fracture in Google’s remarkably untested and legally-revolutionary paradigm of “acceptance by silence.”

In “Google’s Legal Troubles” on Law.com, William A. McComas explains: “Every law student who has ever taken a contracts class knows that a contract cannot be formed by a participants silence. In business, there must be a manifestation of assent, such as a signature, to establish agreement between two parties.”

What’s new and so scary for Google here is that they have been caught doing something universally at the core of their business that is antithetical to user privacy protection and to their privacy commitments to users and regulators, i.e. reading emails before they are even received by the recipient, with zero public disclosure or any meaningful consent.

Thus this case’s fact set and decisions represents cracks in Google’s heretofore impregnable legal defense dam potentially enabling a flood of other privacy lawsuits and law enforcement wiretapping investigations at the Federal, State and International levels.   

 

Exposes mass violations of FTC deceptive privacy practices law & Google-Buzz settlement

Third, we need to set the stage here.

When the FTC announced the Google-Buzz privacy settlement in 2011 (after Google’s “Content One Box” started secretly reading people’s emails before recipients received them) the FTC declared Google “used deceptive tactics and violated its own privacy promises to consumers… [using practices that] violate the FTC Act.” The FTC also boasted “This is a tough settlement that ensures that Google will honor its commitments to consumers and build strong privacy protections into all of its operations." [Bold added for emphasis.]

Tellingly, at the time a Google spokesperson characterized the import of the new FTC-Google-Buzz settlement this way to the New York Times: "We don't see this as being a significant change in how we run our business because this is the standard we hold ourselves to already."

Months later, the FTC’s Google-buzz settlement proved weak in its supposed deterrent value. A Stanford researcher discovered Google hacked Apple Safari’s browser to circumvent both users' and Apple’s privacy protections to enable tracking for Google+ advertising -- per a WSJ lead story which prompted widespread outcry and official privacy complaints.

While Google claimed to have stopped the offending hacking, implying wrongdoing, it did not apologize, and was misleading in its public defense.

Ultimately, the FTC did fine Google an FTC record $22.5 million because it “mis-represented privacy assurances to users of Apple's Safari Internet browser,” but importantly the FTC did not require Google to admit any wrongdoing.

Tellingly, Google’s public response was that at Google: "We do set the highest standards of privacy and security for our users."

Why this new legal fact set is a big deal for the FTC’s enforcement stance towards Google is that this new Gmail legal fact set plays exactly to the FTC’s self-proclaimed enforcement strength, holding companies to their public representations and holding companies accountable to enforcement decrees with the FTC.

This new legal fact set helps establish that Google made no public disclosures whatsoever that is was reading tens of millions of Americans Gmail before it was even delivered for the purposes of predicting their behavior in direct contradiction to their public privacy representations. This proves Google’s “comprehensive privacy framework” is not comprehensive as represented by the FTC. It also proves that the FTC’s accountability process of an independent privacy audit is ineffective.

Moreover, this new legal fact set shows that Google effectively repeated what it did in its Apple Safari hack, which bypassed users’ and Apple’s privacy and security settings in order to secretly collect private information in order to predict user behavior and serve them ads. As the public transcript of Fread v. Google would show the FTC, Google’s moving of its Gmail reading server to the delivery system allowed Google to read emails from Apple’s iPhone that they could not otherwise read.

Furthermore, the moving of the server also effectively enabled Google to bypass and disregard users desire to opt out of Gmail advertising or tracking. Simply, since 2010, Google has been doing the opposite of what they promised to users and to the FTC. And they have done it in such a way at the core of Google’s surveillance system that it is in effect now the most basic standard operating procedure at Google.

Essentially Google’s widespread wiretapping over the last three years has seriously undermined the credibility of the FTC’s important promise: This is a tough settlement that ensures that Google will honor its commitments to consumers and build strong privacy protections into all of its operations."

Adding to the relevance and import of this new legal fact set to the fulfillment of the FTC’s statutory authority, is that it is not only a deceptive business practice but also an unfair (anti-competitive) business practice.

If the FTC were to read the transcript of the public hearing that made this new critical legal fact set public, they would learn that Google is arguing for the Court to seal the relevant depositions because the location of where Google positions its Gmail-reading-server that enables its wiretapping is proprietary – i.e. a trade secret! \

The implication here is that Google, in Federal court proceedings under oath, has taken the position that its secret wiretapping is a legal secret competitive advantage that the court should protect. The further implication here for the FTC is that Google apparently achieves its competitive advantage of having the best data, best user profiles, and thus best ability to target users with advertising – that makes it unbeatable in the marketplace -- by breaking the law and covering it up in Federal Court.

If that is not an unfair (anti-competitive) practice under the FTC Act, it would be hard to imagine what practice would qualify.

If the FTC is serious about its mission and credibility vis-a-vis its Google enforcement, the FTC should ask the Department of Justice as the Government’s lawyer to join the 26 companies in filing an amicus brief to ensure that these important documents get into the public record and are not deceptively, unfairly and anti-competitively kept from the public -- and also from the FTC and the DOJ.   

It will be telling to learn what the FTC does with this “smoking gun” evidence. Will the FTC enforce the FTC Act or will it do nothing or just settle and allow Google to admit no wrong doing as it has done in the past?

 

Exposes Google doing what Snowden exposed the NSA’s PRISM technology doing

Fourth, Google’s wiretapping franchise bet depended on their omni-surveillance of most email remaining secret from everyone, much like the NSA’s omni-surveillance of communications depended on no one disclosing it to the public like Edward Snowden did.

Specifically, we have just learned another Snowden revelation from the Washington Post that the NSA “has built a surveillance system capable of recording “100 percent” of a foreign country’s telephone calls,” which is eerily similar to Google’s “Content One Box” surveillance system capable of reading a 100% of many countries’ emails to Gmail users.

In a Himalayan height of irony, Google communicated outrage when a Snowden document disclosed that the NSA secretly wiretapped Google’s network: “We are outraged at the lengths to which the government seems to have gone to intercept data from our private fiber networks.”

However, Google’s secret interception dragnet of all email traffic on its network before its recipients receive it for the purposes of spying on people to best predict their behaviors, is eerily similar to NSA’s secret interception dragnet to most-comprehensively spy on people to predict if they are involved in terror-related behaviors.

The plot thickens further.

Now consider what former NSA and CIA director Michael Haydentold in the Washington Post, 9-16-13, which is highly relevant to Google’s omni-surveillance capability of Google’s “Content One Box:”"Gmail is the preferred Internet service provider of terrorists worldwide. I don't think you're going to see that in a Google commercial, but it's free, it's ubiquitous, so of course it is." This establishes the fact that Gmail would be the single most important global email network for the NSA to surveil in order to best to track potential terrorists.  

Now consider the extraordinary coincidental timing sequence of when we learned Google was working with the NSA and when this NSA-like device to collect all information, was installed per the court transcript.

From the front page of the Washington Post we learned in February of 2010:  The world's largest Internet search company and the world's most powerful electronic surveillance organization are teaming up in the name of cybersecurity. Under an agreement that is still being finalized, the National Security Agency would help Google analyze a major corporate espionage attack that the firm said originated in China and targeted its computer networks…

From the front page of the New York Times in April of 2010, we learned that the Google losses from the espionage attack “included one of Google’s crown jewels, a password system that controls access by millions of users worldwide to almost all of the company’s Web services, including e-mail and business applications.” [Bold added for emphasis.]

From the public transcript of Fread v. Google one learns on page 38 that Google’s “Content One Box” was installed in October 2010, just months after Google reportedly began working with the NSA.

And now we have learned from reporting from the Guardian that NSA General Counsel Rajesh De testified publicly under oath that Google and other companies had “full knowledge” of what the NSA was doing.

The media petitioning for more disclosure to investigate this issue further should also be interested in the real motive for Google’s interest in covering up this new legal fact set.

Google is either trying to cover up: violations of wiretapping law; breaches of trust with its users over representations of protecting users’ privacy; and/or previously denied cooperation with potential NSA snooping on Americans’ communications. 

 

Provides EU the first high-profile test of its just-passed tough privacy law 

Finally, evidence that Google is secretly reading all European Gmail, and email to a Gmail user, without disclosure to, or consent from, European users for the purposes of creating a European user profile to predict that European’s behavior, will likely result in a new EU investigation of Google’s “Content One Box” to bring it into compliance with the EU’s new privacy law and expectations.  

Consider the current European backdrop to Google’s widespread wiretapping. 

From a big picture perspective, the European Parliament just voted overwhelmingly 621-10 for much stronger data protection laws, the first such change since 1995.

On all major points, the EU essentially adopted a privacy law that is the opposite of Google’s standard practice or privacy position. It subjects foreign-based companies serving Europeans to EU law. It favors EU data being stored and processed in the EU where it is subject to EU law. It adopts a user-friendly opt-in privacy policy rather than America’s provider-friendly opt-out privacy policy. And it grants EU the citizens the right to demand erasure of their online data, which U.S. law does not require.

Obviously, European indignation over NSA spying was the primary catalyst to get the new data protection law passed.

However, another significant catalyst was European frustration with Google’s routine disrespect of Europeans’ privacy and Google’s disregard for European country privacy laws and their privacy authorities.

A large reason why the EU privacy law greatly increased the EU’s fining authority from the current negligible amounts to up to 5% of a company’s global sales was largely in response to Google naked non-compliance with direction from European privacy authorities, because current EU fining potential topped out at about 5 minutes of Google’s revenues.  

In addition, two big Google privacy clashes with European privacy authorities provide important context here.

In 2010, a German privacy official caught Google Street View cars secretly wiretapping home WiFi signals without the knowledge or consent from the homeowner. Despite the fact that thousands of Google Street View cars were secretly collecting Wifi signals in over thirty countries over a period of three years, Google’s explanation was that it was “a mistake” of just one “rogue engineer.”

At least nine EU member states investigated the legality and propriety of the Google WiSpy effort: EU, Czech, France, Germany, Hungary, Italy, Spain, Sweden, Switzerland, and the UK; and some fined Google the maximum that they could under their current law.

In 2012, Google consolidated over 60 privacy policies into one without any opportunity for a European user to opt out of the change. After many months of trying to get Google to abide by European country laws, Google refused to comply. Consequently, twenty-nine European data protection regulators began a joint inquiry led by France's CNIL, which determined that Google's new privacy policy posed a "high risk" to the privacy of Europeans individuals, per Reuters.

When European privacy regulators asked Google to make changes by a certain date Google refused. This prompted the six largest EU member states with fining authority, France, Germany, Italy, the Netherlands, Spain and Britain to investigate and fine Google the best they could under existing European laws.  

Over the last two years of Google’s European privacy non-compliance, Google’s standard public statement was this mantra: “Our privacy policy respects European law and allows us to create simpler, more effective services. We have engaged fully with the authorities involved throughout this process, and we’ll continue to do so going forward.”

What all this means is that is that times have changed for Google in Europe.

When Europe had weak privacy enforcement authority Google ignored European privacy authorities. Now that the EU has passed some of the toughest privacy laws in the world, with the authority to fine a company up to 5% of global sales, EU privacy authorities are learning that Google’s is secretly reading most every Europeans email communications just like the NSA’s PRISM program reportedly does.

Tinder meet spark.

 

***

Google’s Disrespect for Privacy Research Series

Part 1: Why Google is the Biggest Threat to Americans' Privacy; House Testimony [7-18-08]

Part 2: Google Book Settlement "absolutely silent on user privacy" [8-31-09]

Part 3: Yet more evidence of Google's hostility to privacy [9-4-09]

Part 4: Google's Schmidt: "Because we say so" on trusting Google's Privacy Dashboard [11-6-09]

Part 5: Fact Checking Google's New Privacy Principles [1-28-10]

Part 6: Google's Privacy "Buzz" Saw [2-11-10]

Part 7: Exposing Google's Systemic Privacy Vulnerabilities [5-15-10]

Part 8: What Private Information Google Collects -- A One-Page Fact Sheet [5-24-10]

Part 9: What else does Google secretly track? Top 10 questions for privacy investigators [6-2-10]

Part 10: Google's "Total Information Awareness" Power - A one-page graphic [6-4-10]

Part 11: Americans want online privacy -- per new Zogby poll [6-8-10]

Part 12: Why Privacy Is an Antitrust Issue & Why Google is its Poster Child [7-22-10]

Part 13: Google's Deep Tracking Inspection -- a privacy nightmare [8-31-10]

Part 14: Why is the FTC AWOL on Google Privacy? [10-27-10]

Part 15: Why Google's Privacy Controls are a Joke -- Lessons for FTC/FCC [11-11-10]

Part 16: Google's No Privacy by Design Business Model [3-17-11]

Part 17: FTC-Google Privacy Settlement Takeaways [3-31-11]

Part 18: Google vs Apple: How Business Models Drive Disrespect vs. Respect for Privacy [5-6-11]

Part 19: Big Brother Inc. -- My Huffington Post Op-ed on Google & Privacy [5-24-11]

Part 20: "G-Male:" a very funny new Google privacy satire [9-7-11]

Part 21: Where's the Market for Online Privacy? [1-31-12]

Part 22: Google's Latest Privacy Scandal Spin - A Satire [2-17-12]

Part 23: Google's Top 35 Privacy Scandals [2-22-12]

Part 24: Google's Privacy Excuse Algorithm Team - a Satire [3-16-12]

Part 25: Google's Privacy Rap Sheet [6-14-12]

Part 26: Why FTC's $22.5m Google Privacy-Fine is Faux Accountability [7-12-12]

Part 27: Google's Top Ten Anti-Privacy Quotes [10-15-12]

Part 28: The Unique Google Privacy Problem -- Korean Privacy Council in Seoul [10-25-12]

Part 29: Google's Privacy Words vs. Google's Anti-Privacy Deeds [3-8-13]

Part 30: Google's Privacy Rap Sheet: Fact-Checking Google's Claims on Privacy [3-13-13]

Part 31: Google's Creepy Glass-arazzi? [3-14-13]

Part 32: Six EU nations Revolt over Google's Virtual Colonialization of their Private Data [4-5-13]

Part 33: Big Brother Inc. - a One-page Graphic [6-10-13]

Part 34: Google Spy [7-8-13]

Part 35: Google's SpyGlass - Google's Big Rest-of-World Trust Problem [9-9-13]

Part 36: Video: Why Google's WiSpy Wiretapping is Now Class Action Catnip [9-16-13]

Part 37: Are Google Glass' Recordings Illegal Wiretapping Too? [12-9-13]

Part 38: Google's Empty Privacy Promises for Nest, Contacts, etc. [1-20-14]

 

Q&A One Pager Debunking Net Neutrality Myths