Skimming through my daily privacy law newsfeeds last week, I came across the following headline on multiple occasions: Google says e-mail users have “no reasonable expectation of privacy.” In quotes. Meaning Google actually said that. “Really?” I thought. That can’t be right. I bet Google did not actually say that.
Guess what? Google did not actually say that.
I’ll preface the rest of this piece by making clear that I am not in the business of defending or apologizing for Google. Those who know me well know that’s not the case. Not in the least. But what happened last week reaches far beyond Google and demonstrates the folly of letting the media drive the privacy debate in this country—and, consequently, the development of privacy law and policy.
What did Google say, and why do we care?
Here’s the situation. Google is defending a multi-district litigation in the U.S. District Court for the Northern District of California involving allegations that Google, through its Gmail service, is illegally intercepting e-mails when it scans them. In June (yes, in June – there’s the first sign that something is amiss here since this story broke in August – hmmm), Google filed a motion to dismiss. The hearing on the motion to dismiss is set for September 5.
A little legal context is needed to understand what is going on here. This is a motion to dismiss, so Google is challenging the plaintiffs’ pleadings. The court must assume that the facts as alleged by plaintiffs are true, and Google is not allowed to introduce any extraneous facts. So “truth” has very little to do with the proceeding here.
Plaintiffs assert claims under the federal Electronic Privacy Communications Act (ECPA) and California’s eavesdropping law–referred to by the parties as the California Invasion of Privacy Act (CIPA). Not surprisingly, Google’s arguments are legal arguments as to why those laws don’t apply here. Google asserts numerous arguments in its motion to dismiss, among other things: (1) Plaintiffs’ wiretapping claims under ECPA fail because the alleged scanning practices are part of Google’s ordinary course of business as an electronic communications service (ECS) provider; (2) the senders and recipients of the e-mails at issue have all consented to the processing of their e-mails by Google; (3) CIPA does not apply to e-mail communications; (4) plaintiffs have no Article III standing to pursue a CIPA claim; (5) plaintiffs fail to allege any connection to California; and (6) plaintiffs allege no facts to show that their e-mails were “confidential communications” within the meaning of CIPA.
Where in here did Google allegedly say anything about people having no reasonable expectation of privacy in their e-mails? In the context of its arguments as to why users have consented to the Gmail practices for purposes of the California law, Google argued that even the plaintiffs who do not use Gmail “nonetheless impliedly consent to Google’s practices by virtue of the fact that all users of e-mail must necessarily expect that their e-mails will be subject to automated processing.” In other words, Google says, e-mail users must expect that their e-mails will be processed by a third party. This is followed by the paragraph that caused the advocacy group Consumer Watchdog, and the media, to go crazy:
“Just as a sender of a letter to a business colleague cannot be surprised that the recipient’s assistant opens the letter, people who use web-based e-mail today cannot be surprised if their communications are processed by the recipient’s ECS provider in the course of delivery. Indeed, “a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.” Smith v. Maryland, 442 U.S. 735, 743-44 (1979). In particular, the Court noted that persons communicating through a service provided by an intermediary (in the Smith case, a telephone call routed through a telephone company) must necessarily expect that the communication will be subject to the intermediary’s systems. For example, the Court explained that in using the telephone, a person “voluntarily convey[s] numerical information to the telephone company and ‘expose[s]’ that information to its equipment in the ordinary course of business.” Id. at 744 . . .
That’s it. Google cited to a 34-year-old Supreme Court case that articulates the well-established third-party doctrine. Google was quoting Supreme Court law. If you want to learn more about the third-party doctrine, read any one of the articles authored by Prof. Orin Kerr of George Washington University Law School on the subject, in particular, “The Case for the Third-Party Doctrine.” I cannot do that justice here, and that’s really not my objective. My point is a broader one.
By glossing over what actually happened here, and the complexities of the pending litigation, Consumer Watchdog and the media are missing the complexities of this issue, complexities that must be discussed in order to arrive at the right conclusion. I’ll mention two here since my space is limited.
Number one: Privacy is contextual and encompasses a number of things – while an individual’s e-mails may be scanned, whether that person’s privacy has been violated depends, at least in part, on the use to which that information has been put, whether that information has been shared, and whether the user consented to that use and/or sharing. The mere fact that Google asserts that an individual must expect his or her e-mail will be processed when sent – a noncontroversial proposition in today’s day and age – does not mean that the individual’s privacy has been violated. If you cannot accept the notion that a third party is going to process your e-mail, you might as well shut down your computer, throw away your smartphone and go off the grid entirely. Gmail users get free e-mail in exchange for agreeing to receive targeted advertising based on automated scanning of e-mails. If you cannot accept that notion, don’t use Gmail. Non-Gmail users who send e-mails to Gmail users know that someone is going to process that e-mail to send it to the recipient. Whether those users also consent to having their e-mails scanned for other purposes – that’s the real question that requires analysis. But that’s lost in this mess.
Number two: There is a legitimate question requiring legal analysis – and that the court will presumably evaluate in ruling on Google’s arguments – as to whether the Fourth Amendment third-party doctrine should apply in the context of a California statutory claim challenging Gmail scanning of users’ e-mail for advertising or other purposes. That’s also an important legal debate that deserves attention.
But the headlines did not read, “Google Erroneously Claims That Non-Gmail Users Should Expect Their E-mails Will Be Scanned for Advertising Purposes” or “Google Improperly Invokes the Third-Party Doctrine In Defending Gmail Privacy Claims.” Nope. Instead, the headlines read, “GOOGLE: If You Send To Gmail, You Have 'No Legitimate Expectation Of Privacy'.” And, even better, in Consumer Watchdog’s response to clarifications regarding the story, “Google Is Either Lying To The Court Or To The Public, Consumer Watchdog Says.”
What do such headlines accomplish? They sell newspapers. (Well, no, probably not, but they might draw page views.) They incite anger and suspicion as to whether corporate America is flat-out lying to the public about privacy practices, anger that is already at an all-time high due to the recent revelations regarding the NSA surveillance programs. When I posted a short note on a popular legal and information security listserv last week clarifying the facts as to what Google said, I was greeted with the famous Spiderman quote, “With great power comes great responsibility.” Yes, really. Because I pointed out that Google cited a Supreme Court case.
Google is entitled to defend itself based on existing law. Privacy advocates, consumers and regulators who take issue with Google’s position should contest Google’s interpretation of the law in court. But mischaracterizing Google’s legal argument to suggest that Google doesn’t care about people’s privacy, for lack of a better description, doesn’t serve to advance the interests of privacy or consumer protection.