Regulating Gmail
As a Gmail account holder (peter.harsha), I’ve got mixed feelings about news that the California State Senate has approved Sen. Liz Figueroa’s (D) bill placing restrictions on Google’s web-based e-mail service in order to prevent, Figueroa says, Google from “secretly oogling private e-mails.” While I’m happy on the one hand that government appears to be getting the message that privacy is an important issue — one maybe not so well understood by most consumers — I’m a bit nervous about the California legislature intervening.
I was especially nervous about Figueroa’s original bill, which would have “forbid Google from secretly scanning the actual content of e-mails for the purpose of placing targeted direct marketing ads” and required the company to “obtain the informed consent of every individual whose e-mails would be ‘oogled’.” By “every individual” Figueroa meant not only the Gmail account holder, but any person who e-mailed a Gmail account holder, or (presumably) anyone whose original e-mail message may have been forwarded by a third party to a Gmail account holder. I was primarily nervous because it seemed to me that the hurdle this restriction posed would effectively kill Gmail, and I was kind of intrigued by the service (despite Ed Felten’s objections). 🙂
Though the bill passed by the CA Senate (SB 1822) appears to have been amended heavily — gone is the outright prohibition against scanning e-mail without consent for marketing purposes, replaced with language that notes the many legitimate uses of e-mail scanning (spam filters, translation into audio for the blind, automatic sorting and forwarding, blocking image ads and web bugs, stripping HTML for handhelds) — the bill still notes that
In the context of electronic mail and instant messaging communications where electronic mail is scanned for purposes other than those [exceptions listed above], full and informed consent or notification of parties to the electronic mail communication is both appropriate and necessary.
The bill also places restrictions on how, even if granted consent, Google can make use of the e-mail scanning: it can only provide automated scanning to provide contemporaneous ads — which I believe was Google’s plan all along. But it also means Google can’t keep, for any purpose, any information or “user characteristics” it gleans from my email — even if that purpose might provide me some great benefit (I don’t know what exactly…great deals on products I’d like? pointers to information I might find useful?). Don’t get me wrong, I realize that there are plenty of nefarious things Google might be able to do with a monstrous database full of user data. But there might also be plenty of good things it could do — things I might even want them to do — in the future. This bill, it seems to me, would insure Google won’t have an opportunity to innovate at all in that area. What I worry about with this CA Senate action is the same thing I was worried about in the Total (Terrorism) Information Awareness debate and the ongoing P2P filesharing debate: the act of locking down technologies because some uses might be illegitimate can kill areas of legitimate research and innovation (or send them underground). I really worry that the legislative hammer is just too blunt an instrument to tinker with these technologies. Rather than artificially constraining the technologies because there’s a hypothetical chance they might be used for something nefarious, maybe the effort would be better focused on stopping those who are actually doing nefarious things.
Update: The San Jose Mercury News makes the same point about stifling innovation in an editorial.
Update 2: Gene Spafford sends an interesting e-mail with his perspective:
I think the best way to look at any of these issues is through the lens of the Fair Information Principles. They have been refined over the years, and enacted into the laws of countries around the world (including Canada). They also are consistent with standard ethics as practiced in a number of fields.
One of the standard ideas is that of informed consent. Information should be given only with consent, and then only after the uses of the information have been fully disclosed. Gmail doesn’t do that — if I send email to your gmail account, I have not been fully informed nor have I given consent. The California law restores that. You are correct that the law probably goes too far.
I think the TIA issue is addressed the same way. If you apply the fair information principles, then it was an unethical use of personal information.