
Google admits to reading your emails, claims you should expect it.

Dannyalcatraz

Schmoderator
Staff member
Supporter
I'm going based on the wording presented. "(2) obtains individually identifiable health information relating to an individual;" Without context, a lone word (like "catheter") does not comprise health information. Without metadata about who used the word, it is not individually identifiable.
It is individually identifiable for the milliseconds it takes the software to link your email address (and thus, your identity) and that word to a product and authorize the sending of the targeted ad. That may be legally sufficient to trigger HIPPA (and other statutory) penalties, but we won't know for sure until after all the legal proceedings have ended.

And "individually" has been broadly construed in the past.

If you were in a doctor's office asking for a catheter for an ailing relative, and a 3rd party catheter salesman overhears that and sends you info on his company's catheters, the violation is still there. You're acting as an agent for this relative, so you are under that person's umbrella of privacy. Even though the commercial speech was misdirected to you- the agent- and the actual patient was not actually identified, the breach of the patient's privacy has occurred, and the catheter salesman could be slapped with a HIPPA penalty.

(Note- if you were acting as a patient's agent and directly queried the salesman, there would be no violation.)

Google advertisers do not use their own infrastructure. The advertiser submits an image and link to Google, along with information about when the ad should be shown. This is stored by Google, and the ad is served up from Google's servers. At the end of the month, the advertiser receives a report about impressions. Google does not send a query to the advertiser's computers. That would be slow, and would fail if that company's servers were down. If Google did do this, it would be anonymized ("I want an image for case #3"), which Google would then insert into the page for them. The advertiser does *not* get a direct link to you.

Sorry I was a bit unclear- I don't think the advertisers themselves will be found liable, precisely for the reasons you state. When I said "in concert" I didn't mean that the advertisers' software or employees had any access to the triggering data, just that this is a commercial exercise by Google & the advertisers that falls well outside of the permissible use of private data.


I expect their lawyers have been over that with a fine-toothed comb

True, but until there is a lawsuit before a judge (and possibly, a jury*) and/or actual case law on point, it's just considered opinions.

Many a legal scholar has been surprised by the final outcome of a case.


Well, for one thing, if you haven't deleted the e-mail, the word is still there! If you deleted it less than 30 days ago, it may still be sitting in your trash, still not completely deleted.

Beyond that, for search criteria and page visits, I think the standard way is through browser cookies. I don't know if Google sets browser cookies based on e-mail content. So, there's a file on your own machine that says, in essence, "Keyword X got mentioned". When it needs to, Google asks your machine what keywords got mentioned in this browser, and your browser tells Google. The transaction is still between you and Google. In the basic case, it doesn't connect that keyword to you, personally, only to the browser.

I'm thinking specifically of politically themed advertising I receive almost daily, and the only political emails I had were sent to me (not by me) and were quickly deleted...some without reading them. (I know the sender.)

This has been going on the better part of 2 years.
 



billd91

Not your screen monkey (he/him)
By the way, it's HIPAA not HIPPA.

And with the new Omnibus Privacy rule (well, new as of early 2013), business associates of covered entities (the health care organizations) who handle any of a patient's protected health information and their subcontractors are automatically covered by HIPAA and can be held accountable for breaching the privacy rule. So Google might want to reconsider giving anybody the impression they are misusing or improperly handling PHI lest they become targets of an investigation by the Office of Civil Rights and HHS. The penalties, very mild before, are a lot more expensive now. HIPAA violations have already been handed out for storing PHI in "the cloud" so the Feds are getting more serious about where and how PHI is stored and where it may be vulnerable.
 

Janx

Hero
By the way, it's HIPAA not HIPPA.

And with the new Omnibus Privacy rule (well, new as of early 2013), business associates of covered entities (the health care organizations) who handle any of a patient's protected health information and their subcontractors are automatically covered by HIPAA and can be held accountable for breaching the privacy rule. So Google might want to reconsider giving anybody the impression they are misusing or improperly handling PHI lest they become targets of an investigation by the Office of Civil Rights and HHS. The penalties, very mild before, are a lot more expensive now. HIPAA violations have already been handed out for storing PHI in "the cloud" so the Feds are getting more serious about where and how PHI is stored and where it may be vulnerable.

Yeah, I spelled it wrong.

I'll have to learn more about the Omnibus rule, as that wasn't in my last briefing.

Previously, as I understood it, a business associate isn't on the hook for a HIPAA violation if they don't KNOW that a covered entity is using them for stuff that touches PHI.

However, the covered entity is required to disclose that and make the proper arrangements.

So, there's always supposed to be proper agreements and audits between parties, but it is the fault of the source of the covered entity for not initiating that process.

This means, Google for example is oblivious to what you do with their Drive or email products. If you start stuffing patient files in there, scheduling patient appointments in the calendar for your clinic with it, you put Google at risk (not the other way around). Google was an unwitting participant as they don't know that's what you're using them for and you haven't approached them with a proposal to do business together (and thus start the contract and auditing process).
 

Dannyalcatraz

Schmoderator
Staff member
Supporter
Yeah, I spelled it wrong.

I'll have to learn more about the Omnibus rule, as that wasn't in my last briefing.
Ditto and ditto. :)

The other thing that keeps me concerned about Google is that they used the phrase "expectation of privacy".

Law, like magic, is dependent on words and the way they are used. And that's a phrase that runs through all kinds of cases that deal with privileged information, as well as cases involving the Fourth and Sixth Amendment. It's almost as if they're begging the question of "Who wants to sue us and for what?"

OTOH, perhaps they're just trying to get things rolling so they don't get blindsided down the road...kind of a "Come and get it!" maneuver.

And I woke up this morning considering yet another business where this could get ugly fast if Google is right- communications with your accountant.
 

Janx

Hero
The other thing that keeps me concerned about Google is that they used the phrase "expectation of privacy".

Law, like magic, is dependent on words and the way they are used. And that's a phrase that runs through all kinds of cases that deal with privileged information, as well as cases involving the Fourth and Sixth Amendment. It's almost as if they're begging the question of "Who wants to sue us and for what?"

From the OP article, the lawyer's first very short paragraph was fine and reasonable. The server is going to parse your mail for keywords to show you ads. That seems reasonable for a free email service and isn't the same as "reading" my private mail.

Then the lawyer gets into jerky speech where it feels like he's saying "and then we're gonna bugger yer mum, because you know what, we can do that too!"


I think one of the more annoying things about corporations, even though they're people, they can commit crimes and be bad until somebody is strong enough to sue them.

Whereas real people are generally in trouble by virtue of calling the cops on them.
 


Dannyalcatraz

Schmoderator
Staff member
Supporter
Let me see if I can boil this down a bit, to show why I'm concerned:

If Google asserted that their programs didn't need a whole bunch of data to route your emails & send you ads*, that would be one thing.

But they used that phrase, "expectation of privacy"...that's the phrase that gets tossed around when lawyers are trying to exclude or admit communications into evidence. If you have no "expectation of privacy" when and where something was said, it is going to be admitted into evidence unless it can be omitted on other grounds- privilege will be no protection.

Google's lawyers know this. And they used that phrase:

Just as a sender of a letter to a business colleague cannot be surprised that the recipient’s assistant opens the letter, people who use web-based email today cannot be surprised if their emails are processed by the recipient’s [email provider] in the course of delivery. Indeed, ‘a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.’

They are saying that:

1) they are acting like an assistant, not the Postal Service. (A big stretch, since an assistant would probably not be considered a "third party" under the law and their business model most closely resembles a Postal Service.)

2) emails are inherently not privileged...and thus, admissible in court unless you can find another way to keep them out.

* and I'm not really buying that, either. Correct me if I'm wrong, but the email addresses alone should be sufficient to deliver them properly, and if Google were not targeting the ads, there would be ZERO reason to scan the data within the email at all. Simply sending random ads or using an advertising schedule would allow them to provide the service without violating the privacy of the people using it.
 

Janx

Hero
Let me see if I can boil this down a bit, to show why I'm concerned:

If Google asserted that their programs didn't need a whole bunch of data to route your emails & send you ads*, that would be one thing.

But they used that phrase, "expectation of privacy"...that's the phrase that gets tossed around when lawyers are trying to exclude or admit communications into evidence. If you have no "expectation of privacy" when and where something was said, it is going to be admitted into evidence unless it can be omitted on other grounds- privilege will be no protection.

Google's lawyers know this. And they used that phrase:



They are saying that:

1) they are acting like an assistant, not the Postal Service. (A big stretch, since an assistant would probably not be considered a "third party" under the law and their business model most closely resembles a Postal Service.)

2) emails are inherently not privileged...and thus, admissible in court unless you can find another way to keep them out.



* and I'm not really buying that, either. Correct me if I'm wrong, but the email addresses alone should be sufficient to deliver them properly, and if Google were not targeting the ads, there would be ZERO reason to scan the data within the email at all. Simply sending random ads or using an advertising schedule would allow them to provide the service without violating the privacy of the people using it.

True enough. Technically, somebody at Google should have pounded the table shouting "That's evil!" and the whole idea would have been shut down when the lawyers were talking about taking this tack.

Because as Eric Schmidt was surprised when he got there, that's how Google's "Don't be evil" policy works.
 

MarkB

Legend
There's different kinds of privacy.

Nobody needs to know your social security number
Nobody needs to know who you dated last night
Nobody needs to know about that lump you have
Nobody needs to know that you are planning to fire Tom in accounting tomorrow.

These are private things, that should only be shared when you choose and as needed.

As we do know, some people do need your social security number to process your claim
And the computer does need to know your address so it can mail the bill to you
And Google does need to skim your mail for nouns so they can display advertisements about those nouns to you while you use their free service.

But does that mean they've violated those core things I identified at the top? Probably not.

So, just for example, let's say you're using a shared computer (the family PC at home, or a work PC) to send private e-mails, relying for your privacy upon the password-restricted access to your webmail account, and some of those e-mails discuss private and personal subjects.

And then somebody else is browsing the web using the same computer, and starts seeing ads pop up for specialised medical sites, or dating sites, or recruitment sites.

Google may not have explicitly revealed the fact that you have a specific medical condition, or sexual preference, or that you're planning on firing a particular person, but it's certainly doing a lot to help someone join the dots.
 
