Email is indeed woefully insecure, but the problem with Google's "privacy" policy has little to do with whether or not email is a secure medium. It's about social norms, and Google's institutional ignorance of them.
Privacy is created by social norms. It's no technical challenge for me to borrow your paper mail from your mailbox, steam it open, read it, copy the bits I find interesting, seal it up again, and replace it in your mailbox. But, in doing so, it's understood that I'm doing an awful thing. It's so awful that it's against the law:
... and, all else being equal, juries will not be inclined to sympathize with me.
Similarly, it's somewhere between very rude and illegal, depending on circumstances, to intercept or interfere with someone's email. If you happen to glance at someone's email you're expected to keep politely silent about it, as you would be if you happened to glimpse your neighbor through a window of their house. You're certainly expected, under pain of felony charges, not to tamper with or forge someone's email, just as you're expected to avoid entering your neighbor's house without knocking even if the front door is standing open.
Google, on the other hand, seems to be constantly trying to establish the precedent that it's perfectly normal and polite for any aspect of your life - currently including, but presumably not forever limited to: the state of your front yard, the contents of your photo album, the list of movies you've watched on YouTube, and the contents of your mailbox - to be sampled, data-mined, correlated, and archived forever by entities completely outside your knowledge or control so long as those entities are using secret algorithms to do it.
If you'd tolerate this behavior in a friend, you may by all means continue to have Google as a friend. I, however, am getting increasingly uncomfortable with Google sitting in my living room, and am increasingly tempted to escort them politely but firmly to the door and then deliberately misplace their address.
The problem with dumping gmail for another email provider is that at least half of the people with whom I correspond use gmail too so my messages wind up on their servers anyway.
Edit: REALLY tired of all the idiotic downvoting lately. What I've said is factual. Don't be such a lazy fuck and post a rebuttal if you disagree.
Yes, and likewise you don't have any guarantee that anyone you talk to, tell stuff, share stuff with, etc. won't go then share that with someone/thing you disapprove of. If that's really an issue for you, then just encrypt all conversations you care about, and don't talk to people you can't trust (and can't trust to use 'secure' methods, for however you define the term secure).
This is not a problem with GMail, per se. It's a broader issue of trust.
The difference is the concentration of email in one company's hands. Ironically it would be less of an issue if all my friends were using different providers but, since they're all on GMail, our conversations get sieved either way.
Sure, but the difference is in the implied consent.
If I continue to use Gmail beyond another week or two (what's that deadline, again?) I've implicitly consented to Google's policy on what they're permitted to do with my email. (One nice thing about Google: I can't really claim they haven't told me about this nonsense. They are taking the notification of their customers very seriously.)
If, however, I'm not actually a Google user, but the Googlers secretly reassemble my mailboxes by sniffing the inboxes and outboxes of all of my friends and relations... well, that's a bigger transgression. They didn't ask my permission to do that, and when they asked my permission to do similar things I said no. So they'd better be good at keeping their activities secret, because if I ever learn that they did it I'll squawk a long, loud squawk.
Sure, social disapproval doesn't have the force of law. (At least, not right away.) But it does have force.
It's not just your email but the recipients as well, and they can do what they want with it. Why would you care if they were able to figure out that you like computers and target more relevant ads?
Here's your rebuttal: shine another light on your situation and suddenly, instead of having half the messages ending up on Google servers anyways, you have half of your email freed from Google servers, which is better than having all of it there, privacy-wise.
I imagine about 20% of my email correspondence is all it would take for Google to form a pretty accurate picture of my interests and habits and circles of acquaintance. That's the way machine learning usually works: you don't need a complete dataset to make useful inferences.
You're right that privacy is all about social norms and expectations. That's why I've never understood how people willingly sharing personal information is considered a privacy issue at all. If I show my friend a postcard sent to me by another friend, no one's privacy has been violated. If I trust a roommate (e.g. a significant other) to read my mail, there's no privacy issue there.
This applies to a huge portion of privacy concerns raised by the tech community. Someone sharing their photos, location, or thoughts willingly on Facebook does not constitute a privacy issue. Someone accepting a fairly clear Google privacy policy and thereby letting their algorithm read all their emails does not constitute a privacy issue.
The real privacy issues are ones where companies don't follow their own privacy policies, or companies' databases get compromised, or companies abruptly change default sharing settings to be more public (which, granted, I believe Facebook has done before).
AFAIK Google has broken its own privacy policy, Gmail's databases have been compromised, and they did change default settings to be more public at least once.
This makes a strong contender of Gmail for privacy issues.
> That's why I've never understood how people willingly sharing personal information is considered a privacy issue at all. If I show my friend a postcard sent to me by another friend, no one's privacy has been violated.
Really? Because most people would consider that it HAS been violated.
Opting to share something with some person X is not the same as opting to have it shared by X to anyone else, except if you explicitly or implicitly permit him to.
If your gf sends you an intimate mail, I don't think she will not feel her privacy was violated if you show it to your pals.
> except if you explicitly or implicitly permit him to.
What was precisely my point.
> If your gf sends you an intimate mail, I don't think she will not feel her privacy was violated if you show it to your pals.
Depending on the message and your relationship, one might be able to argue that there is an explicit or implicit contract of confidentiality between partners.
I agree, but I think the same applies here: people expect an implicit contract of confidentiality with utility providers. Most people would feel that wrongdoing took place if the phone company started recording random excerpts of your calls to build a profile on you, and in fact we feel so strongly about it that there are laws banning them from doing so. I would guess that many people don't realize that there aren't similar laws applied to whether Comcast can snoop on your web-browsing, or Google can snoop on your email, as opposed to acting in a classic phone-company-esque service role.
An interesting recent one that's cropped up is whether the electric company can use your electric usage patterns to build a profile on you, perhaps to sell to marketers or government agencies. It's only become feasible to build a detailed profile recently, with the monthly meter-reader slowly being replaced with electronic meters that report back usage much more often; now with appropriate machine learning the electric company can actually, in many cases, detect signatures of specific kinds of appliances, and build a profile of what you do when. European countries have started passing privacy laws around this data; its legal status is less clear in the US. I would guess most people don't realize this is possible, and if they did, would feel it was a violation of an implicit contract.
I'm curious: Gmail, since the very beginning, has been predicated on the idea that Google will serve you relevant, content-related ads. (I thought that was a non-starter, but the world proved me wrong.) How long did you use them, and what finally triggered you to say "No, this is not OK"?
I talked myself into using Gmail as the IMAP server for my business for a while, but then migrated that to Fastmail.
My company uses Gmail and Google Docs, extensively. It's been fun using Gmail, at least before they "updated" the interface. (The new interface has not been my friend, thus far.) I can definitely understand why everyone fell in love with Gmail when it was new.
Giving up Gmail is easy; there are many alternatives. Even Google Search has alternatives. A bigger frustration is Google Reader, which is harder to replace. And I can't give up Docs or Groups cold-turkey, because I belong to groups that use them; fortunately I haven't used them for anything especially private.
How would we deal with spam? Anyways, it's part of their policy and you don't have to use it. Also, you may not understand how these sorts of things work, but most other services will keep such things, that's one of the benefits of the Internet. I don't get you conspiracy theorists on HN.
Being one of the advocates of leaving: The article got it wrong for me, on various points.
First: No, Google is not evil. Nor good, for what it's worth. It's a random company that won a lot of sympathy in the past and became unavoidable (for better or worse) on the internet.
If someone cries that Google is turning mad, evil and creepy, go ahead with posts like this. If people start thinking about the implications of throwing every piece of their online identity into one corporation's data center: Stop mocking that.
Yes, you can have less secure solutions. Yeah, email isn't a secure protocol to begin with and pgp/gpg is mostly dead by now, used only by geeks that line up to compare their fingerprints and passports, calling that a 'party' (Hey, I did that. I'm allowed to make fun of my own subculture).
That's totally missing the point. For some people it is just too scary to give email, calendar, news feed, instant messages, mobile operating system, 'office' aka text editor/spread sheet data, pictures, location data (latitude), travel data (maps, google tracks) and probably a lot I missed to a _single legal entity_.
We didn't even touch the 'use Google as openid provider' part here, which puts your 3rd party accounts in Google's hands.
I wouldn't entrust those details to my wife or brother and recently, without fearmongering or throwing my hands in the air and running in circles, decided that Google is not the right place for that level of access either.
If you mock that, if you call that paranoia, then you're insulting intelligent people making a conscious (and - private/intimate. Even if discussed in public) decision. The headline of this article alone is out of line.
As with any security decision, you need a good threat model rather than FUD and giving in to cognitive biases. Whether you consider the threat model in the post to be complete and accurate, just saying "OMG Google could go evil!" is not really a useful way of looking at things.
You need to consider the loss implications if your email is compromised, given various scenarios (the whole account? one message? etc.) and the sorts of information you have in it (journalists working with protected sources vs. griping about your spousal unit malfunctioning). And consider who the likely threat actors would be.
In some cases, hosting on Google would be a spectacularly bad idea. If I were Jacob Appelbaum, I wouldn't even think about it, because of concerns about "lawful intercept" and whatnot. But in my case, given the additional security features (two-factor auth, HTTPS everywhere, etc.), and my particular threat model, Gmail does the job just fine.
The most important part of this: "With that said, I think it’s a bad idea to use a @gmail.com address (or any other domain name you don’t own). If Google – or your email service of choice – does turn evil or shuts down, at best you have to change your email address, and at worst they own a critical part of your online identity."
I understand that some people are too lazy (or whatever) and use Gmail. But do you really assume that you won't switch your mail or chat provider for the rest of your life? That's exactly like the people who used @hotmail.com a decade ago.
Your own domain costs $10-20 per year and it's trivial to set up (either on your own server or with Google Apps). And if you decide at some point that you want to switch to another provider, all you need to do is to point a few records (MX, XMPP, SPF) to your new provider - this only takes a few minutes to do.
Google has an incentive to be nice: they only make money and continue to exist if people use their products. If they suddenly take everyone's gmail address, the backlash would be incomprehensible. There would be Senate hearings and an infinite amount of Internet Hate.
But registrars are smaller and probably wouldn't face any financial consequences for stealing your domain name and selling it to someone with more money. You would be mad, but since it only affected you, there would be very little you could do. No hearings. No Internet outrage.
Alternatively, someone could sue you for your domain name, and you'd never be able to afford to mount a reasonable defense. Google, on the other hand, could afford to do that.
I think once a company gets to be Fortune 500 in size, they probably aren't going to do anything too drastic. It's the smaller ones that can be bought or do something unethical because they don't have shareholders or a board of directors. (Then again, that didn't stop Enron. But they fucked over their employees, not their customers.)
I assume that the chances of you being sued for your domain are much lower than the chances of Google randomly disabling your account. Which has happened in the past: http://news.ycombinator.com/item?id=354593 and http://news.ycombinator.com/item?id=2798048 - seems that for some of the disabled Google+ accounts all other Google services have been disabled too. If the registrar steals your domain you would still have the possibility to go to court to get it back. If Google disables your account you can't do that.
The highest (but still small) risk when having your own domain is that some company claims it has a trademark on the name. But you can mitigate this by (1) using your real name or some other nickname as the domain name and (2) using the .name namespace instead of .com.
I don't see what you're saying. Big Pharm sells drugs to insurance companies. Oracle sells databases to CTOs. Monsanto sells weed killers to farmers.
Yes, these activities all have externalities; drugs would be better if people could pay for them themselves, databases would be better if programmers picked them out, and farming would be better if Monsanto didn't patent genes. But ultimately, none of these companies try to harm their customers. We just don't like them because we aren't their customers.
Google is in a weird position where they have two sets of customers; users and advertisers. Both need to be pleased, even though their interests are in conflict, or Google will die. So there's a financial incentive to be nice to users, and as a user, that means they should be nice to you.
I disagree with this. Users are not customers, we are the product. Google need only be slightly better than the second best option. Now that they have such momentum in search I don't see any reason why they need to care about users, only advertisers.
Google does have a bidding system for ads, that's true, but if everyone stops using Google, then the ads become worthless and Google goes out of business.
It's easy to look at as "Google is just selling eyeballs", but it's not that simple; Google has to please both the advertisers and the people looking at the ads. And, of course, there are the various paid products (Earth Pro, Docs, etc.) that Google offers.
I switched from my domain (a .co.uk) to Gmail for personal email because it makes things clearer to other people. Being @gmail means people know to gchat you or send you a Google doc. Or add you to an analytics account. A bunch of third-party tools like browser plugins and Gmail mail clients also don't work with Apps for domains first. That has become less of an issue over time, but there has certainly been a reduced hassle just having a Gmail account.
The act of maintaining an email server and managing your relationship with well-known peers (especially with major mail service providers) is unfortunately nontrivial.
The big dogs often act as if they own the Net, which, in a sense, they do (they account for a very large portion of email). And even as rational actors, they'll prioritize delivery/peer issues with other larger providers and organizations over Joe Part-time-postmaster. This isn't 1996 any more.
Not saying you can't do it, but you may find that you'll want to at least use a larger MSP as your egress pathway.
I have a lot of gripes over Google (evil or otherwise) myself, but they are among my mail providers.
If you use Google Apps (as suggested in my post) the "goodness in terms of security and spam filtering" would be EXACTLY THE SAME as when using plain gmail.com.
> what nefarious thing Google could do with my email that is in its interest and that would cause me harm
responding to government information requests without due process. google isn't in the business of protecting civil liberties.
i wonder if they're filtering our email on a mass scale for suspicious activities, as defined by Dept Homeland Security? if they were, it would be classified, and none of us would know the difference.
heck, turns out one of my buddies used to be a drug dealer, i had no idea, and at the time he was all over my social graph. i wonder if it will come up next time I apply for a security clearance. I might never know - an old manager once told me how clearance applications have a way of getting lost in the system when things aren't perfect - once eyebrows are raised, you enter a whole new set of processes and red tape that nobody wants to deal with.
Actually, I would trust Google to challenge government subpoenas more than I would trust my current small webhost, which has probably next to no legal resources that would give it a chance in court.
Now if you and your small webhost are outside the jurisdiction of US courts then that might be a different story... At least that's the only "privacy" reason to not use gmail that I can't immediately dismiss. Anybody have any thoughts on this case?
forget information requests (let alone subpoenas), because neither google nor your webhost is going to resist being strong-armed on a targeted basis. let's look at mass-scale surveillance. let's suppose the DHS wanted 99.9% surveillance over email, and the more 9s you add the exponentially more budget it takes. i doubt your webhost made the cut.
Google isn't in the business of legislating either. Ideally we would hold our government and institutions accountable for protecting our civil liberties, and not rely on corporations to do it for us.
The argument that email is inherently insecure is specious. Most providers offer IMAP over TLS. Hotmail offers POP (which is incredibly crappy), but at least over TLS. Some big ISPs (e.g., Verizon) don't offer encrypted mail, and should be ashamed of themselves for this -- but this is definitely the exception these days. Mail between servers is also generally encrypted via TLS. And SPF and DomainKeys generally provide a nice audit trail if someone's hacking.
So it's just wrong to suggest that email is usually sent in cleartext form or is otherwise insecure -- even if the users involved haven't set up PGP.
I think it's totally legitimate for consumers to be concerned about the companies that host their email. Unlike social networking, email is for "important stuff", and while webmail providers like Google generally have protections in place to prevent random employees from reading your mail, the fact is that the possibility still exists, and incidents have occurred at companies like Google of rogue employees illicitly reading end-users' email. Someone with access to your Facebook account is unlikely to get access to your bank statements, mortgage emails, or travel plans. But if someone can read all your email, they'll likely get all these and much more.
The only genuinely safe long-term solution is for mail hosts to store their users' email encrypted in such a way that only the end users (and not the company) can read the email. This would preclude server-side ad targeting, but users should -- and I believe, will -- ultimately demand it.
> Mail between servers is also generally encrypted via TLS
Source for this? It historically has not been, but this may have changed.
Regardless, end-to-end encryption with PGP or S/MIME is the only way to really send "secure" email, and even then you're vulnerable to snooping/mishandling/exposure at the end points when the emails are actually read.
I run my own private mail server and also manage one for a company I consult to and anecdotally I can back this up. The logs for both servers show that the bulk of MTA to MTA traffic is encrypted.
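A sketch of the kind of log check the comment above describes, added here as an illustration and not taken from the commenter: it counts how many inbound messages an MTA accepted over TLS versus in cleartext. It assumes Postfix `smtpd` logging with `smtpd_tls_loglevel = 1`; the sample lines, hostnames and the function name `inbound_tls_stats` are constructed for the example, and it covers inbound sessions only.

```python
import re
from collections import Counter

# Constructed sample (not real traffic), in the format Postfix writes when
# smtpd_tls_loglevel = 1. Hostnames and addresses are documentation values.
SAMPLE_LOG = """\
Feb  1 10:00:01 mx postfix/smtpd[1201]: connect from mail-a.example.net[192.0.2.10]
Feb  1 10:00:01 mx postfix/smtpd[1201]: Anonymous TLS connection established from mail-a.example.net[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb  1 10:00:02 mx postfix/smtpd[1201]: 3A1F2C0D11: client=mail-a.example.net[192.0.2.10]
Feb  1 10:00:03 mx postfix/smtpd[1201]: disconnect from mail-a.example.net[192.0.2.10]
Feb  1 10:01:10 mx postfix/smtpd[1202]: connect from mail-b.example.org[198.51.100.7]
Feb  1 10:01:11 mx postfix/smtpd[1202]: 5C9D0E7F22: client=mail-b.example.org[198.51.100.7]
Feb  1 10:01:12 mx postfix/smtpd[1202]: disconnect from mail-b.example.org[198.51.100.7]
Feb  1 10:02:00 mx postfix/smtpd[1201]: connect from mail-c.example.com[203.0.113.5]
Feb  1 10:02:00 mx postfix/smtpd[1201]: Anonymous TLS connection established from mail-c.example.com[203.0.113.5]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Feb  1 10:02:01 mx postfix/smtpd[1201]: 6D0A1B8E33: client=mail-c.example.com[203.0.113.5]
Feb  1 10:02:02 mx postfix/smtpd[1201]: 6E1B2C9F44: client=mail-c.example.com[203.0.113.5]
Feb  1 10:02:03 mx postfix/smtpd[1201]: disconnect from mail-c.example.com[203.0.113.5]
Feb  1 10:03:00 mx postfix/smtpd[1203]: connect from laptop.example.com[203.0.113.44]
Feb  1 10:03:00 mx postfix/smtpd[1203]: Anonymous TLS connection established from laptop.example.com[203.0.113.44]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb  1 10:03:01 mx postfix/smtpd[1203]: 7B2E9F4A55: client=laptop.example.com[203.0.113.44], sasl_method=PLAIN, sasl_username=alice
Feb  1 10:03:02 mx postfix/smtpd[1203]: disconnect from laptop.example.com[203.0.113.44]
Feb  1 10:04:00 mx postfix/smtpd[1202]: connect from probe.example.net[192.0.2.99]
Feb  1 10:04:01 mx postfix/smtpd[1202]: disconnect from probe.example.net[192.0.2.99]
Feb  1 10:05:00 mx postfix/smtpd[1204]: connect from mail-b.example.org[198.51.100.7]
Feb  1 10:05:01 mx postfix/smtpd[1204]: 8C3FA05B66: client=mail-b.example.org[198.51.100.7]
Feb  1 10:05:02 mx postfix/smtpd[1204]: disconnect from mail-b.example.org[198.51.100.7]
"""

LINE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT = re.compile(r"^connect from ")
TLS_UP = re.compile(r"^\w+ TLS connection established from \S+ (?P<proto>\S+) with cipher")
ACCEPTED = re.compile(r"^(?P<qid>[0-9A-Za-z]+): client=(?P<peer>[^,\s]+)(?P<rest>.*)$")
DISCONNECT = re.compile(r"^disconnect from ")


def inbound_tls_stats(log_text):
    """Count accepted inbound messages by whether their SMTP session used TLS."""
    sessions = {}              # smtpd PID -> negotiated TLS protocol, or None
    counts = Counter()
    plaintext_peers = Counter()

    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]

        if CONNECT.match(msg):
            sessions[pid] = None                 # new session, cleartext so far
        elif (tls := TLS_UP.match(msg)):
            sessions[pid] = tls["proto"]         # STARTTLS completed
        elif (acc := ACCEPTED.match(msg)):
            # Authenticated submissions come from mail clients, not peer MTAs,
            # so they are left out of the server-to-server figure.
            if "sasl_username=" in acc["rest"]:
                counts["submissions_skipped"] += 1
            elif sessions.get(pid):
                counts["encrypted"] += 1
            else:
                counts["plaintext"] += 1
                plaintext_peers[acc["peer"]] += 1
        elif DISCONNECT.match(msg):
            sessions.pop(pid, None)              # smtpd PIDs are reused

    total = counts["encrypted"] + counts["plaintext"]
    return {
        "encrypted": counts["encrypted"],
        "plaintext": counts["plaintext"],
        "submissions_skipped": counts["submissions_skipped"],
        "tls_share": counts["encrypted"] / total if total else 0.0,
        "plaintext_peers": dict(plaintext_peers),
    }


if __name__ == "__main__":
    stats = inbound_tls_stats(SAMPLE_LOG)
    print(f"{stats['tls_share']:.0%} of inbound MTA messages arrived over TLS")
    for peer, n in stats["plaintext_peers"].items():
        print(f"cleartext sender: {peer} ({n} messages)")
```

A high TLS share here reflects opportunistic STARTTLS, which by default does not authenticate the peer's certificate, so the figure measures protection against passive interception only.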
How fortunate for us that you found the time to offer this insightful rebuttal.
I stand corrected. There are not a zillion entries in that database. There are many hundreds, covering only approximately 2B email accounts. Clearly the question of whether these data are representative of email security at large must be resolved in a properly peer-reviewed academic journal.
I am sorry to have wasted your valuable time with such an ill-considered comment. Please accept my heartfelt apologies.
Humans who work at Google do not read your emails; humans who work for the FBI, on the other hand, do. Google and Microsoft, along with others, are required to implement back doors for the law agencies; you should be a lot more paranoid about that.
If you want absolute security, you are not gonna get it from nobody, and that includes Microsoft. Any information stored on a server you don't own is not secure, and any information passed through the internet unencrypted is also not secure. If you want absolute security you need to make sure that the information that you want to send is encrypted when transferring and only gets decoded and stored on servers you own and know to be safe from anyone. In other words, don't use email at all, because it's not secure by design; most of the time, it's vulnerable to man-in-the-middle attacks.
Shame on Microsoft for not competing with features instead of FUD.
I'd like to read more about these "required" back doors.
If you mean that they have to comply with court orders, then yes, that's a "back door". But companies that comply with valid court orders to release emails are actually protecting your privacy. If they refused to comply with the court order, the government wouldn't say, "oh well, we tried, too bad", they'd come physically take all the servers and disks that they thought could possibly be relevant. That means that the government would now have access to your email, even though you weren't the target of any investigation.
Ultimately, if you want privacy from government intrusion into your email, stop electing judges that will sign warrants for your email. You can't expect major corporations to violate the law to protect your email. It's just not going to happen.
Sure, Google is doing the least-bad thing if you take as axiomatic that you're going to have to store your mail in plaintext on the servers of some enormous American corporation. There are, of course, alternatives that don't involve storing your emails in this way, which is the entire point.
For example, libraries regularly delete library records after a short time as a matter of policy. Mozilla encrypts Sync data with a key known only to the user. These represent alternative approaches that don't have the risks of the corresponding Google services (search and Chrome respectively).
if you actually want others to be able to read your email, it can't be encrypted at some point. PGP et al lost the battle a long time ago, which is pretty much exactly the point here. This isn't just in the US that this is problematic, by the way. Most governments reserve this kind of right for "law enforcement" purposes. For instance:
Whoa, was that Microsoft ad the most surprising thing about this post to anyone else? Maybe it's because negative advertising in the Republican primary is being discussed so much here in the US, but to me that seems like a massively bad idea on the part of Microsoft. Do they do absolutely no targeted advertising with Bing, Hotmail, or their other web services? I find that a little hard to believe.
I guess I shouldn't be that surprised that they've resorted to attack ads though; Office 365 is one of the worst web apps I've ever used. I don't even necessarily disagree with their general goal of educating people about how Gmail works, but that's like a textbook definition of FUD if I've ever seen one.
Email is certainly not secure. IT guys can not only read text email, they can also read passwords. A long while ago in the earlier days of IDS, I was shown an example of how an IDS scanner could read the Yahoo password a user types in the browser. But, that doesn't mean anyone would potentially read your email and they don't.
However, in the longer run, the question then is: like a snail mailbox which is fundamentally a right of each person/household - does our individual email in this increasingly connected world fall into the category of individual's right? Should the government or semi-government be responsible for securing the privacy of individuals? Should email be technically free in a real sense? I know this train of thought has several other inter-related points as well but ... we can't just ignore Gmail's reading of our emails - even algorithmically - without paying some attention.
Unless you're an important person, celebrity etc, your email is not worth reading, hence under the context, there aren't people out there reading everyone's email. Proportionally, there wouldn't be enough time in this world for people to read every email of every person. Again, you have to look at it under the context of email having a common denominator property of each and every individual on this planet earth, just as, the post office mail box belongs to each and every household. Assume you can read my email and I can read yours, both of our email content would be intelligible and useless for each of us to waste time on.
Ultimately, the point is not if a machine or human is or can read email....the point is, whether present day civilization should give up this privacy aspect to machines/corporations/government etc. The answer is already obvious, somebody has to manage the technology and that somebody is most likely not you....so by default, you have given up your privacy to someone else, so it can be managed for you.
The bigger and unresolved problem is whether government or corporations should use machines to profile each and every one of us to preempt potential criminals.
One important point not raised in the article is that this is not only a security decision.
Yes, from a security standpoint each single one of us might be better off with using Gmail, instead of using their own mailserver or a service provided by a local company.
But when looking at the society as a whole the worst that could happen is giving a few companies a monopoly on our communication. Especially when we don't need to do this, because we already use a distributed and decentralized network.
For me the second argument is at least as important as the first one. But I fully understand when people don't look at the wider implications of their decisions and just use the easiest route.
Simply put, the civil liberties aspect of using Google (or Facebook - complaint applies to all equally) for the vast majority of your information services is a big concern. The consequence of someone unscrupulous having a single point of access could be profound.
I have read far too much history and current events to believe that we are in a new and trustworthy era of humanity.
One funny thing about "how to switch from Gmail" post is the top suggestion (Fastmail) is funded by Google. Indirectly, yes, but it is owned by Opera, which is nearly entirely funded by Google. It may be slightly better, but Fastmail still has a natural inclination to have you see Google ads. The reality is it is a trade off. Gmail is more secure than nearly any other solution, better than any other solution, and dead simple. And then you get served ads, cause there is no such thing as free lunch. If I had the skills and time, I would run my own server, but in all likelihood it would give me a minuscule amount of more privacy with a lot worse experience and a lot less security.
They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.
--Ben Franklin
Only problem is that the USA has become an even more monstrous empire than the Brits were at the time. Google can be as principled as it wants to be but at the end of the day it is still located in the USA. Btw, Google and Facebook are more than the Nazis/Stasi/KGB could ever have imagined.
"Email is simply not secure. Messages are not secure in transit: the protocol used for sending email (SMTP) does not require encrypted connections, so it could easily be intercepted by a third party as travels over the internet. You also have no guarantees about the security of a recipient’s email client or server. A hacker could have surreptitious access to a recipient’s inbox, or curious IT guy could be reading through email on the server."
Unless you encrypt your mail, or host it yourself, you can't really stop things like this from happening. Nobody can set up a perfect hiring process that screens 100% of creeps like this.
I agree with the title of the article, but the content is ridiculous.
The guy seems to have no concept of realistically balancing risks. Yes, your email is somewhat insecure, but for most people, the risks are things like your boss or family members finding out that you talk badly about them, etc. Email is sufficiently secure for most people when it comes to stuff like this, and that really has nothing to do with other risks, such as those caused by Google "reading your email".
He also talks about the risk of google discontinuing gmail, which is pretty far fetched.
Here is the sort of real bad thing that can happen from google's practice, though: you talk about something "secret" in email, and then later, it shows you an incriminating advertisement while someone is looking over your shoulder. For instance, you might email someone asking for advice on a surprise trip to Paris for your wife, and then later (after carefully stashing those emails in folders), your wife sees on your screen all these ads for Paris hotels and airfare, and knows what you are up to.
The argument that there's nothing to worry about because other aspects of email communication are insecure is like saying that I shouldn't lock the door to my house since a house is fundamentally insecure, having windows that are easy to break.
My point is that, just because certain aspects of email communication are insecure doesn't mean we need to accept even more insecurity from our email provider.
The author also forgets to mention that the authorities have relatively easy access to people's email communications. Read http://projects.washingtonpost.com/top-secret-america/ to understand how troubling the American government's peeking into personal stuff is.
People like being paranoid when there's little reason. Even the end of this article was slightly paranoid. I don't think Gmail is shutting down anytime soon; it will probably last longer than any random domain a person buys.
The point is that you're locked into a single provider and it's hard to switch. Using your own domain isn't much harder, looks more professional, and allows you to switch provider at any point in time.
I love the shit out of Gmail, but I switched to Apps with my own domain for this reason. I've had my email address for much longer than Gmail's been around.
I'd be a lot more impressed with that if they actually disclosed the identity of the requestors and the content they wanted searched/suppressed, at least as much as would be legally possible.
I'm not saying the following does happen. It is rather an example of the kind of thing that could happen when an email provider uses the content of your email to show you targeted ads:
1. You are engaged in an email exchange concerning a sensitive topic.
2. Your email provider targets you with an ad based on information associated with that sensitive topic.
3. You click that ad.
4. The advertiser records your IP address. They know what ad campaign the ad you clicked was part of, and what demographic they targeted it to. So, now they know your IP address is associated with that demographic.
5. The advertiser sells their IP demographic data.
6. Others sell IP demographic data that ties your identity to the IP address.
Now someone who buys the right databases can end up knowing that there is a good chance you (by name/address or email address) are likely in a demographic associated with that sensitive topic.
The bottom line is that the data miners are very very clever. They can extract amazing data out of seemingly innocuous data leaks. Clicking a targeted ad is one such data leak.
Google gives details of email accounts at the request of the US Government, without much of a fight. Ask Jacob Appelbaum who had his entire email account seized. Paranoia: justified. If that can happen to him, it can happen to all of us.
Even if they get your email encrypted they still have a map of all of your contacts.
You could run your own mail server, use PGP, disk encryption and suitably back it up using something like rsync or git. The above probably takes about the same time that the author took to write this article.
If you are concerned about contacts being traced there is Mixminion, an anonymous remailer.
You run that risk with any email account stored in a country where the government has established that they can demand access for law enforcement or national security reasons. That's... basically all of them.
That's great that you and that other guy can exchange encrypted email, but every other one of your contacts that have no clue what you're talking about can have their accounts accessed. See, again, Jacob Appelbaum, Birgitta Jonsdottir, and Rop Gonggrijp.
I stopped using Gmail recently, but the primary reason wasn't that Google's algorithm reads my email.
I just finally realized that storing all my emails on some company's server is potentially dangerous to my privacy. I just don't know who can potentially access my data, now or in the future.
I switched to another solution, which is to periodically download my emails through POP3S to my local TrueCrypt-ed drive. It is slightly more work, but not that much work. I just feel better not to have my private data with Google.
This is so bad yet so typical of Microsoft (remember the funeral for the iPhone?) where they come out with some stunt because they aren't winning in the product category.
What bothers me most is that MS is trying to take this principled position on the side of the consumer when I know they would be doing the EXACT SAME THING if their ad platform and marketplace weren't so far behind AdWords.
To my old colleagues at MS, please help stop these embarrassments from happening.
It doesn't really help the point the author is trying to make that this post is flawed, biased and laced with logical fallacies and FUD.
Let me point out a few things:
- Google says it analyzes Gmail contents algorithmically, but do we really know what they actually do?
- email being made out of secure or insecure protocols is irrelevant to Gmail respecting privacy
- it is not about email security, it's about privacy.
- secure email is not a myth, see gpg
- one individual who could gain access to a mailbox is not the same order of magnitude as a transnational corporation systematically going through inboxes of millions of people.
- "Google becomes evil and steals all your email to do X" is not on your list of plausible threats because it's worded wrong, try "Google goes through all your email and adds it to the info they have on you to build a very detailed profile of you and your life" which goes on the confirmed list along with "people have been locked out of the Gmail accounts without a valid reason"
- Google is obviously about selling ads [1] and has to maintain trust from their users for this to work, it does not mean they have to respect people's privacy, actually it even means the opposite, they have to breach on people's privacy and make it look so it won't hurt their users' trust.
- Gmail has default https, sure, but only after a high profile case of hacked Gmail accounts made it to the media. [2]
Lastly, about the advice to never use @gmail.com addresses, I wonder if using our own domain would protect us from Google having the ability to lock us out of our inbox.
I suggest that Google places cameras in my house because it is possible to get in my house anyway,
But I suggest to build your own house in Google country and not rent it from Google in case they turn evil.
Hotmail isn't ad-free, but I suppose they might not be targeted ads. I genuinely have no idea if that's the case. Hotmail definitely isn't Microsoft's bread and butter though.
A machine parsing text is not the equivalent of a human "reading" it; all webmail services parse emails either to check for spelling errors or combat spam. Gmail uses AdSense as well, which is a much less annoying ad system than most.
The "reading" analogy is FUD employed by competitors to scare the uninformed, HN community should know better.
No, sir, the "reading" analogy is not FUD at all. Reading e-mail or whatever other text algorithmically has only one aim - to extract VALUABLE information. It's the nature of the information extracted that defines its value. And the more context this information defines, the more valuable it is. Spam filters also "read" emails but they don't care if it is you or me that the e-mail is directed to - the information they gather is not valuable. SMTP servers "read" mail headers in order to route the message and pass blindly its content - still no valuable information. But Google is building a highly specific profile of you. It doesn't matter if they do that algorithmically or there is a real person involved reading your mail. Google gains highly contextual information (and the context is YOU) with every message you receive or send. Their algorithms know more about you than you do yourself.
I don't mind if AdSense shows me ads for computers when I browse a computer related site. I mind when AdSense shows me ads for computers on every site I visit just because it has learned that it's me - the computer-loving guy that happens to have a Gmail account... That's intrusive and Microsoft nabbed it right in their video. Btw, I don't like Microsoft either.
"Their algorithms know more about you than you do yourself." There is your FUD.
Also sender and recipient "identity" have a central role in identifying spam. Microsoft is building a profile about you as well and owns an ad network, which makes their propaganda video hypocritical as well as deceitful.
Identifying spam does not require building a profile of your browsing and communication habits, nor does it require information of what videos you watch on YouTube. If I put a task on my schedule to buy va from the nearby pharmacy, would that mean that I'd like to receive spam about it?
Habits are what we are. Habits make us predictable. There are habits that you don't know you have or just refuse to accept that you have them. That's why Google's algorithms know more about you than you do.
Privacy is created by social norms. It's no technical challenge for me to borrow your paper mail from your mailbox, steam it open, read it, copy the bits I find interesting, seal it up again, and replace it in your mailbox. But, in doing so, it's understood that I'm doing an awful thing. It's so awful that it's against the law:
http://www.wbrz.com/news/postal-workers-accused-of-tampering...
... and, all else being equal, juries will not be inclined to sympathize with me.
Similarly, it's somewhere between very rude and illegal, depending on circumstances, to intercept or interfere with someone's email. If you happen to glance at someone's email you're expected to keep politely silent about it, as you would be if you happened to glimpse your neighbor through a window of their house. You're certainly expected, under pain of felony charges, not to tamper with or forge someone's email, just as you're expected to avoid entering your neighbor's house without knocking even if the front door is standing open.
Google, on the other hand, seems to be constantly trying to establish the precedent that it's perfectly normal and polite for any aspect of your life - currently including, but presumably not forever limited to: the state of your front yard, the contents of your photo album, the list of movies you've watched on YouTube, and the contents of your mailbox - to be sampled, data-mined, correlated, and archived forever by entities completely outside your knowledge or control so long as those entities are using secret algorithms to do it.
If you'd tolerate this behavior in a friend, you may by all means continue to have Google as a friend. I, however, am getting increasingly uncomfortable with Google sitting in my living room, and am increasingly tempted to escort them politely but firmly to the door and then deliberately misplace their address.