There's one crucial difference between GMail and a lot of other schemes: Google says up-front to the subscriber that this is what they're going to do. It's not hidden, they don't even try to divert attention away from it. The subscriber knows exactly what's going to be done. I object to a service doing this behind the user's back and without their informed consent, but at the same time I object to the idea that a user should never be allowed to consent to something like this.

Also, this isn't new. I've been running all my e-mail through procmail for 15 years or more now, doing the same sort of keyword scanning to automatically file messages in folders. I've had SpamAssassin in the mix for the last few years too. What exactly is the difference between Google's software scanning my messages and procmail or SpamAssassin scanning my messages?

In addition, I'd look at those all-party-consent laws a little closer. I don't think any of them has ever been read as prohibiting a person's secretary or the mail room from reading the mail. An entity appointed as my agent isn't a third party for the purposes of the law. I think "agent" pretty much summarizes how my ISP or Google would be acting here. Note that this covers most of the problems: the law already recognizes the limits of an agent's authority and has rules for how to handle an agent acting outside the scope of the agency, and it already addresses how an agent responds to things like subpoenas (both their obligations and their protections).

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/248/26705#26705