Recently we have received numerous communications challenging the warning in our Privacy & Identity Overview (among other places) that Google scans and indexes private email sent from or to any GMail email address.
The claim is not an idle paranoia, but merely a reporting of Google’s own public statements.
"Like most email services, Gmail uses software to scan emails for viruses and to filter out spam. Google uses this same kind of software to scan for keywords in users’ emails which we can then use to match ads. When a user opens an
email message, computers scan the text and then instantaneously display relevant information that is matched to the text of the message. Once the message is closed, ads are no longer displayed. The whole process is automated and involves no humans."
http://www.google.com/privacy_faq.html
And that if you use the Google Toolbar, Web Accelerator or other browser services such as Gears, Google will record every single web site you visit and everything you view on all web sites.
"Some of our services, including Google Toolbar and Google Web Accelerator, send the uniform resource locators (“URLs”) of web pages that you request to Google. When you use these services, Google will receive and store the URL sent by the web sites you visit, including any personal information inserted into those URLs by the web site operator. Some Google services (such as Google Toolbar) enable you to opt-in or opt-out of sending URLs to Google, while for others (such as Google Web Accelerator) the sending of URLs to Google is intrinsic to the service. When you sign up for any such service, you will be informed clearly that the service sends URLs to Google, and whether and how you can opt-in or opt-out.
For example, when you submit information to a web page (such as a user login ID or registration information), the operator of that web site may “embed” that information – including personal information – into its URL (typically, after a question mark (“?”) in the URL). When the URL is transmitted to Google, our servers automatically store the URL, including any personal information that has been embedded after the question mark. Google does not exercise any control over these web sites or whether they embed personal information into URLs."
So you see here that not only do they record your private email for their private purposes, but they also record sometimes highly personal information contained in URLs that you visit. The statement that Google does not exercise any control over those web sites is a complete red herring. Google does exercise control over how it handles the capture and storage of URLs or the contents of email messages. An easy example is that Google could set its robots to not gather any information beyond the base url.
Understand that all urls does NOT mean simply the main address of a web site. So if you go to somemedicalsite.com and then select information on herpes, Google will record first the main page url you entered to get to the sites homepage, say http://somemedicalsite.com
and then, when you click on the Herpes Inf link Google will record that as well, perhaps
http://somemedicalsite.com/stds/herpes.html
If you then have to enter log in information to access your own medical file on the site, the url might look like this:
http://somemedicalsite.com/stds/herpes.html?id=john_doe&city=Denver&medication=YippeeBrandAntiVir
Google could chose to only collect the information before the ?
That would leave a huge amount of information on the web unindexed, so it is not really a viable solution. Still they cannot be allowed to flatly state they have no control.
When it comes to the email issue, we stand by our restatement of Google’s own FAQ and this indexing of private communications is something they could stop with great ease.
