Forum Moderators: phranque
Email, while it's great for sending regular communications back and forth, is not, nor ever has been, intended to be a secure line of private communications. Anyone that believes otherwise is severly misinformed. Your ISP, or mail provider, or the recipient's ISP, or their mail provider, or the company they work for, or the company you work for, and anyone that has access to those machines in between can rather easily read your email. The messages on the server, as they're waiting to be picked up, are generally stored in plain-text format. I don't even need your login and password.. I just need to get shell access to the account, then I can read your email with a text editor.
It's common sense to *not* send sensitive data (like credit card information) over an unsecure webpage. It's common sense, or at least it use to be, to also not send sensitive data through email. "Sensitive data" is anything that you don't want other people to know.
If you don't backup the data on your hard drive, then you don't care if you lose it enough to put the effort into backing it up. That comparison works the same for email. If you care about the privacy of data, don't email it. That's how it's always been on the internet. And I find it so difficult to believe that so many people think that their email is supposed to be private, in spite of the unarguably unsecure nature of email. I can only imagine that those concerned with the "security of their email" (oxymoron) have to be those new to the internet, as those of us that have been online for years already know that there is no security or privacy in email.
You can customize your own mail server, you can setup SSL connections, and you can store your mail on the server in an encrypted format. Unfortunately, 1) Most people don't have the technical ability to do this, and 2) It wouldn't matter anyway because it'd only be secure until it left your network, you have no control over it once it's on someone else's network. I'm sure this sounds redundant by now, but email is inherently unsecure.. it is not an accepted medium for sensitive data. If you have something to send that the whole world can not know about, don't email it.
This is not about Google's web-based mail service, or that they may store mail even after you use it, and it has nothing to do with them crawling your mail for advertising purposes. I can find online multiple emails that I have sent several years ago, never intended for public viewing, but doing a search for a string of text within the email.. someone has posted it to a site, or the recipient was on a mailing list and it's not archived and accessible via the web. You never know what is going to happen to an email that you send. Google now simply has the potential to view your email, or make it publicly accessible to others. And it's not even that.. it's simply that this ability is now publicly known. Because, guess what.. this has *always* been true.
Your mail has always been accessible by third-parties, more accessible than most people are aware of. Because people weren't aware of this, they believe that the "email privacy" that they thought they had is now going away. Obviously there are steps that individuals and companies can take to protect their storage of email, but intercepting email (or pop3 or http settings to view email) has always been fairly easy.
Your email is not safe, it is not secure, and it is not private. It never has been, and it was never intended to be. And this has been true since long before Google ever came into existance.
I think it's a cultural thing because of the use of the word 'mail' and it's associations with the historic privacy of communication via the postal service. No matter how much people would like it to be, email is not private - end of story.
Maybe Gmail should link back to this on their FAQ. Good one, NickCoons.
Your email is not safe, it is not secure, and it is not private. It never has been, and it was never intended to be.
regardless what the original intention was 35 or so years ago - people expect email to be private. If you work as a sysadmin at an established company/ISP you are usually required to sign an agreement to not spy on other people's email. If you do spy a lot of people get upset and you might get fired.
Just because 0.001% (whatever...) of all sysadmins do not respect privacy does not justify google (and the many companies that will follow) to massively invade people's privacy and exploit private communications for commercial gain.
Certainly, emails have never been private. RFC 1855 [stanton.dtcc.edu] advises against putting anything in an email that you wouldn't put on postcard. No one should be surprised if a third party reads their emails, just as they shouldn't get angry if a third party read a postcard they sent by snail mail. But I, for one, would get angry if some company announced that they were going to systematically read postcards in order to create targetted advertising. That's the real cause for objection.
Never let mundane facts stand in the way of a good conspiracy theory... ;)
Just because you THINK there are assassins behind every tree doesn't mean there AREN'T! (probably badly misquoting Misty Lackey....)
Anyway, I've just always assumed that unencrypted email will be read by anyone who wants to read it. I never send anything email that needs to be strictly private. I ALSO never talk truly private concerns on a cell phone.... and even a cordless phone in a city is problematic (not where I live however: 40 families, and most do NOT have either computers or cell phones.... back of beyond, it is!)
Edit for a later thought: actually, anyone who objects to Google's intended use of their version of email simply can decline it, right?
But I, for one, would get angry if some company announced that they were going to systematically read postcards in order to create targetted advertising.
If someone offered a 'postcard' service where 'they were going to systematically read postcards in order to create targetted advertising' you may not want to use it and you may not want to receive them - it's your choice. But why deny the freedom of choice to others?
<regardless what the original intention was 35 or so years ago - people expect email to be private.>
Most people on the internet are extremely naive regarding it's use and etiquette, and therefore have set expectations that are far skewed from reality. A lot of people expect that you can post a brand new ecommerce site and you will be a millionaire overnight. Though those of us who know better should educate those that don't, versus catering those wild expecations, for instance, by being outraged when "email privacy" has been jeopardized.
<If you work as a sysadmin at an established company/ISP you are usually required to sign an agreement to not spy on other people's email. If you do spy a lot of people get upset and you might get fired.>
That's true, but...
<Just because 0.001% (whatever...) of all sysadmins do not respect privacy does not justify google (and the many companies that will follow) to massively invade people's privacy and exploit private communications for commercial gain.>
...there's the problem right there, the term "private communications." Again, email is not private communications. An HTTPS connection to an ecommerce site when entering in credit card information is private, and my SSH connection to my server for maintenance is private. I can ensure that privacy, that's what makes it private.
But there's a bit of miscommunication there. One can easily, but is not recommended to do so, relay private information over a non-private medium. I can have a "private" conversation with a friend in a crowded bar, but I'd better only do so if I don't mind the people standing next to me eaves-dropping. It is my fault if I am naive enough to believe that they can't hear what I'm saying.
So there are private communications, and there are private mediums. And yes, people often send private communications via email, and they intend it to be private. If it is critical that this information is not read by someone else, then they should choose a private medium.
TheDoctor,
<But I, for one, would get angry if some company announced that they were going to systematically read postcards in order to create targetted advertising. That's the real cause for objection.>
I feel more comfortable with your scenario than other forms of people reading my communications. Let me put it another way.
If someone observes my email (as in, they have singled me out), then they have an interest in what I'm actually saying. They are looking for specific information about me, and they're likely going to record or otherwise remember it.
If a company announces that it is going to mass-read emails for the purpose of tagging it with targetted ads, then they are going to read my message, likely forget it, and move on to the next with placing no interest in what they read in my communications. This makes me much more comfortable than someone eaves-dropping otherwise.
Plus, and correct me if I'm wrong, Google has not stated that they are going to have people reading messages (except to verify the functionality of their algorithm).. obviously they couldn't hire enough people to read all the emails of all the people that will ultimately be subscribing to their service. In fact, I'd be willing to bet that even if they did have someone spending a great deal of time personally reading emails that it would still be less than the number of emails read by the previously mentioned rogue sysadmins.
I personally won't be using Gmail mainly because 1000MB is not enough space. I run my own IMAP server at home, and I've configured a web interface to access my mail when I'm not at one of my preconfigured IMAP client machines :-).
If you work as a sysadmin at an established company/ISP you are usually required to sign an agreement to not spy on other people's email. If you do spy a lot of people get upset and you might get fired.
What absolute rubbish,
Most companies have sysadmins that are PAID to monitor inbound and outbound mail some of whome share this information with their colleagues (although this should be included in a non disclosure agreement). In fact many companies purchase pieces of software that display these Emails in clear text on their sysadmin's screens. I am speaking from first hand experience, I was providing evidence that lead to the demise of many an employee, including directors at board level.
...there's the problem right there, the term "private communications." Again, email is not private communications. An HTTPS connection to an ecommerce site when entering in credit card information is private, and my SSH connection to my server for maintenance is private. I can ensure that privacy, that's what makes it private.
Exactly NickCoons....
Privacy is not the reason I will be refusing to join. Nor is it the reason I will ban incoming gmails.
I make good money from Adsense - if they want to put ads in my e-mails they should pay me, not bribe me with disk space and webmail.
Disk space and Webmail I can do myself.
They just screwed up the PR on this one.
Might be OK for some, but it offers nothing to me.
that just about sums it up the best ...
No way will I sign up for it ...
and no way do I want my mails used for generating it because someone at some time sends them or a piece of them to a gmail user account...
Spam is probably the most destructive thing on the net after childporn and hate sites ...
and google is setting up to become the biggest smam house of them all ....
the maths should be interesting ...
How many accounts anticipated?
How many mails per day?
how many bytes extra on the networks ( not just the google servers but the backbones the dialups etc )..
And if some one sends me mail from agmail account I 'm supposed to pay to receive it in my internet access bill ....
Spam is spam ...
Although not in the USA ..I did think you had just passed a law against the unsolicited sending of it...
I get around 2000 pieces per day from various companies all touting North American products ..sent in English to what they know are blocks of 1000's of addresses in non English speaking countries ...
75% of all commercial site space is probably hard core porn and 80% of all traffic on the net is Spam and Google propose to increase it....
Gmail is just a form of opt-in spam.
More or less my point. But it may not be obvious at first sight to most people.
Hopefully, the hoohah about Gmail may alert people to what they might be signing up for, and will enable them to make an informed decision (rather than it suppressing "free choice").
Of course, once people realise the implications of signing up to Gmail - and that isn't just the usual type of insecure email - and they decide to sign up anyway, that's their decision. But I don't think it shoud be the role of IT professionals and other in the know to attempt to cover up the implications.
<Gmail is just a form of opt-in spam.>
If you widen the definition of "spam" to mean something that it's not ("spam" is unsolicited commercial email), then you're right. However, using the actual definition of the word, Google is not spamming because they are not sending you solicitations (unless I'm wrong on that and they are planning on sending solicitations).
There's very little difference here. If you use Yahoo's free mail, you see ads. If you use Hotmail's free mail, you see ads. And if you use Google's free mail, you also see ads. The difference here is that the advantages actually lie with Google. 1) The ads are text, not banner or flash, and 2) They are targeted toward your message.. so "grandma" isn't seeing ads on how to stock her network operations center with high-end IBM servers. And this is done automatically, not by someone manually going through your email and saying "this one is about baking," and "this one is about football" and tagging them.. no, that happens by a computer.
Leosghost,
<and no way do I want my mails used for generating it because someone at some time sends them or a piece of them to a gmail user account...>
You have no control over what happens to your emails once you've sent them.. you never have, and you're not likely to in the future. Why are you convinced that even if you don't have a Gmail account, and even if you don't send to people with Gmail accounts, and even if you don't receive email from people with Gmail accounts, that you could possibly prevent this? You could email me, and I could forward it to a friend with a Gmail account.
<Disk space and Webmail I can do myself.>
Me too, and I have.. that's why I won't use Gmail. But most users don't have the technical ability to do that, and Gmail would work great for them.
<and google is setting up to become the biggest spam house of them all ....>
Please explain this one.. I don't see Google spamming anyone.
TheDoctor,
<once people realise the implications of signing up to Gmail - and that isn't just the usual type of insecure email>
What other implications? Unsecure email already has every implication of unsecure email. In the past, it's unsecure, and anything can happen to it. With Gmail, it's unsecure, and anything can happen to it. What other implications are there?
A good time to post that message of yours and worth posting also if only to make people think a bit more about these issues and how they are affected by them.
However I think you may also confuse a few issues here in the minds of readers.
Yes many users (in fact probably most) do not realise the very easy access various specific types of people have to their straight email in transit to its destination and in the organisations they use with or without their knowledge to send it.
Indeed within companies most users and senior directors are usually unaware of the weaknesses in the security of their own computer systems and thus the threats to loss of confidentiality of the vital data that they store there.
Nevertheless significant legislation covers access to other peoples property and communications, including email. [Note 1]
So take for example a sysadmin at an ISP
Were such a person without suitable legal authority to collect together a list of all the specific identified correspondents communicating with a particular company and perhaps some recent communications traffic in all its detail and sell this to an interested commercial third party perhaps a competitor of the company in question for their own profit. They would as far as I can tell without a doubt be committing a criminal act and assuming they are caught would likely serve a jail sentence for this. [please correct me if you think I am wrong and in this aspect it would not matter what the terms of service of the ISP were as national legislation would likely rule it unlawful if it permitted such practice]
So,
Q1: Is normal email "private" in that no other human will ever read it?
A1: no normal email is certainly you are quite right not private at all in that sense.
Q2: is normal email "private" in the sense that it is not legally easily available to people or organisations whose interests commercial or otherwise are the complete opposite to yours?
A2: Yes there is certainly privacy expected in thi regard and legislation in the UK, Europe and USA to support this.
Q3: with respect to encrypted communications whether GSM telephone PGP email or SSL or other, is this then "private" in that no other human will ever access it?
A3: no, there is no encryption method which the respective US or UK governments will allow its populations and organisations to use which they would not be able one way or another to gain access to.
Q4: with respect to encrypted communications mentioned above, can this type of data or communication be considered "private" in the sense that it is not legally easily available to people or organisations whose interests commercial or other are the complete opposite to yours?
A4: yes and this is supported also by legislation.
The fact that the IT industry has so far failed so badly to delivery products with suitable levels of security implicit in their very design, or educate their users to the failings of existing products and systems being sold to them, and the implications of this is certainly nothing to be proud of :-)
[1] just mentioned a bit of it in a post 87 here
[webmasterworld.com...]
All email is insecure. We should always point that out. Just the other day, someone emailed me concerning a message board I run, including her password in the email. There's not much damage that can be done with the possession of the password, but I felt obliged to remind her that sending passwords by email wasn't a good thing (as well as sorting out her problem).
We're agreed on that. Someone could have read the password - or could in future by getting hold of a copy of the email from her ISP, mine, or from somewhere in between.
But Gmail goes one step further. It promises industrial scale processing of people's emails for someone else's commercial objectives. It means that the contents of emails are going to be machine analysed for keywords and the results used to produced "targetted advertising".
This is not the same as the old situation. The lack of privacy inherent in emails is going through an industrial revolution.
Now, maybe a lot of people don't mind that. Maybe most people don't mind that. A lot of people like receiving advertising. A lot of people sign up for catalogues so that they get some mail every morning.
This is their right. But they also have a right to make a conscious decision about this, not to have it slipped through in the small print. This is why I think the fuss has been worthwhile.
But the problem goes further than that. What I'm also worried about is that other email providers will follow suit, on the lines of "we've changed your terms of service". In other words, the decision as to whether emails can be processed for advertising purposes then becomes the provider's, not the user's. This is why I think we ahould not treat Gmail as normally insecure email, or it could become the norm. The best protection against this would be, not the law, but, rather, public perceptions.
<So take for example a sysadmin at an ISP
Were such a person without suitable legal authority to collect together a list of all the specific identified correspondents communicating with a particular company and perhaps some recent communications traffic in all its detail and sell this to an interested commercial third party perhaps a competitor of the company in question for their own profit. They would as far as I can tell without a doubt be committing a criminal act and assuming they are caught would likely serve a jail sentence for this. [please correct me if you think I am wrong and in this aspect it would not matter what the terms of service of the ISP were as national legislation would likely rule it unlawful if it permitted such practice]>
That may be true.. I'm not a legal professional so I'm not really qualified to argue in that respect -- I'm a technical person. I believe that if people want to keep their information private, they should be educated in how to do that, not rely on their government (made up of even more people that don't know how it works) to try and protect their privacy.
But I also believe that legislation should not be passed that cannot be enforced. I have no problem if the "majority rules" wants to make email legally private (and, according to you, they have done so already), but that's the last step to the process. The first step to the process is creating an email infrustructure that actually is private and can be secured.
AFAIK, spam is illegal in many places as well.. though the amount of spam in my Inbox continues to increase, so passing useless legislation is.. well.. useless.
<Q1: Is normal email "private" in that no other human will ever read it?
A1: no normal email is certainly you are quite right not private at all in that sense.>
I agree with you.. the medium is not private.
<Q2: is normal email "private" in the sense that it is not legally easily available to people or organisations whose interests commercial or otherwise are the complete opposite to yours?
A2: Yes there is certainly privacy expected in thi regard and legislation in the UK, Europe and USA to support this.>
If I was an organization concerned with my competitors' ads showing on messages that I sent, then I would think that it would be my responsibility to make sure I can communicate with my customers in such a way that those ads don't show. In my view, this is not an area for government regulation. Besides, it's likely that competitors' ads do show in current free email services, though less likely since they are not specifically targetted to the body of the email.
<The fact that the IT industry has so far failed so badly to delivery products with suitable levels of security implicit in their very design, or educate their users to the failings of existing products and systems being sold to them, and the implications of this is certainly nothing to be proud of :-)>
Right, but it is something to let people know exists. Right now, there are very few ways to easily send encrypted information to a recipient. The best way to do it would be to encrypt the information and send it without going through an MTA, so the sender and receiver could use a real-time key exchange for encryption. The problem is that it is difficult to find a recipient of email, at least on the consumer level, that has computers running 24/7 that can accept their own email as it is sent. It will progress to this. But in the meantime, people should pretend that their email used to be private and someone, like Google, is threatening it.
TheDoctor,
<All email is insecure. We should always point that out. Just the other day, someone emailed me concerning a message board I run, including her password in the email. There's not much damage that can be done with the possession of the password>
As long as she used that password exclusively for your message board :-).
<But Gmail goes one step further. It promises industrial scale processing of people's emails for someone else's commercial objectives. It means that the contents of emails are going to be machine analysed for keywords and the results used to produced "targetted advertising".>
Google, and hundreds of other search engines, have done this for awhile now with content they have found on websites, which are, like email, not private. That is, as you've mentioned, they are using someone's content for someone else's commercial objective. The complaint is either that people are worried about the privacy of their email, or they are worried that someone is making money from the content of their email. Neither of those arguments hold any water, since email was not private before Google, and other companies also make money from content that they didn't write.
<This is not the same as the old situation. The lack of privacy inherent in emails is going through an industrial revolution.>
Yes, and I think it's great! It will (hopefully) make millions of people aware of the insecurities of messages that they thought were originally private, and it will spawn a whole new sector of organizations creating ways to send communications securely. This is all speculation, of course, but I see it having positive consequences, not negative ones.
<This is their right. But they also have a right to make a conscious decision about this, not to have it slipped through in the small print. This is why I think the fuss has been worthwhile.>
Okay, I agree here that people should be informed about this. I think Google should be very upfront about what they are doing and that people should understand that a computer that belongs to Google is going to be automatically parsing their emails for the purposes of providing targettged advertising. I do think you have a good point there. However, I don't believe Google is trying to slip this by anyone.. I think they are being very upfront about it.. and with all of the publicity, I think a lot of internet users will know in a short period of time, so there won't be any secrets about it.
<But the problem goes further than that. What I'm also worried about is that other email providers will follow suit, on the lines of "we've changed your terms of service". In other words, the decision as to whether emails can be processed for advertising purposes then becomes the provider's, not the user's. This is why I think we ahould not treat Gmail as normally insecure email, or it could become the norm. The best protection against this would be, not the law, but, rather, public perceptions.>
The decision to process email for advertising is the provider's, and not the user's, you're right.. but it is the user's decision to continue using that email service. There are always pros and cons to using any email service. If it's the POP3 account provided by your ISP, then it's not portable.. switch ISPs, and you lose your email account. If you use a web-based service, you don't have local access to your email.. it's stored elsewhere, and you don't know what could happen. For people that have all of these concerns, then they do what I do.. run their own mail server. If they don't know how, then they hire someone to do it.
