Wiretap Claims Against Gmail Scanning Survive Motion to Dismiss — In re: Google Inc. Gmail Litigation

[Post by Venkat Balasubramani]

In re: Google Inc. Gmail Litigation, 13-MD-02430-LHK (N.D. Cal. Sept. 26, 2013)

This is a consolidated multi-district lawsuit challenging Google’s practice of scanning emails for the purpose of delivering advertising. In a harshly toned order, Judge Koh rejects Google’s motion to dismiss.

Ordinary course of business exception unavailable: The Wiretap Act excludes from the definition of “device” (1) equipment furnished to and being used by a subscriber or user in the “ordinary course of [the provider or subscriber’s] business]” or (2) equipment “being used by a provider . . . in the ordinary course of its business”. The court says that “ordinary” must limit the course of business in some way:

[the] limitation . . . means that the . . . provider . . . must demonstrate that the interception facilitated the communication service or was incidental to the functioning of the . . . service.

The case law is not particularly helpful to Google, and the court says that the statutory scheme and legislative history also counsel in favor of a narrow reading of this exception. A separate exception limited “random monitoring” to mechanical or quality control checks. Similarly, a Senate report regarding ECPA noted that a provider may have to monitor a stream of communications to properly route or manage these communications. The same report also noted that this monitoring was not problematic because it did not involve humans listening in on conversations. Google cited the report for the latter purpose, but the court says that the language reflects an intent to keep the ordinary course of business exception narrow (i.e., limited to providing the service, rather than broader business practices or interests).

The court also says that Google may lose the benefit of this exception since it is alleged to have violated its own internal policies. Plaintiffs allege Google’s privacy policies preclude the collection of information in question. This is a separate basis to deny Google the benefit of the ordinary course of business exception.

No consent under the privacy policy or terms of service: Google’s backup argument was that even if the exception is not available, users consented and this precludes a violation under the statute. The court reviews both the terms of service and the privacy policy, which went through various iterations, and finds:

those policies did not explicitly notify Plaintiffs that Google would intercept users’ emails for the purposes of creating user profiles or providing targeted advertising.

With respect to the terms, they stated that Google has the right to screen “Content” (a defined term) but this is mentioned in the context of screening for objectionable content. Separately, the terms also said that “advertisements may be targeted to the content of information stored on the Services, queries made through the Services or other information.” This is equivocal, according to the court, but also talks about information stored or queries, rather than emails. The privacy policies similarly said that Google may collect various categories of information and use this for advertising, optimizing, or research purposes. Again, while the policy called out “user communications to Google,” it did not call out user communications in email to others.

Google updated the policies in March 2012, but the court says the updated policies are “no clearer” in establishing consent.

Finally, Google tried to argue that non-Gmail users, who had not agreed to Google’s terms of use, nevertheless impliedly consented. The court rejects this argument also:

Google has cited no case that stands for the proposition that users who send emails impliedly consent to interceptions and use of their communications by third parties other than the intended recipient of the email. Nor has Google cited anything that suggests that by doing nothing more than receiving emails from a Gmail user, non-Gmail users have consented to the interception of those communications. Accepting Google theory of implied consent – that by merely sending emails to or receiving emails from a Gmail user, a non-Gmail user has consented to Google’s interception of such emails for any purposes – would eviscerate the rule against interception.

Claims under CA wiretapping and eavesdropping statutes: With respect to these claims, Google argued both that plaintiffs lacked standing that that they failed to allege violations of the statute.

The court easily disposes of the standing argument citing to Edwards v. First American, a case that said alleging a statutory violation was enough for standing. (See also In re Facebook Privacy Litigation.) Google said that plaintiffs had to allege “injury” separate from a statutory violation, but the court says the statutory violation is itself the injury.

On the merits, the court says, noting the absence of definitive authority on this issue, that the wiretapping statute does apply to email. California courts have interpreted the statute in question to provide for broad privacy protection and as such is intended to be construed broadly. Google argued as a backup that it was a “public utility,” and was entitled to a statutory exception on this basis, but the court says public utility is a highly regulated entity that is subject to precise definitions. The court declines Google’s request to dismiss the claims under the California wiretapping statute.

The court does dismiss plaintiffs’ claim under the eavesdropping statute, finding that email conversations are not likely to be confidential. The court analogizes email conversations to instant message conversations, which one case said were not confidential purposes of the eavesdropping statute. (People v. Nakai, discussed here.) The court grants leave to amend, but is skeptical of the plaintiffs’ chances on these claims.

Finally, the court denies Google’s request to dismiss claims under the wiretapping statutes of Florida and Maryland, and grants in part its motion to dismiss claims under Pennsylvania’s wiretapping law.

___

YIKES!!

This is a ruling that does not give Google any breaks at all. Even in losing, it was possible to soften the blow, but Judge Koh takes Google to the woodshed.

I know Eric will lambast this lawsuit as pointless, and it’s tough to disagree with that assessment. After all, it’s highly unlikely that any human being ever sat down and read the contents of one of your emails. That said, it makes sense to curtail the ordinary course of business exception. It’s easy to see how a broader definition of this term as encompassing the provider’s “business interests” could swallow the rule.

Google’s failure to be able to point to clear language in its policy (granted that no one actually reads) that highlights its scanning practices is inexplicable. They should have just said: “we scan your private communications, including chats and emails, for purposes of targeting and building profiles.” End of story. Judge Koh’s conclusion that the policy failed to clearly flag this issue for users employs a consumer privacy-friendly mode of interpretation, but seems reasonable.

The ruling generates many questions, ranging from whether any third parties who use Gmail services face potential liability (likely answer: no) to the extent to which its scanning practices “infect” other parts of Google’s business. Given the scope of the ruling, an appeal is assured. And maybe there are other ways to trim this lawsuit down or avenues of attack. But it’s a serious smackdown ruling for Google. Along with its recent loss for Wi-Fi sniffing in the Ninth Circuit, the referral header litigation, and its settlement with the FTC, it has racked up a string of losses on the privacy front.

______

Eric’s Comments

* The ECPA is broken. Irreparably. No one understands it, which leads to weird and unpredictable court rulings. The only solution is to tear up the existing statute and try again.

* Where is the statute of limitations in all of this? Google’s been doing the challenged activity for almost a decade.

* I don’t understand the meaning of “interception” in the ECPA. To me, algorithmic processing without any human acquisition of the contents categorically cannot be an ECPA interception. [UPDATE: Prof. Bruce Boyden (Marquette) explains this issue in more detail].

* The court’s distinction between Gmail’s ad services and its anti-spam/anti-virus/spelling check services was quite unsatisfying. In a footnote, the court says:

The Court does not find persuasive Google’s slippery slope contention that a narrow interpretation of the ordinary course of business exception will make it impossible for electronic communication service providers to provide basic features, such as email searches or spam control….Some of these may fall within a narrow definition of “ordinary course of business” because they are instrumental to the provision of email service. Further, a service provider can seek consent to provide features beyond those linked to the provision of the service.

The court already indicated that it wasn’t possible to get consent from non-member senders, so the last sentence is disingenuous. And notice the weasel-words about the anti-spam services–it MAY be OK, which of course means it MAY NOT be OK. Is Judge Koh prepared to smack down the entire email service industry?

* Even if Gmail technically violates the ECPA, how have any email senders suffered any real harm from the violation? For more on this, see this article.

* As Venkat says, there is no excuse for Google’s marbled-mouth description of its program in its privacy policy. If you’re going to argue user consent, the language ought to be clear enough that we don’t need tendentious inferences to connect the dots.

* Of course, Google could set up a consent system here even for non-Gmail users. It could, for example, have an auto-bounceback for every incoming email from an address it hasn’t seen before, saying something like “By sending further emails to a Gmail address, you agree to our privacy policy.” Compare the Spam Arrest case. The first incoming email would need to be segregated from Gmail’s ad indexing, at least until the sender consents, Google could also attach automated footers (like Hotmail did in the 1990s) announcing its intent to index any emails sent in reply. But is this the kind of world we want?

* I am SHOCKED that Google tried to argue it was a public utility. Really, Google? What a shortsighted argument. Being a public utility is the path towards increased regulation of its activities across the board, including (among other things) limits of First Amendment rights to exclude folks from its network or search index. Hey plaintiffs’ lawyers, it seems like Google gave you a gift. For more on ways Google’s public utility argument seems destined to backfire, see my 2005 and 2012 articles.

[UPDATE: I haven’t traced through the briefs, but I was told that Google didn’t claim to be a public utility. Instead, it argued that it fell under the ECPA exception for being a telephone/telegraph operator, and Judge Koh recharacterized that argument as saying Google claimed it was a public utility. This mischaracterization would be just one of unusually high number of quirks in Judge Koh’s opinion here, which has prompted a slew of emails to me from other baffled readers.]

* PLEASE PLEASE PLEASE don’t take away my Gmail account. It has materially improved my life, and I hope and pray that I’m not downgraded into some second-rate email account due to this litigation.