Privacy Groups' "Chicken Little" warnings

Dear Friend,

The e-mail above was recommended by EPIC, the Electronic Privacy Information Center, in response to Google’s launch of GMail. They urged pewople to rise up and send that e-mail to GMail subscribers.

They also urged politicians to pass laws restricting or eliminating Google’s scanning of mail for ads.

That was in 2004.

The parade of horribles that EPIC imagined does not seem to have been much of a deterrent to GMail, and now, eight years later, their inveighing against the service seems kind of silly to me.

I contend that EPIC – and the other privacy groups that urged GMail be ratcheted down or banned – missed the boat.

Hat tip to Prof. Volokh’s blog for the reminder.

There were really other services offering 1+ GB of space back in 2004? I remember being super excited about the storage potential of gmail back when I got into the beta.

I try and use friends’ alternate addresses and (try to) avoid Google products. Not a grand crusade or anything; I just value generic definitions and conceptions of privacy. Similar to the silent vegetarians out there, I don’t make a big deal of it. Perhaps I’m not quite a chicken little.
I’m more active (er, minimally so; letter writing) in resisting encroachments on the Fourth Amendment. Unlike First Amendment issues, private conduct does affect the extent of the Fourth–reasonable expectations and the like. More closely related to the thread, I hold a severe definition of ‘unreasonable’, not because I’ve got anything nefarious going on in my back yard (I swear I have licenses for all those corpses), but because I value privacy simply for the sake of privacy.

Further, there are constant pushes for real identities. Facebook (I believe) requires an actual name. Aren’t Google + and YouTube trying to move in that direction? Wasn’t Disney and a few other companies just chastised for keeping children’s data? Just because the sky hasn’t crashed down on us yet does not mean it’s not in the process of cracking.

Whether government, marketing firm, or insurance company, I prefer as little information about me out there and saved as possible–irrespective of pragmatic possibilities.

Yea, I’m pretty sceptical of privacy worries for stuff like this (and Facebook, and other Google services). Frankly, the stuff in my email or Facebook isn’t really interesting or valuable enough that I think Mark Zuckerberg is going to be prowling through the email my Mom sent me about the health problems her cat has developed. Taken as aggregate with a billion other peoples data, it might be valuable. But as long as the anonymize it (and I don’t really see any reason they wouldn’t, aggregate data is by definition valuable because its take in aggregate), I don’t mind them selling it to marketers or whatever either. After all, its a free service, and presumably they need to make a buck somehow. I’d rather them sell data to marketers then have to pay them money.

That said, I don’t think its really accurate to say these were all “chicken little” concerns. I usually think of a “Chicken Little” concern as something someones worried about that never materializes. Some of the concerns were actually happening when EPIC was writing the FAQ you link to(that Google would data-mine emails from non-subscribers) , and IIRC, Google does now correlate data across its different services as EPIC warned they might, so some of the things they said might happen did.

As I said, this doesn’t really bother me. I think people that don’t like having their data aggregated across services are being silly. There’s no harm in it, and it helps keep these services free.

But they obviously do bother a lot people. So people that were worried that it would happen were right. EPIC wasn’t being a “chicken little”, the sky did really fall.

Anonymized data actually isn’t. It’s much easier to determine someone’s identity and other information from anonymized data than it is to successfully anonymize the data. There have been a number of research papers and technical articles to support this. Here are two examples.


I’m not saying this because I’m one of the chicken littles. I don’t feel strongly either way about Gmail or Google, but I am for people making informed decisions.

Maybe, but why? Aggregate data is valuable because its aggregate data. Knowing that a million people are complaining about their cats throwing up might be valuable to a pet-supply company. Knowing that at some point my mother sent me an email complaining about her cat throwing up is worthless.

Knowing that a threshold percentage of your emails use speeding-related keywords would lead to your paying higher insurance rates. Similarly, a set of health-related keywords could be used to increase your health insurance rates. Mention a SDMBloombox and how well it produces? It’s public information to which you have no expectation of privacy. There are already inroads there, but this just expands them.

Those are examples of parade-of-horribles outcomes that have not happened.

Correct; I was responding to “but why?”, and the contention that data is only valuable in the aggregate–I was suggesting reasons/harms that *could *come to pass (also note that I didn’t say the sky had fallen, but that there are still cracks).
Regardless, is there anything stopping an insurer from doing such data mining?

I’m particularly uneasy with the eroding of reasonable expectations of privacy. If I’m sending you a package or letter via a third party, I’m already entrusting it to other parties for which I don’t have standing to mount a Fourth Amendment challenge. But the government’s reach is not limitless. On the other hand, if I’m sending you information in which I am on notice that the third party routinely reviews it and uses it to its advantage, that makes it much easier for the government to reach.

Basically, there are a lot of cleaver people out there in need of a job. It’s my subjective believe that some of those people will think of ways to use personal information to my disadvantage. Note that it’s not necessarily my personal information. But just as I’m not likely to run afoul of an illegal Fourth Amendment search, I still benefit when some defence attorney successfully challenges an incursion.

Here is a discussion of individual profiling and the way it is used for profit: http://epic.org/privacy/profiling/

I did, at one point, acquire the ‘mailing list’ for all people in my local area above a set level of income. It provided their names, phone numbers, addresses and two other elements that I was curious about. I was purchasing a set of mailing lists and had one left over, so I decided to be snoopy about my neighbors. I took that list and managed to acquire about 60% of their social security numbers through a state database that has since been locked down. Now, would I ever do anything with the info? Unfortunately, I didn’t get what ever gene there is that allows you to commit fraud.

Another legal question. Say I’m suing my neighbour. Could I subpoena a third party that has a record/index of *all *my email communications and demand information on a particular account with a set of keywords?

It’s not chicken little, because all those things are true. The only mistake they made was presuming people would care.

It’s also probable that the privacy concerns that many groups highlighted prompted Google to be more careful with how they use the information, or at least, how publicly they use it.

I’m not a civil lawyer, so take this with a large grain of salt: no.

Analysis on request, but I am actually hoping someone who has some better experience will come in with a more confident answer.

My area is mostly a civil law area, but I’m no expert in discovery or evidence, so I can’t offer any more confidence.

But my WAG answer to this question would be “why not?”

(Federal) Stored Communications Act. It’s a high bar to overcome in civil litigation. I’m not sure I understand the original question, though; does he mean he wants to subpoena his own account?

I was given the impression that courts/judges are rather permissive when granting subpoenas. If the request wasn’t unduly burdensome, had some tangible nexus to the case, and there were no overriding concerns, they would default to granting.

There are many, many exceptions, of course. One couldn’t go to a company and demand their internally performed market analysis or proprietary data mining results. But raw data, data that fits certain parameters, is retrieved without an undue burden, and was created by others (i.e. the entity is merely the repository)?
Any good meatspace analogue? Storage lockers generally entail a particularized relationship and control resting with the individual. Anything else where you willingly share information/content with a third party?

ETA:

I’m suing you and Bricker for conspiracy to commit mopery outside the Pit. I’ve served both of you with subpoenas, but you verifiably have deleted all e-mail older than one year (the offence was committed two years ago). There were no shenanigans there, so I’m mostly out of luck.

Then I remember that you used Giggle, an email provider that reads and stores your emails in order to better market products. I issue them a subpoena saying that I want all emails they have in your account that contain “rhythmdvl” “bricker” and “mopery” in them.

(note: I took civ pro and a bunch of other courses, but write policy books; I don’t practice in the civil arena at all. Ignorance is rampant)

This:

Plus the request is burdensome and seeks to replicate information the man should already have stored himself.

From Warshak v. US, 490 F. 3d 455, 471 (Sixth Cir. 2007)

But again, I’m just spitballin’ here, since obviously this rationale applies to a government search.

Ahhh! This is clearer; your first hypo had you subpoenaing your own e-mails.