DRM and the False Privacy of Email

by David Sklar

Much of the Gmail-inspired outrage has focused on what happens to email messages sent by non-Gmail subscribers to Gmail subscribers. "If you want to sign up to have Google's version of SkyNet scan your messages for ads," some objectors say, "that's fine, but don't involuntarily subject me to that scanning just because I send you a message."

That is, Gmail subscribers themselves may willingly opt in to whatever onerous TOS Gmail provides, but third-party correspondents are afforded no such opportunity, nor should they have to.

This faulty objection springs from the seductively misleading "privacy" of email.

When I send you an email message, that message is out of my control the instant I send it. This is a lesson that has been learned by countless Internet users who accidentally include someone they're mocking on a CC: list, mistakenly send personal correspondence to a mailing list, or send something so outrageous that their friends can't keep it to themselves and it ends up in the New York Times.

It is this last circumstance that is most relevant to the Gmail debate. The custodianship of email messages you send lies with the recipient. Shared values of (on- and off-line) etiquette, friendship, and sociability usually govern that custodianship acceptably. When I share sensitive personal thoughts with friends, whether via e-mail, phone, or good old face to face conversation, they don't rebroadcast those thoughts to others. Not because of a legal requirement or a Terms of Service agreement, but because of our friendship. Even handwritten letters (with ink and paper, remember those?) are subject to unauthorized distribution. In a professional context, I choose to whom and how I disclose confidential or sensitive information based on my judgement about the trustworthiness and motivations of the recipient of the information. A non-disclosure or other legal agreement helps, but doesn't prevent disclosure. It just makes punishing the disclosure easier.

The technology that underlies e-mail doesn't remove the need for the same kind of social guidelines for how it is used. If I find the computerized scanning of e-mail text to generate context sensitive ads repellent (which I don't), then I must balance my repulsion with my desire to communicate with whomever@gmail.com. It is certainly impractical for me to familiarize myself with the practices of all handlers of all destinations of all email messages I send, but that is not a new problem.

When you send someone an e-mail message, what do you know about the server that it eventually ends up on? Do you trust the administrators of that server? Where do that server's backups live? Who is the night manager at that off-site storage facility? All of these unknowns certainly affect your privacy as an e-mail author. These mysterious individuals and locations guard your prose. Any one of them could give or sell it to the world.

Encrypting your correspondence doesn't really buy you much more bulletproof protection. Yes, a PGP encrypted e-mail message gives you some protection against snoopers while the message is in transit and probably guarantees that the first person to read the decrypted message is your chosen recipient. But what happens then? Does the recipient save a plain text copy of the message to his computer? Forward on the decrypted contents to others? The same social necessities and system administration unknowns apply.

So, how to prevent nefarious, rude, encryption-inexperienced, or just plain disagreeable correspondents from making (dare I say it) fair use of your email messages that you don't like? One way is to cuddle up to the DRM boogeyman. If the Internet has made everyone a publisher, no personal printing press turns out more content than the email client. Individual publishers of email now have something very much in common with the media behemoths that want to squash song sharing. The same technology that is derided for putting restrictive encumbrances on legally acquired PDFs, DVDs, and MP3s could also prevent perceived villains like the Gmail ad-bot from operating on your lovingly crafted email content.

Such a restrictive solution is as bad a policy for most email messages as it is for most other digital content. Email authors must realize that they give up control when they send an email. This has always been true, but perhaps the Gmail fuss makes it clearer.

Over and over again, I read and hear that the communication implications of the Internet mean distributed publishing power, grassroots efforts, infinite channels, reduction in centralized control, insert starry-eyed phrase of choice. If true, this applies to everyone, not just large corporations. If we are publishers, we all must give up some control of our creations.

What do you expect of people to whom you send e-mail messages?


2004-05-03 15:19:39
False premise of article: reality check
The article is wonderfully rational, but only if you ignore the law and the last couple of decades of communications policy. Nice idea, but sorry, this article fails the reality check test.

2004-05-03 16:15:51
Carrier Equipment
The reality check needed is by those who think their email is 'secure' or even sacred -- am I the only one who remembers the war correspondent whose letter home to a reputable newspaper ended up in the FBI's inbox? Or if you prefer hard first-person facts, concerned that my email was being filtered through alleged "spam filters" where the definition of "spam" was not disclosed, I was assured by the Privacy Commissioner of the Government of Canada that email falls under the general domain of "carrier equipment" -- this places it under the same category as couriers, and they have the right to examine anything carried by their trucks and aircraft.

Thus Canada.com is within their rights to silently block any package they just don't feel like carrying, and under no obligation to say why or even to admit that the message was blocked. Sure enough, the fine print of their EUA does say there is no guarantee on delivery for any reason.

True, most of this snooping is likely benign or even humorous, and in most cases, like the border-guards in Canada deciding what is or is not 'pornography', ISPs simply let their head geeks decide what is or is not 'spam' (often with hilarious results) but sometimes it is more sinister -- I caught one ISP blocking any email offering better deals from their competitors!

Nonetheless, right or wrong, benign or sinister, fact of the matter, they can and do scan every scrap of your email and it's not just hotmail and gmail and yahoo!, but likely every ISP account out there. They scan it, they act upon it, and they are under no legal obligation to either disclose their snooping or to tell you what they are seeking, what they find, or what they intend to do with it.

2004-05-04 06:58:06
False premise of article: reality check
A brief but tantalizing retort. Please elaborate. I'm sure there are legal angles I'm missing.

Note, however, that I'm not really talking about third-party interception or monitoring of communications in transit, even in a "two-party consent" (or "all-party consent") state like California.

Has the message reached its destination (and is therefore no longer in transit) once it lands in the user's inbox on a mail server? Once it is sent from the mail server to a user's web browser and displayed on the user's screen? In either case, the service could be constructed so that the allegedly objectionable behavior (such as scanning for ads) happens after the message reaches its "destination" and (more importantly, perhaps) at the initiation of the recipient. Perhaps the ads are inserted by a Java applet running on the recipient's computer with a local cache of ads, perhaps the Java applet talks to the network to learn what ads to display, etc.

2004-05-04 19:27:07
False premise of article: reality check
You dismiss the entry offhand without further explaining yourself. What's the point of a reply that amounts to an unqualified "you're wrong"?