Judge Says Google Must Do More To Disclose That It Intercepts, Scans Emails From Non-Gmail Users

Google recently tried to settle a class-action lawsuit with non-Gmail users who sued because their emails to Gmail users were being intercepted and scanned for the purposes of providing targeted advertising to the recipient. However, that settlement has been rejected by the judge in the case, who says it doesn’t go far enough in requiring proper disclosures from Google about this invasive practice.

This particular lawsuit [PDF] was filed in 2015 by a San Francisco man who alleged that Google violated the Electronic Communications Privacy Act by “intercepting, reading, and analyzing the content of private email messages” without permission.

The plaintiff is not a Gmail user and says he has no other Google accounts, so he contends there is no way he could have given Google permission to access the content of the emails he sends to people with Gmail accounts.

After Google’s motion to dismiss the case was largely denied [PDF] by the court in Sept. 2016, a settlement deal was reached.

That proposed settlement [PDF] includes a technical change to the point at which Google can scan a Gmail user’s email. Rather than intercept and analyze these messages in transit, Google says it will wait “until a Gmail user can retrieve the email in his or her mailbox.”

It’s a minor point, but one that the lawyers contend will put the practice in compliance with California and federal laws. Since the message is no longer being “intercepted,” they maintain that no statutes are being violated, as Gmail users have given their consent to this sort of scanning.

Since Google is not discontinuing the practice of scanning and analyzing emails — even from outside email providers — the deal also includes a plan to notify consumers about this practice. It’s this disclosure that the judge found lacking.

“The notice does not clearly disclose that Google intercepts, scans, and analyzes the content of emails sent by non-Gmail users to Gmail users for the purpose of creating user profiles of the Gmail users to create targeted advertising for the Gmail user,” explains Judge Lucy Koh in her rejection [PDF] of the proposed settlement. “It does not disclose that Google will scan the email of non-Gmail users while the emails are in transit for the ‘dual purpose’ of creating user profiles and targeted advertising and for detecting spam and malware.”

Judge Koh also points out that, while the lawyers for both sides might agree that Google’s tweaks to its email-scanning practice now comply with federal and California statutes, the lawyers don’t actually back that assertion up with any argument or legal precedent.

The judge similarly takes issue with the lawyers’ contention that this settlement should be approved because it’s similar to deals reach in other cases involving intrusive email scanning.

“Every case and every settlement are different,” counters Koh, noting that one deal cited as precedent — a previous case involving Yahoo’s screening of users’ emails — included disclosures that were more robust than what Google has proposed.

What’s more, explains Koh, the previous similar settlements cited by the lawyers only came about after going through the discovery process, allowing for a more thorough assessment of possible risk to consumers. Comparatively, no one has been deposed in this Gmail lawsuit and all documents cited in the dispute were turned up in previous litigation.

Judge Koh says it is “particularly questionable” for the plaintiffs to reach a settlement deal using discovery material that is anywhere from three to six years old, especially since Google has only pledged to maintain the agreed-upon technical change for another three years.

It’s now up to the parties in the lawsuit to hash out a new settlement that will meet the court’s standards.

[via Courthouse News]