A federal judge in California has ruled that Google may have committed wiretapping when it used the contents of e-mails to choose ads to display to its own customers. The poorly reasoned decision isn't just unfair to Google, it threatens to impose unpredictable legal liability on other online businesses.
The plaintiffs' argument goes like this: When Google receives an e-mail on your behalf, it doesn't just deliver it to your inbox. It also "intercepts" the e-mail and "reads" it to scan for ads. That, in the plaintiffs' view, violates the wiretapping provisions of the Electronic Communications Privacy Act (ECPA).
The plaintiffs should have lost right there. To provide a useful e-mail service, Google needs to perform a number of complex operations on each e-mail a user receives. Google servers read e-mail headers to decide whom to deliver the e-mails to, scan e-mails for spam and viruses, index them to aid in searching, categorize them for its priority inbox feature, convert them to HTML for display in the user's browser, and, yes, scan them to help select ads to display next to each e-mail. If "reading" an e-mail for ad-serving purposes is "interception" under the wiretap act, those other functions could be illegal wiretapping, too. And that would create a huge headache for anyone who runs an e-mail service or social media site.
Luckily, Congress excluded activities that are part of the service provider's "ordinary course of business" from the ECPA's definition of wiretapping. Google argues that its advertising system is part of the "ordinary course of business" of running its e-mail service.
Judge Lucy Koh disagreed. In her Thursday ruling, she held that only activities that were "instrumental to Google’s ability to transmit e-mails" were excluded from the definition of wiretapping. But scanning e-mails for spam, indexing them for search or organizing them into categories aren't "instrumental to Google’s ability to transmit e-mails" either. They're extra features Google added to the basic e-mail service. Could spam-filtering also run afoul of wiretapping laws?
Not to worry, Judge Koh writes, "a service provider can seek consent to provide features beyond those linked to the provision of the service." If Google wanted to show users ads, it just needed to ask users for permission.
The problem is that Google did seek consent for advertising. Gmail's terms of service state that "advertisements may be targeted to the content of information stored on the Services." Koh says this disclosure isn't good enough for two reasons. First, she says, "it demonstrates only that Google has the capacity to intercept communications, not that it will." And second, she says, wiretapping law "protects communications in transit, as distinguished from communications that are stored."
Neither of these arguments makes sense. Google's ad-targeting policies have never been a secret. They were widely debated at the time the service was launched. And Koh's distinction between e-mails in transit and in storage is incoherent. Every e-mail "transmitted" to a Gmail user is "stored" on Google's servers before it's delivered to a user.
In short, Judge Koh's ruling is a conceptual mess. It would have been much better for her to avoid this entire quagmire by simply ruling that an e-mail provider scanning its customers' messages, for spam filtering, search indexing, ad targeting or any other purpose, isn't wiretapping. If her logic is upheld on appeal, then online services will have to hire lawyers to carefully parse the ECPA every time they add a new feature. That's not good for entrepreneurs, their customers or anyone else.
Luckily, Koh's ruling is only preliminary. It allows the lawsuit to go forward to trial, where Google may yet prevail. But this should not have been a close case, and Koh's ruling creates needless legal uncertainty for others providing online services.