In March 2014, Google fell under fire for scanning emails in Apps for Education, a collection of online tools and services that include Google Drive and Google Mail.
Now, nearly two years later, four UC Berkeley students and alumni filed a lawsuit against Google Inc. on Wednesday, alleging that UC Berkeley emails were the target of such data mining between 2012 and 2014.
In 2014, nine plaintiffs in California accused Google of scanning emails — or collecting information on users for advertising purposes without permission. Similarly, the four UC Berkeley plaintiffs — Ryan Corley, William Dormann, Shannon Mehaffey and Teddey Xiao — involved in the current lawsuit allege they did not agree to have their emails intercepted and read by Google for advertising purposes.
The plaintiffs allege Google scanned emails and thus violated the Electronic Communications Privacy Act, a federal statute that protects electronic communications while in transit and in storage. Google has not released any information verifying whether the emails were scanned, although attorney Ray Gallo of Gallo, LLP, who is filing the lawsuit on behalf of UC Berkeley students and alumni, and the plaintiffs believe that a 2014 post by Google acknowledging that Apps for Education emails had been scanned prove it.
“The point is that you should be entitled to decide what information you share,” Gallo said. “In this particular case, people did not consent to Google having that information.”
According to Gallo, claims could be worth $10,000 per person in damages.
Google representative William Fitzgerald said in an email that the company does not comment on pending litigations.
Previous legal challenges
Google previously avoided charges by offering evidence that some Google Apps for Education users had consented and knew that Google was scanning emails. Judge Lucy Koh said in 2014 that it would be impossible to determine which email users consented to Google’s privacy policies so cases could not go through as a class action lawsuit, which means one plaintiff could not file the lawsuit on behalf of a large group of people.
This meant that small groups could mount a wiretapping challenge to Google’s services, said Chris Hoofnagle, campus law professor and faculty director of the Berkeley Center for Law and Technology, in an email.
“Of course we use Google on campus but we do not have a reliable answer about how Google is scanning student and faculty email,” Hoofnagle said in an email.
On April 30, 2014, the company announced that it had disabled ads scanning in Apps for Education.
“This means ads in Apps for Education services are turned off and administrators no longer have the option or ability to turn ads in these services on,” said Google for Education Director Bram Bout in the statement. “Google cannot collect or use student data in Apps for Education services for advertising purposes.”
Gallo said this meant Google acknowledged in April that it had been scanning Apps for Education users’ emails after all.
Nationwide, 30 million students, teachers and administrators used the free Google Apps for Education email accounts in 2014.
How does Google use email scanning for advertising purposes?
Data mining allows Google to develop user profiles to target ads more successfully. While most Gmail users may have authorized scanning by accepting some terms and conditions, Gallo said, Google Apps for Education users from UC Berkeley and many other schools may not have.
According to a statement from the campus, Google cannot scan emails under the contract it has with UC Berkeley.
“The agreement that UCB utilizes for our Google Apps for Education Service does not allow for Google’s use of our data for any purposes other than to fulfill its obligations to deliver the service to us under our agreement,” the statement reads. “UCB does not believe that scanning for the purpose of serving ads anywhere is an allowed use under the agreement.”
UC Berkeley is not involved in the lawsuits, Gallo said. The suit he filed alleges that other UC Berkeley Apps for Education users between 2012 and 2014 including faculty and staff would have also had their emails scanned, based on Google’s 2014 announcement.
According to the U.S. Department of Education, under the Family Educational Rights and Privacy Act, outside parties like school-sanctioned email services must adhere to conditions that govern students’ education records.
Outside parties can only use information such as that obtained in email data mining for the specific “legitimate educational interests” the disclosure was made, according to a statement from U.S. Department of Education.
After the initial lawsuits in 2014, Hoofnagle explained in a blog post that Google switched to a new technology in 2010 called a Content Onebox that allows the company to intercept emails in transit from other email systems rather than scan those already stored in Google Mail.
At UC Berkeley, where students and faculty are privy to everything from confidential data and patient information to valuable research on new technologies, a system that scans emails is even more threatening, Hoofnagle said in the post.
“(The data mining) would allow Google to understand the meaning of all of our communications: the identities of the people with whom we collaborate, the compounds of drugs we are testing, the next big thing we are inventing,” Hoofnagle wrote. “Imagine the creative product of all of Berkeley combined, scanned by a single company’s ‘free’ email system.”
UC Berkeley senior Ryan Corley and a plaintiff in the current lawsuit against Google, said in an email that the alleged scanning of emails by Google would constitute an “invasion of (his) privacy.”
The scanning of potentially sensitive information is “creepy,” staff technologist at the Electronic Frontier Foundation Jeremy Gillula said. The Electronic Frontier Foundation filed a complaint December 2015 under the Federal Trade Commission for unfair and deceptive trade practices.
The complaint says Google scanned people’s emails while leading them to believe otherwise, which Gillula alleged is false advertising.
“A lot of these platforms are emails you have to use to participate in college,” Gillula said. “You’re forced to give up any sense of privacy in your communications to turn in your homework.”
In general, scanning of emails containing confidential health information is an example of data collection that is “potentially very dangerous” and should not be available to Google for targeting users for ads, Consumer Watchdog’s Privacy Project director John Simpson said.
Hoofnagle wrote in 2014 that Google would have a hard time defending its claim that users and campuses consented to the interception of their communications.
“Those campuses that negotiated a ‘no data mining’ provision are in the best position to argue that there was no consent, because they specifically rejected such data analysis,” Hoofnagle wrote. “And they are likely to have a claim because the placement of the content one box suggests that data mining is taking place over the entire stream of traffic.”
As people become more aware of allegations of Google’s data mining, Gallo expects to file more cases on behalf of students from other schools using Apps for Education in addition to UC Berkeley.
“I think that people at a minimum should be entitled to not just the opportunity to consent, but a very prominent disclosure,” Gallo said.
Michelle Leung covers student life. Contact her at [email protected].