In another privacy flap, Google email riles spam fighters
Mar 27, 2006
Last month, Matthew Schwingel became collateral damage in a low-grade conflict between Google Inc. (GOOG) and a handful of spam fighters.
Important messages the former Bank of America trader sent using Gmail, Google's free Web-mail service, went missing over several key days while he and his partners were setting up a new fixed-income trading firm. The delivery problems forced Schwingel to spend hours making sure messages were received and business was getting done. They also sent him back to Hotmail, the service from Google's arch rival Microsoft Corp. (MSFT), until his new company's email got off the ground.
"Just knowing one of your emails didn't go through makes you worry about the last dozen you sent," Schwingel says. "I don't mean to bash Google - I love the company and their products - but email is a sensitive item....It's a commodity that's expected to work 100% of the time."
The problems experienced by Schwingel and possibly thousands of other Gmail users are a consequence of Google's sometimes-hawkish policy on privacy. In an unusual practice, Google makes Gmail users virtually anonymous. That's led some spam blockers to occasionally blacklist entire Gmail servers, the massive Google computers that hold many Gmail accounts, because they can't separate the spammers from the legitimate emailers.
'Ticking People Off'
Some publicly available black lists, including the widely used Spamhaus list, have a hands-off approach to Gmail to avoid blocking legitimate email. Others, most notably IronPort Systems Inc.'s SpamCop, aren't willing to give Gmail a free pass.
"Gmail has taken an extreme position on privacy that inhibits the antispam community from doing their job, and it's ticking people off," says Tom Gilles, co-founder of IronPort.
Some 10% to 15% of the spam IronPort sees comes from free Web-mail accounts, too big a slice to turn a blind eye to.
"From time to time, Gmail mail is getting blocked because spam is leaking out of their service," Gilles says. "Sometimes the babies get thrown out with the bath water, and that is the rub."
It's difficult to gauge how widespread the problem of missing Gmail is, since no blocking records are available, though experts worry it's growing along with the Gmail service. Gmail had 6.7 million visitors in February, up 4.1 million from a year ago, according to measurement firm comScore Networks, a jump that suggests lost email has yet to hurt the service's growth. Yahoo Mail is still nearly 10 times bigger, hosting 64.6 million visitors last month, and AOL and Hotmail are also orders of magnitude larger.
The situation reveals again how the studiously iconoclastic search engine is wrangling with where to draw the line on Internet privacy. As in other recent cases, Google is taking a harder line than its peers.
Google considers user trust to be a cornerstone of its business and has guarded its privacy record jealously. It recently fought a subpoena for search data from the U.S. Department of Justice that Microsoft, Yahoo Inc. (YHOO) and Time Warner Inc.'s (TWX) America Online complied with.
That said, privacy advocates still have concerns, particularly about how Google might use the vast amounts of data it collects about users' Internet activities. And Gmail itself has come under fire for serving "relevant" advertisements that are based on keywords in users' messages.
In this case, Google decided not to put account holders' IP addresses, which are numerical identifiers for computers on the Internet, onto its email routing information, a convention followed by Yahoo Mail and Hotmail.
"Personal information, including someone's exact location, can be gathered from someone's IP address," Google says on its Web site. Leaving it off "prevents recipients from being able to track our users, or uncover what may be potentially sensitive personal information."
Sensitive Information
Law enforcement and parties to civil lawsuits can use an IP address to subpoena communications, says Ari Schwartz of the Center for Democracy and Technology, an online privacy-advocacy group. As such, IP addresses are considered personally identifiable information in some European countries where there are tighter privacy rules.
In the U.S., however, IP addresses have been considered a gray area. "It's a complicated issue, but it's an important one," he says.
A Yahoo spokeswoman said in an emailed statement that user IP addresses "are exposed to any Web site that a person visits," suggesting they aren't private information. Microsoft said in a statement that senders' identities and reputations "can be provided without putting customers' privacy at unnecessary risk."
Indeed, assessing reputation, which requires knowing a senders' identity, is now at the cutting edge of antispam technology. Black lists, which are rosters of spammer IP addresses, are used by many organizations as a first line of defense, though experts stress they should be used with care to avoid blocking legitimate email.
Google's strategy seems to be to attain both reliability and privacy for its email service through the sheer force of its engineering prowess, rather than by hewing to the informal protocols of the Internet community.
"We have been pleased with our success at preventing spammers from exploiting or using Gmail to send spam," a Google spokesman said in an emailed statement.
Gilles of IronPort says Gmail servers only land on the SpamCop list "every few months," and that Google is good at keeping spammers out of its system and at fixing any problems so its servers are delisted.
But others think that approach won't suffice. "They think they can solve the problem technically," says Alan Murphy of Spamhaus. But "any lock in the world can be picked. They underestimate that social aspect, and they overestimate their technical ability, and they are not able to block all outgoing spam."
