Yottabytes: Storage and Disaster Recovery

Aug 25 2014   11:50PM GMT

What Crimes Do Vendors Look for In Our Email?

Sharon Fisher Sharon Fisher Profile: Sharon Fisher


We’ve written before about how people’s storage privacy rights seem to go out the window whenever child pornography is mentioned, whether it’s on hard disks and USB drives, the cloud, or whatever.

Now we’re finding it’s true of email too.

(Stipulated: Child pornography is bad. Moving on.)

John Henry Skillern, of Texas, was arrested earlier this month for child pornography in his Gmail account, after Google alerted police. Police then came with a warrant, searched his home, found other evidence, and arrested him.

Wait a minute. How did Google know? Doesn’t the company talk all the time about how it doesn’t really look at the content of our email? That it’s just looking for keywords so it can sell ads?

It works like this. Really, there’s not that many newly generated child porn images out there; old ones keep getting sent around. As we’ve written about before, companies such as Dropbox, Facebook, and LinkedIn have a database of known child pornography images that have been hashed, or reduced by algorithm to a much smaller size. This is helped by an organization called the Internet Watch Foundation, which is co-funded by Google. Those companies compare the hashes of files being sent or stored with the database of child pornography hashes, and look for a match. It saves time, it saves space, and it means the companies don’t need to keep a database of eeeeevil pictures around for comparison.

It’s also why you don’t get arrested for sending a picture of your kid in the bathtub — because that picture isn’t in the database.

Turns out that Google is doing this searching with Gmail as well. It claims, in fact, that it is required by U.S. law to do so. Sort of. It is required by law to notify the National Center for Missing and Exploited Children if it finds people sending child pornography. It is less clear whether it is required to search for them doing so.

Either way, what’s the problem? If you don’t send out or receive child pornography in your Gmail, you don’t have to worry, right?

First of all, this incident raises the question of, what else does Google (and, presumably, other email providers, such as Microsoft and Yahoo!, according to CNN) look for in our Gmail? What else might they be willing to turn over to the police or other government agency?

Google claims that it doesn’t do this for anything other than child pornography. “if you’re Gchatting with a friend about buying marijuana, Google doesn’t want you to worry about being turned in,” writes CNN. But according to the legal expert CNN consulted, there was no reason Google couldn’t do that — it’s right in the terms of service. 

“This kind of search technique can’t be easily translated to other crimes,” Business Insider reassures us blithely. “It’s not the same as a keyword search looking for words like ‘murder, ‘killed,’ ‘stolen’ or ‘bomb.’ Think how many times people use use those words innocently.”

On the other hand, as you may recall, Dropbox used a similar method of storing files to eliminate duplicates — by hashing them to see if a file was already stored online, and if it was, putting in a pointer rather than another copy of the file. But that would also make it easy for a law enforcement organization to determine whether a person was storing copyrighted material, such as movies, in their accounts — just create a similar hash database of popular movies and television programs. The same could be done for music files.

Not to mention anything considered to be terrorist activity, which is right up there with child pornography in terms of the throw-your-civil-liberties-out-the-window card. Or, as GigaOm suggests, fraud or illegal drugs. 

Second, just how automated is this process? If someone receives a child pornography file through email that they didn’t want and didn’t ask for, how likely is it that the email provider is going to turn them in? What a great way to take care of your enemies!

Third, what other online products do this? If someone Googles “child pornography,” is this going to come back to haunt them later? The CNN piece indicated that it applied to search as well. What if they’re doing research for an article or a blog post?

Hypothetically, of course.

3  Comments on this Post

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.
  • Genderhayes
    A fee for processing added by the vendor subscribe and unsubscribe as you choose all information will be kept confidential
    10,720 pointsBadges:
  • Sharon Fisher
    I think that's kind of fraught. Do we really want our civil liberties to be based on how much money we pay?
    9,660 pointsBadges:
  • Mccarthy
    First, we didn't find out Google was checking for child porn until after it happened. Google implied that your email was private.

    Second, if Google (and others) make this exception for child porn - without making this clear (and terms of service famously don;'t make things clear), then they could start checking for other things -- anything, really. And if the government tells them to search for something, then they will -- Google did this because, they say, they had to by law. 

    So it's a reassurance that doesn't really reassure. Google may say it doesn't check for other potential violations of the law, but they are just saying that. At the moment.

    The only thing that makes this child porn exceptional is the specificity and technique - hashes of known lawbreaking images compared to hashes of user attachments means the searches are very specific and unambiguous; and also means Google workers aren't reading your email or looking at your pictures.

    Still, it makes one a bit uneasy.
    50 pointsBadges:

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: