As we noted last week, Google has introduced a new beta email service called "Gmail" that raises a number of privacy concerns.

While the media has largely focused on the fact that Gmail will scan the contents of your email messages in order to target ads, the more serious problem from a privacy perspective is Google's ability to link your Gmail account information with your Google web searches. By linking your complete Google search history - tagged with your name and personal details - to your email records, Google can create a highly nuanced picture of you as a reader and as a person. Such pictures present irresistible targets for government investigators, civil lawsuit plaintiffs, and even identity thieves. A single attack or disclosure could release deeply sensitive details about your life to the world without your knowledge or consent.

Below, we explain how personal information from your Gmail account can be linked to your Google searches, provide a technical "how-to" for (temporarily) keeping the two separate, and offer our recommendations for a longer-term solution to the problem. Although we focus here on Google, these recommendations apply to any business - Yahoo, Hotmail/MSN - that offers both search and email services and can link the two.

~ The Problem

Google uses cookies - bits of identifying data that automatically allow a website to "recognize" you - to link every Google search you conduct from the same computer and browser. Google could use this to refine your search results, or how they are displayed, to match your preferences more closely. Even though Google keeps this search information stored on its servers, without your name and other personal information it has no way to explicitly link those searches to your other activities and correspondence on the Internet.

The problem is that the Gmail service may change this. All of a sudden, Google can know exactly who you are every time you search the Internet using its service. And not only that, its databases know who is sending you email, to whom you respond, and even what you write about. With innumerable search results and up to 1 gigabyte of email messages per Gmail account at its disposal, Google could pull together an extremely detailed dossier on each of the millions of people who use its services every day. Such a vast assemblage of nuanced personal information could become a bigger privacy nightmare than government projects such as Total Information Awareness (TIA).

As we note above, Google isn't the only threat. Yahoo and Hotmail, although they're not (yet) offering to archive a full gigabyte of your personal email messages, can also link your email account to your search history - and to your instant messaging as well. Amazon is getting in on the game, too, announcing this week its new "A9" search service, which will allow the company to correlate your book browsing and purchases with your search and click history via cookies.

~ The Fix

Contrary to what we suggested last week, merely deleting cookies "often" is not enough to prevent this from happening. You would have to delete cookies both before and after you use Gmail - each and every time. There's a better way.

Delete Past Linkability

For current and prospective Gmail users, we suggest that you start by deleting your existing Google cookies before you use Gmail (and before you enter your real name or existing email address in any Google form). This will help prevent your pre-existing search history from becoming associated with your identity in the future. (Note that it will also cause you to lose any Google preferences you have entered, such as language or adult content preferences.)

Prevent Future Linkability

In addition, we suggest that you use one of the two following schemes to prevent a link between your Gmail account and your Google searches:

(1) If you don't already have two or more web browser programs installed on your computer, obtain a second browser. Use the second browser only to access Gmail, and never use it for Google searches. To serve as a reminder for which browser to use, you could configure your second browser to load Gmail automatically when it starts.

(2) Use an "anonymizing" or cookie-controlling proxy service such as Anonymizer.com whenever you use Google search. For example, if you are an Anonymizer.com subscriber, you can create a web browser bookmark to the URL https://anon.ssl.anonymizer.com/http://www.google.com/ and use this bookmark whenever you want to make a Google search. You can then feel free to log on to the Gmail service using your ordinary web browser.

~ Our Recommendations to Google

Google doesn't have to make us jump through these kinds of technical hoops in order to protect our search privacy. In fact, Google could easily reassure its users about linking email to search with one simple step. Because each cookie is associated with a particular domain, Google could move the Gmail service from gmail.google.com to www.gmail.com - thereby keeping the gmail.com cookie separate from the google.com cookie. While using separate domains may not be as convenient for some users as a single sign-on at a single domain, single sign-on could easily be offered as an opt-in feature, giving people a fair opportunity to assess the privacy/convenience trade-off before Google starts collecting their data.
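The domain-separation argument above rests on how browsers scope cookies: a cookie set with Domain=google.com is attached to requests to google.com and to every subdomain of it, including gmail.google.com, while a cookie scoped to gmail.com is never sent to google.com. The following is an added example, not code from the original EFF article or from Google; it models the RFC 6265 domain-match rule in a minimal cookie jar and compares the two hosting choices the paragraph describes. The hostnames come from the text; the cookie names (search_pref, mail_session) and their values are constructed for illustration.

```python
"""Model of browser cookie scoping (RFC 6265 section 5.1.3) applied to the
Gmail-on-gmail.google.com versus Gmail-on-www.gmail.com question.

Added example: not part of the original article. Cookie names and values
are constructed; Path, Secure and expiry are ignored because they do not
affect whether a search cookie reaches the mail host.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str       # Domain attribute the server set, or the setting host
    host_only: bool   # True when the server sent no Domain attribute


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: host equals the cookie domain or is a subdomain
    of it, so "gmail.google.com" matches "google.com" but "www.gmail.com"
    does not."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".")
    if request_host == cookie_domain:
        return True
    return request_host.endswith("." + cookie_domain)


class CookieJar:
    """One browser profile's cookie store (constructed, simplified)."""

    def __init__(self) -> None:
        self._cookies: List[Cookie] = []

    def set_cookie(self, set_by_host: str, name: str, value: str,
                   domain: Optional[str] = None) -> None:
        """Store a cookie as if `set_by_host` had sent Set-Cookie. A host may
        only set a Domain attribute that covers itself."""
        if domain is None:
            self._cookies.append(Cookie(name, value, set_by_host, host_only=True))
            return
        if not domain_matches(set_by_host, domain):
            raise ValueError(f"{set_by_host} may not set a cookie for {domain}")
        self._cookies.append(Cookie(name, value, domain, host_only=False))

    def cookies_for(self, request_host: str) -> Dict[str, str]:
        """Cookies the browser would attach to a request to `request_host`."""
        sent: Dict[str, str] = {}
        for c in self._cookies:
            if c.host_only:
                if request_host.lower() == c.domain.lower():
                    sent[c.name] = c.value
            elif domain_matches(request_host, c.domain):
                sent[c.name] = c.value
        return sent

    def clear(self) -> None:
        """Delete every cookie: the article's 'delete past linkability' step."""
        self._cookies.clear()


def linkable(jar: CookieJar, search_host: str, mail_host: str) -> Set[str]:
    """Cookie names the same browser sends to BOTH hosts: each is an
    identifier that lets the search log and the mail log be joined."""
    return set(jar.cookies_for(search_host)) & set(jar.cookies_for(mail_host))


def demo_same_domain() -> Set[str]:
    """Gmail hosted at gmail.google.com: the search cookie scoped to
    google.com rides along on every request to the mail host."""
    jar = CookieJar()
    jar.set_cookie("www.google.com", "search_pref", "constructed-id-1", domain="google.com")
    jar.set_cookie("gmail.google.com", "mail_session", "constructed-session")  # host-only
    return linkable(jar, "www.google.com", "gmail.google.com")


def demo_separate_domain() -> Set[str]:
    """Gmail hosted at www.gmail.com: gmail.com cannot read a google.com
    cookie and vice versa, so no identifier is common to both hosts."""
    jar = CookieJar()
    jar.set_cookie("www.google.com", "search_pref", "constructed-id-1", domain="google.com")
    jar.set_cookie("www.gmail.com", "mail_session", "constructed-session")  # host-only
    return linkable(jar, "www.google.com", "www.gmail.com")


if __name__ == "__main__":
    print("shared with search when Gmail is at gmail.google.com:", demo_same_domain())
    print("shared with search when Gmail is at www.gmail.com:   ", demo_separate_domain())
```

The two-browser scheme in the previous section is the same idea applied client-side: each browser is its own CookieJar, so nothing is ever common to both hosts. Moving the service to its own domain achieves that separation for every user without requiring any of them to change their habits.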

Finally, Google has said that it will not use Gmail to determine who is using the Google search engine for particular searches. This is a good policy, but it needs to be spelled out clearly on the Gmail privacy policy page.

~ What's Next?

EFF is pleased that Google has so far been forthcoming about many of the features and issues raised by Gmail. We plan to continue our talks with the company, and we hope that Google will adopt our recommendations. When the final version of the Gmail service is released, we'll take a fresh look and let you know whether or not the service makes the grade for protecting your privacy.

~ The Big Picture

What we've offered here is a short-term fix for current/prospective Gmail users and a few brief recommendations for Google, barely scratching the surface of the privacy issues surrounding Web mail. A temporary work-around is just that - temporary. In the longer term, we are exploring bigger picture issues including:

* Concern over the growing trend to move large portions of people's lives online via third-party providers, abandoning hard-won legal protections.

* Risks of potential correlation of large swaths of private online activity beyond mail and searching at all the major providers: MSN, Yahoo, AOL and now potentially Google.

* Different legal rules that may apply to mail that is indexed, searched or keyword matched by a third party - even when all these tasks are entirely automated.

* What risks users should be aware of, what technical measures they can take to protect their privacy, and what legal and contractual measures they should demand to protect their rights.
