Gmail, End User Privacy, and Harassment

Gmail gets a lot of things right, but gets one really important thing very wrong.

I'm going to tear into Google momentarily, but before I do that, let's start with the good things. Praise before criticism, and all that. And rightly so -- I don't want to skim over the fact that Gmail has some cool features that really do take email to the next level. Here's just a few of the things that I really like about their email platform:
  • Tons of storage,
  • Easy-to-use interface,
  • Strong search capabilities,
  • Support for automatic filtering and forwarding rules,
  • Support for sending mail using your vanity email address, and
  • Free POP3 support.
I'm on a few different high-traffic mailing lists, and I wouldn't be able to manage the traffic without Gmail. Their automatic rolling up of discussion by topic ("threading") makes it very easy to skim updated discussions at a glance and decide which ones I want to participate in. Since search is Google's forte, I'm able to easily look back and see if a discussion point was already raised by somebody else in the past few months before bringing it up myself. Managing email on multiple computers with Gmail is a breeze. I use Mozilla Thunderbird on my desktop computer at home, retrieving mail with Google's free POP3 support. On the road, I have easy access to Gmail's web interface from my laptop, and from my PDA phone.

Google has done a great job with search integration into Gmail, as well as adding cool geek-friendly features like POP3, custom from address support, and the ability to set up mail filtering and forwarding. That makes sense. They've hired some of the smartest people in the world to help them imagine, design and deploy new things that people will want, even if they might not have realized they wanted them before. Often, their new features are things you don't usually see in a free webmail service.

But, Google's not perfect. Some of their views on email handling, spam, and end user privacy are out of date and extremely myopic. I think that also makes sense; a side effect of hiring a bunch of very smart people, who all think they can change how the world thinks of email, like they did (successfully) for search. In the search realm, they really did create something new and amazing. Unfortunately, email is different. There are a base set of issues that all mailbox providers (ISPs and webmail services) have to deal with, and have been dealing with for many years. It's not just about search and threading and a neat interface. It's also about: Blocking spam into their systems. Preventing bad guys from using their services. Providing guidance and feedback (both positive and negative) to people who want to send mail to Google users. These are all areas where it seems to me that Google's views are about ten years out of date.

I could go on for days here, but instead, I'll focus on the most important thing I think they're getting wrong: preventing bad guys from using their services. Google enables use of Gmail for bad things by hiding the source IP address on mail sent by their users; and it's lame. It's scary. It's outdated. It lets bad guys use their services as long as they stay under the radar. If you want to start a low-level harassment campaign against somebody, Gmail's the way to do it.

To give you a bit more understanding, let's take a walk down memory lane together. I've been in this industry a long time, and I've angered a lot of morons over the years. Getting spammer accounts shut down often draws harassment and threats. Lots of idiots think that a Yahoo or Hotmail account is anonymous. It's not. They clearly stamp all outgoing mail with the IP address showing from where the user logged into Yahoo or Hotmail. This is important, because it tells you the real ISP that somebody is harassing you from. You are then able to contact that ISP, and provide them more proof, showing what the guy's doing wrong, which helps nudge the ISP to get it stopped.

In the case of one idiot spammer, he thought it would be cool to harass me from Hotmail, not realizing that the email headers clearly told me that this "new person" was really connecting from, the same ISP that I was working to get the guy thrown off of. It turned out to be another nail in his coffin; feigning ignorance (and putting up web pages about how I'm a big meanie, and that I made it all up) while sending me harassing email from an IP address traceable back to him was ultimately what ended up getting him banned from that ISP.

(If you want to read this guy's rant about me, perform a Google search on my name, and it'll be somewhere down the list. Look for a small man crying in a loud voice about dictators and nerds. Pretty funny. That dude in particular was quite clearly a spammer, and quite clearly unhappy that I busted him for it. I'm not linking directly to him here though, as there's no point in helping his search ranking.)

Anyway, that's how it works with Hotmail. And Yahoo, and AOL, and just about any other ISP or webmail provider. But not Gmail. Google hides that source IP address, preventing you from determining which ISP the harasser connected to Gmail from. Why do they do that? I don't know for sure, but I theorize that it's done in the name of end user privacy. I take issue with that, because an IP address isn't a private piece of data. It's a license plate, not a social security number. Any website you connect to for any reason knows your IP address. An IP address doesn't trace you, it just traces your ISP. That means somebody can tell you emailed them from a computer at the Chicago Library. It doesn't tell them who you are or what books you checked out of the library. That means that somebody can tell I'm one of 25 million AOL users. It doesn't tell them which one of those 25 million users I am.

Sure, Google has record of the connecting IP address. (That goes without saying, because as I said, every connection you make to every website you visit tells that website your IP address.) And they have the cell phone number (or friend's invite) that was involved in creation of the Gmail account. If they get a subpoena from law enforcement, they'll provide this info. So, if somebody stalks you via Gmail and then actually kills you, then Gmail can do something about it. Yikes.

Problem is, that's not how most harassment works. Most of it is low level F-bombs and racist taunts sent by morons who think that the internet is untraceable, though it's not. I've been able to get people fired before for sending harassing emails from work. I can't identify them personally; I don't have to. I just contact the company and provide them the info showing the date and time and IP address of the source of the harassment. They check their internal logs, figure out who did it, and deal with it. Reprimand, training, termination, whatever their company policy dictates.

This works well, except if the harassment originates with Gmail. Because if somebody harasses you via Gmail, and it's not serious enough to get law enforcement interested in pursuing it, the best you can do is complain to Google. And hope something happens. And maybe the harasser loses their Gmail account. Which was free to begin with, and probably set up just for this purpose.

Strangely, if you post to Usenet newsgroups via Google Groups, your source IP address is included in the headers. Smarter people than me tell me that this is because Usenet is a smaller, more directly cooperative environment of server operators. Google previously found that when they didn't include the source IP address, lots of sites got fed up with spammers and harasses attacking Usenet through Google Groups, and started "aliasing out" (filtering out) all posts from all Google Groups users. This is fairly common in the world of usenet; run your site poorly and you're pretty quickly shunned by way of being aliased out, or by way of applying the Usenet Death Penalty.

How long until somebody proposes a similar "email death penalty" for Gmail? Eventually, other ISPs (and frustrated end users) get tired of not being able to track the source IP of harassment (and other bad things) from Gmail users. I'm not sure how long it'll take, but my bet is that it will happen eventually. I know I'm not the only one frustrated by their ill-conceived IP address-hiding policy, and the buck stops right at Gmail's SMTP servers.