Will Google Mine Your Postini E-Mail?

By Larry Seltzer  |  Posted 2007-07-12 Print this article Print

Opinion: If I were a Postini enterprise customer, I'd be re-reading the TOS and privacy policies carefully right now.

When I heard about the Google-Postini deal the first thought I had was about how Google would have a field day mining all the data that Postini filters. The second thought I had was that the first thought was ridiculous. Theyd never do such a thing with Postini data, which belongs to enterprise customers who would be completely outraged by such practices. Certainly Postini would never have anything to do with it. End of story. Stupid idea.

Then I read Karl Auerbachs blog on the matter:
Google just bought Postini—and one would have to be fairly naive to believe that Google does not intend to dredge through all of that e-mail passing through Postini.
Karl gets carried away, but hes not a stupid guy, so I decided to address the question directly. I would find the Postini or Google policy that forbid such practices.

Google is making aggressive moves into the enterprise market and revving up for a battle with Microsoft Exchange. Click here to read more.

Let me begin by summing up: I didnt find one. Its no surprise that Googles privacy policies dont limit them in such matters; thats not the Google way. But I was surprised at Postini, which has an excellent reputation and a client list filled with companies that—as I have already said—wouldnt take any such misbehavior sitting down.

Authors note: It turns out that Postinis most important privacy protection language is in their standard contract. They didnt find this for us until after this column was published. See my blog for details. Postini has several policy statements on its Web sites. The one that comes closest to addressing the privacy of your data passing through its facilities is its Privacy Statement at http://www.postini.com/legal/privacy.php. Unfortunately, this page only seems to address the privacy of the use of its Web sites. (Im not a lawyer, but thats how it reads to me. Please tell me if Im wrong. I didnt read the EU-specific parts.)

Time to contact Postini, I figured, and they sent me a PDF file containing marketing about Postinis privacy commitment. Some relevant excerpts:
Postini is also committed to honoring the privacy of users. The following excerpts are taken from its privacy policy statement[6], and demonstrate its professional code of integrity and responsibility:
  • Postini never sells or makes available individual names, lists of users, or aggregate data to any third parties for gain.
  • All user-specific information and email message information, including content, addresses, categorizations, and IP addresses, is kept strictly confidential.
The text in the PDF file addresses the concerns dead-on as far as Im concerned. The problem is in the footnote, which the PDF says is the address of Postinis Privacy statement. Last night when I tested it the address redirected back to the other Privacy Statement at http://www.postini.com/legal/privacy.php. This morning it is just a dead link.

I pointed this out to Postinis representatives and they said "Our customers privacy is obviously vital to our business." Of course it is. But why dont they have a policy that says that?

Not quite believing my eyes, I asked Richi Jennings, lead analyst at Ferris Research, for an opinion. First he called me "mad" for even suggesting such a possibility. After hearing all of what I had found, he said that Google would be nuts to do that with the data of paying Google Apps customers, or indeed of classic Postini customers. Just because they dont have a policy against something doesnt mean theyll do it; "...after all, theres no policy that says they wont poke customers in the eye either, but I bet theres no plans to start a Google ocular-digital interface project." Well, none that weve heard of anyway.

Look, Im totally with Jennings on this. I cant believe Google would be stupid enough to mine Postini customer data, and Postini would never do it either. And yet it appears that the company may have changed its policy at some point recently. This leaves me uneasy. Perhaps this is an attempt, for the long term, to keep its options open. Or maybe its just a mistake. I havent heard anything about customers being mad about this or anything else.

And its worth pointing out, as Jennings did to me, that any service such as Postinis has to do some form of data mining in order to be effective. It records and tracks, for example, IP address of senders, monitors links in the messages, etc., and checks all this against databases it maintains. Any policy the company sets has to be able to let them do the job for which they were hired while, at the same time, preventing it from tracking, for example, which companies are sending e-mail to which other companies, and how much. It can be a subtle distinction.

Unfortunately, in this day and age you need to take policies such as these, or the absence of them, very seriously. Im sure Postini has only the right intentions for their customers privacy and theyll clear up the matter before too long.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers blog Cheap Hack More from Larry Seltzer
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel