Will Google Mine Your Postini E-Mail?

Opinion: If I were a Postini enterprise customer, I'd be re-reading the TOS and privacy policies carefully right now.

When I heard about the Google-Postini deal the first thought I had was about how Google would have a field day mining all the data that Postini filters.

The second thought I had was that the first thought was ridiculous. Theyd never do such a thing with Postini data, which belongs to enterprise customers who would be completely outraged by such practices. Certainly Postini would never have anything to do with it. End of story. Stupid idea.

Then I read Karl Auerbachs blog on the matter:

Google just bought Postini—and one would have to be fairly naive to believe that Google does not intend to dredge through all of that e-mail passing through Postini.

Karl gets carried away, but hes not a stupid guy, so I decided to address the question directly. I would find the Postini or Google policy that forbid such practices.

/zimages/7/28571.gifGoogle is making aggressive moves into the enterprise market and revving up for a battle with Microsoft Exchange. Click here to read more.

Let me begin by summing up: I didnt find one. Its no surprise that Googles privacy policies dont limit them in such matters; thats not the Google way. But I was surprised at Postini, which has an excellent reputation and a client list filled with companies that—as I have already said—wouldnt take any such misbehavior sitting down.

Authors note: It turns out that Postinis most important privacy protection language is in their standard contract. They didnt find this for us until after this column was published. See my blog for details.

Postini has several policy statements on its Web sites. The one that comes closest to addressing the privacy of your data passing through its facilities is its Privacy Statement at http://www.postini.com/legal/privacy.php. Unfortunately, this page only seems to address the privacy of the use of its Web sites. (Im not a lawyer, but thats how it reads to me. Please tell me if Im wrong. I didnt read the EU-specific parts.)

Time to contact Postini, I figured, and they sent me a PDF file containing marketing about Postinis privacy commitment. Some relevant excerpts:

Postini is also committed to honoring the privacy of users. The following excerpts are taken from its privacy policy statement[6], and demonstrate its professional code of integrity and responsibility:
  • Postini never sells or makes available individual names, lists of users, or aggregate data to any third parties for gain.
  • All user-specific information and email message information, including content, addresses, categorizations, and IP addresses, is kept strictly confidential.
The text in the PDF file addresses the concerns dead-on as far as Im concerned. The problem is in the footnote, which the PDF says is the address of Postinis Privacy statement. Last night when I tested it the address redirected back to the other Privacy Statement at http://www.postini.com/legal/privacy.php. This morning it is just a dead link.

I pointed this out to Postinis representatives and they said "Our customers privacy is obviously vital to our business." Of course it is. But why dont they have a policy that says that?

Not quite believing my eyes, I asked Richi Jennings, lead analyst at Ferris Research, for an opinion. First he called me "mad" for even suggesting such a possibility. After hearing all of what I had found, he said that Google would be nuts to do that with the data of paying Google Apps customers, or indeed of classic Postini customers. Just because they dont have a policy against something doesnt mean theyll do it; "...after all, theres no policy that says they wont poke customers in the eye either, but I bet theres no plans to start a Google ocular-digital interface project." Well, none that weve heard of anyway.

Look, Im totally with Jennings on this. I cant believe Google would be stupid enough to mine Postini customer data, and Postini would never do it either. And yet it appears that the company may have changed its policy at some point recently. This leaves me uneasy. Perhaps this is an attempt, for the long term, to keep its options open. Or maybe its just a mistake. I havent heard anything about customers being mad about this or anything else.

And its worth pointing out, as Jennings did to me, that any service such as Postinis has to do some form of data mining in order to be effective. It records and tracks, for example, IP address of senders, monitors links in the messages, etc., and checks all this against databases it maintains. Any policy the company sets has to be able to let them do the job for which they were hired while, at the same time, preventing it from tracking, for example, which companies are sending e-mail to which other companies, and how much. It can be a subtle distinction.

Unfortunately, in this day and age you need to take policies such as these, or the absence of them, very seriously. Im sure Postini has only the right intentions for their customers privacy and theyll clear up the matter before too long.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

/zimages/7/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers blog Cheap Hack

More from Larry Seltzer