The second thought I had was that the first thought was ridiculous. They'd never do such a thing with Postini data, which belongs to enterprise customers who would be completely outraged by such practices. Certainly Postini would never have anything to do with it. End of story. Stupid idea.
Then I read Karl Auerbach's blog on the matter:
Karl gets carried away, but he's not a stupid guy, so I decided to address the question directly. I would find the Postini or Google policy that forbids such practices.
Let me begin by summing up: I didn't find one. It's no surprise that Google's privacy policies don't limit them in such matters; that's not the Google way. But I was surprised at Postini, which has an excellent reputation and a client list filled with companies that—as I have already said—wouldn't take any such misbehavior sitting down.
Author's note: It turns out that Postini's most important privacy protection language is in their standard contract. They didn't find this for us until after this column was published. See my blog for details.
Postini has several policy statements on its Web sites. The one that comes closest to addressing the privacy of your data passing through its facilities is its Privacy Statement at http://www.postini.com/legal/privacy.php. Unfortunately, this page only seems to address the privacy of the use of its Web sites. (I'm not a lawyer, but that's how it reads to me. Please tell me if I'm wrong. I didn't read the EU-specific parts.)
Time to contact Postini, I figured, and they sent me a PDF file containing marketing about Postini's privacy commitment. Some relevant excerpts:
- Postini never sells or makes available individual names, lists of users, or aggregate data to any third parties for gain.
- All user-specific information and email message information, including content, addresses, categorizations, and IP addresses, is kept strictly confidential.
I pointed this out to Postini's representatives and they said "Our customers' privacy is obviously vital to our business." Of course it is. But why don't they have a policy that says that?
Not quite believing my eyes, I asked Richi Jennings, lead analyst at Ferris Research, for an opinion. First he called me "mad" for even suggesting such a possibility. After hearing all of what I had found, he said that Google would be nuts to do that with the data of paying Google Apps customers, or indeed of classic Postini customers. Just because they don't have a policy against something doesn't mean they'll do it; "...after all, there's no policy that says they won't poke customers in the eye either, but I bet there's no plans to start a Google ocular-digital interface project." Well, none that we've heard of anyway.
Look, I'm totally with Jennings on this. I can't believe Google would be stupid enough to mine Postini customer data, and Postini would never do it either. And yet it appears that the company may have changed its policy at some point recently. This leaves me uneasy. Perhaps this is an attempt, for the long term, to keep its options open. Or maybe it's just a mistake. I haven't heard anything about customers being mad about this or anything else.
And it's worth pointing out, as Jennings did to me, that any service such as Postini's has to do some form of data mining in order to be effective. It records and tracks, for example, the IP addresses of senders, monitors links in the messages, etc., and checks all this against databases it maintains. Any policy the company sets has to let it do the job for which it was hired while, at the same time, preventing it from tracking, for example, which companies are sending e-mail to which other companies, and how much. It can be a subtle distinction.
Unfortunately, in this day and age you need to take policies such as these, or the absence of them, very seriously. I'm sure Postini has only the right intentions for their customers' privacy and they'll clear up the matter before too long.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.