nore on California Gmail legislation misguided; Gmail has more serious privacy flaws

[dave () farber net]

 ..... Forwarded Message .......
From: Richard Wiggins <richard.wiggins () gmail com>
To: David Farber <dave () farber net>
Cc: galler () umich edu
Date: Sat, 29 May 2004 10:19:32 -0400
Subj: California Gmail legislation misguided; Gmail has more serious privacy flaws

Dave,

The prospect of this becoming law is frightening.  The cure is far
worse than the purported risk.  I have to wonder how many people who
pontificate over the risks Gmail might pose have actually used or even
seen it.  And now they've leapt to legislating.

I've been a Gmail beta tester for 6 weeks now.  The targeted ads are
similar to what a Google search pulls up -- unobtrusive and often
quite relevant to the topic of the mail.  Also, often hilariously off
target, but relevant or not, easy to ignore.

The State of California proposes to declare that it trusts some robots
-- those that inspect for spam or viruses -- and to outlaw other
robots.  Look, folks, either you trust a robot to examine your
content, or you don't.   I don't want a legislator deciding which
robots and intelligent agents I can subscribe to freely.

Now here's the big irony: There is a huge, real privacy flaw in Gmail.
 As a beta tester I've informed them of the flaw but no word yet as to
a fix.

Suppose I visit your office, Dave, and sign in quickly to look at
Gmail using your computer.  Suppose I forget to sign out.  From, now
on you can continue to read my mail.  You can read my mail FOREVER --
until you shut down your computer or your Web browser.

Even if I log in at another computer, you stay logged in. I can't
detect that you're reading my mail, and I can't stop you from reading
my mail.  I've tested this with multiple computers, including over a
10 day span.

Google's Gmail team needs to do two things:

-- Implement an aggressive session timeout.  With up to 1 gig of your
life searchable, it's a big deal if you leave a public terminal logged
it.  The timeout should be maybe 15 minutes.  The Web client -- a
brilliant piece of work otherwise -- should save state across the
password challenge.

-- Detect when you log in from a second computer, and disconnect the
older session.

Google will fix these flaws. Gmail is young.  It's in beta. In the
meantime, any call for legislation is WAY premature.  There might be
good reason to regulate what Google does with data it gathers, but
basically outlawing the Gmail concept is way over the top. I hope the
California legislature contemplates that Google could easily take
their $25 billion and relocate to another state.

/rich

On Fri, 28 May 2004 16:48:00 -0500, David Farber <dave () farber net> wrote:
> Begin forwarded message:
>
> From: "Annie I. Anton" <aianton () mindspring com>
> Date: May 28, 2004 1:46:19 PM EDT
> To: David Farber <dave () farber net>
> Subject: For IP? California votes for Google mail safeguards
>
> The Register » Internet and Law » Digital Rights/Digital Wrongs »
>
> Original URL: http://www.theregister.com/2004/05/28/gmail_legislation_passed/
>
> California votes for Google mail safeguards
> By Andrew Orlowski in San Francisco (andrew.orlowski () theregister co uk)
>  Published Friday 28th May 2004 03:17 GMT
>
>  The Californian state Senate has voted to
> introduce safeguards on email services that, like

-------------------------------------
You are subscribed as interesting-people () lists elistx com
To manage your subscription, go to
  http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/