Thursday, August 14, 2014

CENSORSHIP - As Practiced by Google Gmail

"Gmail scanning becomes censorship" by Alexander Hanff, Privacy Beyond Compliance Blog 1/5/2014

Earlier this weekend I was asked by a journalist friend of mine if I would mind answering a few questions for an article he was writing about the draft Data Protection Regulation and Safe Harbour.  The comments were for a feature article in the first 2014 print edition of Infosecurity Magazine.  Needless to say, I was happy to comment on the issue which, I know well and have worked on for the better part of the last 4 years; so this morning I sent my response - a little wordy but relevant none the less and hopefully useful for his article.

To my surprise, just seconds after hitting the send button, I received the following email back from Google's Gmail servers:

Our system has detected that this 550-5.7.1 message is likely unsolicited mail.  To reduce the amount of spam sent 550-5.7.1 to Gmail, this message has been blocked.  Please visit 550-5.7.1 http://support.google.com/mail/bin/answer.py?hl=en&answer=188131 for 550 5.7.1 more information. c2si3563013wie.0 - gsmtp (in reply to end of DATA command)

Obviously, the first thing I did was visit the link which provided me with the following information:

Why has Gmail blocked my messages?

Here at Gmail, we work very hard to fight spam.  While in some cases we may classify a message as spam and deliver it to the spam folder, we also try to find ways to reduce the amount of spam being sent to Gmail in general.  If we detect that a message has a strong likelihood of being spam, we’ll block the message from being sent to Gmail.

A message might be blocked if it contains suspicious-looking or spammy text or if the sending IP has had a history of sending unsolicited messages.

Is all of the mail I’m sending being blocked?

It’s likely that only a subset of the messages which have a strong likelihood of being spam are being blocked and not all of your messages.  However, to help improve your deliverability, we recommend reviewing our Bulk Sender Guidelines.

If you’re forwarding mail to Gmail and your domain also forwards spam, we recommend reviewing our mail forwarding best practices.

As you can see there is no information on how to have your emails removed from Google's filters.  Thinking that maybe the IPv4 address of my mail server was perhaps caught in some sort of RBL from the past (before I was provisioned with it for my server) I pointed my browser to http://mxtoolbox.com to check.  Neither my domain or my IP address were included in any blacklists on the site (which granted is not a definitive list but is pretty well populated).

This leads me to believe that the only reason the email was rejected by Google's Gmail servers was based on the content of the email and I have a couple of issues with this.

1.  I am deeply opposed to Google's scanning of emails - I have argued for a number of years that this is a breach of privacy and probably illegal - although trying to get a regulator to take action has been impossible.

2.  Even if we accept scanning of email content for the purpose of preventing spam, there were a number of key elements to my email which should have made it clear the email was not spam as listed below:

a.  The email was a reply to an email with my response inline.  The previous email I was responding too was indicated with ">" in the left margin next to each original line.  It should have been clear to any automated scanning system that this was a reply and therefore probably not unsolicited.

b.  The email requested both a delivery receipt and read receipt (I wanted to make sure the journalist received and read the email before their indicated deadline so I could phone them before that time if it was clear they hadn't).  Most spammers do not request delivery/read receipts as it uses up technical resources to process them as well as significantly increases their bandwidth usage - imagine if a spammer received two receipts for every single mail they sent to a list of millions.  So again any automated scanning system should have been configured to "understand" this.

c.  My email was signed with my PGP key.  Now granted this might not seem like an obvious reason not to mark something as spam, but have you ever received spam which is signed with a PGP key?  I certainly haven't.

d.  Neither my domain or my mail server's IP address are listed on any blacklist that I could find, so really it was unlikely that my server had suddenly started sending out bulk spam emails.

Google's filtering system for spam is completely arbitrary and quite simply doesn't work.  All four of the individual points above should have indicated to Google's systems that the email was probably not spam but for all four of those points to have existed together and yet the email was still marked as spam, illustrates a complete failure of Google's filters, which seem to be acting more as a form of censorship that anything else.

What makes this even more ironic, is the email content was all about an EU Regulation of which Google would be one of the corporations it impacts most - an email about privacy, scanned by a filter which goes against privacy and run by a company that has declared war on privacy because this single, fundamental right interferes with their illegitimate and unethical revenue model.

No comments: