The simple advice to journalists who use Gmail to communicate with their contacts over sensitive stories is: Don’t. You cannot guarantee to keep their details confidential.
Google now uses software to analyse emails and can potentially work out who sent them, who to, and what they said. This now makes it difficult to protect the source of a sensitive story and presents journalists with an ethical worry.
In fact it’s worse than that. Google analyses incoming emails, too. So if you email someone with a Gmail account, the content can be analysed, extracted and stored, even if you don’t use Gmail.
The changes come in new Google terms and conditions, which confirm: ‘“Our automated systems analyze your content (including e-mails) to provide you personally relevant product features, such as customized search results, tailored advertising, and spam and malware detection.”
The new T&Cs came into force last month. They are already causing privacy concerns in America and may also breach EU data protection laws.
But journalists conducting investigations shouldn’t wait for a court case. They should buy their own email domain – and insist on contacts using an alternative to Gmail top protect their own security.
It has been suggested to Press Gazette that this article is inaccurate because Google only scan emails for spam, viruses and for the purposes of targeting advertising and that their commitment to email confidentiality is absolute.
Here is my response:
This article talks about the JOURNALIST’S moral and legal responsibility to protect their sources – not Google’s.
That means guaranteeing a contact that no-one can discover that a) they emailed a journalist, b) the journalist replied, and c) what was written.
Google admit that their system scans for email text and sender. What could be plainer?
This is enough to warn a journalist working on a sensitive story that they cannot 100 per cent guarantee to protect their source when using Gmail.
No journalist would be daft enough to accept Google’s re-assurances at face value. Especially after last summer’s revelations that the NSA secretly spies on Google data.
Google responded to the NSA revelations by very belatedly improving its email security … after the horse had bolted.
But I don’t think I’m the only journalist who is prepared to accept that this is enough. Why would we risk exposing our contacts' details to Google, when more secure options are available?