If you think your emails are private, think again

Koh is the same judge who denied class action certification in a similar e-mail privacy case against Google last year. The key difference, as Judge Koh noted in her May ruling, is that the plaintiffs in the Yahoo case sought to include in the class of plaintiffs only non-Yahoo Mail subscribers, while the plaintiffs in the Google case tried to include subscribers as well.

This is important because of the issue of notice and consent: did non-Yahoo Mail subscribers have notice of (and thereby consent to) Yahoo’s publicly disclosed policy of scanning, and possibly sharing, e-mails simply by corresponding with a subscriber?

Given the express language in the SCA that lawful consent of the originator or an addressee or the intended recipient of such communication is sufficient, and given Judge Koh’s prior ruling that Yahoo’s terms of service establishes consent of the Yahoo Mail subscribers – the answer appears to be yes.

In its request to the Ninth Circuit Court of Appeals for permission to appeal Judge Koh’s class action order, Yahoo argued in part that the court improperly decided that the issue of consent could be analyzed within a class action. Yahoo argued that since consent is an issue that is specific to each potential plaintiff’s behavior and action, it would not be appropriate to examine it on a “class” basis, but rather it should be looked at on an “individual” basis. Yahoo’s request was denied without discussion. A preliminary trial date for the Yahoo case has been set for 8 February.

Consumer expectations of privacy
At first blush, it’s tempting to say that e-mails are different from online behavior and internet search histories, and therefore deserve a heightened level of privacy. An e-mail, like its offline counterpart U.S. mail, is personal, private and akin to a confidential one-on-one conversation written with a specific recipient in mind.

And recent lawsuits underscore this temptation. A new case filed a few weeks ago in California federal court alleges that Twitter is “eavesdropping” on users’ private messages in violation of federal and state privacy laws. Another suit filed earlier in September in the Northern District of California alleges that Google unlawfully diverted non-Gmail users’ e-mail messages to extract content.

But one of the key issues in the case against Yahoo is whether e-mail users — specifically those who do not subscribe to Yahoo Mail — consented to Yahoo’s publicly stated policy that e-mails sent through its service are scanned and analyzed by the company.

Yes, Yahoo’s publicly available web pages, including the Yahoo Mail page, disclose its scanning practices and the possible sharing of e-mail content with third parties, yet the plaintiffs argue that before sending an e-mail to a Yahoo user or before receiving an e-mail from a Yahoo user, they were not given notice of that policy and therefore did give their consent to it.

The plaintiffs’ argument, while superficially plausible, will be a challenging one to make. Companies such as Yahoo and Google have long provided notices and disclosures to consumers, yet consumers rarely read privacy policies or terms of use.

So given this persistent choice either to not read or to disregard privacy disclosures, can plaintiffs (whether as individuals or as a group) really object to scanning e-mails for targeted advertising – whether they’re subscribers or not?

Leaving aside the issue of consent for the moment, is our online behavior or our internet searches really any less personal – or any less private – than the content of messages sent by users of a free e-mail service that publicly discloses that their e-mails will be scanned and possibly shared with third parties?

No, they really aren’t.

As the New York Times noted in April 2014 in Sweeping Away a Search History: “Your search history contains some of the most personal information you will ever reveal online: your health, mental state, interests, travel locations, fears and shopping habits. And that is information most people would want to keep private.”

Given the intensely private nature of internet searches and e-mail messages, it’s hard to think that consumers would somehow expect more privacy in one than in the other, especially when they use Yahoo Mail, Gmail or other services that users know rely on advertising to support the product. And neither should we expect complete privacy if we use a paid e-mail service to send a personal message to a user of one of the free services.

Realistic levels of privacy
It’s clear from Judge Koh’s earlier rulings that Yahoo users do not have a right to privacy in the messages that they send to or receive from a Yahoo e-mail user given the respective terms of service governing Yahoo Mail.

But do the non-Yahoo users who willingly sent an e-mail to a Yahoo account holder (and presumably received some) have a right to privacy when the account holder has none?

The plaintiffs allege that Yahoo intercepts and scans subscribers’ incoming and outgoing e-mails for content, including the content of e-mails to and from nonsubscribers. The plaintiffs further allege that Yahoo copies the entirety of such e-mails and: “extracts keywords from the body of the e-mail, reviews and extracts links and attachments, classifies the e-mail based on its content[,] … [and] subjects the copied e-mail and extracted information to additional analysis to create targeted advertising for its subscribers, and stores it for later use.”

Plaintiffs allege that Yahoo intercepts, reads and learns the content of non-Yahoo subscribers’ e-mail communications without the non-Yahoo subscribers’ consent. The plaintiffs say such conduct violates the California Invasion of Privacy Act (CIPA). Judge Koh certified the nationwide class action with regard to the SCA claim and a California-only subclass with regard to the California state law claim under CIPA.

Unlike the Google case, in which Koh denied the plaintiffs’ request for class action certification, the alleged privacy claims in the class action against Yahoo are no longer for money damages (since plaintiffs abandoned their claim for money damages when they moved the court for class action certification). Rather, it is about asking the court to determine that Yahoo’s acts violate the SCA and, if so, that Yahoo be prohibited from engaging in that practice in the future.

The plaintiffs won a short-term victory in achieving class action certification, but this bigger issue over whether they can object to the scanning process — based on a right to privacy — given Yahoo’s disclosure of its scanning and possible sharing practices and given that they chose to send and/or receive an e-mail to a Yahoo user, is far from being decided in their favor.

And they’ll have a tough road ahead making their case, because an important lesson we’ll all learn eventually is that e-mail privacy can sometimes be a digital paradox.

Lydia A. Jones is Adjunct Professor of Law, Vanderbilt University. This article is published courtesy of The Conversation (under Creative Commons-Attribution/No derivative).