'

Gmail is more promise than threat

Will Gmail lead Google into temptation or deliver us from evil?

We've been here many times before, and will be again. Big company takes cudgel to rights of users, users squeal, knights on white chargers roll up and save the day. According to Privacy International, it's time to take up lances and don helms against Google's new Gmail service and its robotic hoardes of scanners. Free email with huge storage sounds nice, but PI has already complained to information authorities across Europe that Gmail is not to be trusted because it will take our data and not guarantee its security. The user agreement is dangerous, says PI.

So far, though, Google hasn't behaved in an aggressive way towards its users. It may do in the future -- it's all very well saying that the company will "do no evil", but you'll be hard pressed to find any organisation outside Satanists'R'Us who'll say different. Yet on existing evidence, Google has been good. It hasn't lied to me or taken my money under false pretences. Or at all: it's merely delivered years of fabulous service for nothing. It deserves the benefit of the doubt, and Google is working hard at addressing the more draconian analyses of its user agreement before launch. And if it doesn't -- well, you can always just not sign up.

The fact is that email is woefully insecure. The only time you have any hope of contractual control is if you and your recipient are on the same ISP -- otherwise, the moment your message has left your outbox, you're at the mercy of everyone who relays your email to your recipient. They could be anyone -- in fact, different chunks of the same message could be relayed by completely different companies. That's the Internet. It doesn't matter what's in your contract with your email provider -- they cannot guarantee security, privacy or delivery. They can and should say that they won't get naughty with your stuff when it's on their system -- as Gmail seems to do -- but that won't make your data secure. The only person who can make your email secure is you, through decent encryption.

So, Gmail isn't going to make your email any less secure than now. The complaints of Privacy International are off-key. Its alacrity in publicly submitting them to information security bods across Europe before Gmail is even launched smells of an organisation rather keener on publicity than on effective, focussed advocacy. Au contraire. Gmail is going to make our email a lot more secure -- if it gets the technology right. We already have robots reading all our email: they're called spam filters, scanning emails as they arrive in our inboxes. As you know, this doesn't work very well. Spam isn't a transmission problem, it's a database problem.

The only thing that makes a message spam is that it's been sent to lots of people who didn't want it -- something that's hard to spot if you can't look at lots of inboxes at once. Google is very, very good at finding patterns in large datasets. Gmail will be able to look back in time across millions of inboxes, giving it an unparalleled opportunity to characterise spam and spammers in multiple dimensions. Of course, we can't tell until the system's in use by millions whether things will work out like this, but once again Google has earned the benefit of the doubt. Spam is email's biggest security problem today, and it has the chance of tackling it head-on.

Which is not to say Gmail couldn't go further. Do you know how to encrypt your emails -- and how to make sure your recipients can read them afterwards? It's never been painless, but it may become necessary. At first glance, it would look as if encrypted emails would be the death of Gmail: even smart robots can't scan pseudorandom binary, so there goes the revenue stream.

But if Gmail offered the encryption itself over a secure link, then this is no longer a problem. It could store the emails in clear on its own system, en- or decrypting them as they leave or enter. It could offer the cryptographic engine as a web service for other clients, other ISPs. It may have to -- if encryption outside its control becomes normal, then the service is finished.

All this is in the future. If Gmail deals with its critics coolly, promptly and civilly, and provides a service that matches its promises and maintains its policy of "users first", it will deserve all the success it can handle.