Police in Texas arrested 41-year-old John Henry Skillern last month after he allegedly sent an email to a friend containing child pornography. The tipster that blew Skillern's cover? Google.
The search giant alerted local law enforcement after detecting the allegedly illicit images in Skillern's Gmail account, part of the company's ongoing effort to root out child porn online. In doing so, it offered a glimpse of the vast power it wields over its users.
Federal law requires that Google and other tech companies report instances of child porn discovered on their services to the National Center for Missing and Exploited Children, a nonprofit group that maintains a database of URLs and file information associated with known child pornography.
Google (GOOGL) and other companies like Facebook (FB) and Microsoft (MSFT) go a step further by voluntarily policing their services, including search and email, for this material. The companies use algorithms to test whether the digital information encoded in images matches against the child pornography database at the NCMEC.
Related: How Google dominated the email business
Google emphasizes that it only uses this email-scanning technology to detect these kinds of files, "not email content that could be associated with general criminal activity (for example using email to plot a burglary)." Translation: if you're Gchatting with a friend about buying marijuana, Google doesn't want you to worry about being turned in.
Hanni Fakhoury, a lawyer with the Electronic Frontier Foundation, called Google's child-porn-detection system "a targeted, narrow way to get at the problem." But he warned of the potential dangers involved in allowing services like Google or Facebook to police their users.
"Child porn is terrible, but what if someone sends an email with a pirated episode of Game of Thrones?" Fakhoury said. "What if I write an email that's harassing or contends offensive language? Will Gmail police that too, and do we want to live in a society where companies are policing that?"
Google already scans your emails and search queries for commercial purposes, presenting you with targeted ads. You give up that right to privacy in the terms of service.
And those terms of service go beyond advertising, stating that Google "may remove or refuse to display content that we reasonably believe violates our policies or the law."
"[T]hat does not necessarily mean that we review content, so please don't assume that we do," Google adds.
Ryan Calo, a tech policy expert at the University of Washington School of Law, said that if Google "decided to take it upon themselves to police other things, they could do it and it wouldn't violate the terms of service or the Fourth Amendment," which bans unreasonable searches of private citizens. You invite Google to look in on your communications by signing up for its services.
Related: Google's plan to rid the world of cyberattacks
As for the company's assurances that it doesn't police user accounts for evidence of illegal activity beyond child pornography, Calo said that promise "needs to go into the terms of service for it to matter."
The concerns about this kind of corporate surveillance aren't abstract. Earlier this year, Microsoft admitted in federal court documents that it forced its way into a blogger's Hotmail account to track down a leak of proprietary software.
Microsoft pointed to its terms of service in justifying the search. But after the incident sparked criticism online, the company pledged that it would no longer investigate customer accounts following reports of stolen property, and would instead refer such issues to law enforcement.
Fakhoury said the Microsoft episode demonstrates the importance of keeping tech companies accountable to their users.
"We have to be really careful with how far we allow these service providers to go," he said.