Google's patent for email snooping? Microsoft offers your boss email spying powers now

Google's 'Policy Violation Checker' patent may give your boss new snooping powers in the future, but in the name of 'data loss prevention,' Microsoft already gives your boss the power to monitor your emails.

Filing for a patent does not always mean a company will follow through and make that product a reality, but it is still interesting to see what patents are filed. Such is the case regarding Google's patent for a "Policy Violation Checker," or as Slashdot termed it, "Google seeks do-no-discoverable-evil patent." The abstract states:

Methods and systems for identifying problematic phrases in an electronic document, such as an e-mail, are disclosed. A context of an electronic document may be detected. A textual phrase entered by a user is captured. The textual phrase is compared against a database of phrases previously identified as being problematic phrases. If the textual phrase matches a phrase in the database, the user is alerted via an in-line notification, based on the detected context of the electronic document.

Some Slashdot comments described it as a "lawyer in a box," to help employees avoid phrases that could be misconstrued or otherwise get a company sued. It's "software to peek over people's shoulders," wrote the Huffington Post. "With Policy Violation Checker, Big Brother isn't just watching you. He's getting some control over what you write."

However, if your company uses Microsoft Office 365 Enterprise/Exchange 2013, then Microsoft already offers your boss the power to monitor your email for problematic phrases. Instead of calling it a "Policy Violation Checker," Microsoft offers this scanning of email "for keywords and 'sensitive' data" under an umbrella of data loss prevention (DLP) services.

The Google patent spells out numerous scenarios, such as when "text created by a user in a document is captured and compared against a database of phrases previously identified as problematic phrases. If a match between a phrase in the document and a phrase in the database is found, the user is alerted via an in-line notification."

A tutorial on Microsoft Exchange 2013 policy tips explained, "We can notify a sender if he/she is about to send information that violates a DLP Policy. But how is the sender notified? By including a Policy Tip notification message!" In explaining how DLP worked as of November 2012, the tutorial stated, "These Policy Tips only work on Outlook 2013 for now but it is just a matter of time until they appear in Outlook Web App as well."

The Google "Policy Violation Checker" patent mentions scanning "computer readable storage medium" several times, including: "A computer readable storage medium having instructions stored thereon that, when executed by a processor, cause the processor to perform operations including: detecting a context of an electronic document; capturing a textual phrase entered by a user; comparing the textual phrase against a database of phrases previously identified as problematic phrases; and alerting the user via an in-line notification when the textual phrase matches a phrase in the database, based on the detected context."

While there wasn't anything about scanning readable storage mediums that jumped out, Microsoft Exchange can spot "resume" in an attached Word document, even if it has been ZIP-compressed, Ars reported, then "forward the message to the employee's manager, or bounce it back, silently delete it, or send it to the spam quarantine for further analysis."

Google patent: "In one embodiment, a document being created by a user is checked for problematic phrases as it is being created. As a problematic phrase is identified, a notification appears to notify the user of the existence of a problematic phrase. For example, as the user finishes a sentence, the system may perform a policy violation check on the phrases in the completed sentence in the background to alert the user of a problematic phrase. This allows the user to nearly immediately be aware of a potential violation of policy or law while the text is fresh in the user's mind."

While it's not Johnny-on-the-spot sentence checking, Microsoft Exchange 2013 has DLP templates for monitoring email, with "rules configured to meet specific legal and regulatory requirements" regarding financial and PII data. A Microsoft tutorial explained, "The interesting part is that these rules are smart enough to detect 'valid' credit card numbers. If you simply type a random 16-digit number it will not flag it as being a credit card number! Also, no matter if you put spaces or not in-between each 4-digit set of numbers, Exchange will still detect it."

Regarding privacy, and probably a little bit of Scroogled-esque sniping at Google's practice of scanning email to serve up relevant ads, Microsoft wrote, "Your data belongs to you. Microsoft does not scan emails or documents for advertising purposes." With Google, you get free services like email, but your life is pretty much data-mined.

Most companies have a notice attached to all outgoing email about privileged and/or confidential information meant only for the intended recipient(s). In fact, most have policies about not using email for personal correspondence. That doesn't mean everyone complies with those company policies, but no company wants to be sued and you can't expect any level of privacy when using company email. According to William Shakespeare, "A rose by any other name would smell as sweet." Monitoring by any other name is still a stinky privacy invasion, whether it is accomplished by methods described in Google's "Policy Violation Checker" patent, Microsoft's data loss prevention services, or the government capturing and storing all your digital communication.

Follow me on Twitter @PrivacyFanatic

Copyright © 2013 IDG Communications, Inc.