If the people I know who work at google are any example, google hires mostly good, responsible people.

This is true in my experience as well, but really beside the point. A good, responsible hire can easily become a bad apple, for any number of reasons. That’s just human nature. There should be some checks to make sure the ones that go bad are properly dealt with.

Do we actually live in a world where major corporations can promise a certain degree of privacy, but when they violate that privacy, there is no legal ramifications whatsoever?

Yes.

Next stupid question?

They could easily incorporate digital signatures (which would be a very good thing), but actual encryption would break the business model.

A half-way approach would be for them to have access to your private key, but only use it for keyword/relevance scoring. This would be nice since it would make your email pretty much secure against third-party snooping, but it wouldn’t be any real barrier against google employees breaking the rules and reading your mail. Actually, I take that back a bit, access to the key repository could be monitored/audited pretty damn well… you’d still have to trust Google, but Google wouldn’t have to rely so much on trusting their employees.

All that said, there is no good reason that a live person at Google should routinely be accessing anyone’s email. Some system engineers / admins certainly need access privileges which would allow them to access emails, but they don’t have any reason to actually read any of the content (from their job POV, it is just data they have to be able to move around and manipulate.)

One final caveat… there are algorithm folks at Google who do need access to a corpus of email content. The relevance stuff and spam filtering both depend on using such a corpus in development. So again, Google’s business model has to include legal rights to access the contents of emails. But they should always be trying to do a better job making sure that access is not misused.

“Personally I consider anything by email to be public knowledge.”

(Fixed that for ya.)

Congress would probably set unrealistic expectations on service providers making it difficult or impossible to roll out new systems without some horrific regulatory hurdle. Or they would set government standards for back door access to everyone’s information making it illegal to use a system that can’t be read by the FBI.

I also wonder how many people really want all of their messages to be secure. It’s been years since I sent any message using PGP of any kind. I know my messages can be read by admins, but just don’t care. (Can I even find my PGP private key? I’ll have to check…)

I still think it would be neat to have security integrated into Gmail in an easy to use fashion, but don’t really have a feel for how much demand there is for such a system.

A good first step would be to remind more people that they are still sending digital post cards. Then we would need to see what additional complexity they are willing to add to their messaging experience (such as maintaining key pairs) to gain more security.

Personally I consider anything sent to a free mail service (gmail, hotmail etc) to be public knowledge.

And besides, google’s position is hardly unique in this regard. Any laws you apply to google need to apply to anyone who runs a mail server. If you’re really concerned about your privacy, get your pgp on.