How Secure is your Email?

By Andrew Gelbman, August 8, 2019

In the modern world, email has come to replace the telephone and written letter for many business and personal applications. Many people, including many lawyers, use online or “cloud” email services such as Gmail, Outlook, Yahoo, or Hotmail. Inevitably, confidential information or private matters will come up in emails sent or received over such services. Many users of cloud email believe those emails are private – but is that really so?

It is worth noting how email works, as many are unaware of how the Internet handles the information put into an email. When one composes and sends an email, several copies of the message end up being created and stored at various locations. A copy, of course, resides on the sender’s computer and another on the recipient’s computer. What many people do not realize is that a copy remains on the sender’s Internet Service Provider’s (ISP) server. Additionally, a copy remains on the recipient’s Internet Service Provider’s (ISP) server. If you are using a cloud email service, a copy is also retained on the cloud service provider’s servers as well. Deleting an email from your inbox does not remove that email from other servers or computers.

How can we be free when our every movement is tracked and every conversation is recorded and can easily be held against us?

— Tom Green

Legal Protections for Cloud Email

Tom Green raises a valid question. Most people believe and expect that privacy laws protect their email. The Supreme Court created a two-part test to determine whether the Fourth Amendment applies to a search: 1) whether an actual (subjective) expectation of privacy exists; and 2) whether society is prepared to recognize that expectation as reasonable.  See United States v. Jacobsen, 466 U.S. 109, 113, 104 S. Ct. 1652, 80 L. Ed. 2d 85 (1984); Katz v. United States, 389 U.S. 347, 361 (1967) (Harlan, J., concurring); see also California v. Ciraolo, 476 U.S. 207, 211, 106 S. Ct. 1809, 90 L. Ed. 2d 210 (1986) (citing Smith v. Maryland, 442 U.S. 735, 740, 99 S. Ct. 2577, 61 L. Ed. 2d 220 (1979))..

Seems pretty straight forward, right? Well, not so much. It is true that 18 U.S.C. § 2701 prohibits unauthorized access to certain electronic communications and 18 U.S.C § 2702 places restrictions on a service provider’s disclosure of certain communications. However, 18 U.S.C. § 2703 permits a “governmental entity” to compel a service provider to disclose the contents of communications in certain circumstances.

For emails “in electronic storage” with an electronic communication service for 180 days or less, 18 U.S.C. § 2703(a) permits government access “only pursuant to a warrant.” For electronic communications stored for 180 days or more on a remote or “cloud” computing service, however, 18 U.S.C. § 2703 permits the government to: (1) get a warrant from the court; (2) issue an administrative subpoena; or (3) obtain a court order.

“The Stored Communications Act (S.C.A.), 18 U.S.C. §§ 2701 et seq., the government to compel a service provider to disclose the contents of [electronic] communications in certain circumstances.” United States v. Warshak, 631 F.3d 266, 282 (6th Cir. 2010)

The S.C.A. begs the question whether one who sends an email via cloud services or any service for that matter has an actual or reasonable expectation of privacy. Email by its very nature passes through several servers and remains on several computers. Sending or receiving email through a cloud-based service compounds the problem by adding another layer of storage servers to the mix. Because of this, governments and other interested parties have argued that the expectation of privacy for email is lower than for other forms of communication, or even unreasonable altogether.

Generally, a prosecutor, or plaintiff’s lawyer in a civil matter, has the power to issue a subpoena with very little judicial oversight. A self-representing party has the same power. As a result, issuing a subpoena for one’s emails is very simple. Of course, the facts of each case vary, and you should consult a competent attorney to see what your legal options are.

Legal Protections for Emails Sent from Private Domains

Okay, but what if you are using an ISP provided email like johnsmith@ISP.com? Using an ISP provided email has the virtue of removing a cloud-based service’s servers from the discussion. Copies of the email, however, are still retained on the ISP’s servers and on the receiving end. Law enforcement may need a warrant to legally access one’s private computer and local copies of the emails sent from it. However, it is much easier for the government to get an ISP to turn over subscriber emails. Just as with cloud-based services, your emails lose their status as a protected communication after 180 days storage on the ISP servers and require only a mere subpoena to obtain. Moreover, ISPs increasingly force users to sign End-User Service Agreements that reduce any user expectation of privacy. These agreements often require the user to consent to the ISP monitoring of network traffic or to permit the ISP to turn over records at the request of any government agency.

The same is true if you own a website and use a private email server. Let’s say one puts up a site called mysite.com. As part of the hosting package, the site owner gets access to a branded a POP (Post Office Protocol) or IMAP (Internet Message Access Protocol) incoming server and an SMTP (Simple Mail Transfer Protocol) outgoing server. You are secure, right? Yes and no.

You are certainly more secure than using an ISP provided email and far more secure than if you use a cloud-based service. However, you still have the problem that your email will be resident on multiple computers and your host company’s servers. In most cases, the server on which your “private” email servers reside host several other sites on the same computer. In such cases, it is likely that an email loses its status as a protected communication in 180 days and would, again, require only a mere subpoena to obtain.

Moreover, like ISPs, Webhosting providers increasingly require users to sign End-User Service Agreements that reduce any user expectation of privacy. These agreements often require the user to consent to the host provider monitoring of network traffic or to permit the hosting provider to turn over records at the request of any government agency.

If you have private, dedicated Webhosting (no other sites but yours resides on the webserver), you may have a stronger case for “reasonable expectation of privacy.” Such hosting, however, costs on average, ten to twenty (10 to 20) times as much for the hosting service.

Legal Protections for Work Emails

Most people know that an employee has no reasonable expectation of privacy in emails sent or received on an employer computer or through an employer’s local network. This is likely to be true even whether there is a formal policy about email or not. The reason for this, beyond the obvious need to maintain productivity, is liability. In today’s business environment, harassment lawsuits are increasingly common, and businesses are wise to monitor communications to prevent harassment. Increasingly, companies are deploying software to identify problematic emails.

Beyond harassment concerns, stored emails can be crucial evidence in lawsuits filed years after the emails in question were sent. Many companies do not have established, reasonable practices of purging old emails. Old emails are a veritable gold mine for plaintiffs suing the company. Many employees write informally in emails and write things they would never put in formal, professional correspondence.

The caveats for private sector actors are even more true for public sector employees. State-level public records acts and the federal Freedom of Information Act (FOIA) grant the public access to almost any document that a government employee creates. FOILable records can include emails that are part of the governing or decision-making process. Courts typically find that government employees never have a reasonable right to privacy in their work communications.

So How Does One Keep Email Private?

There is only one way to keep mails confidential – encryption. Encryption scrambles email into gibberish, and only someone with the correct digital “key” can read them. OpenPGP and S/MIME remain the most popular email encryption protocols. User desires for speed and convenience issues mean few people use encryption, and most email remains unencrypted and unsecured.

A law professor of mine who once said, “write emails as if they were going to be read in open court.” If encryption is impractical or impossible, then be circumspect when composing an email. Do not say anything that would not be appropriate to say in a public setting. Bear in mind that even deleted emails will be available for years from various sources.

To preserve a reasonable expectation to privacy, avoid cloud-based services for anything sensitive. Never send emails from a computer or email client that is not password-protected. Set up password protection on your own machines and do not send emails from public computers at all.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s