Email privacy

Email privacy is a broad topic dealing with issues of unauthorized access to, and inspection of, electronic mail, or unauthorized tracking when a user reads an email. This unauthorized access can happen while an email is in transit, as well as when it is stored on email servers or on a user's computer, or when the user reads the message. In countries with a constitutional guarantee of the secrecy of correspondence, whether email can be equated with letters—therefore having legal protection from all forms of eavesdropping—is disputed because of the very nature of email.

In 2022, a lookback at an 1890 law review article about personal privacy (the "right to be left alone”) noted how "digital technology has been allowed to invade our lives" both by personal choice and behavior, and also by various forms of ongoing monitoring.

An email has to go through potentially untrustworthy intermediate computers (email servers, ISPs) before reaching its destination, and there is no way to verify if it was accessed by an unauthorized entity. Through the process of information being sent from the user's computer to the email service provider, data acquisition is taking place, most of the time without the user knowing. There are certain data collection methods (routers) that are used for data privacy concerns, but there are others that can be harmful to the user. This is different from a letter sealed in an envelope, where, by close inspection of the envelope, it might be possible to determine if it had been previously opened. In that sense, an email is much like a postcard, the contents of which are visible to anyone who handles it.

There are certain technological workarounds that make unauthorized access to email difficult, if not impossible. However, since email messages frequently cross national boundaries, and different countries have different rules and regulations governing who can access an email, email privacy is a complicated issue.

Companies may have email policies requiring employees to refrain from sending proprietary information and company classified information through personal emails or sometimes even work emails. Co-workers are restricted from sending private information such as company reports, slide show presentations with confidential information, or email memos.

In 2004, consumer privacy advocates and civil rights organizations urged Google to suspend Gmail over privacy rights concerns. The 31 organizations signed a letter calling upon Google to be more transparent about its information handling practices regarding data retention and sharing within its business units. They voiced concerns about Google’s plan to scan the text of all incoming messages with the information to be used for ad placement. They noted specific concerns regarding the scanning confidential email for inserting third party ad content, which violates the implicit trust of email service providers, possibly establishing a dangerous precedent.

Technological workarounds
There are some technical workarounds to ensure better privacy of email communication. Although it is possible to secure the content of the communication between emails, protecting the metadata, for instance who sent email to whom, is fundamentally difficult. Even though certain technological measures exist, the widespread adoption is another issue because of reduced usability.

Encryption
According to Hilarie Orman, mail encryption was first developed in the mid-1980s. She states that mail encryption is a powerful tool that protects one's email privacy. Although it is widely available, it is rarely used, with the majority of email sent at risk of being read by third parties. In general, encryption provides protection against malicious entities. However, a court order might force the responsible parties to hand over decryption keys, with a notable example being Lavabit. Encryption can be performed at different levels of the email protocol.

Transport level encryption
With the original design of email protocol, the communication between email servers was plain text, which posed a huge security risk. Over the years, various mechanisms have been proposed to encrypt the communication between email servers. One of the most commonly used extension is STARTTLS. It is a TLS (SSL) layer over the plaintext communication, allowing email servers to upgrade their plaintext communication to encrypted communication. Assuming that the email servers on both the sender and the recipient side support encrypted communication, an eavesdropper snooping on the communication between the mail servers cannot see the email contents. Similar extensions exist for the communication between an email client and the email server.

End to end encryption
In end-to-end encryption, the data is encrypted and decrypted only at the end points. In other words, an email sent with end-to-end encryption would be encrypted at the source, unreadable to email service providers in transit, and then decrypted at its endpoint. Crucially, the email would only be decrypted for the end user on their computer and would remain in the encrypted, unreadable form to an email service, which would not have the keys available to decrypt it. Some email services integrate end-to-end encryption automatically.

OpenPGP is a data encryption standard that allows end-users to encrypt the email contents. There are various software and email-client plugins that allow users to encrypt the message using the recipient's public key before sending it. At its core, OpenPGP uses a Public Key Cryptography scheme where each email address is associated with a public/private key pair.

OpenPGP provides a way for the end users to encrypt the email without any support from the server and be sure that only the intended recipient can read it. However, there are usability issues with OpenPGP — it requires users to set up public/private key pairs and make the public keys available widely. Also, it protects only the content of the email, and not metadata — an untrusted party can still observe who sent an email to whom. A general downside of end-to-end encryption schemes—where the server does not have decryption keys—is that it makes server side search almost impossible, thus impacting usability.

Architectural impact
The architecture of the system also affects the privacy guarantees and potential venues for information leakage. The email protocol was originally designed for email clients — programs that periodically download email from a server and store it on the user's computer. However, in recent years, webmail usage has increased due to the simplicity of usage and no need for the end users to install a program. Secure messaging is in use where an entity (hospitals, banks, etc.) wishes to control the dissemination of sensitive information. Secure messaging functions similarly to webmail, in that the user must log on to a website—operated by the company or entity in question—to read received messages.

With both secure messaging and webmail, all email data is stored on the email provider's servers and thus subject to unauthorized access, or access by government agencies. However, in the case of email clients, it is possible to configure the client such that the client downloads a copy of the message as it arrives, which is deleted from the server. Although there is no way to guarantee whether a server has deleted its copy of an email, it still provides protection against situations where a benign email server operator is served with a court order.

Other workarounds
Although encryption provides for a way to protect the contents of the message, it still fails to protect the metadata. Theoretically, mix networks can be used to protect the anonymity of communication (who contacted whom).

Another workaround that has been used is to save a message as a draft in a webmail system, and share the webmail login credentials with an intended recipient. As an example of a dead drop, this method defeats any kind of monitoring based on the actual email sent. However, this method infamously failed to protect the privacy of the participants in the Petraeus scandal; after coming under investigation for unrelated activities, communication between the parties was accessed by the FBI.

Protection under the United States constitution
The Fourth Amendment to the United States Constitution provides that “[T]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated.” This Amendment guarantees the privacy, dignity, and security of persons against certain arbitrary and invasive acts by officers of the government or those acting at their direction. The Fourth Amendment is often invoked to protect individual privacy rights against government activities.

In the case of employer emails, although the words “the people” may appear to be broad and to include any employee, this amendment (or any other part of the United States constitution) has not been interpreted to protect the privacy interest of private-sector employees. By contrast, public-sector employees of federal, state, and local governments usually have privacy protection under the United States Constitution.

The protection under the fourth Amendment is not unlimited. For example, in O'Connor v. Ortega, the officials at a State Hospital, after placing Dr. Magno Ortega on administrative leave pending an investigation into possible workplace improprieties, searched his office. Dr. Ortega filed an action against the hospital alleging that the search violated his Fourth Amendment rights. The district court found that the search was proper, but on appeal the circuit court found that the search did violate Dr. Ortega's Fourth Amendment rights. The Supreme Court disagreed with both the lower courts. The Court's decision was based on consideration of two factors (i) whether Dr. Ortega had a reasonable expectation of privacy, and (ii) whether the search of Dr. Ortega's office was reasonable. The Court held that because Dr. Ortega had a private office, he had a reasonable expectation of privacy. However, the Court also found the search of his office to be reasonable because it was work-related. It considered the government's need to ensure efficient operation of the workplace as outweighing an employee's expectation of privacy, even if the privacy expectation is reasonable. Since work environments vary, a public-sector employee's expectation of privacy must be determined on a case-by-case basis. Factors the Court considered included (i) notice to employees, (ii) exclusive possession by an employee of keys to a desk or file cabinet, (iii) the government's need for access to documents, and (iv) the government's need to protect records and property.

In view of the Ortega decision, the extent of constitutional protection with respect to emails is unclear. Unlike a locked desk or file cabinet, emails are not locked; the employer has access to all messages on the system. Thus, it may be argued that with respect to email, the public-sector employee's legitimate expectations of privacy are diminished.

In some cases, the US constitutional protection can also extend to private-sector employees. This is possible when a private-sector employee can demonstrate "involved sufficient government action".

Protection under state constitutions
State constitutions in at least 10 states (Alaska, Arizona, California, Florida, Hawaii, Illinois, Louisiana, Montana, South Carolina and Washington) grant individuals an explicit right to privacy. The privacy protections afforded by some of these states mirrors the Fourth Amendment of the US Constitution but often add more specific references to privacy. Further, general constitutional provisions in other states have also been interpreted by courts to have established privacy rights of various types. Like the rights under the US constitution, the privacy rights under state constitutions also usually extend to protection from the actions of state governments, not private organizations.

In 1972, California amended Article I, Section 1 of its state constitution to include privacy protections. A California appellate court then held that the state's right of privacy applied to both public and private sector interests. Further, in Soroka v. Dayton Hudson Corp., the California Court of Appeals reaffirmed this view and held that an employer may not invade the privacy of its employees absent a "compelling interest".

In August 2014, Missouri became the first state to provide explicit constitutional (art. I, § 15) protection from unreasonable searches and seizures for electronic communications or data, such as that found on cell phones and other electronic devices.

Federal statutes
The real-time interception of the contents of electronic communication is prohibited under the wiretap act, while the Pen Register Act provides protection from the interception of the non-content part of the electronic communication. The "From" and "To" fields along with the IP address of the sender/receiver have been considered as non-content information, while the subject has been considered as part of the content.

Unlike the European Union, which provides the General Data Protection Regulation (GDPR), the United States lacks an overall data privacy protection law.

Once the email is stored on a computer (email server/user computer), it is protected from unauthorized access under the Stored Communications Act (Title II of Electronic Communications Privacy Act).

After 180 days in the US, email messages stored on a third party server lose their status as a protected communication under the Electronic Communications Privacy Act, and become just another database record. After this time has passed, a government agency needs only a subpoena—instead of a warrant—in order to access email from a provider. However, if the emails are stored on a user's personal computer instead of a server, then that would require the police to obtain a warrant first to seize the contents. This has been criticized to be an obsolete law; at the time this law was written, extremely high-capacity storage on webmail servers was not available. In 2013, members of the US Congress proposed to reform this procedure.

An exception to these laws, however, is for email service providers. Under the provider exception, the laws do not apply to "the person or entity providing a wire or electronic communications service." This exception, for example, allows various free of charge email providers (Gmail, Yahoo Mail, etc.) to process user emails to display contextual advertising.

Another implication of the provider exception is access by employers. Email sent by employees through their employer's equipment has no expectation of privacy, as the employer may monitor all communications through their equipment. According to a 2005 survey by the American Management Association, about 55% of US employers monitor and read their employees' email. Attorney–client privilege is not guaranteed through an employer's email system, with US courts rendering contradictory verdicts on this issue. Generally speaking, the factors courts use to determine whether companies can monitor and read personal emails in the workplace include: (i) the use of a company email account versus a personal email account and (ii) the presence of a clear company policy notifying employees that they should have no expectation of privacy when sending or reading emails at work, using company equipment, or when accessing personal accounts at work or on work equipment.

State statutes
Privacy protections of electronic communications vary from state to state. Most states address these issues through either wiretapping legislation or electronic monitoring legislation or both.

Unlike the EPCA, most state statutes do not explicitly cover email communications. In these states a plaintiff may argue that the courts should interpret these statutes to extend protection to email communications. A plaintiff can argue that the wiretapping statutes reflect the general intent of the legislature to protect the privacy of all communications that travel across the telephone line (including emails). Further, the plaintiff may argue that email communications may be analogized to telegraphic communications, which are explicitly protected under most state statutes.

Generally, such efforts are not effective in protecting email privacy. For example, in Shoars vs. Epson America, Inc. case (Cal. Sup. Ct. filed July 30, 1990) a California superior court refused to find employee email privacy protection in California's criminal code. California Penal Code Section 631 prohibits wire-tapping without the consent of all parties involved, adding that a person may not "read or attempt to read, learn the contents or meaning of any message, report, or communication while the same is in tran- sit or passing over any such wire, line, or cable, or is being sent from, or received at any place within the state." The court dismissed the lawsuit, ruling that Section 631 did not apply since the legislation did not specifically refer to email communication.

State common law protection
The protection of email privacy under the state common law is evolving through state court decisions. Under the common law the email privacy is protected under the tort of invasion of privacy and the causes of action related to this tort. Four distinct torts protect the right of privacy. These are (i) unreasonable intrusion upon the seclusion of another, (ii) misappropriation of others name and likeliness; (iii) unreasonable publicity given to another's private life and (iv) publicity that unreasonably places another in a false light before the public. Of these the tort of "unreasonable intrusion upon the seclusion of another" is most relevant to the protection of email privacy. "Unreasonable intrusion upon seclusion of another" states that the invasion was intended to be private and the invasion was offensive to an individual.

European Union
The fifty-five article long Charter of Fundamental Rights of the European Union grants certain fundamental rights such as "right to be left alone" and "respect for private life" to both the European Union citizens and the residents. According to article 7 of the charter, everyone has the right to respect for his or her private and family life, home, and communications. The charter came into full legal effect when the Lisbon Treaty was signed on 1 December 2009.

The individual member states cannot enforce local laws that are contradictory to what they have already agreed upon as a European Union member. It was established in Costa v ENEL that the European Union law is placed above the laws of its individual member states.

Email at work
Most employers make employees sign an agreement that grants the right to monitor their email and computer usage. Signing this agreement normally deprives an employee of any reasonable expectation of privacy which means that employer can legally search through employee emails. Even without an agreement, courts have rarely found that the employee had a reasonable expectation of privacy to their email at work for a variety of reasons. For example, one court held that emails used in a business context are simply a part of the office environment, the same as a fax or copy machine, in which one does not have a reasonable expectation of privacy. Another court found that by corresponding with other people at work, work email was inherently work-related, and thus there could be no reasonable expectation of privacy. Employers usually do not have very many obstacles preventing them from searching employee emails. Employers may take the position that employees are sending communications from their equipment that could affect their business; this is usually considered to be a sufficient justification to search through employee emails. Employers may also monitor work emails to ensure the email system is being used appropriately for work purposes. Furthermore, as workplace harassment lawsuits are prevalent, one way for employers to protect themselves from liability is to monitor and attempt to prevent any harassment in the first place. Many employers run software that searches for offensive words and highlights problematic emails. The other main concern with liability is that old emails may be used against the employer in a lawsuit. Many employers consider the monitoring of emails to be a right, as well as a necessity, because they take ownership of the resources. The justifications that employers use to reason their monitoring appears to be legal, like preventing misuse of resources that they own.

Beyond the lack of privacy for employee email in a work setting, there is the concern that a company's proprietary information, patents, and documents could be leaked, intentionally or unintentionally. This concern is seen in for-profit businesses, non-profit firms, government agencies, and other sorts of start-ups and community organizations. Firms usually ask employees or interns to not send work-related material to personal emails or through social media accounts, for example. Even within the firm's email network and circle of connections, important information could still be leaked or stolen by competitors. In order to remedy this, many firms hold training sessions for employees that go over common unethical practices, what employees should do in order to share files/send emails, and how employees can report incidences where company information is in jeopardy. This way of training employees enables employees to understand email privacy and know what type of information can be shared and what documents and information cannot be shared with others. The information privacy agreement that states an employee cannot send proprietary information to others applies not just to people outside the firm but also other employees in the firm. Most firms, for example, do not allow employees to exchange slide show presentations or slide decks that contain proprietary information through personal emails.

Government employees and email
Government employees have further reduced privacy than the private sector employees. Under various public records acts and the Freedom of Information Act (FOIA), the public can gain access to almost anything a government employee writes down. Government employees may also have their personal emails subject to disclosure if the email pertains to government business. Due to the nature of their job, courts are typically unwilling to find that government employees had a reasonable right to privacy in the first place.

Email from home/personal accounts
Unlike work emails, personal email from one's personal email account and computer is more likely to be protected as there is a much more reasonable expectation of privacy, but even personal emails may not be fully protected. Because emails are stored locally, at the ISP, and on the receiving end, there are multiple points at which security breakers or law enforcement can gain access to them. While it may be difficult for law enforcement to legally gain access to an individual's personal computer, they may be able to gain access to the person's emails easily from the ISP.

ISPs are also increasingly creating End User Service Agreements that users must agree to abide by. These agreements reduce any expectation of privacy, and often include terms that grant the ISP the right to monitor the network traffic or turn over records at the request of a government agency.

Mental Healthcare
Mental healthcare professionals frequently use email for scheduling appointments and delivering treatments, offering benefits such as permanence and spontaneity compared to oral conversations. However, communicating Protected Health Information (PHI) via email poses risks due to vulnerabilities in email systems and the potential for unintended breaches. Providers have less control over third-party email systems, increasing the likelihood of confidentiality breaches through human error, malicious acts, or phishing attacks.

Global surveillance
From the documents leaked by ex-NSA contractor Edward Snowden, it became well known that various governments have been running programs to tap all kinds of communication at massive scales, including email. While the legality of this is still under question, it is clear that the email of citizens with no ties to a terrorist organization have been intercepted and stored. Whistleblower and former National Security Agency (NSA) employee William Binney has reported that the NSA has collected over 20 trillion communications via interception, including many email communications, representing one aspect of the NSA warrantless surveillance controversy.

A lawsuit filed by the American Civil Liberties Union and other organizations alleges that Verizon illegally gave the US government unrestricted access to its entire Internet traffic without a warrant and that AT&T had a similar arrangement with the National Security Agency. While the FBI and NSA maintain that all their activities were and are legal, Congress passed the FISA Amendments Act of 2008 (FAA) granting AT&T and Verizon immunity from prosecution.

Spy pixels
Spy pixels, which report private details (IP address, time of reading the email, event of reading the email) to the sender of the email without the recipient's conscious approval to send the information, were described as "endemic" in February 2021. The "Hey" email service, contacted by BBC News, estimated that it blocked spy pixels in about 600,000 out of 1,000,000 messages per day.