Whether your e-mail communications are secure depends on what you mean by security. In general, sending and receiving e-mail is about as secure as using a mobile phone. Listening in is possible, but it is also fairly unlikely.

Of greater concern, given the government’s propensity in recent years to snoop around in everything—without a warrant, if possible—is the ease with which it can obtain information stored on internet servers.

The Stored Communications Act

The Stored Communications Act, passed in 1986, says that the government may obtain any e-mail stored on a server for longer than 180 days by court order or administrative subpoena without showing probable cause. Back in 1986, e-mail left on a server for 180 was probably abandoned and unwanted. Now, nearly everyone leaves e-mail on a server for much longer. The law is quite obviously outdated.

Google, Microsoft, and others with a vested interest in cloud security are leading a campaign to repeal the Stored Communications Act, but it remains in place for now.

Government (over)reaching

Under 180 days, the government is supposed to show probable cause and get a search warrant, but it does not want to. This is the subject of intense litigation in Colorado, where Yahoo is challenging a court order for it to release e-mail under 180 days old.

So how secure is e-mail? Gmail tells me I have “hundreds” of messages older than 180 days, which the government could apparently obtain from Google with a simple administrative subpoena. Even though I doubt the government wants my e-mail, that is a major cause for concern.


Cloud software like Gmail and e-mail protocols like IMAP make it easy to access your e-mail from any computer. They are also, unfortunately, subject to the Stored Communications Act. The language of the Stored Communications Act is so broad that it seems to apply to any e-mail server (including Exchange servers), whether it is in your office or Google’s data center.

The only technological alternative I can think of is to use POP to download all your e-mail to your computer, instead of leaving it on the server. This means, of course, that you could only access your e-mail on the computer to which you downloaded it, and it would be difficult, if not impossible, to share your e-mail with co-workers. And imagine re-assembling communications related to a file when you cannot do it centrally. This is a terrible alternative for anyone but a solo practitioner with a laptop he or she takes everywhere, including on vacation.

If that sounds as unworkable to you as it does to me, call your representatives in Congress and ask them to repeal the Stored Communications Act.

Yahoo, Feds Battle Over E-Mail Privacy | Wired Threat Level

(photo: squacco)