Whether your e-mail communications are secure depends on what you mean by security. In general, sending and receiving e-mail is about as secure as using a mobile phone. Listening in is possible, but it is also fairly unlikely.

Of greater concern, given the government’s propensity in recent years to snoop around in everything—without a warrant, if possible—is the ease with which it can obtain information stored on internet servers.

The Stored Communications Act

The Stored Communications Act, passed in 1986, says that the government may obtain any e-mail stored on a server for longer than 180 days by court order or administrative subpoena without showing probable cause. Back in 1986, e-mail left on a server for 180 was probably abandoned and unwanted. Now, nearly everyone leaves e-mail on a server for much longer. The law is quite obviously outdated.

Google, Microsoft, and others with a vested interest in cloud security are leading a campaign to repeal the Stored Communications Act, but it remains in place for now.

Government (over)reaching

Under 180 days, the government is supposed to show probable cause and get a search warrant, but it does not want to. This is the subject of intense litigation in Colorado, where Yahoo is challenging a court order for it to release e-mail under 180 days old.

So how secure is e-mail? Gmail tells me I have “hundreds” of messages older than 180 days, which the government could apparently obtain from Google with a simple administrative subpoena. Even though I doubt the government wants my e-mail, that is a major cause for concern.


Cloud software like Gmail and e-mail protocols like IMAP make it easy to access your e-mail from any computer. They are also, unfortunately, subject to the Stored Communications Act. The language of the Stored Communications Act is so broad that it seems to apply to any e-mail server (including Exchange servers), whether it is in your office or Google’s data center.

The only technological alternative I can think of is to use POP to download all your e-mail to your computer, instead of leaving it on the server. This means, of course, that you could only access your e-mail on the computer to which you downloaded it, and it would be difficult, if not impossible, to share your e-mail with co-workers. And imagine re-assembling communications related to a file when you cannot do it centrally. This is a terrible alternative for anyone but a solo practitioner with a laptop he or she takes everywhere, including on vacation.

If that sounds as unworkable to you as it does to me, call your representatives in Congress and ask them to repeal the Stored Communications Act.

Yahoo, Feds Battle Over E-Mail Privacy | Wired Threat Level

(photo: squacco)


  1. Josh Camson says:

    This issue, in a different form, is also under debate in the Third Circuit. In the Matter of the Application of the United States of America for an Order Directing a Provider of Electronic Communication Service to Disclose Records to the Government, the Third Circuit is looking at what level of proof the government must present to access cell site location data. I’m not positive, but I’m pretty sure that the government was utilizing the 180 day clause in the Stored Communications Act in that case as well, thus alleging that they did not need to show probable cause.

  2. Chris Bumgarner says:

    I would not consider using POP any more secure than IMAP from the standpoint of the SCA. First, POP and IMAP control how email is retrieved, not how it’s sent. Switching to POP won’t change the status of your or anyone else’s “outbox”. Those emails will still be there, either in your own or someone else’s “sent items” folder. Second, using a POP server may not truly “delete” the email that you download. It probably just archives it–making it unavailable to you but available to your ISP. Not to mention the ISP back-up habits could make that email available for a long time. I don’t think using POP will help.

  3. Sam Glover says:

    It depends on how you use POP, of course, but the default for most e-mail software (Outlook, Thunderbird) is to download e-mail to your own computer, where the SCA does not apply.

    If you are using Outlook with a Gmail account and POP, you are right that you are leaving an archived copy of your e-mail on the server. This is not true with most “generic” e-mail providers, though, as far as I can tell.

  4. Anonymous Poster says:

    Sam, you ought to reread Chris’s post. He’s saying that regardless of POP, many ISPs are going to retain a copy of the emails. And since those copies are still on the remote server, they’re still subject to SCA.

  5. Sam Glover says:

    I read it correctly; I think Chris is wrong. ISPs do keep backups, but not usually for 180 days. Internet mail providers like Google, Yahoo, and Live may archive downloaded e-mails, but regular ISPs do not.

  6. Rohan KApur says:

    Easy solution, configure your server to automatically download all emails 179 days old to a local backup and delete all server copies.

  7. James A. says:

    The fact of the matter is that once the content (email, file, whatever) leaves your computer, it’s at the mercy of whoever touches it. A provider may archive all messages even after ‘deletion’, may scan and flag based on key words, an employee with access may be snooping regardless of policy, etc.

    The only way to use a communication medium, whatever it may be, privately is to encrypt locally and then transfer. E.g. public/private key encryption, which is difficult, but strong:


    Or, ‘grade’ your message’s sensitivity, and use an online tool like PointMX to send those things that need to be private end-to-end:

    If you’re an enterprise, of course, and can afford to pay for a policy encryption server then you have a pretty good assurance of security.

Leave a Reply