E-Mail Privacy: Myth and Illusion

The questions raised by many users are part of a growing consciousness and concern about e-mail privacy. The average individual, who uses e-mail, naively believes that their e-mail is private and secure. They believe that the use of their password will keep their e-mail messages secure. They are mistaken.

Who’s reading your email?

E-mail is as private as sending a message on a postcard and is notoriously unprivate. When an e-mail message is sent, it travels from the originating host computer to the destination and often passes through several relaying hosts. Every e-mail system has administrators who have unlimited access to all mail messages sent from, to, and through that system. It's possible to design a system that doesn't have this feature, but there aren't many. In fact, when you send an email message across the Internet, it often hops from server to server several times before it reaches its destination. As a result, it can be read by system administrators (sysadmins) all over the world.

This isn't necessarily a bad thing. If a message is incorrectly addressed, the sysadmin can open it up and determine who should get it. If messages get garbled, the sysadmin may be able to restore them. If you forget your password, the sysadmin can do a "reset" and give you a new one. A system administrator with any sense of ethics -- or even one who's reasonably busy -- won't routinely read other people's mail. But it's not a safe assumption that all sysadmins are too honest or too overworked to snoop.

Similarly, if the mail bounces because it can't reach the addressee, a copy of the message is often sent to the postmaster of the originating system who can read the e-mail addresses of the sender and the addressee and the contents of the mail.

Email in the workplace

The privacy problem extends beyond nosy sysadmins. The technology needed to automatically screen large volumes of email is widely available. Sometimes, as a matter of company policy, businesses routinely screen employees' email. Many government agencies can readily monitor vast quantities of email, automatically searching for key words.

Having said that, I think it should be made clear that in the United States the Electronic Communications Privacy Act (ECPA) of 1986 makes it illegal to intercept electronic messages sent over public systems (for example, America Online or MCI Mail) without a search warrant. The law, however, does not address the privacy rights of employees whose e-mail accounts are provided by their employers. Even in states like California, where citizens have a constitutional right to privacy, the rules aren't clear. That leaves the legal ball in the court of the company policy - which means essentially that your boss can read, copy and keep every message you send.

As for the workplace, since there's no strong legislation that specifically addresses electronic privacy concerns, it's not surprising that the courts have overwhelmingly supported employers in cases of workplace monitoring.

Probably the best-known case involving e-mail privacy is Flanagan et al. vs. Epson America, Inc. In this case, Alana Shoars, an Epson employee, arriving for work one day discovered her supervisor reading and printing out e-mail messages between other employees. She says she was told by the same manager that all messages on the system were private. She questioned the practice and said she was told to mind her own business. A day later she was fired for insubordination. She filed a $1M wrongful-termination suit. Shoars filed a class-action suit on behalf of herself and other employees, claiming invasion of privacy (under California's constitution and a wiretapping statute). The state court ruled against Shoars on the grounds that email was not covered by California's wiretapping statute and that the right to privacy guaranteed by the state constitution covered personal but not business information. (Incidentally, Shoars also lost her wrongful-termination suit, which she filed after being fired from Epson.)

In another high-profile case, Eugene Wang, a former Borland International vice president, was accused of disclosing confidential corporate information in email messages sent to Symantec CEO Gordon Eubanks shortly before Wang left Borland to go work for Symantec (a Borland rival). Borland executives discovered the messages and filed suit against Wang, Eubanks, and Symantec; a California grand jury also issued criminal indictments against both executives. Although the incident took place in 1993, the case still has not been resolved.

In a case decided earlier this year, Michael A. Smyth vs. The Pillsbury Company, executives at Pillsbury fired a manager after finding a printout of an email message in which the manager referred to several of his supervisors as "backstabbing b*****ds." A U.S. District Court in Pennsylvania upheld the company's right to subsequently read all the manager's e-mail. The court ruled: "We do not find a reasonable expectation of privacy in email communications voluntarily made by an employee to his supervisor over the company email system notwithstanding any assurances that such communications would not be intercepted by management...Moreover, the company's interest in preventing inappropriate and unprofessional comments or even illegal activity over its email system outweighs any privacy interest the employee may have." Notably, the court differentiated searching through an employee's email account from an invasion of an individual's person, personal information, or personal effects.

Your own worst enemy?

Perhaps even more common and troublesome than active snooping is human error.

Here are some of the things that can happen:

• You accidentally send your note to the person about whom you wrote unflattering things in the message. (Don't laugh, I've seen it happen.)
• The person who received your note forwards it to the person about whom you wrote unflattering things. (I've seen this one too.)
• You accidentally send your message to every member of the mailing list, rather than a private recipient. (Be careful when using the "reply" feature in response to mailing list messages.)
• You mass mail a message to everyone on your mailing list, therefore exposing every one of their e-mail addresses to every recipient of the message.
• You save your racy email messages in a text file on your computer. Then, unthinking, you publish your computer to the network as a server, or share the folder with the network. Any network cruiser who cares can now find out exactly what kind of underwear you think is sexy. (Again, I'm not making this up. Users of Kazaa and other P2P programs have discovered this to their dismay.)

What can you, as an individual, do to protect yourself from email invasion of privacy?

• Understand how your email system and network are set up, and just who can see what
• Use common sense. Do not send confidential or personal information via email.
• Delete mail as you read it. It's not a foolproof solution, but deleting messages after you've read or sent them at least makes them harder to access. Be sure to check the preferences in your email program and choose any option that allows you to delete mail from a central server.
• Use a separate account for personal or confidential messages, preferably one with an Internet Service Provider (ISP) on your home computer.
• Ask your employer about their policies regarding privacy issues.
• Encrypt confidential messages. The most secure way to keep your email private is to encrypt confidential messages. Encryption allows you to translate a message or file into code that the recipient then decodes. The most popular encryption program is called Pretty Good Privacy, created by Philip Zimmermann. The problem with that is that most companies ban its use on their e-mail systems (for obvious reasons) and it’s like a red flag.

When it comes to e-mail privacy I tell most questioners that the best thing is to pay heed to my grandmother's advice: Never put anything in writing that you wouldn't mind seeing on the front page of the New York Times.

David Tschanz is a medical/military historian currently based in Saudi Arabia. He is also an epidemiologist, web developer, computer systems engineer, editor and demographer. You may contact him by sending your emails to: Desertwriter1121@yahoo.com.