Email privacy
Email privacy
In 2022,[1] a lookback at an 1890 law review article about personal privacy (the "right to be left alone”)[3] noted how "digital technology has been allowed to invade our lives" both by personal choice and behavior, and also by various forms of ongoing monitoring.[4]
An email has to go through potentially untrustworthy intermediate computers (email servers,
There are certain technological workarounds that make unauthorized access to email difficult, if not impossible. However, since email messages frequently cross national boundaries, and different countries have different rules and regulations governing who can access an email, email privacy is a complicated issue.
Companies may have email policies requiring employees to refrain from sending proprietary information and company classified information through personal emails or sometimes even work emails.[7] Co-workers are restricted from sending private information such as company reports, slide show presentations with confidential information, or email memos.[8] [9]
In 2004, consumer privacy advocates and civil rights organizations urged Google to suspend Gmail over privacy rights concerns.[10] The 31 organizations signed a letter calling upon Google to be more transparent about its information handling practices regarding data retention and sharing within its business units. They voiced concerns about Google’s plan to scan the text of all incoming messages with the information to be used for ad placement. They noted specific concerns regarding the scanning confidential email for inserting third party ad content, which violates the implicit trust of email service providers, possibly establishing a dangerous precedent.[11]
Technological workarounds
There are some technical workarounds to ensure better privacy of email communication. Although it is possible to secure the content of the communication between emails, protecting the metadata, for instance who sent email to whom, is fundamentally difficult.[12] Even though certain technological measures exist, the widespread adoption is another issue because of reduced usability.
Encryption
According to Hilarie Orman, mail encryption was first developed in the mid-1980s.[13] She states that mail encryption is a powerful tool that protects one's email privacy.[13] Although it is widely available, it is rarely used, with the majority of email sent at risk of being read by third parties.[13] In general, encryption provides protection against malicious entities. However, a court order might force the responsible parties to hand over decryption keys, with a notable example being Lavabit.[14] Encryption can be performed at different levels of the email protocol.
Transport level encryption
With the original design of
End to end encryption
In end-to-end encryption, the data is encrypted and decrypted only at the end points. In other words, an email sent with end-to-end encryption would be encrypted at the source, unreadable to email service providers in transit, and then decrypted at its endpoint. Crucially, the email would only be decrypted for the end user on their computer and would remain in the encrypted, unreadable form to an email service, which would not have the keys available to decrypt it.[15] Some email services integrate end-to-end encryption automatically.
OpenPGP provides a way for the end users to encrypt the email without any support from the server and be sure that only the intended recipient can read it. However, there are usability issues with OpenPGP — it requires users to set up public/private key pairs and make the public keys available widely. Also, it protects only the content of the email, and not metadata — an untrusted party can still observe who sent an email to whom. A general downside of end-to-end encryption schemes—where the server does not have decryption keys—is that it makes server side search almost impossible, thus impacting usability.
Architectural impact
The architecture of the system also affects the privacy guarantees and potential venues for information leakage. The email protocol was originally designed for email clients — programs that periodically download email from a server and store it on the user's computer. However, in recent years,[when?] webmail usage has increased due to the simplicity of usage and no need for the end users to install a program. Secure messaging is in use where an entity (hospitals, banks, etc.) wishes to control the dissemination of sensitive information. Secure messaging functions similarly to webmail, in that the user must log on to a website—operated by the company or entity in question—to read received messages.
With both secure messaging and webmail, all email data is stored on the email provider's servers and thus subject to unauthorized access, or access by government agencies. However, in the case of email clients, it is possible to configure the client such that the client downloads a copy of the message as it arrives, which is deleted from the server. Although there is no way to guarantee whether a server has deleted its copy of an email, it still provides protection against situations where a benign email server operator is served with a court order.
Other workarounds
Although encryption provides for a way to protect the contents of the message, it still fails to protect the metadata. Theoretically,
Another workaround that has been used
Attachment file metadata
Another aspect of email privacy is the privacy risk that arises from embedded file metadata in email attachments. Such metadata can divulge privacy compromising data, both to unauthorized parties that gain access to the email message, as well as to the intended recipient of the email message. This problem can be mitigated by using metadata removal software. There are solution that integrate with email clients and remove metadata from outgoing email attachments. There are also server-based solutions, that automatically remove metadata from outgoing email messages at the organization network gateway.
Legal standing
United States
Constitutional protection
Protection under the United States constitution
The Fourth Amendment to the United States Constitution provides that “[T]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated.” This Amendment guarantees the privacy, dignity, and security of persons against certain arbitrary and invasive acts by officers of the government or those acting at their direction. The Fourth Amendment is often invoked to protect individual privacy rights against government activities.
In the case of employer emails, although the words “the people” may appear to be broad and to include any employee, this amendment (or any other part of the United States constitution) has not been interpreted to protect the privacy interest of private-sector employees. By contrast, public-sector employees of federal, state, and local governments usually have privacy protection under the United States Constitution.
The protection under the fourth Amendment is not unlimited. For example, in
In view of the Ortega decision, the extent of constitutional protection with respect to emails is unclear. Unlike a locked desk or file cabinet, emails are not locked; the employer has access to all messages on the system. Thus, it may be argued that with respect to email, the public-sector employee's legitimate expectations of privacy are diminished.
In some cases, the US constitutional protection can also extend to private-sector employees. This is possible when a private-sector employee can demonstrate "involved sufficient government action".[21]
Protection under state constitutions
State constitutions in at least 10 states (Alaska, Arizona, California, Florida, Hawaii, Illinois, Louisiana, Montana, South Carolina and Washington) grant individuals an explicit right to privacy. The privacy protections afforded by some of these states mirrors the Fourth Amendment of the US Constitution but often add more specific references to privacy. Further, general constitutional provisions in other states have also been interpreted by courts to have established privacy rights of various types. Like the rights under the US constitution, the privacy rights under state constitutions also usually extend to protection from the actions of state governments, not private organizations.
In 1972, California amended Article I, Section 1 of its state constitution to include privacy protections.[22] A California appellate court then held that the state's right of privacy applied to both public and private sector interests.[23] Further, in Soroka v. Dayton Hudson Corp., the California Court of Appeals reaffirmed this view and held that an employer may not invade the privacy of its employees absent a "compelling interest".[24]
In August 2014, Missouri became the first state to provide explicit constitutional (art. I, § 15) protection from unreasonable searches and seizures for electronic communications or data, such as that found on cell phones and other electronic devices.[25]
Statutory protection
Federal statutes
The real-time interception of the contents of electronic communication is prohibited under the wiretap act,[26] while the Pen Register Act[27] provides protection from the interception of the non-content part of the electronic communication. The "From" and "To" fields along with the IP address of the sender/receiver have been considered as non-content information,[28] while the subject has been considered as part of the content.[29]
Unlike the European Union, which provides the General Data Protection Regulation (GDPR), the United States lacks an overall data privacy protection law.
Once the email is stored on a computer (email server/user computer), it is protected from unauthorized access under the Stored Communications Act (Title II of Electronic Communications Privacy Act).[30]
After 180 days in the US, email messages stored on a third party server lose their status as a protected communication under the Electronic Communications Privacy Act, and become just another database record.[31][32] After this time has passed, a government agency needs only a subpoena—instead of a warrant—in order to access email from a provider. However, if the emails are stored on a user's personal computer instead of a server, then that would require the police to obtain a warrant first to seize the contents. This has been criticized to be an obsolete law; at the time this law was written, extremely high-capacity storage on webmail servers was not available. In 2013, members of the US Congress proposed to reform this procedure.[33]
An exception to these laws, however, is for email service providers.[34] Under the provider exception, the laws do not apply to "the person or entity providing a wire or electronic communications service."[35] This exception, for example, allows various free of charge email providers (Gmail, Yahoo Mail, etc.) to process user emails to display contextual advertising.
Another implication of the provider exception is access by employers. Email sent by employees through their employer's equipment has no expectation of privacy, as the employer may monitor all communications through their equipment.[citation needed] According to a 2005 survey by the American Management Association, about 55% of US employers monitor and read their employees' email.[36] Attorney–client privilege is not guaranteed through an employer's email system, with US courts rendering contradictory verdicts on this issue.[37] Generally speaking, the factors courts use to determine whether companies can monitor and read personal emails in the workplace include: (i) the use of a company email account versus a personal email account and (ii) the presence of a clear company policy notifying employees that they should have no expectation of privacy when sending or reading emails at work, using company equipment, or when accessing personal accounts at work or on work equipment.[38]
State statutes
Privacy protections of electronic communications vary from state to state. Most states address these issues through either wiretapping legislation or electronic monitoring legislation or both.[39]
Unlike the EPCA, most state statutes do not explicitly cover email communications. In these states a plaintiff may argue that the courts should interpret these statutes to extend protection to email communications. A plaintiff can argue that the wiretapping statutes reflect the general intent of the legislature to protect the privacy of all communications that travel across the telephone line (including emails). Further, the plaintiff may argue that email communications may be analogized to telegraphic communications, which are explicitly protected under most state statutes.[39]
Generally, such efforts are not effective in protecting email privacy. For example, in Shoars vs. Epson America, Inc. case (Cal. Sup. Ct. filed July 30, 1990) a California superior court refused to find employee email privacy protection in California's criminal code.[clarification needed] California Penal Code Section 631 prohibits wire-tapping without the consent of all parties involved, adding that a person may not "read or attempt to read, learn the contents or meaning of any message, report, or communication while the same is in tran- sit or passing over any such wire, line, or cable, or is being sent from, or received at any place within the state."[40] The court dismissed the lawsuit, ruling that Section 631 did not apply since the legislation did not specifically refer to email communication.
State common law protection
The protection of email privacy under the state common law is evolving[timeframe?] through state court decisions. Under the common law the email privacy is protected under the tort of invasion of privacy and the causes of action related to this tort.[39] Four distinct torts protect the right of privacy. These are (i) unreasonable intrusion upon the seclusion of another, (ii) misappropriation of others name and likeliness; (iii) unreasonable publicity given to another's private life and (iv) publicity that unreasonably places another in a false light before the public. Of these the tort of "unreasonable intrusion upon the seclusion of another" is most relevant to the protection of email privacy.[39] "Unreasonable intrusion upon seclusion of another" states that the invasion was intended to be private and the invasion was offensive to an individual.[41]
European Union
The fifty-five article long
The individual member states cannot enforce local laws that are contradictory to what they have already agreed upon as a European Union member. It was established in Costa v ENEL that the European Union law is placed above the laws of its individual member states.
Email privacy concerns (US)
Email at work
Most employers make employees sign an agreement that grants the right to monitor their email and computer usage. Signing this agreement normally deprives an employee of any reasonable expectation of privacy which means that employer can legally search through employee emails. Even without an agreement, courts have rarely found that the employee had a
Beyond the lack of privacy for employee email in a work setting, there is the concern that a company's proprietary information, patents, and documents could be leaked, intentionally or unintentionally. This concern is seen in for-profit businesses, non-profit firms, government agencies, and other sorts of start-ups and community organizations. Firms usually ask employees or interns to not send work-related material to personal emails or through social media accounts, for example. Even within the firm's email network and circle of connections, important information could still be leaked or stolen by competitors.[46] In order to remedy this, many firms hold training sessions for employees that go over common unethical[according to whom?] practices, what employees should do in order to share files/send emails, and how employees can report incidences where company information is in jeopardy. This way of training employees enables employees to understand email privacy and know what type of information can be shared and what documents and information cannot be shared with others. The information privacy agreement that states an employee cannot send proprietary information to others applies not just to people outside the firm but also other employees in the firm. Most firms, for example, do not allow employees to exchange slide show presentations or slide decks that contain proprietary information through personal emails.
Government employees and email
Government employees have further reduced privacy than the private sector employees. Under various public records acts and the Freedom of Information Act (FOIA), the public can gain access to almost anything a government employee writes down. Government employees may also have their personal emails subject to disclosure if the email pertains to government business.[47] Due to the nature of their job, courts are typically unwilling to find that government employees had a reasonable right to privacy in the first place.[44]
Email from home/personal accounts
Unlike work emails, personal email from one's personal email account and computer is more likely to be protected as there is a much more reasonable expectation of privacy, but even personal emails may not be fully protected. Because emails are stored locally, at the ISP, and on the receiving end, there are multiple points at which security breakers or law enforcement can gain access to them. While it may be difficult for law enforcement to legally gain access to an individual's personal computer, they may be able to gain access to the person's emails easily from the ISP.
ISPs are also increasingly creating End User Service Agreements that users must agree to abide by. These agreements reduce any expectation of privacy, and often include terms that grant the ISP the right to monitor the network traffic or turn over records at the request of a government agency.[44]
Mental healthcare
Mental healthcare professionals frequently use email for scheduling appointments and delivering treatments, offering benefits such as permanence and spontaneity compared to oral conversations. However, communicating Protected Health Information (PHI) via email poses risks due to vulnerabilities in email systems and the potential for unintended breaches. Providers have less control over third-party email systems, increasing the likelihood of confidentiality breaches through human error, malicious acts, or phishing attacks.[48]
Global surveillance
From the documents leaked by ex-NSA contractor
A lawsuit filed by the American Civil Liberties Union and other organizations alleges that Verizon illegally gave the US government unrestricted access to its entire Internet traffic without a warrant and that AT&T had a similar arrangement with the National Security Agency.[50] While the FBI and NSA maintain that all their activities were and are legal, Congress passed the FISA Amendments Act of 2008 (FAA) granting AT&T and Verizon immunity from prosecution.[51]
Spy pixels
Spy pixels, which report private details (IP address, time of reading the email, event of reading the email) to the sender of the email without the recipient's conscious approval to send the information, were described as "endemic" in February 2021. The "Hey" email service, contacted by BBC News, estimated that it blocked spy pixels in about 600,000 out of 1,000,000 messages per day.[52][53]
See also
- Spy pixel – Hidden images to track viewing of emails
- Anonymous remailer – anonymized email sending service
- Dark Mail Alliance – Organization dedicated to creating email with end-to-end encryption
- Data privacy– Legal issues regarding the collection and dissemination of data
- Email encryption
- email tracking – To check if an email has been read
- Employee monitoring software – Software to monitor and supervise employee activity
- Foreign Intelligence Surveillance Act of 1978 Amendments Act of 2008 – United States Law
- Industrial espionage – Use of espionage for commercial purposes rather than security
- Internet privacy – Right or mandate of personal privacy concerning the internet
- Secure communication – Anonymous communicating between two entities
- Secure email
- Secure Messaging
- STARTTLS– Communications protocol security extension – opportunistic transport layer security
- United States v. Councilman – Criminal case
- Email Privacy Act – US bill to update online communications law
- Bourke v. Nissan Motor Co. – US case upholding employers' right to monitor employees' emails
References
- ^ a b Zeynep Tufekci (May 19, 2022). "We Need to Take Back Our Privacy". The New York Times. Retrieved September 19, 2022.
- ^ Morrison, Steven R. "What the Cops Can't Do, Internet Service Providers Can: Preserving Privacy in Email Contents". Va. J.L. & Tech.
- ^ Warren; Brandeis (December 15, 1890), The Right to Privacy, Harvard Law Review, retrieved September 19, 2022
- ^ Dake Kang (November 6, 2018). "Chinese 'gait recognition' tech IDs people by how they walk". Retrieved September 19, 2022.
- ^ Blumenthal, Marjory S.; David D. Clark. "Rethinking the design of the internet: the end-to-end arguments vs. the brave new world". ACM Transactions on Internet Technology.
- ISSN 1833-1882.
- ^ Hornung, Meir S. "Think before you type: A look at email privacy in the workplace". Fordham J. Corp. & Fin.
- Information Week. pp. 50–51.
- ^ Pedersen, Mogens Jin (October 25, 2017). "Using Informational Videos to Elicit Participation in Online Survey Research: Evidence from a Randomized Controlled Trial". AEA Randomized Controlled Trials. Retrieved June 23, 2024.
- ^ "Privacy and Civil Liberties Organizations Urge Google to Suspend Gmail | Privacy Rights Clearinghouse". privacyrights.org. Retrieved June 23, 2024.
- ^ "Privacy and Civil Liberties Organizations Urge Google to Suspend Gmail | Privacy Rights Clearinghouse". privacyrights.org. Retrieved June 23, 2024.
- ^ Mattingly, Phil. "Why Email Can't Be Protected From Government Surveillance", MakeUseOf, 21 August 2013. Retrieved on 2 April 2015.
- ^ OCLC 917888709.
- ^ "Lavabit Details Unsealed: Refused To Hand Over Private SSL Key Despite Court Order & Daily Fines". Techdirt. October 2, 2013.
- ^ "End-to-end encryption". How To Geek. July 2, 2013. Retrieved April 9, 2015.
- JSTOR j.ctvc775pg.
- ^ Kaplan, Eben. "Terrorists and the Internet" Archived February 28, 2015, at the Wayback Machine, Council on Foreign Relations, 8 January 2009. Retrieved on 2 April 2015.
- ^ Perlroth, Nicole (November 16, 2012). "Trying to Keep Your E-Mails Secret When the C.I.A. Chief Couldn't". The New York Times.
- ^ "Surveillance and Security Lessons From the Petraeus Scandal". ACLU. November 13, 2012. Retrieved April 10, 2015.
- ^ "O'Connor v. Ortega, 480 US 709 (1987)". FindLaw. Retrieved April 10, 2015.
- ^ "Skinner v. Ry. Labor Executives' Ass'n, 489 U.S. 602 (1989)". Justia. Retrieved April 9, 2015.
- ^ "CA constitution Article, Section 1". Official California Legislative Information. Archived from the original on May 6, 2015. Retrieved April 10, 2015.
- ^ "Luck v. Southern Pacific Transportation Co., supra, 218 Cal.App.3d at pp. 17-19.)". Justia. Retrieved April 9, 2015.
- ^ "Soroka v. Dayton Hudson Corp., 18 Cal. App. 4th 1200". LexisNexis. Retrieved April 9, 2015.
- ^ "Missouri Electronic Data Protection Amendment 9 (August 2014)". Ballotpedia. Retrieved April 9, 2015.
- ^ 18 U.S.C. § 2510-2522
- ^ 18 USC § 3121-3127
- ^ United States v. Forrester, 495 F.3d 1041 (9th Circuit 2007).
- ^ "Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations" (PDF). US Justice Department. Retrieved April 10, 2015.
- ^ Burstein, Aaron. "Conducting Cybersecurity Research Legally and Ethically".
- ^ 18 U.S.C. § 2703
- ^ Erin Fuchs, "No One Is Talking About The Insane Law That Lets Authorities Read Any Email Over 180 Days Old", Business Insider, 7 June 2013.
- ^ Andrea Peterson, "Privacy Protections for Cloud E-mail", Think Progress, March 20, 2013.
- ^ 18 U.S.C. § 2701(c)(1) (1994)
- ^ Sidbury, Benjamin. "You've Got Mail... and Your Boss Knows It: Rethinking the Scope of the Employer E-mail Monitoring Exceptions to the Electronic Communications Privacy Act". UCLA Journal of Law and Technology. Retrieved April 10, 2015.
- ^ "2005 Electronic Monitoring & Surveillance Survey: Many Companies Monitoring, Recording, Videotaping--and Firing--Employees". Business Wire (Press release). Retrieved April 10, 2015.
- ISBN 978-1-4133-1326-0.
- )
- ^ a b c d Natt Gantt, Larry (1995). "An Affront to Human Dignity: Electronic Email Monitoring in Private Sector Workspace" (PDF). Harvard Law and Technology Journal. 8 (2): 345. Retrieved April 10, 2015.
- ^ "California Penal Code Section 631". Official California Legislative Information. Archived from the original on April 11, 2015. Retrieved April 10, 2015.
- ^ Meltz, Eli (May 1, 2015). "No Harm, No Foul? "Attempted" Invasion of Privacy and the Tort of Intrusion Upon Seclusion". Fordham Law Review. 83 (6): 3431.
- ^ "Charter of Fundamental Rights of the European Union". Retrieved April 10, 2015.
- ^ Green, Michael Z. "Against employer dumpster-diving for email". SCL Rev.
- ^ a b c "Email Privacy Concerns". Findlaw. Retrieved April 9, 2015.
- ISSN 0001-0782.
- S2CID 1933768.
- ^ "I work in government. Are emails on my personal email account subject to disclosure under the public records law? | Wisconsin Department of Justice". www.doj.state.wi.us. Retrieved October 9, 2020.
- ^ Lustgarten, Samuel D., et al. "Digital privacy in mental healthcare: current issues and recommendations for technology use." Current opinion in psychology 36 (2020): 25-31.
- ^ "NSA is lying". Democracy Now. April 20, 2012. Retrieved May 1, 2012.
- ^ ERIC LICHTBLAU; JAMES RISEN; SCOTT SHANE (December 16, 2007). "Wider Spying Fuels Aid Plan for Telecom Industry". New York Times. Retrieved October 30, 2011.
- ^ "Foreign Intelligence Surveillance Act (FISA)". American Civil Liberties Union. February 5, 2008. Retrieved October 30, 2011.
- ^ Kelion, Leo (February 17, 2021). "Spy pixels in emails have become endemic". BBC News. Archived from the original on February 17, 2021. Retrieved February 19, 2021.
- ZDNet. Archivedfrom the original on February 19, 2021. Retrieved February 19, 2021.
External links
- Andy Yen: Think your email's private? Think again
- Findlaw on current email privacy Laws
- Company email lacks reasonable expectation of privacy (Smyth v. Pillsbury)
- Workplace e-mail privacy from the Office of the Privacy Commissioner (Australia)
- New York Times on the dangers associated with sharing an email address
- Mills, Elinor (September 22, 2006). "Taking passwords to the grave". News.com.
- "Investigating Employees' E-Mail Use", National Public Radio, June 18, 2008
- Software That Tracks E-Mail Is Raising Privacy Concerns, New York Times, November 22, 2000