That subject line is probably a bit misleading. From my reading, it seems that the U.S. Court of Appeals for the 1st Circuit in Massachusetts has basically said you can’t expect any privacy in your email communications.
The Washington Post reports:
“The 2-to-1 decision by a panel of the U.S. Court of Appeals for the 1st Circuit in Massachusetts alarmed privacy advocates, who said it torpedoes any notion that e-mail enjoys the same protections as telephone conversations, or letters when they are sorted by mail carriers.
The court ruled that because e-mail is stored, even momentarily, in computers before it is routed to recipients, it is not subject to laws that apply to eavesdropping of telephone calls, which are continuously in transit. As a result, the majority said, companies or employers that own the computers are free to intercept messages before they are received by customers.
“This puts all of our electronic communication in jeopardy if this decision isn’t reversed,” said Jerry Berman, head of the Center for Democracy and Technology, a public interest policy group.”
I’ll say it’s in jeopardy! Time for you to start learning about GPG or PGP, if you ask me.
I’ve been using GPG for a long time now, and prefer to sign all my email and encrypt it whenever possible. It’s not that I’m paranoid about my communications or think anyone has any good reason to snoop or attempt to intercept email from me to any of those I may communicate with electronically, it’s just that I like my messages to be private.
E-mail without encryption is about as secure as a postcard. And much of my email contains information that I’d never write on the back of a postcard.
I was trying to explain this to my son the other day, and sent myself an email. Before I retrieved it from the server, I logged into the server and opened my email file in a text editor. Any email server administrator can do this to anyone’s email.
But not only can an email server admin do this, anyone who can crack (hackers are good guys – it’s the crackers who wear black hats) into the server will also have the ability.
But getting back to the privacy issues – the expectation of privacy in the United States at least has now disappeared as far as your e-mail. According to the Washington Post article, one dissenting judge wrote that this decision “will have far-reaching effects on personal privacy and security.”
“Like several privacy advocates, the judge raised particular alarm over what the decision might mean for the ability of law-enforcement to monitor e-mail.
Based on the court’s ruling, law enforcement officers would need only a search warrant to gain access to e-mail before it reaches its recipient, instead of a wiretap order, which can be far harder to obtain.
The decision, Lipez said, “would undo decades of practice and precedent regarding the scope of the Wiretap Act and would essentially render the Act irrelevant to the protection of wire and electronic privacy.”
This is dangerous stuff.
Something else a lot of people don’t seem to realize is that email can be easily modified as well. Imagine you’re waiting for an e-mail from your lawyer as to whether or not you need to be attending court today. It’s a big case, worth something big (could be money or jail time). An entity that doesn’t want you appearing in court today could have someone attempt to crack the email server and modify the line in the lawyer’s email from:
“Please be in court today.”
to:
“No need to be in court today.”
If the message was digitally signed, and you used GPG or PGP, you’d know immediately that the signature was not valid. There’d be a possibility the e-mail was tampered with and you could have a “heads-up” that something might not be quite right.
It’s really not that hard to do on some systems – especially older systems that haven’t been patched.
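The signature check described above can be tried locally. This is an added example, not something from the original post: it creates a throwaway key in a temporary keyring (the name and address are constructed), clearsigns the lawyer's sentence, edits the signed text the way the post describes, and asks GPG to verify both copies.

```shell
#!/bin/sh
# Added example: constructed key and message, isolated from your real keyring.
WORK="$(mktemp -d)"
GNUPGHOME="$WORK/gnupg"; export GNUPGHOME
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"' EXIT

# Throwaway signing key with no passphrase (a real key should have one).
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Constructed Lawyer <lawyer@example.invalid>' \
    default default never 2>/dev/null

# The lawyer clearsigns the message: the text stays readable, signature appended.
printf 'Please be in court today.\n' |
    gpg --batch --quiet --clearsign > "$WORK/original.asc"

# The body is changed on the server; whoever edits it cannot re-sign it
# without the lawyer's private key.
sed 's/^Please be in court today\.$/No need to be in court today./' \
    "$WORK/original.asc" > "$WORK/tampered.asc"

# Print GOODSIG or BADSIG, taken from gpg's machine-readable status output.
sig_status() {
    gpg --batch --status-fd 1 --verify "$1" 2>/dev/null |
        awk '$1 == "[GNUPG:]" && ($2 == "GOODSIG" || $2 == "BADSIG") { print $2 }'
}

echo "original: $(sig_status "$WORK/original.asc")"
echo "tampered: $(sig_status "$WORK/tampered.asc")"
```

A signature only proves the text is unchanged since signing; it still has to come from a key you have confirmed belongs to the sender.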
If you’re interested in learning more about GPG or PGP, let me know. I’m working on an outline for a class on teaching some basic privacy and encryption lessons. At first, GPG/PGP can be a bit confusing and probably one of the reasons why many don’t bother with it. But there are a number of great e-mail applications today that make the process pretty seamless without much user input required. But still, understanding some basics is important in order to ensure your security in your communications.
With this Court decision, you should be pretty motivated to learn a bit more on securing your communications anyhow.
If you already use PGP or GPG (I prefer GPG as it’s open source and free to use both for personal or business use) and want to communicate with me, my key ID is: 0x319CE936
My public key is available on the keyservers.
UPDATE 2020: The key ID here no longer works. Please see here.
Excellent advice.
The other thing to remember is that, in both civil and criminal litigation, as well as investigations of almost any sort, email can be found and used.
Discovery is a very powerful tool and it can extend to virtually all forms of communication. With a phone there is, in theory, no record. With email it is on your computer, on your ISP’s server, on your correspondent’s ISP and computer.
Remember the dictum, “No one was ever hung for something they did not say. (or email)”
Nice blog by the way!
Thanks Jay! I enjoy your site as well. I really don’t think most people understand the problems with email and privacy and your point is well taken. Another issue is the fact that so many people will leave their email on the server for days or weeks at a time instead of having it deleted upon retrieval. There may be times when it is necessary to leave the mail on the server such as when you’re accessing it while traveling or something… but the more data there, the more data that can be accessed by someone else. Thanks for your comments.
Actually, I do log in to my server to read email remotely, using pine on the unix server.
When you run an internet based business, and don’t know who are friend and foe, or who’s going to send you unsolicited attachments, etc. it’s a fast way to sift through the crap and extract what you want and what you don’t want to send on to the home computer.
But even without admin rights, I’ve found I’ve been able to access raw mail logs of other users if I hunt through directories…
You’re lucky your provider gives you access to a shell account! Or is it your own server? Hunting through directories can be fun 🙂 Does the version of Pine you are using support GPG?