Who else reads your e-mail?
Your employer and the government can snoop legally.
Cambridge, Mass. — We use e-mail for everything from business negotiations to quick I-love-yous. Because e-mail resembles a telephone conversation, we too often assume it's private.
It's not. Just ask Sarah Palin. A college student recently broke into her Yahoo e-mail account with frightening ease; he boasted that it took just 45 minutes using Wikipedia and Google to find the answers to Yahoo's security questions about her birth date, ZIP Code, and where she met her husband.
But break-ins are hardly the only threat to our e-mail privacy.
Who can see your e-mail – even en route – is a complicated question, made more uncertain by a recent court decision.
First, your office e-mail is governed by whatever rules your company decides. For example, Harvard University, where I work, states that e-mail "may be accessed at any time by management or by other authorized personnel for any business purpose." Businesses need to be able to investigate fraud, but such sweeping authorizations create opportunities for abuse.
What about government searches? Let's start with the easy case. If you go to China and e-mail or instant message from your hotel room, the Chinese government may read your content. It's scanned for "security" purposes – the government is looking for discussions of Tibetan independence, perhaps. You may never notice anything, or you may mysteriously lose your Internet connection. It recently came out that China monitors and censors text messages among Skype users – a Canadian research group uncovered more than 166,000 censored messages.
"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, …."
You might think that means the government can't clandestinely search your e-mail, but it doesn't.
Suppose you use Gmail or Yahoo! mail. If the government wants to see your e-mail, it can have the warrant served on that company. Of course, the service provider has to respond to the warrant, just as you would if the feds came to your house. The difference is that the company decides whether to resist the court order, not you. You are supposed to be informed within 90 days, but in practice you may never know. E-mail stored elsewhere really isn't yours.
In 2005, The New York Times exposed a program of "warrantless wiretapping" of communications, including e-mail between individuals in the US and foreign countries. Congress codified the legality of some such searches in 2007 and again this summer. In a word, the rules change when "terrorism" is invoked as a justification. If the government demands your e-mail using a National Security Letter, your service provider is prohibited from telling you.
Searching e-mail as it crosses the US border is perhaps analogous to inspecting a laptop carried into the US Customs officials can inspect (and confiscate) your possessions; arguably they should also be able to search your e-mail – though under antiterrorism legislation, the eavesdropping can happen without your knowledge.
What about purely domestic e-mail surveillance without a warrant? The Terrorist Surveillance Program processes domestic e-mail in cooperation with Internet service providers; the Electronic Frontier Foundation has taken the government to court. But eavesdropping occurs even for nonterror-related crimes.
As part of the investigation of one Steven Warshak, Yahoo turned over his e-mail to federal agents, who had not gotten a warrant. A lower court threw out the evidence, but on July 11, a Federal Appeals Court allowed it to stand. The court didn't say that there was no constitutional issue, only that the case had enough other complexities that a Fourth Amendment ruling about e-mail would be premature. A minority of the court was not satisfied with that technical dodge, and stated in its blistering opinion,
"[H]eaven forbid that we should intrude on the government's investigatory province and actually require it to abide by the mandates of the Bill of Rights. I can only imagine what our founding fathers would think of this decision. If I were to tell James Otis and John Adams that a citizen's private correspondence is now potentially subject to … unannounced searches by the government without a warrant supported by probable cause, what would they say? Probably nothing, they would be left speechless."
So as of today, we don't know whether the government can search your e-mail without a warrant, as happens routinely in China.
My advice? Be careful putting secrets in e-mail. Use encryption software, some of which is free. And urge Congress to act on e-mail privacy.
• Harry Lewis is a professor of computer science at Harvard University and fellow of the Berkman Center for Internet and Society. With Hal Abelson and Ken Ledeen, he is coauthor of "Blown to Bits: Your Life, Liberty, and Happiness After the Digital Explosion."