A common question of late is “Should I have an expectation of privacy?”.
Some folks may believe that what they send via email is private, and those who send encrypted email would seem to have good reason to expect privacy regarding the content of their emails. Further, there are those who have nice privacy disclaimers embedded in every email. I will leave it up to an attorney to clarify whether the disclaimers provide any measure of protection for the individual or firm whose email contain such a disclaimer.
My issue is that many folks expect email to be private; after all, you send email to a specific destination or list of destinations. If you are concerned about privacy of the content, you might send that email in one of the secure (encrypted) formats and expect that this choice guarantees the privacy of your email content. A fly in the ointment is that our government (never mind other governments and their level of respect for personal and professional privacy) has been utilizing a system of court orders to compel secret (unpublished) access to mail on professional mail servers and hosts.
If an article published in ZDnet is to be believed (it agrees with and draws details from a Rueters News Service article), the NSA / FBI have on many occasions compelled services to provide emails based on some criteria for external access by those other than the intended recipient. What is worse; it is the nature of the mail servers to decrypt the incoming emails in order to perform the government requested “scan” for phrases to identify emails to be extracted. This brings into question the use of the term secure when referring to emails that are intended by the sender to be secure. Secure in this case refers to the emails being transmitted securely; but, the government requesting the emails to be scanned at the server bypasses the standard protection provided by this kind of service.
While I see this as a clear violation of our fourth amendment rights (and others), it may be some time before legal systems are enacted to alter or prevent these kinds of actions by our government agencies (never mind the acts of hackers). In the mean time, this event (which I see no reason to expect is an isolated one) serves as a reminder to us to be more careful regarding what we consider to be private in this age of expanding technologies. This kind of event combined with the hacking events that have been revealed in various news releases make it quite clear that anything published and stored electronically is at risk of becoming public or, at a minimum, viewed by unintended recipients.
What can we do? for extreme cases where privacy is important, provide a shared encryption system to the intended recipients, encrypt the contents of an email, paste that into the body or attach it and send the email(remember to never share the encryption keys electronically – this is how Yahoo, Google, Microsoft Exchange, and other large mail servers can decrypt mail they host – the encryption technique and link to shared keys are included with the email). After receiving the email, the recipient will then decrypt the contents; allowing them and, hopefully, only them to read the contents. Another solution is to avoid using the big commercial mail servers. Many businesses lease or rent web hosting for their corporate website and most of these also include mail hosting service as well. The reason this is likely to be more secure seems two fold to me; first: it is a much smaller prize and the government and hackers may simply not find it worth the effort; second: you as the owner of the hosting service are the very entity who the government will need to make a request of for access to the mails that flow through that server.
This kind of concern regarding privacy of materials should also extend to the use of cloud services, social networks, and blogs. If it is a large public host (Apple Cloud, Microsoft Cloud, One Drive, Facebook, Twitter, etc.), the odds of it attracting the interest of the government or private hackers is far greater than if it is hosted on your own private network or even leased web service. The advantage to selecting one of the large public hosts is that they tend to act fairly responsibly in terms of performing backups, equipment maintenance, and intrusion prevention (except for court orders from the government agencies).
It seems to me that we already have law in place to protect us from these kinds of secret intrusions into our privacy; still, we have at least two recent events made public where it is clear US government agencies are acting outside the clear intent of privacy laws. This indicates that their exist other laws, on the books, that need to be challenged and changed or repealed. It is up to we, the people, to bring this topic to the attention of our law makers, or simply understand and live with the consequences.