Expecting privacy with email providers is extremely naive

Summary: The only email service that you can trust with completely protecting your privacy is one that you build yourself.


Saddle up, Google haters; there's a new posse forming that is going to go after the search giant for citing a past judgment to defend its automated email scanning systems.

"Just as a sender of a letter to a business colleague cannot be surprised that the recipient's assistant opens the letter, people who use web-based email today cannot be surprised if their communications are processed by the recipient's ECS provider in the course of delivery," said a motion filed by Google.

"Indeed, 'a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.' Smith v. Maryland, 442 U.S. 735, 743-44 (1979)."

Thankfully, the money quote is a citation from a previous ruling, which makes it even easier for the ill-informed posse to take it out of context and run with it. Nevertheless, the motion continues:

"For example, the court explained that in using the telephone, a person 'voluntarily convey[s] numerical information to the telephone company and "expose[s]" that information to its equipment in the ordinary course of business.' Id. at 744."

The motion continues to explain that on that basis, Google believes it can draw the same conclusion for automated email scanning for spam filtering and ad serving.

That was enough for the Consumer Watchdog organisation to declare that Google does not care about privacy, and that users who do care about privacy should not use the search giant's email system.

"Google has finally admitted they don't respect privacy," said John Simpson, Consumer Watchdog's privacy project director in a statement. "People should take them at their word; if you care about your email correspondents' privacy, don't use Gmail."

The problem with Simpson's statement is not that he is wrong, but that he is only half right.

In light of Snowden's revelations of the extent of NSA surveillance, I've witnessed more than one conversation where the participants discuss which email provider they will move to. This is mostly a result of the assumed common knowledge that Google has moved from "Don't be evil" to "full evil" mode.

Invariably, email services from Microsoft and Apple are thrown out as alternatives to the evil advertising, NSA-compliant ways of Google.

There's only one problem with this: Both of those companies are involved in PRISM. Further to this, it was reported in July that Snowden's documentation to The Guardian revealed that Microsoft was helping the NSA circumvent its own encryption — and, in the case of Outlook.com, it was NSA and FBI compliant before it launched at the end of 2012.

While the Google-hate posse is riding across the internet and casting down great justice, it shouldn't stop there. The respected alternatives are just as bad.

And make no mistake; although a special kind of vitriol is reserved for Google because it is an "advertising" company, Yahoo, Microsoft, or Facebook would love to be able to take Google's advertising mantle — it's just that they aren't as good at it as the search and advertising behemoth.

A pox should be conjured up by the posse and cast upon every house and email service provided by Google, Yahoo, Microsoft, and Apple.

Watching people discussing whether to change email provider from Google to Microsoft is like watching two frogs being slow boiled and discussing whether they should turn the heat on the stove down from a Google-like 200 degrees to a more acceptable Apple-like 180 degrees.

Whichever action you take, the frogs will be cooked, and your privacy will be impinged upon.

If you care about privacy, rather than what identifying brand your email is hosted with, the solution to the problem is not to go out and find another provider; the solution is to host your own.

Because regardless of whatever provider you go with — paid or free, multi-national or startup, offshore or local — you are placing an amount of trust in that organisation to not read your email, even if it says it won't.

Despite the respect that Lavabit has gained from its shutdown rather than compliance with court orders, it proves that even a service that specialised in asymmetric encryption was still vulnerable. Otherwise, Lavabit would have been able to comply with the warrant it was presented with, and Silent Circle would not have pre-emptively shut down.

The issue is that at some point, the email needs to be decrypted in order to be read by the user — and if that can be done, then there is no reason that a programmer or system administrator could not orchestrate to gain the private key and do the same on any account under their control.

Despite the obvious illegality of such feats, many of us in IT circles have heard stories of sysadmins reading CEOs' emails, or even customers' emails.

When you trust an email provider, you are trusting that every employee in that organisation with knowledge and access is ethical.

Most of us rest at night under the assumption that our emails are not interesting enough to warrant snooping on by bored sysadmins working the graveyard shift — which is strangely the same reasoning I heard quite frequently when I attended a recent cybersnooping event that was open to the public with regards to the NSA.

That's why if you actually care about your privacy, the solution to this situation is to get out of the system, trust yourself, and build your own email server.

Whether it be an Exchange instance, a Postfix configuration, or a Sendmail setup, it's the only way to be sure that your information is not being read, sold onward, or crunched in some massively large big data project.

And sure, it may take up a little more tinfoil than you'd like to make the hat that goes along with this solution, but it actually is a solution. Rather than a fight for a small amount of supposed superiority because your email provider du jour makes money from devices, advertising, or services, the more correct thing to do is to read up and start up your own service.

But how can you know that the NSA has not put a backdoor into Exchange or Sendmail? That I cannot answer, but I suspect that it takes at least a couple more rolls of tinfoil to consider.


Chris started his journalistic adventure in 2006 as the Editor of Builder AU after originally joining CBS as a programmer. After a Canadian sojourn, he returned in 2011 as the Editor of TechRepublic Australia, and is now the Australian Editor of ZDNet.

  • How about ...

    ... an open source lightnet?

    - open-source so that the backdoors cannot exist
    - lightnet to distinguish it from the evil uses of the darknet
    - with an idiot proof installer so that only a few people need the hats

    How about those cybersecurity people like Snowden - with a conscience- design it for us?

    I'd be happy to pay, switch ... and you can use a bit of my PC in the network.
    • Re: an idiot proof installer

      In software engineering circles there is a saying: if you design software so good that even idiots can use it, you will discover that only idiots are using it.
      • That is circulated among the minority luckily.

        There are those in software that truly believe software should be complex.
      • That explains ..

        Why people use apple products.
      • Re idiot proof

        A corollary is, "The problem with making something idiot-proof is they keep coming up with better idiots!"
  • Now that you have removed our naivety ...

    ... isn't it time we remove the evil corporations and their Government from power?
  • Now that you have removed ZDNET's naivety ...

    ... when can I expect a pervasive, incisive, unrelenting campaign against the evil corporations and their Government?

    Or do you have to remove complicity too?
  • Re: NSA has not put a backdoor into Exchange or Sendmail

    It is trivial to know if there is a backdoor in sendmail: just audit the code.

    It is harder to know if there is a backdoor in Exchange, for several reasons. First, there most certainly is. If not in the Exchange application itself, there are enough hooks in the underlying Windows "OS". Because, Exchange runs only on Windows... there is double safety net for the NSA here :)
    It is therefore safer to assume that Exchange/Windows does have many backdoors.
  • Your logic isn't making any sense . . .

    "Despite the respect that Lavabit has gained from its shutdown rather than compliance with court orders, it proves that even a service that specialised in asymmetric encryption was still vulnerable."

    Your logic isn't making any sense . . . no, it doesn't prove asymmetric encryption is vulnerable.

    "Otherwise, Lavabit would have been able to comply with the warrant it was presented with, and Silent Circle would not have pre-emptively shut down."

    Uh, no encryption does not have to let Lavabit comply with a warrant. This is a really, really bad assumption to make. Some implementations of encryption actually do NOT allow one to create backdoors for the government and such.

    "The issue is that at some point, the email needs to be decrypted in order to be read by the user "

    Hopefully on the user's own machine.

    "and if that can be done, then there is no reason that a programmer or system administrator could not orchestrate to gain the private key and do the same on any account under their control."

    . . . which would involve hacking the user's machine. Theoretically, if the implementation is end-to-end.

    Sadly, end-to-end encryption is not widely used for email.
  • Reasonable expectations of privacy

    I expect absolute privacy with every post card I write, every conversation I have in line at Starbucks, every Post-it note I put on the bulletin board at the supermarket -- yup, just like my email and cell phone conversations.
    John Ellingson
    • What about

      every bill you pay online?
      Every movie you stream? Every pizza you order?
  • How much is the NSA paying for this propaganda?

    How much is this PR campaign to get everyone to accept the NSA's warrant-less searches costing them?
  • Your privacy is as good as your recipient's server

    OK, imagine you did set up an email server - sendmail, Exchange, Merak, etc. You still need to send your email to someone, right? How many people you know will install their own email servers, configure domain names, MX settings in DNS tables? You cannot limit your correspondence to a few people with their own servers. The rest will still have gmail, yahoo, hotmail, etc. What's the point?
    • you are right

      That's right!!!

      And that is why THEY must change, not US.
      Elp Tique
    • Re: How many people you know will install their own email servers

      The community I dwell in, all do this. I know when I send something to one of my colleagues, that won't go to Microsoft's, Google's, NSA's etc. Big Data pile.

      They still do spy on us, of course, as usual, but it costs them -- not getting our content for free.
      At the end, it only takes to make it more expensive for them to collect the data, than the data itself.

      I also never, ever send sensitive information to any "public e-mail" account. Nothing more sensitive than what I would post to Facebook.
  • Government

    WHY in the world should I be afraid of my government? Why in the world should I become an expert to keep private what must be private?

    I should not/must not defend myself from my gov and his evil partners. The gov must be afraid of the people NOT the other way around!
    Elp Tique
  • A few thoughts

    First, no matter what kind of encryption technique you use - it can be broken. The rule to remember is "You have to start somewhere". Wherever you start - that is where a hacker starts to break whatever it is you have done.

    All you can hope for is to slow down the hacker. Who the hacker is (a criminal or a government agency) does not matter.

    The above having been said - all a law is - is a rule by which we live. No law has any way to actually prevent someone from doing something. That is why all laws should be (and were) reactive instead of proactive. In other words we say "If you do X - then Y will happen to you." Some laws, stupidly, are proactive. They are stupid because they say "We think you might do X - so we are going to do Y to you now." Think making bartenders responsible for people who drink too much. You are asking one person to keep track of hundreds of people. Something we do not even ask the government to do.

    One of the laws we live by is the right to privacy (which is not in the Constitution or any of the founding papers in the US). The right to privacy grew out of the right to prevent unwarranted search and seizure. There are no well defined limits to invasion of privacy. This is because of the way in which most laws get passed. That is to say that some kind of action is performed by someone (or something) and the knee-jerk reaction is to pass a law to stop that "something" from happening rather than to pass a law for the larger view. Further, the government and legal agencies are constantly trying to expand upon what they can do. The United States has gone through several cycles where one or more legal agencies within the United States have tried to expand their powers through either overt or covert actions. Usually under the guise of the need for security or "To keep the populace safe". An extreme example of this is McCarthyism, where people were blacklisted, imprisoned, and even deported out of the United States.

    The overall problem is extremes and the lack of checks and balances. If everything is called a national security issue then, under the laws we have in effect during wartime actually does give the government the right to do whatever they think is best in order to keep the country safe. So the real problem here is the fact that the war powers act is always going to be in effect until we, the people of the United States, demand our government to shut down all wars. Presently we are in the "War on Terrorism", the "War on Drugs", and the "War in Afghanistan". Not to mention other, smaller wars which we have become embroiled in while the war powers act has been in effect. Until we shut down all of these wars - we are getting what we deserve: a kingdom with a king who can do as he pleases. Including the rape of our rights.

    Our government was never meant to work under war time conditions. That is why the war powers act was written. To allow one person to control what is going on so they could keep the United States safe and free. Germany, before World War II, was a democracy too. The people of Germany voted Hitler into power because of his charismatic voice and demeanor. Hitler became a dictator because a group bombed one of the major buildings in Germany, the war powers act in Germany came into effect, Hitler attacked a country in the middle east that had nothing to do with the bombing, and then used his powers to take over the country and change it to a dictatorship with him as the dictator. The Nazis did the same things that our government is now doing to us.

    If you do not believe this is happening you only have to remember our government set up torture chambers outside of the United States to circumvent our own laws. The United States has never done this before in the history of the United States. We systematically invaded, attacked, killed, tortured, and basically tried to wipe out people we perceived as enemies. So why are you surprised when our government begins spying on everyone? It is just another one of the things the Nazis did to their own people.

    With all of the above said, running your own e-mail server is easy to do. Look at http://www.capesoft.com. They have a cheap e-mail server. It does NOT do encryption but you can install PGP into almost any e-mail program and then your e-mail is encrypted automatically and incoming e-mails can be decrypted automatically. That is to say - you can now set it up to be transparent to the end user. You can then send/receive e-mails through your own e-mail server and have some peace of mind with what you send and receive.

    To conclude: The struggle for freedom has to be fought by every generation. It is not a static thing - this freedom you enjoy. Every time people get tired or think they have finished the fight - they are mistaken and get abused by the next group who tries to twist the law to how they want it to be. Unknown by many of the people within the United States - there are many people working in our government who are actually working towards the day when all people are not free but are slaves to the whims of those in power. The only way to stop this is to pass laws that require a two-thirds majority of the people in the United States to vote for a change and to make the penalties a death sentence. This would stop the arbitrary way in which our laws change. It would once and for all make it impossible for government agencies to say they are doing something for the benefit of the country. Our only problem then would be the government labeling everything top secret so no one can know something is being done to them as well as the abuse of the war powers act.
  • They are all a part of PRISM...

    but Google goes one step further and profits from private email content. Read the EULAs carefully... the other big guys don't without some opt-in. I'm more concerned with a company profiting from my data (and not giving me a cut). Sign in to Google and browse the internet... it's like having some creepy guy in your backseat following you around and noting all the stuff you like so he can inform the various companies of tricky ways to advertise to you. I can appreciate targeted ads... but only if I've created a list of likes that I don't mind sharing.
  • adopt PGP - if you want an envelope, otherwise it is a post-card

    gmail, hotmail, yahoo are all free services, they will have to derive some value from their users to remain in business. If people haven't figured that out all I can say is that they are out of touch with the real world.

    Having said that, what is stopping one from exchanging encrypted documents or texts using PGP / GNU-PG?

    Grow up is all I can say.
  • Amen to this article, very well put

    All you apple assholes that think you are so high and mighty, well, ya, you are getting spied on too. If you are so concerned about your privacy, the fix is easy - stop using the internet! Maybe if you guys weren't looking up child porn you wouldn't be so worried about your privacy.