Expecting privacy with email providers is extremely naive

The only email service that you can trust with completely protecting your privacy is one that you build yourself.
Written by Chris Duckett, Contributor

Saddle up, Google haters; there's a new posse forming that is going to go after the search giant for citing a past judgment to defend its email automated scanning systems.

"Just as a sender of a letter to a business colleague cannot be surprised that the recipient's assistant opens the letter, people who use web-based email today cannot be surprised if their communications are processed by the recipient's ECS provider in the course of delivery," said a motion filed by Google.

"Indeed, 'a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.' Smith v. Maryland, 442 U.S. 735, 743-44 (1979)."

Thankfully, the money quote is a citation from a previous ruling, which makes it even easier for the ill-informed posse to take it out of context and run with it. Nevertheless, the motion continues:

"For example, the court explained that in using the telephone, a person "voluntarily convey[s] numerical information to the telephone company and 'expose[s]' that information to its equipment in the ordinary course of business.' Id. at 744."

The motion continues to explain that on that basis, Google believes it can draw the same conclusion for automated email scanning for spam filtering and ad serving.

That was enough for the Consumer Watchdog organisation to declare that Google does not care about privacy, and that users who do care about privacy should not use the search giant's email system.

"Google has finally admitted they don't respect privacy," said John Simpson, Consumer Watchdog's privacy project director in a statement. "People should take them at their word; if you care about your email correspondents' privacy, don't use Gmail."

The problem with Simpson's statement is not that he is wrong, but that he is only half right.

In light of Snowden's revelations of the extent of NSA surveillance, I've witnessed more than one conversation where the participants discuss which email provider that they will move to. This is mostly a result of the assumed common knowledge that Google has moved from "Don't be evil" to "full evil" mode.

Invariably, email services from Microsoft and Apple are thrown out as alternatives to the evil advertising, NSA-compliant ways of Google.

There's only one problem with this: Both of those companies are involved in PRISM. Further to this, it was reported in July that Snowden's documentation to The Guardian revealed that Microsoft was helping the NSA circumvent its own encryption — and, in the case of Outlook.com, it was NSA and FBI compliant before it launched at the end of 2012.

While the Google-hate posse is riding across the internet and casting down great justice, it shouldn't stop there. The respected alternatives are just as bad.

And make no mistake; although a special kind of vitriol is reserved for Google because it is an "advertising" company, Yahoo, Microsoft, or Facebook would love to be able to take Google's advertising mantle — it's just that they aren't as good at it as the search and advertising behemoth.

A pox should be conjured up by the posse and cast upon every house and email service provided by Google, Yahoo, Microsoft, and Apple.

Watching people discussing whether to change email provider from Google to Microsoft is like watching two frogs being slow boiled and discussing whether they should turn the heat on the stove down from a Google-like 200 degrees to a more acceptable Apple-like 180 degrees.

Regardless of whichever action you take, the frogs will be cooked, and your privacy will be impinged.

If you care about privacy, rather than what identifying brand your email is hosted with, the solution to the problem is not to go out and find another provider; the solution is to host your own.

Because regardless of whatever provider you go with — paid or free, multi-national or startup, offshore or local — you are placing an amount of trust in that organisation to not read your email, even if it says it won't.

Despite the respect that Lavabit has gained from its shutdown rather than compliance with court orders, it proves that even a service that specialised in asymmetric encryption was still vulnerable. Otherwise, Lavabit would have been able to comply with the warrant it was presented with, and Silent Circle would not have pre-emptively shut down.

The issue is that at some point, the email needs to be decrypted in order to be read by the user — and if that can be done, then there is no reason that a programmer or system administrator could not orchestrate to gain the private key and do the same on any account under their control.

Despite the obvious illegality of such feats, many of us in IT circles have heard stories of sysadmins reading CEOs' emails, or even customers' emails.

When you trust an email provider, you are trusting that every employee in that organisation with knowledge and access is ethical.

Most of us rest at night under the assumption that our emails are not interesting enough to warrant snooping on by bored sysadmins working the graveyard shift — which is strangely the same reasoning I heard quite frequently when I attended a recent cybersnooping event that was open to the public with regards to the NSA.

That's why if you actually care about your privacy, the solution to this situation is to get out of the system, trust yourself, and build your own email server.

Whether it be an Exchange instance, a Postfix configuration, or a Sendmail setup, it's the only way to be sure that your information is not being read, sold onward, or crunched in some massively large big data project.

And sure, it may take up a little more tinfoil than you'd like to make the hat that goes along with this solution, but it actually is a solution. Rather than a fight for a small amount of supposed superiority because your email provider du jour makes money from devices, advertising, or services, the more correct thing to do is to read up and start up your own service.

But how can you know that the NSA has not put a backdoor into Exchange or Sendmail? That I cannot answer, but I suspect that it takes at least a couple more rolls of tinfoil to consider.

Editorial standards