Email may feel like a private, one-to-one conversation safe from prying eyes, but email is about as confidential as whispering at the White House. Your messages can be intercepted and read anywhere in transit, or reconstructed and read off of backup devices, for a potentially infinite period of time.
If you're sending email at work, your boss can legally monitor it, and if your company becomes involved in a lawsuit, your adversary has the legal right to review it. If you send email from home, anonymous hackers can intercept it, and if you are suspected of a crime, law enforcement officials with a warrant can seize your electronic correspondence. Even your Internet service provider may legally be able to scrutinize your email.
What all this amounts to is simple: Unless you take affirmative steps to encrypt your messages -- a process that uses sophisticated software to garble your words and then allow the recipient to unscramble and read them -- don't count on email as a confidential method of transmitting information.
On your first day of a new job, you may be asked to sign and acknowledge some form of employer email policy. This policy will probably inform you that email is to be used only for everyday business purposes, that the computer systems at work are the property of your employer, that email may be monitored, and that you have no reasonable expectation of privacy in your use of email.
A written statement like this, signed by an employee, creates a contract upon which an employer can rely if they want to snoop. Equally important, if a dispute arises over monitoring of email, the employer can point to the signed statement to show that it was unreasonable for the employee to think that email was private.
Even if there is no signed agreement or written policy, an employer can still peek into email (or your desk for that matter) -- assuming, as is usually the case, that you have no reasonable expectation of privacy as to the contents. (Learn more about privacy and your work email account with Nolo's article Email Monitoring: Can Your Employer Read Your Messages?)
While adopting a policy of sending personal email only from home is an obvious step towards protecting your privacy at work, it doesn't guarantee that your messages will be fully protected from prying eyes. After your email leaves your home it travels over multiple online services and open networks to reach its destination. Although interception of email transmission -- that is, snooping while an email is in "real-time" transmission between sender and receiver -- is a federal crime under the Electronic Communications Protection Act (ECPA) (18 U.S.C.A 2517(4)), it has been accomplished by hackers.
The ECPA also permits an ISP to look through all stored messages, including email awaiting you in your mailbox or recently sent and received mail. Some ISPs temporarily store all messages that pass through the system. The ECPA normally prevents the ISP from disclosing the messages to others, but even here there are exceptions. Law enforcement officials, when armed with proper warrants or administrative subpoenas, can gather basic information about users from ISPs, including their names, and also gain access to the content of stored messages. Also, once the email reaches its destination, the ECPA does not protect against snooping at the recipient's mailbox.
Some ISPs, worried about their own liability for the email content, require subscribers to conform to an End User Service Agreement that further reduces the user's expectation of privacy with ISP-favorable terms. For example, the service agreement for one popular ISP states: "Service Provider has no obligation to monitor the Service, but may do so and disclose the information regarding the use of the Service for any reason if Service Provider in its sole discretion believes that it is reasonable to do so, including to satisfy governmental or legal requests."
Ultimately, the only way to ensure a high degree of privacy for your messages on the Internet is to encrypt them. Encryption is a system in which sophisticated software using cryptographic algorithms garbles your message, sends it across the networks as gibberish and then -- assuming the recipient has the correct digital "key" -- reconstitutes it, or "decrypts" it.
Commonly used public key technology uses two keys: one that is unique and private and one that is public and freely distributed to all users of a particular system. These keys only work when matched -- what one scrambles, only the other can undo. These techniques can also verify the integrity of the data (that it wasn't altered along the way) and authenticate it (check to make sure the stated creator is the person who sent the message).
But successfully using encryption requires some foresight, because the person receiving the message has to be able to decode it. Two popular encryption standards are Secure Multipurpose Internet Mail Extension ("S/MIME") and Open Pretty Good Privacy ("OpenPGP"). Neither of these software products can decode the other's algorithms.
In the end, email's speed and convenience outweighs its non-private nature for most every day discussions. But you should think of it like a postcard, not a letter -- a message open to every eye along the way.
To learn more about email risks, and how to protect against them, read Stopping Identity Theft: 10 Easy Steps to Security, by Scott Mitic (Nolo).