Email might feel like a private, one-to-one conversation safe from prying eyes, but email generally isn't confidential. Your messages can be intercepted and read anywhere in transit or reconstructed and read off of backup devices for a potentially infinite period of time.
If you're sending email at work, your boss can legally monitor it, and if your company becomes involved in a lawsuit, your adversary has the legal right to review it. If you send email from home, anonymous hackers can intercept it, and if you are suspected of a crime, law enforcement officials with a warrant can seize your electronic correspondence. Even your internet service provider may legally be able to scrutinize your email.
What all this amounts to is simple: Unless you take affirmative steps to encrypt your messages—a process that uses sophisticated software to garble your words and then allow the recipient to unscramble and read them—don't count on email as a confidential method of transmitting information.
Email isn't a secure way of communicating. Emails are generally stored on your computer or mobile device, your internet service provider's (ISP) server, and the receiver's device—and various parties might be able to access them. Because emails often contain personal, professional, and financial information, having some measure of email privacy is crucial for safeguarding this sensitive information.
From a technical standpoint, email privacy relies on encryption (see below) and secure transmission methods to prevent unauthorized access. Tools like end-to-end encryption ensure that only the intended recipient can view the message content, even if the email is intercepted during transmission.
Also, federal and state laws can provide email privacy protections by regulating how emails can be accessed or shared, particularly by employers, ISPs, and law enforcement.
Even if you take steps to protect your email privacy, your messages are vulnerable to various threats, such as phishing, hacking, and unauthorized surveillance. For example, without strong passwords and encryption, cybercriminals can get access to your emails and steal sensitive information, which they might use to impersonate you.
Additionally, companies providing free email services may scan messages for advertising purposes, raising concerns about data privacy. It's important to read privacy policies and understand how your information might be used.
Your emails might be vulnerable to (and read by) your employer, hackers, or even your ISP.
On your first day of a new job, you might be asked to sign and acknowledge some form of employer email policy. This policy will probably inform you that email is to be used only for everyday business purposes, that the computer systems at work are the property of your employer, that email may be monitored, and that you have no reasonable expectation of privacy in your use of email.
A written statement like this, signed by an employee, creates a contract upon which an employer can rely if they want to snoop. Equally important, if a dispute arises over monitoring of email, the employer can point to the signed statement to show that it was unreasonable for the employee to think that email was private.
Even if there is no signed agreement or written policy, an employer can still peek into your email (or your desk, for that matter)—assuming, as is usually the case, that you have no reasonable expectation of privacy as to the contents.
While adopting a policy of sending personal email only from a personal device is an obvious step towards protecting your privacy at work, it doesn't guarantee that your messages will be fully protected from prying eyes. After your email leaves your device, it travels over multiple online services and open networks to reach its destination. Although interception of email transmission—that is, snooping while an email is in "real-time" transmission between sender and receiver—is a federal crime under the Electronic Communications Privacy Act (ECPA) (18 U.S.C. § 2517(4) (2024)), it has been accomplished by hackers. (The ECPA is the main federal law that governs email privacy.)
The ECPA also permits an ISP to look through all stored messages, including email awaiting you in your mailbox or recently sent and received mail. Some ISPs temporarily store all messages that pass through the system. The ECPA normally prevents the ISP from disclosing the messages to others, but even here there are exceptions. Law enforcement officials, when armed with proper warrants or administrative subpoenas, can gather basic information about users from ISPs, including their names, and also gain access to the content of stored messages. Also, once the email reaches its destination, the ECPA doesn't protect against snooping at the recipient's mailbox.
Some ISPs, worried about their own liability for the email content, require subscribers to conform to an End User Service Agreement that further reduces the user's expectation of privacy with ISP-favorable terms. For example, the service agreement for one popular ISP states: "Service Provider has no obligation to monitor the Service, but may do so and disclose the information regarding the use of the Service for any reason if Service Provider in its sole discretion believes that it is reasonable to do so, including to satisfy governmental or legal requests."
Also, most large email providers, like Gmail and Outlook, can read your messages. (But they claim they don't.)
Because personal emails often contain sensitive information, from casual conversations with friends and family to critical details about finances, health, and even legal matters, it's important to understand the connection between personal emails and privacy, as well as how to protect your information.
Despite legal protections, personal emails can be exposed in a breach or hack. Hackers often go after email accounts to get personal data, which can lead to identity theft, fraud, or even blackmail. Even if a hacker doesn't get into your email, your messages could be unintentionally shared or forwarded by the recipient, which can compromise your privacy. Or your email service provider might scan the content of your messages for marketing purposes, raising additional privacy concerns.
Various laws protect email privacy, and you can take steps to protect your private emails.
Again, the main federal law that protects your email privacy is the Electronic Communications Privacy Act (ECPA). (18 U.S.C. §§ 2510-2523 (2024).) This law provides certain protections, such as a warrant requirement, to support email privacy. However, under the ECPA, emails lose their status as protected communication in 180 days. After that time, a warrant is no longer necessary. (This part of the law is a remnant from when web-based email, like Gmail, didn't exist, so data storage was limited and emails were regularly deleted. However, now, customers have access to nearly unlimited cloud storage.)
Title II of the ECPA, the Stored Communications Act (SCA), protects the privacy of the contents of files that service providers store and of records service providers hold on a subscriber, such as subscriber name, billing records, or IP addresses. (18 U.S.C. §§ 2701-12 (2024).)
Ultimately, the only way to ensure a high degree of privacy for your messages on the internet is to encrypt them. "Encryption" is a system in which sophisticated software using cryptographic algorithms garbles your message, sends it across the networks as gibberish, and then—assuming the recipient has the correct digital "key"—reconstitutes it, or "decrypts" it.
In the end, email's speed and convenience outweigh its nonprivate nature for most everyday discussions. But you should think of it like a postcard, not a letter—a message open to every eye along the way.
To best maintain the privacy of your emails, you can:
And, again, the best way to keep your emails private is to encrypt them.
If you become the victim of identity theft because of an email privacy violation, go to the Federal Trade Commission (FTC) website IdentityTheft.gov to get a personal recovery plan.
If you have questions about email privacy, how to protect your communications, or what to do if you've been victimized, consider talking to a consumer protection attorney.