Your email providers don’t require a warrant to read your email


The Verge recently published disturbing news about Microsoft’s respect for its users’ privacy:

It came out yesterday that the company had read through a user’s inbox as part of an internal leak investigation. Microsoft has spent today in damage-control mode, changing its internal policies and rushing to point out that they could have gotten a warrant if they’d needed one. By all indications, the fallout is just beginning.

Your provider is watching you

As disturbing as this is, there is a bigger picture. As The Verge’s Russell Brandom goes on to point out –

But while Microsoft is certainly having a bad week, the problem is much bigger than any single company. For the vast majority of people, our email system is based on third-party access, whether it’s Microsoft, Google, Apple or whoever else you decide to trust. Our data is held on their servers, routed by their protocols, and they hold the keys to any encryption that protects it. The deal works because they’re providing important services, paying our server bills, and for the most part, we trust them. But this week’s Microsoft news has chipped away at that trust, and for many, it’s made us realize just how frightening the system is without it.

People following the Oscar Pistorius trial in the last week would have discovered that private chats can become very public if law enforcement authorities believe they are relevant to an investigation.

Although law enforcement authorities are required to follow various procedures to gain access to messaging and social media users’ communications, the companies operating the chat and email services we use daily don’t have this hurdle in their way if they deem it necessary to access their users’ communications.

The right to privacy in the South African Bill of Rights includes the right not to have the “privacy [of your] communications infringed”. This right is not absolute and can be (and is) limited by various laws including the Regulation of Interception of Communications and Provision of Communication-related Information Act, which is how local law enforcement can obtain access to your communications. What this means is that, for law enforcement at least, there are checks and balances in place to protect our communications, thanks both to laws and to service providers’ requirements.

Unfortunately, those same providers give themselves much more convenient access to your data through their terms of service or privacy policies. On one hand, this level of access may be necessary to prevent disruptions and limit liability but, on the other hand, the permissions that we, as users, grant give providers like Microsoft, Google, Yahoo and others pretty broad access to our data without requiring them to obtain court orders or satisfy any external legal requirement.

Microsoft

As The Verge pointed out, if you use Hotmail/Outlook.com, you have granted Microsoft permission to access your data. Microsoft’s Privacy Statement includes these permissions:

We may access or disclose information about you, including the content of your communications, in order to: (a) comply with the law or respond to lawful requests or legal process; (b) protect the rights or property of Microsoft or our customers, including the enforcement of our agreements or policies governing your use of the services; or (c) act on a good faith belief that such access or disclosure is necessary to protect the personal safety of Microsoft employees, customers or the public.

Because you agree to the Privacy Statement as a condition of your use of Microsoft’s services, you have consented to these uses of your personal information. These consents enable Microsoft to circumvent any questions about privacy infringement because your legitimate expectation of privacy does not extend to these particular activities. This is the key rationale for a privacy policy and the same principle applies to the permissions you grant to other providers (I’ve referred to a couple more below).

Google

Google operates an enormously popular email service, Gmail, which is also probably one of the most secure from the perspective of external surveillance and attacks. While Google holds itself out as its users’ protector from external threats, it also has the option of accessing your data because you have agreed to this when you agreed to its Privacy Policy which includes these provisions:

We use the information we collect from all of our services to provide, maintain, protect and improve them, to develop new ones, and to protect Google and our users.

We may combine personal information from one service with information, including personal information, from other Google services – for example to make it easier to share things with people you know.

We will share personal information with companies, organizations or individuals outside of Google if we have a good-faith belief that access, use, preservation or disclosure of the information is reasonably necessary to:

  • meet any applicable law, regulation, legal process or enforceable governmental request.
  • enforce applicable Terms of Service, including investigation of potential violations.
  • detect, prevent, or otherwise address fraud, security or technical issues.
  • protect against harm to the rights, property or safety of Google, our users or the public as required or permitted by law.

These three sections are drawn from different parts of Google’s Privacy Policy and, between them, they give Google permission to share fairly comprehensive information it has about you with law enforcement authorities as well as to use that information itself to, among other things, “protect” its services, itself and its users. This is a fairly broad term and this is likely intentional. When you write these sorts of policy documents, you don’t want to be too prescriptive if you anticipate requiring fairly broad consents for a wide range of foreseeable risks and to cater for unforeseen risks.

Yahoo

Yahoo’s webmail service is still very popular. While Yahoo’s privacy policy tends to be pretty good about handling users’ personal information, it also retains fairly broad permissions in its Privacy Policy (I added some emphasis):

Yahoo does not rent, sell, or share personal information about you with other people or non-affiliated companies except to provide products or services you’ve requested, when we have your permission, or under the following circumstances:

  • We believe it is necessary to share information in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of Yahoo’s terms of use, or as otherwise required by law.

Apple

Although not as popular as the other providers, Apple’s tight service and software integration makes its iCloud email service a convenient option, especially because it’s possible to create an email account on iCloud without requiring another email account first (which is increasingly rare). When you use Apple’s products and services, your consents include the following:

How we use your personal information

  • We also use personal information to help us create, develop, operate, deliver, and improve our products, services, content and advertising, and for loss prevention and anti-fraud purposes.

  • We may also use personal information for internal purposes such as auditing, data analysis, and research to improve Apple’s products, services, and customer communications.

Where this leaves you

Public events like the Oscar Pistorius trial and, before it, the ongoing revelations about state surveillance programs over the last year or so, have reminded us that our private communications are not quite as private as we may have hoped. Our privacy is protected more by obscurity and because our communications, for the most part, are not the sorts of things others would be terribly concerned about.

Our trust and the possibility of severe reputational harm keep the likes of Google, Yahoo, Microsoft, Facebook and others generally honest although, as we have seen with Microsoft, they may be prepared to break that trust if the reason is compelling enough to them. They will invariably point to the permissions we give them in our contracts with them and they’ll be quite right. We have agreed to this and we’ll continue being in agreement with them having this level of access to our data because the alternatives are not nearly as convenient.

Facebook.com email shuts down with a surprise

Facebook has decided to shut down its Facebook.com email service where you could receive emails into your Facebook inbox. Apparently not many users were actually using it.

You have the option of disabling the service in the meantime and, if you don’t, emails sent to your Facebook.com email address will be forwarded to your primary email address. As The Verge pointed out, there is, however, a problem with this:

Today’s update brings another odd and unfortunate side effect for Facebook: you can now reach someone’s primary email inbox by emailing their @facebook.com email address. These email addresses are by default only accessible to friends, but you can easily figure out somebody’s @facebook.com email address by finding their profile page’s URL and pasting it before the @ symbol. Fortunately, Facebook lets you turn off forwarding altogether, effectively destroying its email service once and for all.

Are email disclaimers enforceable?


The Economist has a thought-provoking article titled “Spare us the email yada-yada” with the subtitle “Automatic e-mail footers are not just annoying. They are legally useless”. The article highlights some of the challenges facing email disclaimers and there are just no clear answers that I have come across. The central challenge is the following:

Many disclaimers are, in effect, seeking to impose a contractual obligation unilaterally, and thus are probably unenforceable.

When you send an email to someone and you have a disclaimer or link to terms and conditions, the recipient of the email may not be expecting your email or be familiar with your terms. That person may not be inclined to agree to your terms and conditions which you are effectively seeking to impose unilaterally. An email disclaimer is a form of contract with email recipients and contract law usually hinges on a “meeting of the minds” between the contracting parties. Unilaterally imposing terms and conditions is not a meeting of the minds and it is certainly not the result of some sort of negotiation.

A local blogger recently had a bad experience with a global fast food chain and tweeted his experience. The chain got in touch with him about the experience and unilaterally sought to prevent him from mentioning anything about his communications with the chain through, as I understand it, an email disclaimer. Why should the blogger be restrained from exercising his right to freedom of expression simply because the chain has a confidentiality requirement in its email disclaimer? This doesn’t seem to be in line with the contractual principles which underpin these terms and conditions.

A counterargument which I have been thinking about is that the recipient is presented with a set of terms and conditions on the basis that her consumption of that email is subject to those terms and conditions. By reading the email and acting on it, the recipient is signifying, by her conduct, that she has read, understands and agrees to those terms and conditions. A similar principle applies to website terms and conditions, parking terms and conditions and hotel check-ins, to name a few parallel examples. The problem with this approach is that the recipient generally only becomes aware of these terms and conditions after having opened and read the email. References to email disclaimers are typically at the bottom of an email and where there are restrictions on confidential information disclosure, for example, the damage is probably already done by the time the recipient gets to the terms reference.

Another problem with email and a characteristic which distinguishes it from the examples I mentioned above is that emails are data messages sent from the originator to the recipient, often passing outside the originator’s messaging system in the process. Unlike website terms and conditions and similar terms, originators can easily lose control of the disclaimer notice and are not guaranteed that it will be displayed prominently each time the message is displayed, or at all. While a website user can be bound by website terms and conditions just by visiting the website, the legal principle behind this starts to break down a little when it comes to email terms and conditions, at least the principle’s application.

Absent clear authority on this (and I could have missed something), making use of email terms and conditions is a risk management exercise. If these terms and conditions are legally binding, despite their challenges, then companies would be irresponsible not to make sure that they not only make use of these terms and conditions but that these terms and conditions are complete and comprehensive. Can you afford to take the risk?


Image credit: Email with Mark Zuckerberg, CEO of Facebook by Robert Scoble, licensed CC BY 2.0

Law firm fudges mailing list privacy and its own reputation

I received an interesting email this morning referring me to an email which a local law firm distributed to subscribers of its property-related mailing list. Ordinarily that isn’t the sort of thing which would garner much interest from me – property law is somewhat outside my usual scope. What caught my eye is the way this law firm emailed this particular issue. It listed every email address in the mailing list in the “To” field and the result is something like this:

[Image: BBMLaw mailing list]

If you are wondering what the blue fuzz is, it is a partial screen shot of the distribution list, zoomed out to obscure the individual email addresses. The recipient whose response to the law firm was forwarded to me along with the original email had the following to say in his reply to the firm (this is a direct quote):

I find it extra-ordinary that your firm has revealed the private contact details of 1378 of your clients.

I am not a lawyer but I am pretty sure as a law firm that this is a MASSIVE breach of ethics and I certainly NEVER wish to be affiliated with your firm again. I am horrified my personal email address has been revealed by your firm to every person on this mailing list. There are VERY VERY VERY strict rules as to the data protection of your clients’ information but it seems your firm has opted to ignore these basic rules.

If this is how you treat my private email address goodness knows how else you are treating your clients information!!!

The massive conflicts this email could create is shocking and I ask your firm to kindly remove my email address with immediate effect and not to EVER contact me again!

This blunder raises a number of legal issues. The one issue raised in the quote is legal professional privilege (commonly known as attorney-client privilege) which vests in attorneys’ clients. This privilege places restrictions on what information attorneys can disclose about their clients and the work they are doing. What is a concern about this email is that it potentially discloses information about the firm’s clients through their email addresses. That said, names of clients may not fall under legal professional privilege although this depends on the nature of the work being done for the client and any contractual restrictions between the client and the attorney.

Disclosing email addresses and, indirectly, clients’ identities may be a breach of confidentiality, which is an implied term of an attorney’s contract with his or her client, or a breach of non-disclosure provisions where the client has required the attorney to sign a non-disclosure agreement protecting its identity from disclosure.

Another concern is the simple disclosure of the recipients’ email addresses to each other. The mailing list apparently contains roughly 1 378 recipients and some of those recipients may prefer that their email addresses not be disclosed to each other. I hope the firm’s privacy policy covers this sort of disclosure and can sympathise with recipients who, like the recipient I quoted, are dismayed that their personal information could so easily be disseminated.

Of course this doesn’t reflect well on the firm itself which could easily lose a number of clients outraged at this blunder. The firm could also suffer reputational harm should these recipients discuss the blunder with their colleagues, friends and other parties. This disclosure could also easily undermine what must have been a fair amount of work that went into the database’s compilation and any goodwill the firm garnered through its publication in the time it has been distributed.

Leaving aside questions of confidentiality (and they are potentially very serious), not taking care to protect an email database from this sort of public disclosure could have equally serious privacy and reputational consequences for an organisation. I certainly would not want to be the firm’s directors when clients start calling about this.