Your email providers don’t require a warrant to read your email

Our email providers give themselves much more convenient access to your data through their terms of service or privacy policies. On one hand, this is level of access may be necessary to prevent disruptions and limit liability but, on the other hand, these permissions we, as users, grant providers like Microsoft, Google, Yahoo and others pretty broad access to our data without requiring them to obtain court orders or satisfy any external legal requirement.

The Verge recently published disturbing news about Microsoft’s respect for its users’ privacy:

It came out yesterday that the company had read through a user’s inbox as part of an internal leak investigation. Microsoft has spent today in damage-control mode, changing its internal policies and rushing to point out that they could have gotten a warrant if they’d needed one. By all indications, the fallout is just beginning.

Your provider is watching you

As disturbing as this is, there is a bigger picture. As The Verge’s Russell Brandom goes on to point out –

But while Microsoft is certainly having a bad week, the problem is much bigger than any single company. For the vast majority of people, our email system is based on third-party access, whether it’s Microsoft, Google, Apple or whoever else you decide to trust. Our data is held on their servers, routed by their protocols, and they hold the keys to any encryption that protects it. The deal works because they’re providing important services, paying our server bills, and for the most part, we trust them. But this week’s Microsoft news has chipped away at that trust, and for many, it’s made us realize just how frightening the system is without it.

People following the Oscar Pistorius trial in the last week would have discovered that private chats can become very public if law enforcement authorities believe they are relevant to an investigation.

Although law enforcement authorities are required to follow various procedures to gain access to messaging and social media users’ communications, the companies operating the chat and email services we use daily don’t have this hurdle in their way if they deem it necessary to access their users’ communications.

The right to privacy in the South African Bill of rights includes the right not to have the “privacy [your] communications infringed”. This right is not absolute and can be (and is) limited by various laws including the Regulation of Interception of Communications and Provision of Communication-related Information Act which is how local law enforcement can obtain access to your communications. What this means is that, for law enforcement at least, there are checks and balances in place to protect our communications both thanks to laws as well as service providers’ requirements.

Unfortunately, those same providers give themselves much more convenient access to your data through their terms of service or privacy policies. On one hand, this is level of access may be necessary to prevent disruptions and limit liability but, on the other hand, these permissions we, as users, grant providers like Microsoft, Google, Yahoo and others pretty broad access to our data without requiring them to obtain court orders or satisfy any external legal requirement.

Microsoft

As The Verge pointed out, if you use Hotmail/Outlook.com, you have granted Microsoft permission to access your data. Microsoft’s Privacy Statement includes these permissions:

We may access or disclose information about you, including the content of your communications, in order to: (a) comply with the law or respond to lawful requests or legal process; (b) protect the rights or property of Microsoft or our customers, including the enforcement of our agreements or policies governing your use of the services; or (c) act on a good faith belief that such access or disclosure is necessary to protect the personal safety of Microsoft employees, customers or the public.

Because you agree to the Privacy Statement as a condition of your use of Microsoft’s services, you have consented to these uses of your personal information. These consent enable Microsoft to circumvent any questions about privacy infringement because your legitimate expectation of privacy does not extend to these particular activities. This is the key rationale for a privacy policy and it is the same principle applies to the permissions you grant to other providers (I’ve referred to a couple more below).

Google

Google operates an enormously popular email service, Gmail, which is also probably one of the most secure from the perspective of external surveillance and attacks. While Google holds itself out as its users’ protector from external threats, it also has the option of accessing your data because you have agreed to this when you agreed to its Privacy Policy which includes these provisions:

We use the information we collect from all of our services to provide, maintain, protect and improve them, to develop new ones, and to protect Google and our users.

We may combine personal information from one service with information, including personal information, from other Google services – for example to make it easier to share things with people you know.

We will share personal information with companies, organizations or individuals outside of Google if we have a good-faith belief that access, use, preservation or disclosure of the information is reasonably necessary to:

  • meet any applicable law, regulation, legal process or enforceable governmental request.
  • enforce applicable Terms of Service, including investigation of potential violations.
  • detect, prevent, or otherwise address fraud, security or technical issues.
  • protect against harm to the rights, property or safety of Google, our users or the public as required or permitted by law.

These three sections are drawn from different parts of Google’s Privacy Policy and, between them, they give Google permission to share fairly comprehensive information it has about you with law enforcement authorities as well as to use that information itself to, among other things, “protect” its services, itself and its users. This is a fairly broad term and this is likely intentional. When you write these sorts of policy documents, you don’t want to be too prescriptive if you anticipate requiring fairly broad consents for a wide range of foreseeable risks and to cater for unforeseen risks.

Yahoo

Yahoo’s webmail service is still very popular. While Yahoo’s privacy policy tends to be pretty good about handling users’ personal information, it also retains fairly broad permissions in its Privacy Policy (I added some emphasis):

Yahoo does not rent, sell, or share personal information about you with other people or non-affiliated companies except to provide products or services you’ve requested, when we have your permission, or under the following circumstances:

  • We believe it is necessary to share information in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of Yahoo’s terms of use, or as otherwise required by law.

Apple

Although not as popular as the other providers, Apple’s tight service and software integration makes its iCloud email service a convenient option, especially because its possible to create an email account on iCloud without requiring another email account first (which is increasingly rare). When you use Apple’s products and services, your consents include the following:

How we use your personal information

  • We also use personal information to help us create, develop, operate, deliver, and improve our products, services, content and advertising, and for loss prevention and anti-fraud purposes.

  • We may also use personal information for internal purposes such as auditing, data analysis, and research to improve Apple’s products, services, and customer communications.

Where this leaves you

<

p>Public events like the Oscar Pistorius trial and, before it, the ongoing revelations about state surveillance programs over the last year or so, have reminded us that our private communications are not quite as private as we may have hoped. Our privacy is protected more by obscurity and because our communications, for the most part, are not the sorts of things others would be terribly concerned about.

Our trust and the possibility of severe reputational harm keep the likes of Google, Yahoo, Microsoft, Facebook and others generally honest although, as we have seen with Microsoft, they may be prepared to break that trust if the reason is compelling enough to them. They will invariably point to the permissions we give them in our contracts with them and they’ll be quite right. We have agreed to this and we’ll continue being in agreement with them having this level of access to our data because the alternatives are not nearly as convenient.

Smarter sharing choices and your online reputation

Nokia Lumia launch-50

When people think about online reputation management they frequently think about expression on social services like Twitter and Facebook. Equally important is the link between online sharing and reputation. Microsoft published a report last month titled “Online Reputation Management Is a Two-Way Street” which considered the impact public sharing has on reputation. The report has some interesting findings –

  • While 91 percent of people have done something to manage their overall online profile at some point, 67 percent feel in control of their online reputation, and 44 percent of adults actively think about the long-term consequences of their online activities.
  • 14 percent of people believe they have been negatively impacted by the online activities of others, even unintentionally so. Of those, 21 percent believed it led to being fired from a job, 16 percent being refused health care, 16 percent being turned down for a job, and 15 percent being turned down for a mortgage.

Taking more effective steps to safeguard your reputation means being more circumspect about what you share and with whom. As Microsoft’s Chief Privacy Officer points out –

“Your online reputation is shaped by your interactions in the online world and spans the disparate and varied data about you, whether created and posted by you or others. This information can have a lasting presence online, and can affect your life in many ways – from maintaining friendships, to helping you keep or land a new job,” says Microsoft’s chief privacy officer Brendon Lynch.

Some practical steps you can take to better protect your reputation and your privacy include the following:

  • Familiarise yourself with your social service’s privacy controls and adjust them to suit your preferences (there is nothing wrong with only sharing your Facebook posts with your friends and family);
  • Read and take notice of your social service’s privacy policy (modern privacy policies are written in plain language and have important information about what personal information is collected and what is done with it);
  • Take the time to also read your social service’s terms and conditions (these documents look like long, rambling torture devices but some of the clauses are very important – these include the content licensing provisions which set out the permissions you grant in respect of your content);
  • Search for yourself using various search engines to see what comes up (this sounds vain but knowing what is associated with you online is a basic reputation management technique – companies use paid online reputation management services, you can use free services like Google Alerts and saved searches on Twitter to do some cost effective tracking of your own if the commercial services are out of your price range);
  • Think carefully about making public statements or expressing your opinion on a topic if doing so may cause offence; and
  • Perhaps one of the most understated and most effective privacy controls you have is not to share in the first place (simply put, don’t share anything you wouldn’t want to be made public and appear in search results when someone searches for your name).

Privacy, as is secrecy, is a rarity and we share more and more each day (roughly 50 million tweets per day and Facebook had 845 million users at the end of December 2011). Moreover, there is an increasing number of services that can create aggregated profiles based on information drawn from a variety of online sources. If your reputation is important to you, it is essential that you start paying attention to what you share and think carefully about the possible ramifications for your reputation in the months and years to come.