Net gain for surfers

Wired: Just how private are your e-mails when they end up in a webmail site like Google's Gmail, or Hotmail - or even your ISP's mail server, waiting for you to download them? A little bit safer since the beginning of this week. A US federal appeals court in Ohio decided for the first time that e-mail is protected by the US constitution's prohibition against unreasonable searches and seizures, writes Danny O'Brien.

It's a key decision in online privacy, with ramifications way beyond the midwest states of the US that the court governs. A relatively conservative circuit of the US legal system, the Sixth Circuit's decision may well encourage other parts of America to agree with its judgment. If the US government appeals, it could reach the Supreme Court, but either way courts and legislators all over the world will be watching.

And I, for once, hope they listen to American judges, rather than some of the geek criticism that followed the decision.

The judgment came in Warshak vs. the United States. Warshak had asked the court to rule on the lawfulness of the government seizing the contents of his e-mail account without giving him a chance to object in court.

It wasn't a hypothetical issue: law enforcement investigators had twice obtained his private e-mails in the past, as part of an investigation into his company, Berkeley Premium Nutraceuticals.

The judges decided that Warshak had a reasonable expectation of privacy in his e-mails, and therefore they could not be obtained by the police without a warrant and probable cause.

Other countries don't make as big a deal of "reasonable expectation of privacy" in deciding their laws as the US - but that's because it's usually part of the original legislative structure. The cultural norms of what should and shouldn't be private dictate what the law says is private.

We're no longer shocked when CCTV footage is used in investigations (unlike in the US), because many of us have accepted that sacrifice to privacy. But we'd be understandably shocked if it was known that the police had blanket rights to start rifling through recordings of all our telephone calls. For us, a telephone call is private and the law reflects that.

But it takes a while for the law to catch up with our latest technologies. And sometimes, our society runs ahead even of how our technology was expected to be used.

Should mobile phone text messages be private? They weren't intended to be private when they were first invented - but I think most of us who have sent a salacious piece of gossip or worse would prefer they be kept as secret as our mobile phone calls.

So it is, oddly, with e-mail. The truth is, e-mail isn't usually very private. It's sent in what computer experts call "plaintext", which is to say almost anyone between you and the final destination could sneak a look at it. The old saying was that e-mail was about as private as a postcard.

The tech solution to this was always to encrypt. An encrypted message is unbreakable by anyone, except its intended recipient. Even law enforcement or the dreaded United States code-crackers, the National Security Agency (NSA), don't have the resources to break a well-encrypted e-mail.

And sure enough, some of our online communications are encrypted, most notably our banking and other financial interactions (that's what the little lock symbol that appears in browsers signifies).

But due as much to historical accident as anything more sinister, encryption isn't widely used in internet software.

For a long time, the ideas behind secure encryption were forbidden from being exported from the United States, and were classed as a "munition" by that government. Rather than get caught up in paranoid government red tape, most American developers chose to leave encryption out of their software.

That means most of our internet communications, including e-mail, are vulnerable to snooping by our governments as much as our fellow citizens.

The Warshak judgment was followed by a surprising backlash among some geeks who said that given that everyone should know that e-mail was insecure, anyone who expected it to remain secret had only themselves to blame. In other words, the defendant should have expected the government to pore over his e-mail, simply because it was technically possible.

That's a very geeky frame of mind. Fortunately, US law and other legislators work to a different principle. It doesn't matter how easy it is to read e-mail; or snoop inside a home; or tap a phone; or track the movements of your mobile phone; or collect your text messages; or rifle through your luggage between airports; or watch your laptop keypresses remotely: if we expect privacy, we should damn well get it.

Certainly, businesses who are worried about interception should look into and implement encryption solutions. But for those of us who might not have the time, or are not yet worried about possibly being monitored, it's far better that the law protects us until technology reliably does so. And for now, the law looks like it's moving in the right direction.