Email Privacy: Is it Even Possible?

Although studies show that young people are abandoning email in favor of text messaging and IM programs for social communications, businesses and many of us "oldies but goodies" continue to depend on email for exchanging messages with family, friends, co-workers, clients and others. Some of the information we put in email is personal, and some of it is even subject to laws such as HIPAA or the GLB Act that mandate we protect it from unauthorized disclosure. So the subject often comes up: just how private is email, and what can we do to make it more so?

In the past, we've discussed how the nature of email communications makes it easy for them to be intercepted. Sending an unencrypted email over the Internet is like sending a post card through the postal system - anyone who happens upon it along the way can read it. Of course, you can use encryption program such as Pretty Good Privacy (PGP) to make it more difficult for anyone but the intended recipient to open the mail.

But then another problem arises: how do you protect against the recipient him/herself divulging the contents of your mail to others, either intentionally or accidentally? Or what if the message goes awry; for example, you mistype one letter in the address and the mail is sent to the wrong address? It's obvious that people are worried about this, because more and more companies are adding disclaimers to some or all of the messages sent from their networks. These messages usually read something like this:

"If you are not the intended recipient of this e-mail, please notify the sender, delete it and do not read, act upon, print, disclose, copy, retain or redistribute it."

Reader Kip M. recently wrote to ask what legal obligation this actually places on a person who receives such a message. I'm not an attorney, and this is by no means legal advice, but the attorneys I've talked to about this acknowledge that in most cases, companies do this primarily for the purpose of "covering their own behinds" in case a message ends up in the wrong hands. The appended disclaimer indicates that they took steps to make it clear that the message was confidential.

Of course, if an email containing national security secrets fell into your hands and you published it in a letter to the editor of the New York Times, you might face some serious legal repercussions. And of course, under the U.S. civil court system, anyone can pretty much sue anyone for anything (with some specific limitations), so it's possible that a company could bring a lawsuit against you if you forwarded a copy of their confidential mail to the wrong person. In a world where big record companies sue elderly grandfathers who don't own computers for music piracy, anything can happen.

From the point of view of those who want to keep information private, disclaimers are of dubious value in accomplishing that. I see forwarded messages all the time that contain the disclaimers. And of course, since the disclaimer is usually added to the end of the message, it's a bit unreasonable to demand that the recipient not read the message that he already read before getting to the disclaimer.

If you do elect to use disclaimers, it might make more sense to put them at the beginning of the message instead of at the end. And if you're really serious about it, put the disclaimer in the body of the email and put the confidential message itself in an attachment; at least then it's possible for the recipient to do what you're asking (not open the message). Better yet, password protect that attachment.

Yet none of this keeps the intended recipient from forwarding, copying or printing that message. There are ways to technologically control that to some extent, by using a software solution such as Microsoft's Rights Management Services (RMS). With RMS, which is supported by the Professional version of Office, you can set permissions on messages you send in Outlook that prevent the recipient from forwarding, copying or printing the message. Those options are simply grayed out. You can even set the message to "expire" after a particular time; even the user won't be able to open it once it's expired.

RMS sounds great, and it does prevent easy, casual, often mindless "clicking and forwarding." However, it requires an RMS server, and if the recipient is really determined to breach your privacy, RMS won't stop it. He can just open the message and hit PrtScn to capture a screenshot that can be saved, printed and sent to others - or even take a picture of it with a digital camera, for that that matter.

Bottom line: it's still wise to treat email as a non-private medium. There are a lot of things you can do to increase privacy, but as long as another person (the recipient) is able to open your messages - and what would be the point of email if they couldn't? - there will always be a weak link.

What do you think? Do you pay any attention to disclaimers? Do you use disclaimers on your own messages, or does your company add them automatically to outgoing mail? Do you think they do any good? Under what circumstances, if any, would you consider suing someone for disclosing an email message you sent to them? If a service like RMS were available to you, would you use it? Do you encrypt some or all of your email messages? Should a law be passed making it illegal to read someone else's email without permission (like the laws regarding opening postal mail) or would that create more problems than it would solve?