Skip to content

Email, then and now

January 21, 2014

email-logoEmail has long been hosted for people and businesses.  Your cable TV Internet connection comes with some hosted email, hosted by the ISP which can be the cable company or a third party.  You have access to Gmail, Hotmail,, Yahoo and a forest of other hosted email solutions.  So this saves you from having to host your own email for your business, right?

Well, in a word, no.

Before going any further here I need to state clearly that I am not a lawyer and this is not legal advice.  This article is focused on the security and sanctity of your email communications and nothing more, but I am going to delve into some legal concepts and terminology which could be misconstrued as legal advice.  It is not meant as such and I am not qualified to give such.

The Electronic Communications Privacy Act was signed into law in 1986 and it clearly states that electronic communications that are not removed from a third-party server for 180 days are considered to be abandoned and a search warrant is not required to access these items, just a subpoena.  Back in 1986 most email services were used with POP access and email was downloaded and stored on the user’s computer almost immediately.  Anything that was still on the server after 180 days probably was abandoned.  Today, with web mail services, hosted Exchange services and others email is often left on a third-party server for considerable lengths of time.  180 days is a drop in the bucket for most Gmail users.

If, however, your email is stored “locally” or on a server you control then it is protected for all time.  A search warrant is required to gain access to it.

So?  Well, there are two considerations here.  The first is law enforcement and the second is civil discovery.  For law enforcement a search warrant has a much higher requirement.  To get a search warrant a judge must find that the petitioner has probable cause – without that, no search warrant.  In many cases probable cause isn’t that hard to come by, but it is a standard that prevents fishing expeditions where a law enforcement agency believes you have committed a crime but has no proof of such a crime.  If there is sufficient motivation there, they can fish around for the necessary proof and anything that can be accessed by a subpoena is fair game for such fishing, but no judge is going to authorize a search warrant based on suspicion and guesswork.

The second consideration here is perhaps more important for businesses.  Anyone filing a lawsuit against you or your business is granted a limited subpoena power for discovery.  This would certainly include email more than 180 days old on a third party email service, such as Gmail or Hotmail.  This is not to say that email on your 0wn server is immune from civil discovery – far from it as many litigants have found out.  However, access to such email is going to be governed by more strict rules and the plaintiff is going to have to show proof that such email is needed for their case.  Mere suspicion is not going to be sufficient, and it may be negotiated that the email must be reviewed by a neutral party and only those items which are pertinent to the case will be turned over.

What does all of this mean?  Basically that your email stored on a third-party server is not considered very private and can be easily accessed almost by asking for it, but email stored on your own server is considered private and can only be accessed with the permission of a judge with the petitioner showing good reason why such email should be made available.

If you believe you have nothing to hide from law enforcement, please do not forget the second consideration: civil discovery.  Your third-party hosted email is far more available for civil discovery and in the USA getting sued is unfortunately common.  Are you sure the email you have sent and received is not going to reflect badly if it is disclosed during a lawsuit?

This came up recently when a computer service company was engaged to upgrade a server here at InfinaDyne.  They strongly advised moving to an externally hosted email solution and eliminate the Exchange server.  It would be easier to maintain and we wouldn’t have to tie up huge amounts of disk space for email.  However, it would also open us up to having any email 180 days old or older examined under the circumstances described above.  This would not only affect our internal operations but would also potentially affect our customers and any communications with them.  Clearly, any customer that had communicated with us in prior years could have email that is saved and this could be significant if they were sued or the subject of law enforcement actions.  By having our email hosted internally the 180 day rule is removed and a search warrant or very specific civil discovery subpoena would be required to access anything we are holding.

I elected to go for the greater effort and expense of hosting our own email.  It also made some things easier to do in the future that wasn’t a consideration originally but has turned out to be a nice side benefit.

At this point you might want to be thinking about a data retention policy and going to send me off a comment about how we should not be keeping customer communications indefinitely but deleting them after some point in time.  After all, we are not subject to requirements for keeping such email forever.  This is true – and we probably should have clear guidelines for all employees about saving such email.  It is also true that people do not always follow such guidelines, even if you make them print them out and sign them saying they read them.  And often the worst offenders of such guidelines are the executives of a company.  If you don’t have a policy about how long to keep email, you might want to be thinking about creating such a policy but also dealing with ways to either enforce it or to handle it not being followed.

Another consideration here for Gmail users is that Gmail has made it somewhat difficult to really eradicate email.  Typically, email on Gmail isn’t deleted but it is archived, so even if you do have a data retention policy Gmail isn’t doing you any favors about sticking with that.  If you are using Gmail or Gmail services for your email you may want to make sure you are indeed going the extra mile to delete the email that should be deleted both the “Inbox” sort and the “Sent Items” sort.

No comments yet

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: