Emails are digital communications sent from an account on an internet-connected device via service provider servers, transmitted across networks, and accessed by the receiver through an account on an internet-connected device. At each of these points, there is the potential for personal communications to be compromised.
This includes unauthorised access to email accounts or devices, or the scanning or interception of emails while in transit or when stored.
So, who's doing it? Edward Snowden has revealed how the United States government and its Five-Eyes partners, including Australia, have been involved in the widespread surveillance of online communications, including emails.
This occurred through gaining access to systems and servers maintained by the world's largest technology companies and intercepting undersea fibre-optic cables to monitor global internet traffic.
Law enforcement and security companies have also attempted to deputise email service providers to gain access to, or scan, emails. There has been an ongoing challenge between the Federal Bureau of Investigation and Microsoft regarding access to email content stored in Irish data centres.
Last year, it was reported that Yahoo scanned hundreds of millions of emails at the behest of US security agencies.
Email providers may also be scanning emails for online behavioural profiling to develop targeted advertising.
This is known as “surveillance capitalism”, where the aim is to understand behaviour and preferences with a view to selling something.
Indeed, the largest email service providers do engage in email scanning, as is evident from Google's terms of service, which state: “Our automated systems analyse your content (including emails) to provide you personally relevant product features, such as customised search results, tailored advertising, and spam and malware detection. This analysis occurs as the content is sent, received, and when it is stored.”
Given the above, it is often said that sending an email is rather like sending a postcard.
The best way to protect email privacy is via end-to-end encryption and strong account passwords.
Encryption converts information into a code that secures email content at the sender's and receiver's ends, meaning that an email intercepted in transit cannot be read.
There are numerous email providers that offer free end-to-end encryption, such as ProtonMail and Tutanota.
Another way that email accounts can be accessed is via compromised credentials.
Unauthorised access to email accounts is possible, particularly when weak or reused passwords are used.
A password manager can assist with the organisation of passwords. Multi-factor authentication should also be considered.
Ultimately, email privacy depends on who has access to the devices used to send and receive emails, the strength of passwords used to secure email accounts and whether emails are encrypted.
Without encryption and strong password protections, email is not very private, and should not be used to send sensitive material.
Dr Monique Mann is a member of the Australian Privacy Foundation board of directors, and a lecturer at Queensland University of Technology’s School of Justice.