The press has been piling on to Google in the past couple of days using the quote that “a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties”. However, this is somewhat misleading without further explanation.

In a lawsuit, Google’s attorneys were quoting a court case from 1979, Smith v. Maryland, where the court noted that “persons communicating through a service provided by an intermediary (in the Smith case, a telephone call routed through a telephone company) must necessarily expect that the communication will be subject to the intermediary’s systems”.

So, Google isn’t saying that its staff are free to read your emails, but that all your emails will pass through its systems, and be scanned by its computers as part of the normal process of delivering them. All, or almost all, email providers do this anyway: it’s one of the ways they identify spam emails and put them in a junk folder. In Google’s case, and some others, your emails are also scanned for keywords that trigger the advertisements shown against them. I assume most Gmail users already know this, and they may agree with Google that it’s better to have relevant ads than irrelevant ones.

The wider problem

Unfortunately, the privacy problem is much more serious than reading emails. First, email generates a lot of metadata about which people you email — and which people they email — that goes far beyond the contents of email messages, which are mostly harmless. See “What your metadata says about you”, a Boston Globe interview with MIT Media Lab professor César Hidalgo.

Second, last year, Google changed its privacy policy so that it can now cross-reference data across all of its services. This prompted some class-action lawsuits. If Google can tie together what it knows about you from your email and calendar, the directions you get from Google Maps, and so on, then you might as well just use Google Now and forget you ever had any privacy at all.

The alternatives, Outlook?

Microsoft is just like Google in using a single ID for multiple services, and its privacy policy says: “information collected through one Microsoft service may be combined with information obtained through other Microsoft services”. Same problems.

Since both Google and Microsoft are based in the US, if you are not a US citizen your data is vulnerable to American snooping, and I wouldn’t expect Microsoft to put up more of a fight than Google. Just the reverse, in fact. However, it’s a moot point. Following the Snowden revelations, no data held online by any American company can now be considered private, and this could include any site running in the .com domain. Given the apparent complicity of the British secret services, I’d assume it also applies to data held online by any UK service providers.

Encryption – PGP / GPG

You could, of course, encrypt all your emails, or use a secure mail service provider. One of the simplest ways to encrypt emails is to use the PGP-based

Finding a secure service may be even harder. Last week, Lavabit’s owner shut down his email service, saying: “I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations.” Silent Circle promptly followed suit, saying: “We see the writing the wall, and we have decided that it is best for us to shut down Silent Mail now.”