Everyone (or almost everyone) knows that the e-mail you send and receive at work, using your employer's computers and network, isn't really private: The company and your boss have the right to both monitor and read what you're sending and receiving. But if you're like me, you probably thought that the ISP you use at home--and by extension those who work there--doesn't have the same right. We're wrong: they do.

At least that's what a recent court ruling says. Apparently, a strict reading of the laws that supposedly protect our private communications--principally 1968's Wiretap Act (Chapter 119 of Title 18) and one of the subsequent amendments to it, 1986's Electronic Communications Privacy Act--in effect denies e-mail the kind of privacy protection from law enforcement agents that other forms of personal communication have.

What's more, the laws give ISPs pretty much the same right to read and monitor your e-mail that you have.

In Transit vs. Stored

About a month ago, in U.S. vs. Bradford C. Councilman, the U.S. First Circuit Court of Appeals ruled that an ISP wasn't covered by the Wiretap Act if it chose to snoop into its users' e-mail because the e-mail messages are stored on its servers.

Councilman worked for a company called Interloc, a rare book listing service that also provided Internet access (the company was subsequently bought by Alibris). He ordered a modification to their e-mail handling program so that his company could identify and copy itself on e-mail sent to its users from certain domains, such as Amazon.com, in order to get a competitive advantage.

However, according to the Wiretap Act, an ISP is not allowed to intercept your e-mail and read it or otherwise use its contents. So the federal government prosecuted. Councilman argued that he didn't intercept anything, as the e-mail messages were no longer in transit: They were stored in the RAM or the hard drive of the company's computers. Both the district and appellate courts in Massachusetts agreed.

Why should the location matter? Well, it matters because the law treats stored e-mail messages differently from ones in transit. I kid you not.

Stored e-mail messages fall under the guidelines set out in 1968's Stored Communications Act (Title 18, Chapter 121). Its restrictions on both ISPs and law enforcement agents are less stringent than the rules governing communications under the Wiretap Act. And while wiretap laws don't allow ISPs to read your e-mail, the Stored Communications Act's rules do.

Like so many other things in law, it all comes down to language and definitions--in this case the definitions of transit, transmission, and interception. For the wiretap rules to apply, your e-mail has to be intercepted, which means it has to be in transit.

If I were asked, I'd say an e-mail is in transit as long as it hasn't actually been downloaded to my in-box: It hasn't reached me, so it's still traveling. It's like a package: Those new CDs I've ordered from Amazon.com are still in transit until they're in my hands, although technically they may be stored at the local UPS depot awaiting rescheduled delivery because I wasn't home the first time.

However, the way the laws are worded--and the way they've been interpreted by the courts--defines transit as a very limited state for electronic communications: It's only that tiny portion of time it takes an e-mail message to pulse through telecom pipes between periods when it's stored on the servers that route e-mail traffic from sender to receiver. Storage is quite broadly defined in these laws. It includes all kinds of momentary storage: for example, on a server or in a PC's RAM, or even its cache. So e-mail is considered to be "in storage" nearly all of the time.

Welcome to the wacky world of law.

Consistent Protection in the Works

Although the decision in U.S. vs. Councilman does give ISPs the right to snoop into users' e-mail practically anytime they want to--and significantly eases access to private e-mail for law enforcement agents--it's really something of a red herring, says Kevin Bankston, an attorney for the Electronic Frontier Foundation. The real problem, he says, is that the Stored Communications Act and the Wiretap Act treat and regulate access to e-mail so differently, when they should protect e-mail in the same way.

The problem is quite specifically limited to e-mail. Voice mail, for example, is explicitly protected under wiretap laws even when it's stored. E-mail isn't.

At least some Congressional representatives think this not-so-little discrepancy should be resolved, and a new bill (H.R. 4956) proposed in late July should help do just that. The E-Mail Privacy Act of 2004 would place e-mail, even while it's stored, basically under the interception rules for wiretaps, and would also help prevent ISPs from accessing users' e-mail messages beyond what's needed for the service to function. And, yes, there are times when it is necessary--desirable even--for ISPs to have such access.

Not All Monitoring Is Bad

There are certain kinds of e-mail scanning and filtering that I want my ISP to perform. It can--and should--go to town on spam, and I'm grateful for any virus or worm scanning that goes on before my local protection kicks in. In my mind, that's part of the service I'm paying for. And what do you know? The laws actually agree with me. ISPs are allowed to perform functions like this because such actions are considered part of their normal course of business, or serve to protect their business or equipment.

H.R. 4956 would have no effect on that. In case you're wondering, Google's controversial GMail wouldn't be affected under the new bill either. Users know exactly what they're getting into when they sign up, so they have given consent to GMail's computerized snooping.

That informed opt-in for GMail makes it okay in my book, too. But Councilman acted without the knowledge or consent of users. ISPs already enjoy a certain privileged position in the eyes of the law: They're exempt from responsibility and liability for what their users say in the e-mail the service handles. That privilege exists for good reason: They need that freedom to operate the service and consequently allow you and me to exercise our free speech via this medium. But the unrestricted right to scan, read, or copy the e-mail they process--without user knowledge or consent--serves no comparable good. It's time to close that loophole.

Got a question or comment? Write to Anush Yegyazarian.