Email, the Cloud and Privacy

When you send an email, as when you send a letter through the postal system, you are relying on the operator of the system to deliver your email or letter to the recipient you specify and not to anyone else. The operator of a postal system must have a licence and is subject to regulation. With email the situation is more complex because a number of different Internet Service Providers (ISPs) will be involved.

Access provider ISPs provide Internet access, connecting users to their network by telephone wires, fibre-optic cable, or using 4G mobile data.

Hosting ISPs may provide services such as web-hosting (e.g. Google Sites), and cloud storage services (e.g. Google Drive) as well as email servers to send, receive, accept, and store email (e.g. Gmail). Many hosting ISPs are also access providers (e.g. BT) while others are not (e.g. Google). Some large organisations such as universities and large businesses provide their own hosting ISP.

Transit ISPs provide large amounts of bandwidth for connecting hosting ISPs and access ISPs. Just as their customers pay them for Internet access, ISPs themselves pay upstream ISPs for Internet access. An upstream ISP usually has a larger network than the contracting ISP or is able to provide the contracting ISP with access to parts of the Internet the contracting ISP by itself has no access to. In the simplest case, a single connection is established to an upstream ISP and is used to transmit data to or from areas of the Internet beyond the home network; this mode of interconnection is often cascaded multiple times until reaching a tier 1 carrier. In reality, the situation is often more complex. ISPs may have separate connections to an upstream ISP at multiple points or they may be customers of multiple upstream ISPs and may have one or more connections to each of them. 

Letters sent via a UK postal provider from one UK address to another UK address will never leave the UK. A letter from York to Canterbury might be routed via London but would never be routed via Paris. It is different with Email: if both you and the person you are sending an email to are both using computers or other devices in the UK and you both use mailboxes provided by hosting ISPs in the UK then the route taken by your email will probably be wholly within the UK, but even this is not guaranteed. The internet is a network of connections and the routing of traffic can vary. If there is a fault on one connection, traffic will automatically be diverted. Traffic can also be rerouted over under-utilised connections as part of load balancing. This can result in UK to UK traffic being "tromboned" so that an email from a Birmingham mailbox provider to a London mailbox provider might be routed via Paris. Of course if either mailbox provider is actually in another country - e.g. Gmail in the U.S.A. - then the email's route will, of course always include that, and possibly other, countries in addition to the UK.

The fact that multiple ISPs are involved in virtually every email transmission increases the risk of there being one ISP, out of all the ISPs involved, which might not respect your privacy. And the matter is further complicated if the ISPs are in different countries because the data protection laws may vary from country to country providing more or less or, at least, different legal protection. 

Similar issues apply to cloud storage providers such as Google Drive particularly if the data is stored outside the UK but, that said, most people with ordinary legal cases (cases not involving matters of State or trade secrets, for example) consider the risk of using email and cloud storage to be an acceptable risk and, unless you tell me otherwise, I will assume that If you send me emails then you are content for me to send you emails and to store data on Google Drive.   

This page was lasted updated in January 2019          Disclaimer