Email, the Cloud and Privacy


When you send an email, as when you send a letter through the postal system, you are relying on the operator of the system to deliver your email or letter to the recipient you specify and not to anyone else. The operator of a postal system must have a licence and is subject to regulation. With email the situation is more complex because a number of different Internet Service Providers (ISPs) will be involved.

Access provider ISPs provide Internet access, connecting users to their network by telephone wires, fibre-optic cable, or using 4G or 5G mobile data.

Hosting ISPs may provide services such as web-hosting (e.g. Google Sites), and cloud storage services (e.g. MEGA and pCloud) as well as email servers to send, receive, accept, and store email (e.g. Gmail). Many hosting ISPs are also access providers (e.g. BT) while others are not (e.g. Google and Microsoft). Some large organisations such as universities and large businesses provide their own hosting ISP.

Transit ISPs provide large amounts of bandwidth for connecting hosting ISPs and access ISPs. Just as their customers pay them for Internet access, ISPs themselves pay upstream ISPs for Internet access. An upstream ISP usually has a larger network than the contracting ISP or is able to provide the contracting ISP with access to parts of the Internet the contracting ISP by itself has no access to. In the simplest case, a single connection is established to an upstream ISP and is used to transmit data to or from areas of the Internet beyond the home network; this mode of interconnection is often cascaded multiple times until reaching a tier 1 carrier. In reality, the situation is often more complex. ISPs may have separate connections to an upstream ISP at multiple points or they may be customers of multiple upstream ISPs and may have one or more connections to each of them. 

Letters sent via a UK postal provider from one UK address to another UK address will never leave the UK. A letter from York to Canterbury might be routed via London but would never be routed via Paris. It is different with email: if you and the person you are sending an email to are both using computers or other devices in the UK, and you both use mailboxes provided by hosting ISPs in the UK, then the route taken by your email will probably be wholly within the UK, but even this is not guaranteed. The internet is a network of connections and the routing of traffic can vary. If there is a fault on one connection, traffic will automatically be diverted. Traffic can also be rerouted over under-utilised connections as part of load balancing. This can result in UK to UK traffic being "tromboned" so that an email from a Birmingham mailbox provider to a London mailbox provider might be routed via Paris. If either mailbox provider is actually in another country (e.g. Gmail in the U.S.A.) then the email's route will, of course, always include that country, and possibly others, in addition to the UK.

The fact that multiple ISPs are involved in virtually every email transmission increases the risk of there being one ISP, out of all the ISPs involved, which might not respect your privacy. And the matter is further complicated if the ISPs are in different countries because the data protection laws may vary from country to country providing more or less or, at least, different legal protection. Nevertheless most people with ordinary legal cases (cases not involving trade secrets, for example) consider the risk of using email to be an acceptable risk particularly if the mailbox provider itself (where copies of emails sent and received are permanently stored) is not outside the UK jurisdiction.
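You can see which mail servers handled a particular email by reading its "Received" headers, which each server adds as it accepts the message. The following is an added example, not part of the original page: the message, hostnames and addresses are constructed from reserved example ranges, and the function names are illustrative. The headers record only the mail servers involved, not the network route (the access and transit ISPs) between them.

```python
import re
from email import message_from_string

# Constructed sample message; all hostnames and addresses are reserved examples.
SAMPLE = """\
Received: from filter.scanner.example (filter.scanner.example [203.0.113.7])
\tby mx.mailbox-b.example with ESMTPS id C3;
\tMon, 1 Jul 2019 10:00:05 +0100
Received: from smtp.mailbox-a.example (smtp.mailbox-a.example [198.51.100.9])
\tby filter.scanner.example with ESMTPS id B2;
\tMon, 1 Jul 2019 10:00:03 +0100
Received: from [192.0.2.10] (helo=laptop)
\tby smtp.mailbox-a.example with ESMTPSA id A1;
\tMon, 1 Jul 2019 10:00:01 +0100
From: client@mailbox-a.example
To: counsel@mailbox-b.example
Subject: Documents

Body text.
"""

# "from <sender> ... by <receiver> [... with <protocol>]" inside one header.
HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)(?:.*?\bwith\s+(\S+))?", re.S)

def mail_hops(raw):
    """Return (from_host, by_host, protocol) for each hop, oldest first."""
    msg = message_from_string(raw)
    hops = []
    # Each server prepends its header, so the list is reversed for time order.
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.search(value)
        if m:
            hops.append((m.group(1), m.group(2), m.group(3) or "unknown"))
    return hops

def operators(hops):
    """Distinct domains of the servers that accepted the message, in order."""
    seen = []
    for _, by_host, _ in hops:
        # Simplification: the last two labels stand in for the operator's domain.
        domain = ".".join(by_host.split(".")[-2:])
        if domain not in seen:
            seen.append(domain)
    return seen

if __name__ == "__main__":
    for sender, receiver, proto in mail_hops(SAMPLE):
        print(f"{sender} -> {receiver} ({proto})")
    print("Operators:", operators(mail_hops(SAMPLE)))
```

Headers below the first server you trust are written by earlier servers and can be forged, so treat the older entries as claims rather than proof.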

Cloud Storage

The question of differing legal protection in different countries also applies, of course, to data stored with cloud storage providers such as MEGA and pCloud which store data outside the UK. Some cloud storage providers provide zero knowledge encryption either as standard or as an optional extra. The idea of zero knowledge encryption is that data is encrypted before it is uploaded to the cloud storage provider. Provided the encryption is good enough to be unbreakable, or as near to unbreakable as is possible, and the private encryption key itself is not stored on the cloud storage, it does not matter if some unauthorised person is able to see the data in cloud storage because all they will see is a meaningless collection of characters.

As well as the advantages, there may be some practical disadvantages with using zero knowledge encryption. "Zero knowledge" necessarily means that you have security information which the cloud provider does not have, and raises the possibility that if you forget your password, it cannot be recovered and your encrypted data is effectively lost. Also, you are taking it on trust that a cloud storage provider which says it provides "zero knowledge" encryption really does (how do you know that what they claim is correct?). Nevertheless, most people with ordinary legal cases (cases not involving trade secrets, for example) consider the risk of using cloud storage systems as a convenient way of providing evidential documents, such as past letters and contracts, to a barrister for initial legal advice to be an acceptable risk, especially as, if litigation subsequently ensues, most of those documents (but not, of course, the written advice from the barrister itself) will probably be disclosable anyway at some point in the litigation.
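The idea described above (encrypting on your own device so that the provider stores only unreadable data and never the key) can be shown in a few lines. This is an added example, not part of the original page and not any provider's actual code: the function names are illustrative, and the HMAC-based keystream is a standard-library stand-in, used so the block runs without extra packages, for the vetted authenticated cipher (such as AES-GCM) a real client would use.

```python
import hashlib
import hmac
import os

def _keys(password, salt, rounds):
    # Derived on the user's device from the password; never sent to the provider.
    k = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds, dklen=64)
    return k[:32], k[32:]  # (encryption key, authentication key)

def _keystream(enc_key, nonce, length):
    # Stand-in stream cipher: HMAC-SHA256 over nonce + counter.
    out, counter = b"", 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(password, plaintext, rounds=200_000):
    """Encrypt locally; the returned blob is all the provider ever stores."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(password, salt, rounds)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag

def unseal(password, blob, rounds=200_000):
    """Decrypt locally; fails if the password is wrong or the blob was altered."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _keys(password, salt, rounds)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or modified data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

if __name__ == "__main__":
    blob = seal("correct horse battery", b"Letter dated 3 May")  # constructed sample
    print(blob.hex())  # what someone with access to the storage would see
    print(unseal("correct horse battery", blob))
```

Because the blob contains only the salt, nonce, ciphertext and tag, nobody holding it (the provider included) can recover the document without the password, which is also why a forgotten password means the data is lost.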

Web-based PDF services

There are a number of websites such as Sejda which provide services in relation to PDFs, such as creating PDF copies of documents originally in another format, rotating PDF pages, and changing PDF page sizes. If you use such services then, of course, your data will be transmitted to the servers of those service providers in whatever country they are located. Some of these service providers also offer a desktop alternative so that you can instead download a program and use that program on your own computer to carry out the functions without having to transmit your data to the service provider.

File Transfer services

The size (in MB) of files which can easily be sent as email attachments is limited so, for large files, file transfer services are often used. When using a file transfer service you upload the files to the service and then an email is sent to the intended recipient. The email does not contain the files as attachments but simply contains a download link which, when the recipient clicks on it, will download the files from the servers, in whatever country they are located, where the file transfer service has temporarily stored them. Most file transfer services allow you to load files using their website or using an app which you can install on your computer but even if you use an app the data is, of course, still stored temporarily on the servers in whatever country they are located, and the data, when being uploaded/downloaded may be routed through ISPs in other countries. 

This page was last updated in July 2019