Email, the Cloud and Privacy


When you send an email, as when you send a letter through the postal system, you are relying on the operator of the system to deliver your email or letter to the recipient you specify and not to anyone else. The operator of a postal system must have a licence and is subject to regulation. With email the situation is more complex because a number of different Internet Service Providers (ISPs) will be involved.

Access provider ISPs provide Internet access, connecting users to their network by telephone wires, fibre-optic cable, or using mobile data (e.g. 5G).

Hosting ISPs may provide services such as web-hosting (e.g. Google Sites), and cloud storage services (e.g. pCloud) as well as email servers to send, receive, accept, and store email (e.g. Gmail). Many hosting ISPs are also access providers (e.g. BT) while others are not (e.g. Google and Microsoft). Some large organisations such as universities and large businesses provide their own hosting ISP.

Transit ISPs provide large amounts of bandwidth for connecting hosting ISPs and access ISPs. Just as their customers pay them for Internet access, ISPs themselves pay upstream ISPs for Internet access. An upstream ISP usually has a larger network than the contracting ISP or is able to provide the contracting ISP with access to parts of the Internet the contracting ISP by itself has no access to. In the simplest case, a single connection is established to an upstream ISP and is used to transmit data to or from areas of the Internet beyond the home network; this mode of interconnection is often cascaded multiple times until reaching a tier 1 carrier. In reality, the situation is often more complex. ISPs may have separate connections to an upstream ISP at multiple points or they may be customers of multiple upstream ISPs and may have one or more connections to each of them. 

Letters sent via a British postal provider from one address in Great Britain to another will never leave the UK. A letter from York to Dover might be routed via London but would never be routed via Calais. It is different with Email: if both you and the person you are sending an email to are both using computers or other devices in Great Britain and you both use mailboxes provided by hosting ISPs in Great Britain then the route taken by your email will probably be wholly within the UK, but even this is not guaranteed. The internet is a network of connections and the routing of traffic can vary. If there is a fault on one connection, traffic will automatically be diverted. Traffic can also be rerouted over under-utilised connections as part of load balancing. This can result in UK to UK traffic being "tromboned" so that an email from a Birmingham mailbox provider to a London mailbox provider might be routed via Paris. Of course if either mailbox provider is actually in another country - e.g. Gmail in the U.S.A. - then the email's route will, of course, always include that, and possibly other, countries in addition to the UK.

The fact that multiple ISPs are involved in virtually every email transmission increases the risk of there being one ISP, out of all the ISPs involved, which might not respect your privacy. And the matter is further complicated if the ISPs are in different countries because the data protection laws may vary from country to country providing more or less or, at least, different legal protection. Nevertheless most people with ordinary legal cases (cases not involving trade secrets, for example) consider the risk of using email to be an acceptable risk particularly if the mailbox provider itself (where copies of emails sent and received are permanently stored) is within the UK jurisdiction or, at least, is within the Common Travel Area or European Economic Area.

Cloud Storage

You may come across cloud storage providers if you use them directly or you may be using them indirectly by using specialist services, such as legal document management/bundle production services (e.g. Bundledocs and Caselines) or PDF services (such as Sejda) which will also store your data on cloud storage. 

The question of differing legal protection in different countries, as mentioned above in the context of email, also applies, of course, to data stored with cloud storage providers which store data outside the UK.  

File Transfer services

The size (in MB) of files which can easily be sent as email attachments is limited so, for large files, file transfer services are often used. When using a file transfer service you upload the files to the service and then an email is sent to the intended recipient. The email does not contain the files as attachments but simply contains a download link which, when the recipient clicks on it, will download the files from the servers, in whatever country they are located where the file transfer service has temporarily stored them. Most file transfer services allow you to load files using their website or using an app which you can install on your computer but even if you use an app the data is, of course, still stored temporarily on the servers in whatever country they are located, and the data, when being uploaded/downloaded may be routed through ISPs in other countries. 

This page was lasted updated in June 2020          Disclaimer