When we sign up for an email service, we naturally assume a certain level of privacy. Forget that it's a free service to begin with, or the fact that we breezed through that whole privacy policy business. But what about paid email providers? Those are encrypted and completely out of the hands of wanna-be hackers and NSA-esque government officials. Surely those are secure, right? Yeah, not so much.
MIT Technology Review points out the fundamental weaknesses of email providers when it comes to privacy:
When Lavabit—an e-mail service used by National Security Agency leaker Edward Snowden—suspended service last week amid hints that it had received a government demand for information, a competing service called Silent Circle made a draconian decision: to obliterate all of its customers’ stored e-mail.
First, even if an e-mail service encrypts messages for secrecy, as Lavabit and Silent Circle did, the e-mail headers and routing protocols reveal who the senders and receivers are, and that information can be valuable in its own right. And second, the passcodes used as keys to decrypt messages can be requested by the government (if held by the e-mail company) or simply stolen by sophisticated malware.
Lavabit’s founder, Ladar Levinson, says he suspended operations rather than be “complicit in crimes against the American people.”
Still, services like Lavabit and Silent Circle are far more secure than free services like Gmail. Not only because the founders of these services are on a personal mission to protect their customers' privacy at all costs, but because they also keep your e-mail encrypted 24/7 except when you are reading and writing it at your computer. Gmail only encrypts messages while they're being transmitted over the network. After that, they're openly stored on Google servers in order to target you with user-specific ads.
Just today, Google's legal team made it crystal clear that Gmail users should have “no legitimate expectation of privacy in information [they] voluntarily turn over to third parties”. So maybe the demand for online privacy just isn't there. Or maybe people aren't sure how, at this point, to best protect themselves. Either way, Google didn't really tell us anything we shouldn't already know: If you're not paying for it, you're not the consumer. You're the product being sold. Email services that are offering you a free account WILL end up making their money somewhere along the way. Usually that means selling your information.
So while no email provider is 100% protected against prying eyes, it's up to you to decide which steps are important enough to take in order to increase your online security.