Can a government submit a subpoena to Gmail asking for your emails? Unlikely, they would just answer that you are not a client of theirs and as such they don't have your emails.
Can they submit a subpoena asking Google to hand over all of the emails that your clients sent or received from your address? Sure they can. It's going to be a way harder sell to the judge and the reason and burden of proof will be that much higher, as it would essentially be closer to fishing or mass surveillance. But it's something that I can see passing for cases of national security or child abuse. Nothing I would personally worry about, but I understand if you want to wear a tinfoil hat.
Semantics and nuance matter.
https://en.m.wikipedia.org/wiki/PRISM
In 2023, Google received requests for user information for about 900,000 accounts, and complied with ~80% of them, and both numbers are on the rise.
Also, I'm not sure what seems to be contradicting here. The exception that you are brining up proves the rule. If I say that humans have five fingers in each hand, will bringing up the famous case of the sixed fingered lady be relevant at all to the discussion? Especially if I worded it specifically saying that "most" humans have 5 fingers? Check my wording, I said unlikely.
The fact is, most government agencies do not have access to your emails, let's say that the NSA does, which is debatable, great, that is 0.01% of the government, and probably 0% of companies (that are not Google), unless they submitted a subpoena as part of some litigation.
Feel free to obsess about the one or two agencies that have access to emails for national security reasons, and feel free to lump it into "THE government". But I don't think you'll ever make any important nuanced cybersecurity trade offs with that attitude, you'll just want to encrypt everything until none of your users can do shit (if you have users at all, you may not even be able to get a job because you are doubtful of sending your resume to anyone, and you might be too busy configuring your own email server instead of just using gmail and doing other productive stuff.)
I played around with it the other day. Installed actalis/digicert s/mime cert on client. Sent emails between the 2 addresses. Emails decrypted locally on clients but same message sent on webmail client is encrypted/unreadable (besides subject line)
The folks that read your e-mail and monitor your online presence do not want you to use these tools.
Google would like you to think they're a God's-eye master of reality of course... but they're not. Just another corporate flop, like IBM etc.
Seems like a pretty nice gig, being a corporate flop.
If you want secure messaging that nobody else will snoop on use an application dedicated to.. secure messaging. It's never what email was for and it's not how it's being used.
Email is auth now. People do not use email the way you are describing.
Even assuming all encryption is configured correctly at the endpoints so we can discount the risk of mid-transit interception and comprehension (do I assume CVS has encryption set up correctly on their outbound receipt emails? I do not...) People think it's like the postal network but it's more like the mail lands at the post office and they hand you a copy of it, while they retain the originals.
The idea of unsubscribing from emails from corporations and agencies is again just an act of pretense. 95% of the cases, it's not done in one click and involves a series of a few confusing steps. Even from a technology perspective, email is fucked and a legacy artifact as of today.
I would love to see a more secure protocol to replace it, where the recipient always has full control over all the messages that he can ever receive.
Every so often one sees a cri de coeur from someone who has learned this lesson the hard way when Google locks them out of their account, the key to their digital life evaporates, there's nothing they can do about it.
Alternative identifiers exist, eg handles on sites like HN, but they are second-order artifacts of the email as ID.
Given the stakes, then, you have to decide whether to try and control your identity by bulding your own infra for email (domain, mail server, dkim etc and a fair bit of hell), paying for someone to run the infra (eg getting a proton or fastmail address), and hoping they dont enshittify or fail, or letting Google or Microsoft control it and hoping you dont fall foul of them. All these options have drawbacks.
Side musing follows: I dont know what the solution to identity is on the Internet. A very long time ago, X.509 certs issued by quasi government authorities was mooted as part of a international directory system. I can see a future authoritarian state falling in love with this idea again, esp with the resulting lack of anonymity,..but also the ability to "kill" people on the Internet simply by revoking their cert.
All these things have become so essential that it's shocking that it's not regulated like a utility (or even as a right given their systemic imposition).
I was fond of how Keybase brought to life [1] identity proofs (linking and validating your different online identities) in a very easy to use platform. Pity it went away; feels like a loss for the internet.
Most communications throughout history have not been secure. Despite this, it hasn't been abused nearly as much as it could be. I'm not sure if it's because the scale is difficult, or the technical side, or nobody thinks to suggest it to the despots. It's probably a combination of things. Ironically we tend to fear the abuse of power when it doesn't happen, and then ignore or accept it when it does happen. So the fear/hang-wringing/jumping-through-hoops seems pointless.
I still believe that if you really are concerned about what you're saying, you should say it in a clandestine way. E2E encryption is like a giant red flag saying "I might be doing something shady". Asking grandma about her special cakes [when she doesn't bake] will fly under the radar unless someone is looking really hard.
Your analogy is moot.
How would you classify submarines parked next to fiber optic cables slurping up data?
And as far as I know, emails are not E2E encrypted, but they are almost always encrypted in transit. Why go through all the trouble just to get encrypted data?
Now I concede that all those things (OFC, TLS) may have vulnerabilities that can theoretically be exploited. But do you send such valuable information over the internet that it's worth their cost and effort to retrieve it? And if your answer is yes by some chance, would you transmit it without taking adequate security measures?
In comparison, Google and the others have billions of emails simply sitting unencrypted in their storage, ready for access at zero cost. I can't see your argument contradicting the information security risk posed by these companies.
renewiltord•2h ago