Nonprofit, nonpartisan journalism. Supported by readers.


Community Voices features opinion pieces from a wide variety of authors and perspectives. (Submission Guidelines)

Email and web histories belong to their authors

How much can you learn about a person by glancing at his or her open email box? No fair reading the mail — just the in and out boxes. You would find subject lines, dates and times and the person’s contacts. A Privacy Impact Assessment (PDF) published recently in the United States asserts that this information is not private. Speaking for every email and Web user, the authors say:

“Electronic mail and Internet users have no expectation of privacy in the to/from addresses of their messages or the IP addresses of the websites they visit because they should know that this information is provided to and used by service providers for the specific purpose of directing the routing of information.”

That idea was published by the U.S. Department of Homeland Security and its Computer Emergency Readiness Team (US-CERT) in May. It was written for a narrow purpose, to satisfy a law that requires a privacy assessment be prepared when the government plans to collect “identifiable information.” It accompanies an upgrade to Einstein, which is an intrusion detection system and is one of the programs that protect federal networks.

But the reach of this assessment is wide, not narrow, if only because it asks everyone to read it. Unlike its predecessor four years ago, it “serves as a general notice to individuals” that network traffic at participating agencies may be collected for computer security purposes. Certainly collection is necessary for the purpose at hand. Federal networks of course need protection because they transport the most sensitive types of data, including the financial and medical records for millions of people.

Data ‘voluntarily turned over’
One page later comes the idea, however, that a person’s traffic and history is not private. The assessment likens email headers and IP addresses to telephone numbers, first explaining in simple terms that it takes information to route information. Then email subject lines, the names and addresses of senders and recipients, people’s Web visits, and the dates of their activity are equated with the series of numbers that are needed to route telephone calls. The authors go on to say that all of these details “are voluntarily turned over” to third parties.

The assessment may reach too far in an attempt to define what data is personal. It is one thing to meet regulations by stating the reasons and conditions of data permissions needed to carry out emergency response. It is an altogether different thing to originate a definition in a general sense that email headers and Web histories are not personal data, and to assert that Internet users knowingly give away data.

That personal profiles of Internet users are collected has been reported for years by researchers and in the press. Profiles are assets, bought and sold in corporate mergers and acquisitions. Profiles of persons have so much value in business that it will suffice to only state a reminder here that the sum of collections of email headers and Web histories is not in the public domain.

Users unaware of tracking, selling
Leslie Harris of the Center for Democracy and Technology testified in July to the U.S. Senate Commerce, Science & Transportation Committee that “most Internet users today do not know that their browsing information may be tracked, aggregated and sold.” Further, her testimony (PDF) describes an advertising model that may pay for Web free content in exchange for detailed access records from our Internet service providers (see Aug. 12 MinnPost article “Internet privacy gets Congress’ attention”), and concludes in part:

“The practice that has been described to us, whereby an ISP may enter into an agreement with an advertising network to copy and analyze the traffic content of the ISP’s customers, poses serious questions under the federal Wiretap Act.”

Ideally, profiles and histories ought to be the property of the people who create them. In the meantime, tendencies to believe otherwise and assumptions to the contrary by the U.S. government or by advertising providers need to be corrected.

Susan Lesch owns Textet and is not a lawyer. She lives in San Diego, Calif.; and Minneapolis.

Want to add your voice?

If you’re interested in joining the discussion by writing a Community Voices article, email Susan Albright at salbright [at] minnpost [dot] com.

Comments (2)

  1. Submitted by Susan Lesch on 08/18/2008 - 11:12 am.

    [Not for publication]

    Just a note, this article, “,” was indexed at Google News [1] as, “Affiliates publish the MinnPost news widget. For information …”. So for the duration of the news index there, and while it is in Google’s “Web” index at, few readers will find it in news. Thought you might want to know in case it happens again–more significant problem in the case of real news vs. opinion maybe. (I submitted it manually at Google for re-indexing but it didn’t change. No matter, and thanks for publishing it.)

    On the other hand, congratulations to MinnPost and to Ms. Albright. Her story, “Internet privacy gets Congress’ attention” led the Google News index search for “Internet privacy” [2] all weekend, and is still the top hit at this writing. Well done.


  2. Submitted by Aaron Landry on 08/15/2008 - 08:05 am.

    When it comes to servers and networks routing email, the body of an email is just as much in the open as the email addresses and subject lines. In fact, EINSTEIN 2, like many corporate firewalls or spam filtering services, scans the body and attachments of emails to identify malware. For them to make the argument that part of an email transaction is “voluntarily turned over” but another part isn’t, is fundamentally incorrect.

    To compare to the USPS, it isn’t like an email is inside a sealed envelope, emails are like post cards. If you can look at one side, you can look at the other.

    This piece does raise a great concern that people overlook: unless you are using encryption (which 99.9% of users are not, including myself), your email is technically not private. We put a lot of trust in our service providers… and every service provider between us and the recipient of every email we send.

Leave a Reply