Or it could be the FBI looking for terrorist activity. Under the USA Patriot Act, the FBI can use a national security letter to get telecommunications records, including e-mail records. A recent report from the Justice Department's Office of the Inspector General titled "A Review of the FBI's Use of National Security Letters" (PDF) found that the FBI has, in some cases, misused these surveillance powers. It also found that some e-mail providers were handing over full message bodies and subject lines of e-mails when they were really only supposed to hand over billing records.
"If you read the fine print in end-user license agreements, there's always the possibility for the government to intervene," says Larry Ponemon, founder and chairman of the Ponemon Institute LLC, a privacy and information management research firm.
Google's policy, for example, is to notify an e-mail user when the government orders it to turn over records, "except in cases where we're not legally able to do so because notification threatens to impede a law enforcement investigation," says a Google spokesperson.
This isn't a theoretical problem. Back in 2006, Google was served with a subpoena from the DOJ: The DOJ wanted two months' worth of search queries from users, together with as many as 1 million Web addresses, to bolster its arguments in a Pennsylvania pornography case. After some legal back and forth, it was finally decided in March 2007 that Google did have to supply the DOJ with 50,000 Web addresses, but not any of the user search queries.
Google isn't the only Webmail supplier that has found itself in the courts. For example, in April of 2006, an ex-employee's Yahoo e-mail account was successfully subpoenaed by his former employer. And Yahoo made headlines when news organizations reported that the company had handed over the contents of personal e-mail accounts to the Chinese government, resulting in the arrest and imprisonment of several Chinese dissidents.
A corporate security tangle
The increasing popularity of third-party Webmail also presents new and sometimes poorly understood security problems for corporate IT departments.
Most corporate e-mail travels through an SMTP server, which typically scans incoming e-mail and attachments for malware and inspects outgoing mail for any violations of corporate policy. Not so with Webmail, which goes through the corporate HTTP server and is usually not inspected on its way into the network, notes Chenxi Wang, an analyst at Forrester Research Inc. That means Webmail can bring in security threats and send out sensitive corporate data.
"Unless you've got scanning in place there, it's a huge hole for corporations," says John Maddison, general manager of Trend Micro Inc.'s network security services group.
Some corporations sabotage themselves through ignorance or misguided policies. A company might forbid the use of corporate e-mail for personal business, leaving employees little choice but to use their Webmail accounts. Even without a formal policy, "people might think it's the right thing to use their Gmail account for personal business rather than to use their corporate e-mail," says Ponemon.
In other cases, a company might make employees jump through so many security hoops to access their e-mail remotely that they use Webmail instead, says David Cowings, senior manager of operations in security response at Symantec Corp. For example, employees might forward copies of inbound corporate e-mail to their Webmail account rather than go through a complicated process such as using a rotating access key to dial in through a VPN from home or while traveling. Or perhaps corporate IT limits the size of attachments, so if employees needs to send a 2M file, they turn to Webmail, says Frank Cabri, vice president of marketing and product management at FaceTime Communications Inc., a security vendor that specializes in securing noncorporate-sanctioned applications like Webmail.
Indeed, when companies start to look at what's traveling through their HTTP channel, "usually IT people are very surprised at the extent of this unsanctioned traffic," Cabri notes.
On the other hand, the dynamic nature of Webmail can be a security plus, says Jen Grant, a group product marketing manager at Google. "The advantage of Webmail and the cloud is that we can adapt and adjust almost instantaneously, so the second a new type of malware is there, we can adapt, adjust and update our system and protect our users," says Grant. Contrast that with a static system on a corporate desktop, she says. "In order for them to adapt, they have to download something, they have to install something. It's just not as fast."
Webmail isn't necessarily any more vulnerable than corporate mail, says Petko D. Petkov, founder and senior security consultant at Gnucitizen, which does penetration testing for companies. Although directly attacking corporate e-mail systems is harder, there are other ways to break into the system, through social engineering or sniffing unprotected wireless connections of corporate laptops at Starbucks, for example. "There are so many variations," he says. "It's just a matter of creativity and innovation."