Why Email Providers Scan Your Emails
Even if your messages aren't scanned for ads, companies may scan, read, and even share them with third parties
If you receive emails flagged as spam or see a warning that a message might be a phishing attempt, it’s a sign that your email provider is scanning your emails. The company may do that just to protect you from danger, but in some situations it can delve into your communications for other purposes, as well.
Google announced that it would stop scanning Gmail users’ email messages for ad targeting in 2017—but that doesn’t mean it stopped scanning them altogether. Verizon didn’t respond to requests for comments about Yahoo and AOL’s current practices, but in 2018 the Wall Street Journal reported that both email providers were scanning emails for advertising. And Microsoft scans its Outlook users’ emails for malicious content.
Here’s what major email providers say about why they currently scan users’ messages.
Scanning for Spam and Malware
Email providers can scan for spam and malicious links and attachments, often looking for patterns. You may get a warning if an email you receive is similar to some that were sent in previous phishing attacks, in which attackers trick users into revealing personal information, such as passwords and credit card numbers. You may also receive an alert if an email contains a link that has been blacklisted by the provider for this type of behavior. In Gmail, this may show up as a yellow banner with black text, with a warning such as “this message could be a scam” along with some additional information and a link to report the message.
Providers also compare incoming files to known dangerous files. It would be difficult to compare every incoming file in its entirety to every known dangerous file—the amounts of data involved would be far too big—so instead, the providers run known harmful content, such as abusive images, through certain mathematical functions to create short, unique identifying values, called hashes. Then the company performs the same function on incoming files and compares the hash that results to its big list of hashes from harmful files.
The end result of all that computing work is to protect email users from a lot of dangerous or illegal content.
Where Email Ads Come From
You may see lots of ads in your email inbox, but that doesn’t necessarily mean your email provider is using the content of your messages to target you with marketing messages.
For instance, like Google, Microsoft says that it refrains from using your email content for ad targeting. But it does target ads to consumers in Outlook, along with MSN, and other websites and apps. The data to do that come from partnering with third-party providers, plus your browsing activity and search history on Bing and Microsoft Edge, as well as information you’ve given the company, such as your gender, country, and date of birth.
If you’re using an email account provided by your employer, an administrator with qualifying credentials can typically access all your incoming and outgoing emails on that account, as well as any documents you create using your work account or that you receive in your work account. This allows companies to review emails as part of internal investigations and access their materials after an employee leaves the company.
A company may also search through and read employee emails after receiving a subpoena, if the company itself is under investigation, or if it’s reviewing information to prepare for litigation.
Email providers often have controls in place that help companies deter email administrators from accessing other employees’ emails unnecessarily. For example, Microsoft provides employers with access-logging and auditing tools for certain administrative roles.
Other Third Parties
Law enforcement can request access to emails, though warrants, court orders, or subpoenas may be required. Email providers may reject requests that don’t satisfy applicable laws, and may narrow requests that ask for too much information. They may also object to producing information altogether.
Some companies publish transparency reports that give details on how often this has taken place. Microsoft, for instance, requires a warrant or court order for government requests for content data, or the actual communications, and a subpoena for noncontent data, such as who sent a message to whom, the duration or size of the communication, the time it was sent, usernames, email addresses, IP addresses, and other metadata.
Its latest transparency report says it received 5,682 law enforcement requests from the U.S. for data affecting 16,348 accounts or users in the second half of 2020. It rejected around 16 percent of these requests, could not find data for around 22 percent, provided noncontent data for about 49 percent, and provided content for 13.06 percent, or 742 accounts. Google and Verizon Media (which owns Yahoo and AOL but is transferring ownership to Apollo Management Group in the second half of 2021) also issue transparency reports.
“In a technical sense, there’s no barrier” to companies that want to read consumer emails, says Gustaf Björksten, chief technologist at digital rights nonprofit Access Now.
Companies’ privacy policies might spell out the details of when and why email providers would do so, and some have conduct codes in places as well, such as Microsoft’s Standards of Business Conduct and Google’s Code of Conduct. Still, Björksten says privacy policies aren’t foolproof. “There’s all the potential for misuse by humans. Humans are deeply, fundamentally flawed, and we know that when humans have access to private information, they will at least sometimes look at it when they shouldn’t look at it.”
For example, a widely reported legal settlement by Apple in 2021 stemmed from a 2016 incident in which a woman sent her iPhone in for repair and technicians at an Apple-approved contracting facility posted her explicit photos and video online.
"When we learned of this egregious violation of our policies at one of our vendors in 2016, we took immediate action and have since continued to strengthen our vendor protocols,” Apple told Consumer Reports.
And in 2019, two former Twitter employees were charged with accessing private direct messages and other information as foreign agents for Saudi Arabia, according to court documents.
So if you want to avoid companies even being able to read your messages, scan them, or share them with third parties, the best way to do so is by using a tool that’s specifically described as “end-to-end encrypted,” such as Signal, so that even the provider can’t access it.