Emails are not private. A message may have one sender and one recipient but it can, with little effort, be read by a third party. In fact, despite the Fourth Amendment’s protections against unlawful searches, federal agencies do not necessarily need a warrant to read emails older than six months.

Concerns over such government snooping were raised by the American Civil Liberties Union, which last week noted a “troubling picture” of email surveillance practices by the Federal Bureau of Investigation and the Department of Justice. The agencies may be taking advantage of a component of the Electronic Communications Privacy Act, which requires warrants only for emails that have been stored on a third-party server for less than 180 days.

Documents reviewed by the ACLU showed that the FBI may be reading emails and other electronic messages without a warrant, and that different U.S. attorney’s offices may be applying “conflicting standards,” the group says. “It is time for Congress to step in and standardize the requirements and require warrants across the board,” says Nathan Wessler, a staff attorney with the ACLU. The report follows a similar review of IRS documents.

Facing pressure from the ACLU and lawmakers, the IRS said it would require warrants before reading all emails in both criminal and civil investigations, but did not offer any clarity on its policy for social media sites. The FBI issued a separate statement saying it “obtains emails in accordance with the laws and Constitution of the United States.” The Department of Justice did not respond to requests for comment.

But such statements aren’t enough, some lawmakers say. A bipartisan bill introduced by Senators Patrick Leahy (D, Vt.) and Mike Lee (R, Utah) would require the government to obtain a search warrant before going through all Americans’ emails and electronic communications, with some exceptions for emergencies and national security threats.

But even if the bill is passed, privacy experts say, it won’t take long for such a measure to become outdated, or for authorities to find a loophole. “The problem is the law is always, in my opinion, five years to 10 years behind the technology,” says Eduard Goodman, chief privacy officer for ID Theft 911, an identity-management solutions firm.

In the meantime, what can Americans do to protect themselves from warrantless email searches? Authorities will probably always be able to access messages if they have reason to believe someone is breaking the law, says Chester Wisniewski, senior security adviser for Sophos, an information technology security and data protection company. But those hoping to avoid unnecessary snooping through emails sent to a spouse (or regrettable messages sent during one’s college years) can take a few steps to protect themselves.

One option is to encrypt messages before sending them, which can make them indecipherable as they are transmitted across servers. Such messages can only be read after the recipient unlocks the message with an encryption key. The process may be too cumbersome for most emails, says Wisniewski, since it requires people to exchange keys. And the option isn’t offered by all email providers, he says.

Given that authorities can only access emails that have been stored on a server for more than six months, privacy experts say another option is to delete older emails or store them directly on a hard drive (which is protected by the Fourth Amendment). Common email platforms like Microsoft Outlook will typically offer an option for archiving emails on a hard drive, says Wisniewski, but such messages could no longer be accessed remotely. And if the hard drive fails, the data could be lost entirely.

One final option is an “offshore email account.” Servers operated in other countries would not be subjected to the same rules as those based in the U.S., says Wisniewski. The tradeoff: Connections might be slower than with American email providers, he adds. And people who decide to store their emails abroad also need to be conscious of the privacy rules of the country hosting their server.