Travel Technology - Email privacy

How private are web based email?

Can a governmental organization (in China, Middle East) read incoming and outgoing email on a gmail or hotmail account?

Better question, where do they look at the email. On the server or only when it is in transit?

Would this existing thread with 52 posts help?

if i read gmail at work, can "they" read it and other questions (http://www.flyertalk.com/forum/showthread.php?t=767950)

Is it the same question?

I understood the OP to be asking if email can be intercepted at some unidentified location or in some unidentified way as it goes from point of origin--which is, say, a home computer--to another computer hundreds of miles away. The answer is yes. Not only yes, but there are sniffers out there that can pull out, say, digits that indicate a credit card number is being transmitted. That's assuming it is being sent without encryption, i.e., going through a secure site.

I've always wondered myself how it is done. The explanations are vague, at least to someone like those of us who barely understand what a server is. So, to reiterate the OP's question, how do the evil geniuses out there do it? Specifically? Are they at their own homes? Do they have to be near servers that route the emails?

And if this question is so elementary that everyone snickers, then--in that case ;) -- oh puh-lease, I am asking ONLY in order to assist OP with formulating the question.

Yes. :p

Simple explanations, please. ;)

How private are web based email?

Can a governmental organization (in China, Middle East) read incoming and outgoing email on a gmail or hotmail account?

Better question, where do they look at the email. On the server or only when it is in transit?

Generally the emails are only accessed while in transit. Reading them on the server would generally involve them accessing the account using your password. A more significant breech of a server is unlikely from a foreign group, though you have no real guarantee of privacy from the US government who can subpoena just about anything and even squash the ability of the service provider to tell you that they've been forced to share access to your account.

As for the email in transit, odds are that any surreptitious access will happen as the mail moves from the server of your service provider to the service of the other party's service provider. From your computer to the service provider might be secure (if your web browser says https at the beginning of the address it is secure enough to cover most opportune access) and the same may be true for the person at the other end reading the mail. But in between the emails are almost certainly not encrypted. There are protocols that allow for the encryption of such traffic but they are rarely implemented.

It is not easy to read the mail as it is passing by, particularly if you don't have a tap into the service providers' network like the NSA does, but at this point it seems that many, many federal governments do have such taps in place and can scan, block and otherwise access the traffic crossing their borders.

From http://www.pcworld.com/businesscenter/article/147400/nearly_half_of_it_workers_snoop_in_confidential_fi les.html

Nearly half of IT workers have admitted to snooping around networks to look at confidential information, according to research from software firm Cyber-Ark.

"When it comes down to it, IT has essentially enabled snooping to happen. It's easy -- all you need is access to the right passwords or privileged accounts and you're privy to everything that's going on within your company,"

If I saw, on television, a foreign agent being forwarded info from an insider at a webmail firm -- I'd suspend disbelief. I suspect dozens of employees at the large web services can browse email without questions. In a spy scenario there could be a sudden need to swap a disk out for maintenance. I think, however, regular snooping by employees [if any] might happen for the entertainment value of the email -- not for larceny or criminal mischief.

Back in the day there were rumors of FBI carnivore boxes http://en.wikipedia.org/wiki/Carnivore_%28software%29 installed at California ISPs. But personally I can't believe a foreign organization doing such a thing. I speculate that they'd just focus on gaining access to the NSA infrastructure to monitor the backbones.

Considering how many people have backdoors illicitly installed on their PCs, anything they do is pretty much an open book.

That's really the main concern -- lack of security at either end. I've seen SSL described as using an armored car to deliver a message between two guys living in cardboard boxes. :)