E-mail has been a major presence in both the consumer market and the business world for several decades now. The e-mail protocol has become the de facto method of communication for millions of people and yet the legality of intercepting or outright snooping through someone's personal or business e-mail is unknown by most people. With our increasing reliance on digital communications fostering a larger store of private and confidential data online, it's more important than ever to understand your e-mail rights.
E-mail has existed in some form since 1961 and laws governing the nature of e-mail communications were first enacted in 1986. Unfortunately, legislators of the '80s could not possibly foresee the explosion of e-mail adoption that occurred at the turn of the century. As a consequence, according to Orin Kerr, digital privacy laws are outdated at best and terribly inapplicable at worst. The nature of these laws makes it difficult to know for certain if it is illegal to access someone else's e-mail in certain situations and if not, what punishments might incur.
The primary laws governing e-mail privacy are the Electronic Communications Privacy Act (ECPA) and the Stored Communications Act (SCA). These laws were originally designed to limit government intrusion in various forms of electronic communications. The bulk of the language in these pieces of legislation relate specifically to government. Despite this narrow scope, both laws have broadened to encompass invasions of privacy undertaken by private citizens and have stood the test of the courts in their application.
Enforcing the ECPA and SCA is notoriously difficulty due to the nature of the privacy violation. However, technological advancements are making it easier and easier to track down beyond a reason of doubt people responsible for abusing the privacy of someone else's e-mail. Moreover, absent proof of violating the EPCA or SCA, there are a number of other laws that are violated when one accesses someone else's e-mail.
One of the most high profile cases involved the hacking of 2008 Vice Presidential candidate Sarah Palin's e-mail address. According to Wired Magazine's Kim Zetter, the hacker was likely to avoid charges of violating the ECPA and SCA but was still in violation of the Computer Fraud and Abuse Act (CFAA) for accessing protected information without authorisation.
The most common confusion when it comes to the laws governing e-mail privacy is the specificity with which the legal language in most privacy laws refers to government intrusions. While it is true that in many acts, including the ECPA, SCA and CFAA, the government is the primary actor that the law pertains to, numerous cases throughout the years since the enactment of these laws have shown that the statutes can be applied to private citizens.
Another confusion is around the definition of stored communications. It is not completely clear if it means unread e-mails or simply undeleted e-mails. Both definitions have been held as true in court cases so it is safe to assume that the less limiting definition, i.e. undeleted e-mails, is true.
No matter the circumstances of an e-mail hacking, accessing someone else's e-mail is illegal. Even if you simply guess the password of a third-party's e-mail address, that still constitutes a violation of the law. Hacking does not necessarily entail a highly technical invasion of privacy. As such, it is best to assume that any access of someone's e-mail is a violation of the law and is prohibited.