In response to a question to the Digital Security for Activists program:

How secure is it to delete email and other internet documents? Who owns the deletions – the email provider, the ISP, the owner of the server/hardware? The person/entity who wrote it? The person/entity who received it?

After deleting an email, you may be surprised (or relieved) to be able to retrieve it. What happens to an email depends not only on how you are accessing your emails, but also on how your email provider treats emails. If you are accessing your email from a web browser, deleting an email will likely “move” the email to a “Trash” folder, only to be discarded some time later. Accessing Gmail through a browser gives you two options: “Archive” moves the message out of the Inbox but leaves it in the “All Mail” folder, whereas “Delete” moves the email to the “Trash” folder for deletion 30 days later.

Accessing your email via an email client (like Thunderbird) gives similar behavior: deleting an email will usually just mark the email for deletion, and it won’t truly be deleted (or expunged) from your storage on the server until some set amount of time later (such as two weeks, set in your preferences).

Using an email client will give you another set of choices, depending on the protocol by which the email client accesses your emails. The IMAP protocol will give the most user-friendly experience, allowing you to access your email from multiple places (email client, web browser, cell phone) with your email folders synced in all places. To do so, your emails remain on your email provider’s servers. The POP protocol removes emails from the server as you receive them. While this precludes syncing across multiple devices, it also provides behavior more akin to a mailbox: an email is at the server only until you are ready to pick it up.
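The difference between marking an email for deletion and expunging it, described above, can be checked on your own account over IMAP. The following is an added example, not code from the original post; it uses Python's standard `imaplib`, and the environment variable names `IMAP_HOST`, `IMAP_USER` and `IMAP_PASS` are assumptions chosen for illustration.

```python
import imaplib
import os


def pending_deletions(conn, mailbox="INBOX"):
    """Return UIDs of messages flagged \\Deleted that the server still stores."""
    typ, _ = conn.select(mailbox, readonly=True)  # read-only: changes nothing
    if typ != "OK":
        raise RuntimeError(f"cannot open mailbox {mailbox!r}")
    typ, data = conn.uid("SEARCH", None, "DELETED")
    if typ != "OK":
        raise RuntimeError("SEARCH failed")
    return [int(uid) for uid in (data[0] or b"").split()]


def expunge_mailbox(conn, mailbox="INBOX"):
    """Expunge every \\Deleted message in the mailbox; return how many went."""
    if not pending_deletions(conn, mailbox):
        return 0
    typ, _ = conn.select(mailbox)  # reopen read-write so EXPUNGE is allowed
    if typ != "OK":
        raise RuntimeError(f"cannot open mailbox {mailbox!r} read-write")
    typ, data = conn.expunge()
    if typ != "OK":
        raise RuntimeError("EXPUNGE failed")
    return len([seq for seq in data if seq])  # one reply per removed message


if __name__ == "__main__":
    # Assumed environment variables (hypothetical names) for your own account.
    with imaplib.IMAP4_SSL(os.environ["IMAP_HOST"]) as conn:
        conn.login(os.environ["IMAP_USER"], os.environ["IMAP_PASS"])
        print("marked but still on server:", pending_deletions(conn))
        print("expunged:", expunge_mailbox(conn))
```

Expunging removes the message from your mailbox on the server; it says nothing about copies the provider may keep elsewhere.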

Who owns emails, deleted or otherwise, is a question that may be addressed in the fine print of the service agreement between you and your email provider. To us, the more interesting question is who has access to your emails. Under current law, any email on your email provider’s servers that has been read, or that has not been read but is 180 days or older, can be accessed by law enforcement by subpoena (which, unlike a warrant, does not require probable cause). This law may change, if the Email Privacy Act (or similar) can make it through the Senate.

Under any scenario, you are trusting your email provider to respect the choices you are making: that if you delete an email, and even remove it from the Trash or All Mail folder, a copy of it no longer exists on some back-up server that your email provider maintains. Beyond that, in the likely case that your email traveled across an international boundary along the highly indirect routes that Internet traffic often takes, your email was probably swept up by STORMBREW, TEMPORA, or another global surveillance program. So if you didn’t go to the trouble of encrypting that email, there is probably a copy of it somewhere.

Published August 7, 2017