Secure Mail Guide

Email Privacy Threat Model: Who Is Actually Reading Your Email?

A clear-eyed look at who can access your email, under what circumstances, and which threats actually warrant changing your setup.

By Editorial · 7 min read

Most email privacy advice skips the most important step: figuring out what you’re actually protecting against. The answer changes what you should do.

Here’s who can realistically read your email and when.

Your Email Provider

If you use Gmail, Microsoft Outlook, or Yahoo Mail, the company can read the content of your email. Their terms of service permit this for various purposes: spam filtering, product improvement, advertising. Google has scaled back automated scanning of email content for ad targeting, but the capability exists and the terms permit various uses.

More concretely: if a legal order (subpoena, court order, or national security letter) arrives, these companies comply. US law enforcement can compel disclosure of email older than 180 days with a subpoena rather than a warrant — though this distinction has been challenged and varies.

What encrypted email providers change: ProtonMail, Tuta, and similar providers use end-to-end encryption (E2EE), so they genuinely cannot read your message content — their servers see only encrypted data. They can still be compelled to produce whatever metadata they retain (sender, recipient, timing).

Realistic risk for most people: Email providers reading your content for ad targeting is a passive, diffuse risk. It contributes to data broker profiles and targeted advertising. It’s not someone specifically reading your email — it’s automated analysis feeding algorithmic targeting. The harm is subtle and cumulative rather than acute.

Third-Party Senders

When someone sends you email, their email provider has access to the content they sent. If you email a Gmail user from your ProtonMail account, Google’s servers receive that email and Google can read it. Your side is protected; theirs isn’t.

This is unavoidable with standard email. The protocol requires handing the message to the recipient’s server in cleartext for delivery, even when the connection between the servers is TLS-encrypted.

Realistic risk: Any sensitive information you send to someone on an unencrypted provider is accessible to that provider and any legal process directed at them.

Network Eavesdropping

Someone between you and your email provider’s server could intercept your email in transit. This was a significant concern before TLS became universal.

Current state: All major email providers require TLS for HTTPS web access and for SMTP connections between servers. Intercepting most modern connections now requires an active attack (SSL stripping, certificate forgery) that’s detectable, so mass passive surveillance by ISPs is harder than it used to be.

Realistic risk for most people: Low. TLS isn’t perfect but it substantially raises the bar. Someone specifically targeting you at the network level is a sophisticated adversary, not a typical threat.
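TLS on SMTP is negotiated separately for each server-to-server hop, so one way to check a specific message is to read the protocol keyword each relay recorded in its Received header. This is an added example, not part of the original article; the sample headers, hostnames and ids are constructed, and the keyword list comes from RFC 3848 and RFC 6531.

```python
import re
from email import message_from_string

# "with" protocol keywords that assert TLS on a hop (RFC 3848, RFC 6531).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

# Constructed sample headers; hostnames, addresses and ids are made up.
RAW = """\
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.recipient.example with ESMTPS id r2; Tue, 02 Jan 2024 09:15:07 +0000
Received: from legacy.example.org (legacy.example.org [203.0.113.5])
\tby relay.example.net with ESMTP id r1; Tue, 02 Jan 2024 09:15:05 +0000
Received: from [192.0.2.44] by legacy.example.org with ESMTPSA id r0;
\tTue, 02 Jan 2024 09:15:03 +0000
From: alice@example.org
To: bob@recipient.example
Subject: constructed test message

body
"""

def _clause(text, name):
    """Return the token following a Received clause keyword such as 'by'."""
    m = re.search(rf"(?:^|\s){name}\s+(\S+)", text)
    return m.group(1) if m else None

def hop_tls_report(raw):
    """Return hops in travel order as (from_host, by_host, protocol, tls_asserted)."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())      # unfold continuation lines
        clauses = flat.split(";")[0]        # drop the trailing timestamp
        proto = (_clause(clauses, "with") or "").upper()
        hops.append((_clause(clauses, "from"), _clause(clauses, "by"),
                     proto or None, proto in TLS_PROTOCOLS))
    return hops[::-1]  # each relay prepends its header, so reverse for travel order

def hops_without_tls(raw):
    """List (from_host, by_host) pairs whose relay did not record TLS."""
    return [(f, b) for f, b, _, tls in hop_tls_report(raw) if not tls]
```

Received headers are written by the relays themselves, so a missing TLS keyword means the hop did not record TLS, not that the hop is proven to have been cleartext, and headers added before the message reached a server you trust can be forged.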

Government Access

In the US, the Electronic Communications Privacy Act governs law enforcement access to email. Email older than 180 days can be obtained with a subpoena rather than a warrant — though providers often contest this and policies have evolved.

Foreign governments may have different (sometimes broader) authorities, which is why jurisdiction matters when choosing an encrypted email provider. Swiss law (ProtonMail) and German law (Tuta, Mailbox.org) are generally considered more protective than US law for privacy purposes.

Note: even ProtonMail complies with Swiss court orders. In one notable 2021 case, Proton provided the IP address and recovery email of an account under a Swiss court order, after exhausting legal challenges. E2EE didn’t help there because the request was for account metadata, not message content.

Realistic risk: If you’re not a subject of investigation, government access to your email is unlikely. If you are a subject of investigation, your email metadata will likely be available regardless of which provider you use — though content may be protected with E2EE providers.

Phishing and Account Compromise

An attacker getting access to your email account — by stealing your password, bypassing 2FA, or compromising your device — has full access to all your email. This is the most common, practical threat for individual email privacy.

This applies regardless of which provider you use. If your ProtonMail account is compromised, the attacker can read everything in your inbox just as you can.

Realistic risk: High. Credential stuffing (trying known username/password combinations from data breaches), phishing, and malware are the most common ways email accounts are compromised. This is where most people should spend their security attention.

Mitigations: Strong unique password, TOTP-based 2FA (not SMS), phishing awareness, checking haveibeenpwned.com for data breach exposure.

Employer and IT

If you use a corporate email account, your employer generally has the right to read it. Corporate email systems are the company’s property and are typically monitored. IT administrators can access email on corporate systems.

Obvious implication: Don’t use your work email for personal communications you want to keep private from your employer.

What This Means for Your Choices

If your main concern is your email provider reading your content:
Switch to ProtonMail or Tuta. The improvement is real and the effort is manageable.

If your main concern is account compromise:
Enable 2FA everywhere, use a password manager with unique passwords, and practice phishing skepticism. This matters with any provider.

If your main concern is surveillance of your communications with specific people:
Email is probably the wrong tool. Signal, Wire, or other purpose-built E2EE messengers offer better protection and simpler UX for this use case.

If your main concern is government access:
Choose a provider with strong encryption (ProtonMail, Tuta) and a favorable jurisdiction. Understand that metadata is harder to protect than content. For high-stakes communications, consider whether email is the right channel at all.

The baseline recommendation for most people is this: move your email to a provider that doesn’t read your content, enable 2FA, use a password manager. That addresses the realistic risks most people face without requiring a complete lifestyle overhaul.
