The weak privacy protection for metadata and draft e-mails are two examples of a broader problem: the rules governing law enforcement access to e-mail are extremely murky, and do not adequately safeguard online users’ privacy rights. Law enforcement access to e-mail is governed by the 1986 Electronic Communications Privacy Act, which has long since started to show its age. The ECPA requires a warrant to obtain freshly sent e-mail before it’s been opened by the recipient. But once an e-mail has been opened, or once it has been sitting in the recipient’s e-mail box for 180 days, a lower standard applies. These rules simply don’t line up with the way modern e-mail systems work.
Meanwhile, current legal precedents cast doubt on whether the Fourth Amendment’s guarantee against unreasonable searches applies to cloud-based e-mail services at all. A legal principle called the Third Party Doctrine suggests that users give up their Fourth Amendment rights when they entrust their information to third parties such as Google. Justice Sonia Sotomayor has expressed skepticism about the Third Party Doctrine, suggesting that the Supreme Court might overrule it at some point in the future. But in the meantime, the government appears to have significant powers to rifle through information we entrust to cloud service providers like Google.