In the early days of emailing, people used to download their messages from the server of their Internet service provider, using fetching protocols such as POP3; they would delete the messages from the server and keep them on their computer. However, nowadays things are different: almost all Internet users keep their email remotely, in a digital mailbox on the server of their email provider, because this allows easy access to their messages from a number of different devices, and even from the browser of a random PC in an Internet cafĂ©, or from a friend’s tablet computer. The ubiquitous IMAP protocol is the technical device behind this mode of use; and webmail interfaces display your messages directly on your provider’s website, without ever downloading them to your computer.
This ease of use comes at a risk: as your messages are stored on a server which is accessible through the Internet, anyone gaining access to that server can read all your email, and search it for confidential and valuable information.
There are three ways for this to happen. First, someone can learn, guess or steal your password in several ways: if you use an easy password, or if you write it somewhere, or if you use the same password you used for another service that has been cracked, or if you installed malware on your computer. Second, someone can crack your provider’s server and, if the server was not properly secured, gain access to the email and/or the passwords of thousands, maybe millions of users. Third, your email provider may not deserve your trust, and may spy its users’ email for commercial reasons, selling information about them to advertisers, or may give access to your mailbox to other parties, such as government agencies, without proper legal guarantees and without giving you notice.
In the end, no one can really defend you against a negligent or untrustworthy email provider, and you should be really careful about where and how your digital mailbox is stored. However, there are some best practices, included in the TES specifications, that counter at least some of these dangers; also, countries with a higher level of privacy protection, such as those in the European Union, impose stronger security and data protection requirements to email providers.