
> Google's email isn't encrypted, it is sent as text over a network

I just grepped my personal email server log to double check, here's an obfuscated entry from this morning:

> localhost postfix/smtpd[14440]: TLS connection established from mail-xxxxxxxx.google.com[xxx.xx.xxx.xxx]: TLS v1 with cipher RC4-SHA (128/128 bits)

Doesn't look like clear text to me.




Based on my server logs, Google will offer STARTTLS and also use STARTTLS when offered. So there can be MTA<->MTA encryption. Unfortunately, many MTAs don't do one or both, and that includes those run by some of the largest ISPs.

Edit: A test tool... https://www.checktls.com/
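Added example, not part of any comment in this thread: a small Python audit of Postfix `smtpd` log lines like the one quoted above, showing which inbound peers negotiated TLS, which stayed in plaintext, and which used a deprecated protocol or RC4. It assumes `smtpd_tls_loglevel` is 1 or higher so the handshake summary is logged; the function name, hostnames and addresses are constructed for illustration.

```python
import re

# Constructed sample lines in Postfix smtpd syslog style (not from a real server).
SAMPLE_LOG = """\
Jan 10 08:01:02 mx postfix/smtpd[14440]: connect from mail-a.example.com[192.0.2.10]
Jan 10 08:01:02 mx postfix/smtpd[14440]: TLS connection established from mail-a.example.com[192.0.2.10]: TLSv1 with cipher RC4-SHA (128/128 bits)
Jan 10 08:01:03 mx postfix/smtpd[14440]: disconnect from mail-a.example.com[192.0.2.10]
Jan 10 08:02:10 mx postfix/smtpd[14441]: connect from relay.example.net[198.51.100.7]
Jan 10 08:02:11 mx postfix/smtpd[14441]: disconnect from relay.example.net[198.51.100.7]
Jan 10 08:03:30 mx postfix/smtpd[14440]: connect from mx.example.org[203.0.113.5]
Jan 10 08:03:30 mx postfix/smtpd[14440]: TLS connection established from mx.example.org[203.0.113.5]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jan 10 08:03:31 mx postfix/smtpd[14440]: disconnect from mx.example.org[203.0.113.5]
"""

LINE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)")
# search() is used so prefixes such as "Anonymous " before "TLS connection" still match.
TLS = re.compile(r"TLS connection established from (?P<peer>\S+): "
                 r"(?P<proto>\S+(?: v\S+)?) with cipher (?P<cipher>\S+)")
WEAK_PROTOS = {"SSLv2", "SSLv3", "TLSv1", "TLS v1", "TLSv1.1"}


def audit_inbound(log_text):
    """Return (peer, verdict) per inbound session: plaintext, weak-tls or ok."""
    open_sessions = {}  # pid -> [peer, (proto, cipher) or None]; one session per pid at a time
    results = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if msg.startswith("connect from "):
            open_sessions[pid] = [msg[len("connect from "):], None]
        elif (t := TLS.search(msg)) and pid in open_sessions:
            open_sessions[pid][1] = (t["proto"], t["cipher"])
        elif msg.startswith("disconnect from ") and pid in open_sessions:
            peer, tls = open_sessions.pop(pid)
            if tls is None:
                verdict = "plaintext"   # peer never issued STARTTLS
            elif tls[0] in WEAK_PROTOS or "RC4" in tls[1]:
                verdict = "weak-tls"    # encrypted, but deprecated protocol or cipher
            else:
                verdict = "ok"
            results.append((peer, verdict))
    return results
```

Sessions still open when the log ends are not reported, so run it over complete rotated files rather than a live tail.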


Can you do an attack like ssl-strip, but on IMAP servers? Presumably you can.


Presumably you can pick a lock or attach a lineman's handset to the POTS phone lines outside of someone's house too, but aren't we talking about the expectation of privacy?


You should never expect privacy over an unencrypted connection.

However where I do disagree with rayiner is that you should be able to expect that third parties which you willingly entrust your communication to, should not be compelled to turn over that message without a warrant.

If they turn it over willingly that's caveat emptor, but email to me feels more like a hand-to-hand transfer of a postcard than dropping a postcard on a public desk (as used in a different example), and therefore you should be able to expect that it's not treated as essentially public domain.


> You should never expect privacy over an unencrypted connection.

What does "should" have to do with it? A landline telephone isn't encrypted, people still expect their conversations to be private. And I don't see why email should be different -- if it came out that human Google employees have been reading your emails it would be a huge scandal.

> If they turn it over willingly that's caveat emptor

I don't know about that. Do you think it would also be reasonable without a court order for them to provide your private emails to a party other than the government, like a reporter or your company's customers or suppliers?


Phone connections used to be an actual end-to-end circuit that you had to have very specialized knowledge to be able to tap into, which is where that expectation comes from. Email is very much like handing a postcard to your secretary to pass to the mail room to walk up and leave in a bin labeled with the destination address. There are multiple stops en route, and the data just sits there instead of existing transiently. So yes, people shouldn't expect that it magically stays private.

But I'll take it further, to the extent that a secure channel isn't possible by phone today, people shouldn't expect privacy there any more either.

Being able to keep the government from using your information is different from privacy, and that's my big point. These conversations always go the route that Big Brother knowing about something is the worst thing that can happen to you, but really it's not. How many people get fired from their jobs without one bit of government intervention based solely on their employer becoming aware of a message they sent? That's what I'm talking about, you should not expect privacy from unencrypted email. Even if your provider is awesome, the recipient and the recipient's provider might not be, and that's beyond your control in most cases.

> > If they turn it over willingly that's caveat emptor

> I don't know about that. Do you think it would also be reasonable without a court order for them to provide your private emails to a party other than the government, like a reporter or your company's customers or suppliers?

Do I think it would be reasonable? Not at all. But it's certainly not illegal, which is why I say caveat emptor. Pick your contractors carefully and vote with your wallet for the one that will guard your data.



