Not if you let someone else administer it.
In short: absolutely. If someone else sets up or has access of any sort to your email account, they can cause all sorts of mayhem.
And it’s almost impossible for you to tell.
So what can you do? And what can you count on?
Become a Patron of Ask Leo! and go ad-free!
Is email private?
To ensure email privacy:
- Set up your email account yourself.
- Configure it securely with a strong password and consider two-factor authentication.
- Make sure to configure account recovery information properly.
- Consider using email encryption or a security-focused email provider if you feel you’re at additional risk.
Set it up yourself
To be clear, if your boyfriend set up your account, he could indeed see all email coming into or going out of the account. And there’s no 100% reliable way for you to tell if that’s happening.
The good news is that it’s easy to solve: get another email account that only you have access to.
Head out to Gmail, Outlook.com, or any of the other free or paid email services. Take the time to learn how to set up a new email address. Give it a strong password, and make sure that you also set up all the security and recovery information you can.
For extra security, consider setting up two-factor authentication as well.
But the most important thing is this: set it up and administer it yourself. Don’t rely on someone else you don’t trust completely or may not trust completely in the future (you never know).
The email service
There’s more to email privacy than just who set up the account.
The administrators involved in maintaining whatever system you use for email can, if they desire, access your email. For example, your ISP and the administrators on the server of whomever you exchange email with can see the messages you send there. More realistically, your workplace or school administrators almost certainly have the ability to monitor your email.
It is highly unlikely that the folks in the datacenters at Outlook.com, Gmail, or other email services care about your email at all. They’re not looking.
But they could. And that raises a somewhat scary scenario: they could be compelled to look. With an appropriate warrant in hand, law enforcement could force your email service to turn over your email or potentially monitor your email comings and goings.
Most of us need never care; we’re just not that interesting. But if you are, it’s important to understand the exposure.
Privacy ensured: encryption
The only real way to ensure email privacy is to use encryption.
I’ve discussed it before, but email encryption is hard. If this is a concern, and you’re switching email providers anyway, this would be a great time to consider privacy-focused services such as Proton Mail and Tutanota. Those providers store email securely encrypted, it remains encrypted between users of the same service, and there are mechanisms to send encrypted mail to users of other services.1
Email might still be intercepted, and the source and/or destination identified, but the message itself remains securely encrypted to all but the intended recipient.
Do this
At the most basic level, take control of your email privacy by setting up your email account yourself and giving no one else access. Make sure to configure it securely.
If you feel you’re at higher risk, consider using a different email service, encrypted email, or a privacy-and-security focused service that uses encryption by default.
Here’s some email you might find helpful at your new account: Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
Podcast audio
Related Video
Footnotes & References
1: Technically, it’s no longer email. The “message” is sent as a link to a webpage at the email service, which can, when the correct password is provided, decrypt and display the actual message.
Have an comcast email address. Getting divorced. Bill in wifes name. She changed my password, broke into my email and read confidential traffic. Isn’t this against the law? –
—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1
I don’t know. I’m not a lawyer. Sounds like you need to talk
to law enforcement or your divorce attorney.
Leo
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.7 (MingW32)
iD8DBQFHpMOGCMEe9B/8oqERApncAJ4+53F61/VqCoMoqI7aT5CF5pOX1gCfUr+Q
ckukU4eu8ccEDi5ntWvkGj0=
=ciE4
—–END PGP SIGNATURE—–
In the original documentation of the PGP (Pretty Good Privacy) encryption, Phil Zimmerman compared unencrypted email to sending a post card that anyone handling that email can read. He compared encryption to an envelope to keep it from prying eyes. The difference is that encryption provides much more than an envelope. It’s more like an armored vault if strong enough passwords are used.
One way to protect your original account from the person who set up your account is to change your password and check that that person hasn’t added any recovery email accounts or phone numbers. If you find that they have, you can change the recovery information to an email address and phone number only you have access to.
These articles are about how to recover hacked email accounts, and the situation in this question is identical to a hacked account.
My Email Is Hacked, How Do I Fix It?
Do I Need a New Email Address if Mine’s Involved in a Breach?