Or it could be the FBI looking for terrorist activity. Under the USA Patriot Act, the FBI can use a national security letter to get telecommunications records, including e-mail records. A recent report from the Justice Department's Office of the Inspector General titled "A Review of the FBI's Use of National Security Letters" (PDF) found that the FBI has, in some cases, misused these surveillance powers. It also found that some e-mail providers were handing over full message bodies and subject lines of e-mails when they were really only supposed to hand over billing records.
"If you read the fine print in end-user license agreements, there's always the possibility for the government to intervene," says Larry Ponemon, founder and chairman of the Ponemon Institute, a privacy and information management research firm. Google's policy, for example, is to notify an e-mail user when the government orders it to turn over records, "except in cases where we're not legally able to do so because notification threatens to impede a law enforcement investigation," says a Google spokesperson.
This isn't a theoretical problem. Back in 2006, Google was served with a subpoena from the DOJ: The DOJ wanted two months' worth of search queries from users, together with as many as 1 million Web addresses, to bolster its arguments in a Pennsylvania pornography case. After some legal back and forth, it was finally decided in March 2007 that Google did have to supply the DOJ with 50,000 Web addresses, but not any of the user search queries.
Google isn't the only Webmail supplier that has found itself in the courts. For example, in April of 2006, an ex-employee's Yahoo e-mail account was successfully subpoenaed by his former employer. And Yahoo made headlines when news organizations reported that the company had handed over the contents of personal e-mail accounts to the Chinese government, resulting in the arrest and imprisonment of several Chinese dissidents.
A corporate security tangle
The increasing popularity of third-party Webmail also presents new and sometimes poorly understood security problems for corporate IT departments.
Most corporate e-mail travels through an SMTP server, which typically scans incoming e-mail and attachments for malware and inspects outgoing mail for any violations of corporate policy. Not so with Webmail, which goes through the corporate HTTP server and is usually not inspected on its way into the network, notes Chenxi Wang, an analyst at Forrester Research. That means Webmail can bring in security threats and send out sensitive corporate data.
"Unless you've got scanning in place there, it's a huge hole for corporations," says John Maddison, general manager of Trend Micro's network security services group.
Some corporations sabotage themselves through ignorance or misguided policies. A company might forbid the use of corporate e-mail for personal business, leaving employees little choice but to use their Webmail accounts. Even without a formal policy, "people might think it's the right thing to use their Gmail account for personal business rather than to use their corporate e-mail," says Ponemon.
In other cases, a company might make employees jump through so many security hoops to access their e-mail remotely that they use Webmail instead, says David Cowings, senior manager of operations in security response at Symantec. For example, employees might forward copies of inbound corporate e-mail to their Webmail account rather than go through a complicated process such as using a rotating access key to dial in through a VPN from home or while traveling. Or perhaps corporate IT limits the size of attachments, so if employees need to send a 2M file, they turn to Webmail, says Frank Cabri, vice president of marketing and product management at FaceTime Communications, a security vendor that specializes in securing noncorporate-sanctioned applications like Webmail.
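The gap described above, where Webmail leaves the network over HTTP without the inspection that SMTP mail gets, can at least be monitored from web proxy logs. The following is an added example, not part of the original article: it flags attachment-sized POST requests to Webmail hosts, and the log format, host watch list, size threshold and user names are all constructed assumptions.

```python
from collections import defaultdict

# Assumed watch list of webmail hosts; extend to match local policy.
WEBMAIL_HOSTS = ("mail.google.com", "mail.yahoo.com")
UPLOAD_THRESHOLD = 1_000_000  # bytes; assumed cut-off for an attachment-sized upload

# Constructed proxy log, one request per line:
# timestamp user method host path request_body_bytes
SAMPLE_LOG = """\
2008-12-01T09:14:02 alice GET mail.google.com /mail/ 512
2008-12-01T09:15:40 alice POST mail.google.com /mail/upload 2097152
2008-12-01T09:20:11 bob POST intranet.example.com /wiki/save 3145728
2008-12-01T10:02:55 carol POST us.mail.yahoo.com /compose 840
2008-12-01T10:03:31 carol POST us.mail.yahoo.com /attach 1500000
malformed line without enough fields
2008-12-01T11:00:00 dave POST mail.google.com.evil.example /x 5000000
"""

def is_webmail(host):
    """True for a watched host or a subdomain of one (suffix match on a label boundary)."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in WEBMAIL_HOSTS)

def parse_line(line):
    """Return a record dict, or None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 6 or not parts[5].isdigit():
        return None
    ts, user, method, host, path, size = parts
    return {"ts": ts, "user": user, "method": method,
            "host": host, "path": path, "bytes": int(size)}

def find_webmail_uploads(log_text, threshold=UPLOAD_THRESHOLD):
    """Large POSTs to webmail hosts: outbound data that skipped SMTP policy checks."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and rec["method"] == "POST" and is_webmail(rec["host"])
                and rec["bytes"] >= threshold):
            hits.append(rec)
    return hits

def bytes_by_user(hits):
    """Total flagged upload volume per user, for triage."""
    totals = defaultdict(int)
    for rec in hits:
        totals[rec["user"]] += rec["bytes"]
    return dict(totals)

if __name__ == "__main__":
    for user, total in bytes_by_user(find_webmail_uploads(SAMPLE_LOG)).items():
        print(f"{user}: {total} bytes uploaded to webmail")
```

When Webmail is served over HTTPS, a proxy that does not terminate TLS sees only the destination host and byte counts, so this kind of check covers volume but not content.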