
Why Your Email Provider Is Reading Your Mail — And What You Can Do About It

By Tobava Security Team  ·  April 10, 2026  ·  7 min read

Every time you send or receive an email through Gmail, Outlook, or Yahoo Mail, the contents of that message pass through servers controlled by some of the largest advertising companies in the world. What happens to your email once it arrives on those servers is something most people have never read about — and the companies involved prefer to keep it that way.

This article explains exactly what commercial email providers do with your email data, why it matters, and what your practical options are if you want it to stop.

How Gmail Makes Money From Your Inbox

Google's core business is advertising. Gmail is free to use because the data your email generates — the products you buy, the newsletters you subscribe to, the flights you search for, the health conditions you ask about — feeds Google's advertising targeting engine.

Google has stated publicly that it no longer scans Gmail content to serve personalised ads. That change came in 2017. What Google did not stop is using email data to train machine learning models, building interest-based advertising profiles through its broader data ecosystem, and processing email content for features like Smart Reply, Smart Compose, and automatic categorisation.

The critical point is this: Google's systems read every email you send and receive. Whether or not that data is used to show you ads in the traditional sense, it is processed by automated systems controlled by an advertising company. Your confidential correspondence, your medical appointment confirmations, your legal documents — all of it passes through Google's infrastructure and contributes to systems that benefit Google's business.

What Outlook and Microsoft Do Differently — And What They Do the Same

Microsoft's approach is somewhat different but no less concerning. Outlook's privacy documentation reveals that Microsoft uses email data for "personalising the Microsoft experience" and for improving their AI models, including the large language models that power Copilot. Microsoft calls this "diagnostic data" collection and frames it as a feature improvement programme.

You can opt out of some of this in Microsoft's privacy settings, but you are opted in by default. Most users never change the default. This means the content of millions of private email conversations is being used to train commercial AI systems without most users realising it.

Key distinction: "We don't sell your data" and "we don't use your data" are not the same statement. Microsoft and Google are careful to say the former. Neither says the latter.

The Legal Framework That Permits This

When you create a Gmail or Outlook account, you agree to a terms of service document that grants the provider a broad licence to process your content. These terms are written by lawyers to be as permissive as possible while still complying with minimum legal requirements.

In the United States, email content stored on a third-party server is governed by the Electronic Communications Privacy Act (ECPA), a law passed in 1986 that predates the commercial internet. Under ECPA, emails older than 180 days can be accessed by law enforcement without a warrant. In Australia, the Telecommunications (Interception and Access) Act gives similar powers to Australian agencies.

The legal protections for your email content are weaker than most people assume. Your email provider can be compelled to hand over your messages. A privacy-first provider may still resist such requests — but a company whose business model depends on government contracts (as both Google's and Microsoft's do) has significant incentives not to.

What End-to-End Encryption Actually Means

End-to-end encryption (E2EE) means that your email is encrypted on your device before it leaves, and can only be decrypted by the intended recipient's device. The email server in the middle — including the email provider's servers — only ever sees encrypted ciphertext that it cannot read.

Most commercial email providers do not offer E2EE by default. Gmail encrypts emails in transit (between your browser and Google's servers, and between Google and recipient mail servers using TLS) but Google itself can read the plaintext. That is not end-to-end encryption — it is transport encryption, which protects against third-party eavesdroppers but not against Google itself.

True end-to-end encrypted email requires that:

Services like ProtonMail, Tutanota, and Tobava Mail implement this model. The trade-off is that you lose some server-side features like full-text search across all historical email (since the server cannot search what it cannot read), but you gain meaningful privacy.

Practical Steps You Can Take Right Now

You do not have to abandon your Gmail account today to improve your email privacy. Here are steps in order of effort and impact:

  1. Audit what you actually use email for. Most people's email falls into three categories: personal communication, commercial (receipts, newsletters), and sensitive (financial, medical, legal). The third category deserves the most protection.
  2. Move sensitive correspondence to an encrypted provider. You do not need to migrate everything. Create an account with a privacy-first provider and use it for your bank, your doctor, your lawyer. Keep Gmail for newsletters.
  3. Use alias addresses for commercial email. Services like SimpleLogin or Apple's Hide My Email let you create disposable addresses for online shopping and newsletters. Your real address never gets into marketing databases.
  4. Enable two-factor authentication. This does not encrypt your content, but it prevents account compromise — which is the most common way private email becomes public.
  5. Review app permissions. Many email apps request access to your full mailbox to provide features like travel tracking. Check what third-party apps have access to your Google or Microsoft account and revoke anything you do not recognise.

The Bigger Picture

Email is infrastructure. It underpins how we communicate with governments, healthcare providers, financial institutions, and each other. The idea that all of this communication flows through the servers of advertising companies — by default, at no cost, with terms most users never read — is one of the defining privacy issues of our time.

The solution is not to stop using email. It is to be deliberate about which provider handles which kinds of communication, and to understand that "free" email has always had a price. The question is whether you are paying with your data or with money.

Tobava Mail is an encrypted email service with no advertising and no content scanning. Your messages are encrypted before they reach our servers.