Factors to consider:
Carnivore might trigger on all three criteria being satisfied. Raise "might" to "would" if the email address was already under suspicion.
Remember, the information is still traveling over a network to get to and from the webmail server.
If you really want to beat Carnivore, send email--but never forward it from the same account. For example, an email is sent to Account A, with encryption. Reader A downloads email at a Starbucks or a Schlotzsky's Deli via Wi-Fi, then disconnects. Email is decrypted and read.
Most of the email is padding--i.e., bulk intended to disguise the true length of the message. The actual message is cut-and-pasted into a new email, with different padding, encrypted with a different algorithm, and sent from Account B.
The guy with the laptop then walks around with a Wi-Fi-equipped PDA, looking for an unsecured Wi-Fi network (which are legion--and usually unauthorized by the company hosting them).
He then boots up his computer, logs into the network, and sends the email from Account B.
Carnivore will have a very hard time connecting the two events, because they don't share a common IP address, email account, or message content.
Exactly. And connecting dots, we have brilliant engineering student Nick, traveling from Oklahoma to Mosul, helping Iraqis to spiff up their email skills.