The question "does it work" really depends on what threat you are trying to mitigate. For example, in the United Kingdom we are about to introduce legislation to mandate that ISPs keep logs of various types of internet activity.
How and where you might perform this interception is up for debate. For example, if an ISP attempts to intercept mail server communication, many email connections use TLS or the like, so this is (without an SSL proxy and the associated certificate issues) moderately difficult without CA complicity. However, they certainly can log anything sent by their mail server to satisfy the compliance needs. I suspect that the ISP's remit does not extend to logging mail sent by other providers, but might reasonably extend to IP addresses communicated with.
So, in sending an email via your GMail SMTP server, Whitehall would know that you accessed that IP address and they would then know who your email provider was. Depending on the implementation of the snooping, Whitehall can either ask Google, who would legally be required to comply, or they can ask the ISP that passed the packets, as they would have the technical means to provide it. I make this ambiguous because I'm not privy to how it would be done, and do not wish to speculate on an already hot enough topic.
If you do not actually send anything, that record is never created.
Now, that does not mean the message cannot be read. Mail servers store drafts in some format (Maildir, mbox, whatever Exchange uses, SQL?). Assuming the government believe that information may or may not be valuable, they can via their legal mechanisms now gain access to the access records of that email inbox and, one assumes, deduce which IP addresses accessed that information.
This is where the problems arise for the government, and the reason for using this technique comes in. The assumption being made, I believe, is that each individual corresponds to an individual email address. As such, when you see that Jeff has sent Joel an email, you can add that to your picture of information about their social interactions. Formally, this field is known as Social Network Analysis. Facebook have been playing in this area with the social graph and there is much research done on the topic.
At a more fundamental level, the existence of evidence records linking A to B can (be attempted to be, I am not a lawyer) used as proof for any criminal act should it arise from the communication.
Anyway, back to the caveat. Logging in as the same user essentially breaks the email account to identity mapping, making it hard to work out who has communicated. This is essentially the same reasoning behind using a dead drop in traditional espionage, with the added difficulty that if both parties are changing their IP addresses regularly, your chances of working out who is communicating with whom reduce to very narrow. Depending on VPN providers used, you may be able to track down individuals; however, I suspect if your VPN provider is based abroad with no incentive to log any information, they would not help. Similarly, assuming no exploitable flaws in Tor, this system would also work nicely.
Interestingly, we had a similar debate on civil liberties and monitoring with the Digital Economy Act, or what was then just a Bill (proposed Act). At the time, the Security Service worried that being too strict on file sharers would essentially accelerate the adoption of encryption, making content snooping impossible. Specifically, effective traffic analysis requires non-encrypted tunnels.
This remains relevant here. I've mentioned VPN providers and using them to mask your IP address. Using a VPN provider from a nation with no interest in law enforcement co-operation, while turning on encryption means your ISP can deduce two things:
- That you are using VPN;
- Who your VPN provider is.
Unless the VPN provider co-operates in identifying you and the websites you access via their service, this gives the ISP very little of use to report to the government. Moreover, VPN configurations such as OpenSSL or SSTP can be configured to use explicit keys, rather than the CA certificate chain, and as such provided proper key verification occurs (i.e. you know the certificate of the remote end and reject any other certificate), you cannot be fooled into accepting a proxy key. You do have to get this right, and getting it wrong will leave you vulnerable to MITM, but it is possible.
All in all, this is an excellent communication mechanism should you wish to avoid any analysis that relies on your identity being tied to your email address and you use an appropriate technique properly to mask other properties that might uniquely identify you, e.g. IP address. In the interests of brevity, I have not discussed browser fingerprinting either, but that's relevant too.
You do not, of course, mitigate the threat that somebody could actually read that message, or the threat of it not arriving. And of course, if you give away who you are in such a message, the game is up again!
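As an added illustration (not part of the answer above), the following Python sketch runs the two analyses the answer describes over a constructed mail-server log: building the sender-to-recipient social graph from sent messages, and listing which client IPs accessed each account. It shows that a shared draft account contributes no edge to the social graph, while its login records still expose the set of accessing IPs. The account names, IP addresses and log format are all made up for this example.

```python
from collections import Counter, defaultdict

# Constructed sample records, not from any real system. One event per line:
#   "<event> <account> <peer> <client_ip>"
# "sent" events carry the recipient as <peer>; "login" events carry "-".
LOG = """\
sent jeff@example.org joel@example.org 203.0.113.10
sent joel@example.org jeff@example.org 198.51.100.7
sent jeff@example.org joel@example.org 203.0.113.10
login dropbox@example.org - 203.0.113.10
login dropbox@example.org - 198.51.100.7
login dropbox@example.org - 203.0.113.10
"""


def parse(log):
    """Split the constructed log into (event, account, peer, client_ip) tuples."""
    rows = []
    for line in log.splitlines():
        event, account, peer, ip = line.split()
        rows.append((event, account, peer, ip))
    return rows


def social_graph(rows):
    """Directed edge counts sender -> recipient, built only from 'sent' events.

    This is the account-to-account picture the answer says an observer with
    mail logs could draw. A shared account whose users only save drafts never
    appears here, because nothing is ever sent.
    """
    edges = Counter()
    for event, account, peer, _ in rows:
        if event == "sent":
            edges[(account, peer)] += 1
    return edges


def access_ips(rows):
    """Distinct client IPs per account from 'login' events.

    This is the residual signal the answer mentions: even with no sent mail,
    the access records of the shared inbox still list who connected to it.
    """
    seen = defaultdict(set)
    for event, account, _, ip in rows:
        if event == "login":
            seen[account].add(ip)
    return {account: sorted(ips) for account, ips in seen.items()}
```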