"Hey Sue! Wanna do lunch Thursday?" ... "Mom, we will be home this weekend, please give me a call." ... "Bob, did you hear that stupid joke Mr. Boss told at the meeting today?" ... "Can we reschedule that top-secret information meeting on our new product, XYZ?"
Would you leave these notes lying around on your desk, or taped to your office door for just anyone to read? Probably not, but you would almost certainly e-mail them without a second thought about privacy.
Electronically transmitted messages, commonly known as e-mail, have become widely used both in personal and professional contexts. E-mail is a convenient, inexpensive, and easy-to-use method of communication. But with this growing form of simple communication comes a new set of privacy problems.
What privacy problems could there be? After all, you use a password, right? But passwords provide only local protection. This means that when you are at the computer where you access your e-mail, others cannot read e-mails or access your e-mail program without your user-specific password. Once you write your e-mail and hit the send button, where does it go? Well, the e-mail then goes to the "server" for your e-mail/internet provider. From there it goes out into cyberspace to another "server," only this one is for the recipient. It is at this point that security issues arise.
Copies of old e-mails are kept on servers for a set time. The administrator, or person in charge of running the e-mail program and the server, has access to any data stored on these servers, including your e-mail messages. They keep these e-mail messages for a variety of reasons: to retrieve an accidentally deleted message or to provide technical assistance to the users of an account. Surely these unseen administrators cannot just pull up my e-mails and read them; there must be a law against it? Nope! Well, not specifically a law against reading other people's e-mail. Congress has afforded some protection to e-mail users through the Electronic Communications Privacy Act (ECPA) of 1986, which provides "any person who intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication shall be punished as provided in subsection (4) or shall be subject to suit as provided in subsection (5)."1 The ECPA goes on to further prohibit the use of such illegally gained information as evidence. The terms of the ECPA would tend to lead a reader to believe that such interception is absolutely forbidden. This is not so.
The ECPA leaves room for employers to confiscate e-mail messages when they have the consent of at least one party:
"It shall not be unlawful for a person not acting under color of law to intercept a wire, oral, or electronic communication where such person is a party to the communication or where one of the parties to the communication has given prior consent to such interception unless such communication is intercepted for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State." (Emphasis added)2
Consent to e-mail monitoring can be established by the employer initiating a policy granting permission to monitor all e-mail and having all employees sign the policy as a condition for employment or by making such consent a prerequisite for granting an employee e-mail access. Both employees who use company e-mail and employers who provide such e-mail should be aware of the policies that control the use of company provided e-mail services.
There also may be a narrow exception allowing employers access to private e-mail messages in order to protect their business rights. The ECPA provides:
"It shall not be unlawful under this chapter for an operator of a switchboard, or an officer, employee, or agent of a provider of wire or electronic communication service, whose facilities are used in the transmission of a wire or electronic communication, to intercept, disclose, or use that communication in the normal course of his employment while engaged in any activity which is." (Emphasis added)3
While this portion of the ECPA appears to be aimed more toward the actual e-mail provider, it could conceivably be extended to employers who provide e-mail service to their employees. The fact that employers often provide and operate their own e-mail servers furthers this argument.
Another claim against employers monitoring workplace e-mail is the 4th Amendment. The 4th Amendment to the U.S. Constitution states:
"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
At the time the 4th Amendment was authored, e-mail communication was unforeseeable. But so were telephonic communications, to which the coverage of the 4th Amendment has been extended. In Katz v. United States4, the Supreme Court cemented the now commonly accepted doctrine that a subjective expectation of privacy triggers the protection of the 4th Amendment from unreasonable searches and seizures.
Do users of employment-based and other e-mail systems have a subjective expectation of privacy? This can only be determined on an individual basis. However, it can certainly be argued that when a person purports to protect an e-mail message with the use of a password, they simply assume their message will be kept private.
With the ECPA and the 4th Amendment in mind, where does that leave employees seeking to protect their private communications and employers who want to keep tabs on their employees? Courts have been reluctant to extend widespread protection to employer-provided e-mail services. The District Court for the Eastern District of Pennsylvania held in Smyth v. Pillsbury Company5 that "the company's interest in preventing inappropriate and unprofessional comments or even illegal activity over its e-mail system outweighs any privacy interest the employee may have in those comments." The view expressed by this court would seem to extend the exemption that the ECPA grants to include any activity that might be harmful to the company's interests. This is a very broad exception and employees should keep this in mind whenever using employer-provided e-mail. The California Court of Appeals in Bourke v. Nissan6, an unpublished decision, found that employees did not have a reasonable expectation of privacy. In that case, the employer had the employees sign a form giving them notice of the policy.
So what can employees and employers do to protect themselves? Employers can provide an informed consent form for employees to sign before allowing them the use of company e-mail. This form will give the employer the requisite consent of at least one party that the ECPA requires to prevent violation and provide notice to circumvent the reasonable expectation of privacy that triggers 4th Amendment protection. Employees can limit their use of company-provided e-mail to company business. Employees should not send e-mails that they expect to be private, send harassing or obscene messages, or send e-mails with disparaging or insulting remarks about co-workers or supervisors. Finally, employees should not send sensitive or confidential information via e-mail.
By remembering that e-mail messages can be lawfully intercepted under certain circumstances and by using common sense in writing and sending e-mails on employer-provided e-mail systems, many problems arising from the use of such e-mail can be avoided.
* Tambra Cain is a 2nd year student at the Southern Illinois University School of Law.
1. Electronic Communications Privacy Act of 1986, 18 USC 2510 et seq.
2. Electronic Communications Privacy Act of 1986, 18 USC 2511(2)(d).
3. Electronic Communications Privacy Act of 1986, 18 USC 2511(2)(a)(i).
4. Katz v. United States, 389 U.S. 347 (1967).
5. Smyth v. Pillsbury Co., 914 F. Supp. 97, 101 (ED Penn. 1996).
6. Bourke v. Nissan, unpublished opinion (No. B068705)