Alex Modelski

 


Seattle Office (main office):
16 West Harrison, Suite 106
Seattle, WA 98119
Tel. 206-971-7094
Fax 425-867-3013

Bellevue Office
(upon appointment):

10900 NE 8th Street, Suite 900
Bellevue, WA 98004
Tel. 425-556-0500
Fax 425-867-3013
 

This article is published with the permission of Alex Modelski to provide information to attorneys and contract service personnel. It is intended to be informational and does not constitute legal advice regarding any specific situation. It may be reprinted without the express permission of Alex Modelski so long as it is reprinted in its entirety including this title page. If you have any questions or would like additional information, contact Alex using the contact information provided below.

 

EMAIL AND THE LAW OF PRIVACY

October 14, 2001


Copyright © 2001 Alex Modelski

TABLE OF CONTENTS

Introduction

Common Law Rights of Privacy

Constitutional Law

State Constitutional Issues and Statutory Law

Electronic Communication Privacy Act

Carnivore

System Administrators and Sniffer Software

Doubleclick Litigation Computer Fraud and Abuse Act

WebBugs

Rights of ISP’s to Inspect and Disclose; Anonymous Posters

May An Employer Read Employee Email?

Public Employers

Email and Internet Use Policies

Appendix A, Computer Fraud and Abuse Act

Appendix B, Amendments to Computer Fraud and Abuse Act in Patriot Act of 2001

Appendix C, Chapter 119 - Wire And Electronic Communications Interception And Interception Of Oral Communications

Appendix D, Chapter 121 - Stored Wire And Electronic Communications And Transactional Records Access

Introduction

In his September 4, 2001 open letter to federal judges, published in the Wall Street Journal, Ninth U.S. Circuit Court of Appeals Judge Alex Kozinski wrote regarding the Judicial Conference Committee on Automation and Technology recommendation that federal courts monitor employee email and Web usage:

    The U.S. Bureau of Prisons maintains the following sign next to all telephones used by inmates: "The Bureau of Prisons reserves the authority to monitor conversations on the telephone. Your use of institutional telephones constitutes consent to this monitoring. . . ."

    I'm planning to put signs like these next to the telephones, computers, fax machines and other equipment used in my chambers because, according to a policy that is up for a vote by the U.S. Judicial Conference, we may soon start treating the 30,000 employees of the judiciary pretty much the way we treat prison inmates.

    Exaggeration? Not in the least. According to the proposed policy, all judiciary employees--including judges and their personal staff--must waive all privacy in communications made using "office equipment," broadly defined to include "personal computers . . . library resources, telephones, facsimile machines, photocopiers, [office supplies." There is a vague promise that the policy may be narrowed in the future, but it is the quoted language the Judicial Conference is being asked to approve on Sept. 11.

    Not surprisingly, the proposed policy has raised a public furor…. I asked that my response…be distributed to federal judges…but my request was rejected. I must therefore take this avenue for addressing my judicial colleagues on a matter of vital importance to the judiciary and the public at large. Like prisoners, judicial employees must acknowledge that, by using this equipment, their "consent to monitoring and recording is implied with or without cause." Judicial opinions, memoranda to colleagues, phone calls to your proctologist, faxes to your bank, e-mails to your law clerks, prescriptions you fill online--you must agree that bureaucrats are entitled to monitor and record them all.

    This is not how the federal judiciary conducts its business. For us, confidentiality is inviolable. No one else--not even a higher court--has access to internal case communications, drafts or votes. Like most judges, I had assumed that keeping case deliberations confidential was a bedrock principle of our judicial system. But under the proposed policy, every federal judge will have to agree that court communications can be monitored and recorded, if some court administrator thinks he has a good enough reason for doing so.

    Another one of our bedrock principles has been trust in our employees. I take pride in saying that we have the finest work force of any organization in the country; our employees show loyalty and dedication seldom seen in private enterprise, much less in a government agency. It is with their help--and only because of their help--that we are able to keep abreast of crushing caseloads that at times threaten to overwhelm us. But loyalty and dedication wilt in the face of mistrust. The proposed policy tells our 30,000 dedicated employees that we trust them so little that we must monitor all their communications just to make sure they are not wasting their work day cruising the Internet.

    How did we get to the point of even considering such a draconian policy? Is there evidence that judicial employees massively abuse Internet access? Judge Nelson's memo suggests there is, but if you read the fine print you will see that this is not the case.

    Even accepting the dubious worst-case statistics, only about three percent to seven percent of Internet traffic is non-work related. However, the proposed policy acknowledges that employees are entitled to use their telephone and computer for personal errands during lunchtime and on breaks. Because lunches and breaks take up considerably more than three percent to seven percent of the workday, we're already coming out ahead. Moreover, after employees were alerted last March that downloading of certain files put too much strain on the system, bandwidth use dropped dramatically. Our employees have shown they can be trusted to follow directions.

    Unbeknownst to the vast majority of judges and judicial employees, Mr. Mecham secretly started gathering data on employee Internet use. When the Web sites accessed from a particular computer affronted his sensibilities, Mr. Mecham had his deputy send a letter suggesting that the employee using that computer be sanctioned, and offering help in accomplishing this. Dozens of such letters went out, and one can only guess how many judicial employees lost their jobs or were otherwise sanctioned or humiliated as a consequence.

    When judges of our circuit discovered this surreptitious monitoring, we were shocked and dismayed. We were worried that the practice was of dubious morality and probably illegal.

    In their hurry to vindicate Mr. Mecham's unauthorized snooping, the committee short-circuited the normal collegial process of deliberation and consultation.

     I therefore suggest that all federal judges reading these words--indeed all concerned citizens--write or call their Judicial Conference representatives and urge them to vote against the proposed policy. In addition, we must undo the harm we have done to judicial employees who were victims of Mr. Mecham's secret, and probably illegal, snooping. The Judicial Conference must pass a resolution that offers these employees an apology and expungement of their records.

    Moreover, we should appoint an independent investigator to determine whether any civil or criminal violations of the Electronic Communications Privacy Act were committed during the months when 30,000 judicial employees were subjected to surreptitious monitoring. If we in the judiciary are not vigilant in acknowledging and correcting mistakes made by those acting on our behalf, we will surely lose the moral authority to pass judgment on the misconduct of others. –quoted from "Help Stop Monitoring of the Internet at the Federal Judiciary", By Manny Klausner, FrontPageMagazine.com, September 7, 2001, http://www.frontpagemag.com/guestcolumnists/klausner09-07-01.htm.

Agreeing with Judge Kozinski, the Federal Judges Association, which represents 85 percent of the nation's 1,800 judges, adopted a resolution opposing the proposed policy. In a letter to Judge Edwin Nelson, Chief Judge Edith H. Jones of the Fifth Circuit criticized unrestricted monitoring as "the equivalent of sanctioning wiretapping of telephones or searches of office files to prevent unauthorized use of government property." Ultimately, the Judicial Conference approved a revised version, which does not specifically permit monitoring of e-mail and permits limited tracking of Web-surfing. [Judicial Conference Approves Recommendations on Electronic Case File Availability and Internet Use -September 19, 2001, http://www.uscourts.gov/news.html.] On the other hand, the approved "model appropriate use policy" banned court employees from using their office computers to access file-sharing services, such as Napster and Gnutella, and from creating, downloading, viewing, storing, copying or transmitting sexually explicit materials or those related to gambling or illegal weapons. The dispute among federal judges and the issues raised in Judge Kozinski’s open letter raise all of the essential elements basic to an understanding of the law of privacy as it applies to email.


Common Law Rights of Privacy

The word "privacy" does not appear in the U.S. Constitution. Yet, it is now construed to be a broad and inalienable right. The origin of this right is grounded in tort law and a famous 1890 Harvard Law Review article by future Supreme Court justice Louis Brandeis called "The Right to Privacy". In it, Brandeis asserted that a person ought to be able to sue someone who violates one's right to "privacy." In a most famous passage Brandeis said:

    That the individual shall have full protection in person and in property is a principle as old as the common law; but it has been found necessary from time to time to define anew the exact nature and extent of such protection. Political, social, and economic changes entail the recognition of new rights, and the common law, in its eternal youth, grows to meet the demands of society. Thus, in very early times, the law gave a remedy only for physical interference with life and property, for trespasses vi et armis. Then the "right to life" served only to protect the subject from battery in its various forms; liberty meant freedom from actual restraint; and the right to property secured to the individual, his lands and his cattle. Later, there came a recognition of man's spiritual nature, of his feelings and his intellect. Gradually, the scope of these legal rights broadened, and now the right to life has come to mean the right to enjoy life -- the right to be let alone; the right to liberty secures the exercise of extensive civil privileges; and the term "property" has grown to comprise every form of possession -- intangible as well as tangible.

The courts ultimately agreed and began recognizing common law rights to privacy. Today, employees’ rights to e-mail privacy are largely governed by state tort law. The Restatement (Second) of Torts summarizes these causes of action as follows:

    652A. General Principle

    1. One who invades the right of privacy of another is subject to liability for the resulting harm to the interests of the other.

    2. The right of privacy is invaded by:

      1. unreasonable intrusion upon the seclusion of another, as stated in 652B; or
      2. appropriation of the other's name or likeness, as stated in 652C; or
      3. unreasonable publicity given to the other's private life, as stated in 652D; or
      4. publicity that unreasonably places the other in a false light before the public, as stated in 652E.

    652B. Intrusion upon Seclusion

    One who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the intrusion would be highly offensive to a reasonable person.

    652C. Appropriation of Name or Likeness

    One who appropriates to his own use or benefit the name or likeness of another is subject to liability to the other for invasion of his privacy.

    652D. Publicity Given to Private Life

    One who gives publicity to a matter concerning the private life of another is subject to liability to the other for invasion of his privacy, if the matter publicized is of a kind that

    1. would be highly offensive to a reasonable person, and
    2. is not of legitimate concern to the public.

    652E. Publicity Placing Person in False Light

    One who gives publicity to a matter concerning another that places the other before the public in a false light is subject to liability to the other for invasion of his privacy, if

    1. the false light in which the other was placed would be highly offensive to a reasonable person, and
    2. the actor had knowledge of or acted in reckless disregard as to the falsity of the publicized matter and the false light in which the other would be placed

The tort most relevant to e-mail interception by employers is unreasonable intrusion upon the seclusion of another.


    Constitutional Law

    The Supreme Court has found privacy rights implicit in the "penumbra" surrounding the First, Third, Fourth, Fifth and Ninth Amendments. Griswold v. Connecticut, 381 U.S. 479, 483-5 (1965). More specifically, however, the Fourth Amendment of the U.S. Constitution prohibits unreasonable searches and seizures by the United States government, and through the Fourteenth Amendment, that prohibition has been extended to the States, counties and any other entity that may act "under color of law".

    As applied to electronic communications, the landmark case of Katz v. U.S., 389 U.S. 347 (1967) considered a wiretap on a public telephone booth. The Court held that the police violated the defendant's constitutional right of privacy and made an unreasonable seizure under the Fourth Amendment. In Justice Harlan's concurring opinion in Katz, 389 U.S. at 361, a two-part test was proposed: (1) Did the person have an actual expectation of privacy in the communication? and (2) Does society recognize this expectation as reasonable?

    The U.S. Supreme Court accepted this two-part test in Smith v. Maryland, 442 U.S. 735, 740 (1979) and restated their acceptance again in California v. Ciraolo, 476 U.S. 207, 211 (1986). Further, the Supreme Court has held that a warrantless search that violates a person’s reasonable expectation of privacy will nonetheless be "reasonable" (and therefore constitutional) if it falls within an established exception to the warrant requirement. See Illinois v. Rodriguez, 497 U.S. 177, 183 (1990). Accordingly, investigators must consider two issues when asking whether a government search of a computer requires a warrant. First, does the search violate a reasonable expectation of privacy? If so, the search may nonetheless be reasonable because it falls within an exception to the warrant requirement, such as consent (user, co-users, co-owner, parent, system administrator), implied consent (individuals, such as prison guards, often enter into agreements with the government in which they waive some of their Fourth Amendment rights, and users of computer systems often must view a banner conditioning use of the system upon a waiver of privacy rights), exigent circumstances (in United States v. David, 756 F. Supp. 1385 (D. Nev. 1991), agents saw the defendant deleting files on his computer memo book, and seized the computer immediately), plain view (for example, if an agent conducts a valid search of a hard drive and comes across evidence of an unrelated crime while conducting the search, the agent may seize the evidence under the plain view doctrine, United States v. Carey, 172 F.3d 1268, 1273 (10th Cir. 1999)), search incident to lawful arrest (See United States v. Reyes, 922 F. Supp. 818, 833 (S.D.N.Y. 1996) holding that accessing numbers in a pager found in bag attached to defendant’s wheelchair within twenty minutes of arrest falls within search-incident-to-arrest exception), inventory searches and border searches ("routine searches" at the border or its functional equivalent do not require a warrant, probable cause, or even reasonable suspicion that the search may uncover contraband or evidence).

    In the case of a communication that contains evidence of criminal activity, there is no protection for the confidentiality of the communication when the recipient discloses the contents to law enforcement agents or at a criminal trial. U.S. v. White, 401 U.S. 745 (1971)(no violation of Fourth Amendment when defendant spoke to informant who had concealed microphone and transmitter); Hoffa v. U.S., 385 U.S. 293 (1966)(statements made by Hoffa to undercover informant not protected by Fourth Amendment). Furthermore, there is no protection under the Fifth Amendment to the U.S. Constitution for production of documents at a criminal trial, U.S. v. Doe, 465 U.S. 605 (1984). Thus, the author of an e-mail message generally has no constitutional right to prevent disclosure of the message by the recipient.


    State Constitutional Issues And Statutory Law

    Many state constitutions guarantee a right of privacy that parallels the protections of the Fourth Amendment. See Alaska Constitution, Article I, § 22; California Constitution, Article I, § 1; Florida Constitution, Article I, § 23; Hawaii Constitution, Article I, § 6; Illinois Constitution, Article I, § 6; Louisiana Constitution, Article 1, § 5; Montana Constitution, Article II, § 10; South Carolina Constitution, Article I, § 10; Washington Constitution Article No. 1, § 7. Generally, these constitutional provisions apply only to governmental actors or those acting under "color of law", but California's Constitution has been successfully used to challenge private employer actions. See, e.g., Ryan v. Sara Lee Corp., No. S031479, 1993 Cal. LEXIS 2464 (Cal. Dist. Ct. App. April 29, 1993); Semore v. Pool, 266 Cal. Rptr. 280 (Cal. Dist. Ct. App. 1990). See also Luck v. Southern Pac. Transp. Co., 267 Cal. Rptr. 618 (privacy provision of California constitution may apply to private employers), cert. denied, 498 U.S. 939 (1990). On the other hand, California's highest court has upheld a private employer's drug testing program where the employer's legitimate regulatory objectives in conducting the testing outweighed any expectation of privacy. Hill v. National Collegiate Athletic Ass'n, 865 P.2d 633 (Cal. 1994) (upheld NCAA's use of drug testing program for its student athletes).

    Several states have statutes protecting against the interception of electronic communications. In 1998, Connecticut enacted legislation requiring employers to give prior written notice of electronic monitoring to all employees who may be affected. Pub. Law 98-142. See also, New Jersey Wiretapping and Electronic Surveillance Control Act, N.J.S.A. 2A:156A-1 et seq.; Pennsylvania Wiretapping and Electronic Surveillance Act, 18 Pa. Cons. Stat. Ann. § 5702 et seq. See also Cal. Penal Code § 629; Colo. Rev. Stat. Ann. § 16-15-102; Md. Code Ann. §§10-4A-01-08; and N.Y. Crim. Proc. Art. 700. These statutes are largely patterned after the federal Electronic Communications Privacy Act, discussed below.


    Electronic Communications Privacy Act

    The Electronic Communications Privacy Act of 1986 ("ECPA") is the only federal statute that specifically addresses the interception of email. It expanded preexisting prohibitions on the unauthorized interception of wire and oral communications to include other forms of electronic communications. This is a voluminous and complex statute. Subject to various exceptions, the ECPA makes it illegal to intercept an email at the point of transmission, while in transit, when stored by an email router or server, or after receipt by the intended recipient. Chapter 119, §§ 2510-2522 (See Appendix C), deals with unlawful interception, use and disclosure of wire, oral or electronic communications, as well as lawful governmental interception and use. Chapter 121, §§ 2701 through 2711 (See Appendix D), deals with unlawful access and disclosure of stored communications, as well as governmental access and use of such stored communications. The sections dealing with governmental access and use are very detailed and complex and provide the legal basis for national security agency monitoring of email through the Carnivore system.

    The ECPA provides for both criminal and civil liability. A civil plaintiff who proves a violation of Chapter 119 may recover the greater of either:
    (1) actual damages suffered and any profits made by the violator; or
    (2) statutory damages (the greater of $100 a day for each day of violation or $10,000). 18 U.S.C. § 2520(c)(2). Further, attorneys' fees, litigation costs, and other equitable relief may be available. Id. § 2520(a)(3). The criminal penalty includes up to five years imprisonment and fines up to $5000. Id. § 2511(4)(a)-(b). Chapter 121 provides for more severe remedies, including minimum damages of $1,000, punitive damages in the event of willful violation, and disciplinary action in the event of governmental agency violation.

    Neither chapter, however, establishes a general right to e-mail privacy in the workplace because of various exceptions it contains. For example, the prohibition against intercepting communications does not apply where one of the parties to the communication consents to the interception. 18 U.S.C. § 2511(2)(d). An e-mail system provider and/or its employees have the right to intercept and use electronic communications in the normal course of employment while engaged in an activity which is incident to the rendition of the service or for the protection of the rights or property of the provider. 18 U.S.C. § 2511(2)(a)(i). Furthermore, the definition of "electronic communication" is limited to those affecting interstate commerce. Therefore, e-mail messages transmitted on an employer's completely internal e-mail system may not be subject to the ECPA. In the case of Andersen Consulting LLP v. UOP and Bickel & Brewer, 991 F. Supp. 1041 (N.D.Ill. 1998), the Court interpreted § 2702(a) of ECPA, which provides that "a person or entity providing any electronic communication service to the public shall not knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service." The court held that to be subject to this statute, a defendant must provide electronic communication service to the community at large. As UOP only utilized its e-mail system for internal communication, it did not supply service to the public or community at large, even if the system permitted communications over the Internet with third parties. As a result, it was not subject to the statute, and the claim thereunder was dismissed.

    18 U.S.C. § 2701(a) prohibits anyone from obtaining, altering, or preventing authorized access to an electronic communication by intentionally accessing, without authorization, a facility through which electronic communications services are provided, or by exceeding authorization to access such a facility.

    In the wake of the atrocities of Sept. 11, pursuant to the request of President George W. Bush, Congress amended much U.S. law as part of its response to terrorism. (See "Congress Makes it Easier to Snoop," http://www.csmonitor.com/2001/1011/p16s1-stct.html.) In addition to the establishment of a counter-terrorism fund, condemnation of discrimination against Arab and Muslim Americans, authorization of the expansion of a National Electronic Crime Task Force, authorization of confiscation of property of foreign entities involved in hostilities against the United States, provision for increased border guard staffing, extension of access to criminal record to the INS and State Departments, changes in Habeas Corpus and Immigration Law, establishment of humanitarian relief for victims of terrorism, liberalization of proof standards regarding death and disability of victims of terrorism, authorization of payment of rewards to informants against terrorists, extension of Secret Service jurisdiction, expansion of access to educational records, funding of increased crime victim assistance, criminalization of attacks against transportation systems, criminalization of harboring terrorists, definition and criminalization of terrorism and terrorist conspiracies, temporary deferral of the obligation of reporting intelligence-related matters to Congress, establishment of a foreign asset tracking center and a virtual translation center, provision for dam security and investigation of money laundering, the Patriot Act of 2001 also amends sections of the ECPA, the Wiretap Act, the Foreign Intelligence Surveillance Act, and the pen register and trap and trace devices for foreign intelligence purposes provisions. (See http://thomas.loc.gov/cgi-bin/query/D?c107:3:./temp/~c107WEcEDs::). These changes generally ease or lift restrictions on the ability of government agencies to access communications and records of those communications and expand the authority of law enforcement agencies to share the communications obtained through surveillance. Pursuant to a Sunset provision, the amendments terminate as of Dec. 31, 2003, 2004 and 2006.

    Generally speaking, three exceptions are provided to Chapter 2701’s prohibitions on access to stored communications. The Act does not prohibit conduct which is authorized: (1) by the party or entity providing the electronic communications service; (2) by users of electronic communications sent, or intended for, such users; and (3) for certain activities of governmental or law enforcement entities. The Patriot Act of 2001 has added another exception allowing disclosure by the electronic communications service to a governmental entity, if the provider reasonably believes that an emergency involving immediate danger of death or serious physical injury to any person justifies disclosure of the information (Patriot Act of 2001, § 212). It amends 18 U.S.C. § 2702 to prohibit disclosure of records or other information regarding subscribers or users of electronic communications services and remote computing services "not including the contents [of such communications] to any government agency" (§ 210). Though difficult to interpret, this amendment may always authorize disclosure of such contents to government agencies or merely enable the disclosure in case of emergency.

    The Patriot Act of 2001 also makes clear that a "computer trespasser" has no reasonable expectation of privacy, thereby permitting disclosure with regard to his electronic communications (Patriot Act of 2001, § 217). It also exempts the Federal Government from civil liability under 18 U.S.C. § 2707 and adds an entirely new § 2712 dealing with civil liability of the Federal Government (Patriot Act of 2001, § 223). The Act also allows the federal government to learn ISP subscriber numbers, identities, temporarily assigned network addresses and means and source of payment (including any credit card or bank account number) of subscribers (Patriot Act of 2001, § 210).

    18 U.S.C. § 2703 provides that a governmental entity may require the disclosure by a provider of electronic communication service of the contents of an electronic communication that is in electronic storage in an electronic communications system for one-hundred and eighty days or less only pursuant to a warrant issued under the Federal Rules of Criminal Procedure or equivalent State warrant. However, the Section does not protect users against disclosure of information to non-governmental entities.


    Carnivore

    Carnivore is a system used to implement court-ordered surveillance of electronic communication. It has received a great deal of online press in the last year, and has been a focus of anti-terrorist investigation since the attacks of Sept. 11, 2001. Groups such as the American Civil Liberties Union and the Center for Democracy and Technology view Carnivore as an unwarranted invasion of privacy (See "CDT Statement Preserving Democratic Freedoms In Times Of Peril," September 14, 2001, http://www.cdt.org/security/010914cdtstatement.shtml ).

    Carnivore is used when other methods (e.g. having an ISP provide the requested data) do not meet the needs of the investigators or the restrictions placed by the court. Carnivore can be used to collect full content of communications under 18 U.S.C. §§ 2510-2522 (ECPA) and 50 U.S.C. §§ 1801-1846 (Foreign Intelligence Surveillance Act) or only address information (i.e., pen register) under 18 U.S.C. §§ 3121-3127 and 50 U.S.C. §§ 1841-1846 (pen registers and trap and trace devices for foreign intelligence purposes). Law enforcement agents follow a rigorous, detailed procedure to obtain court orders and surveillance is performed under the supervision of the court issuing the order. The Carnivore architecture comprises: (1) a one way tap into an Ethernet data stream; (2) a general purpose computer to filter and collect data; (3) additional general purpose computers to control the collection and examine the data; and (4) a telephone link to the collection computer. The collection computer is typically installed without a keyboard or monitor. Symantec’s PcAnywhere allows the additional computers to control the collection computer via the telephone link. The link is protected by an electronic key such that only a computer with a matching key can connect. Carnivore software is typically loaded on the collection computer while Packeteer and Coolminer are installed on the control computers. When placed at an ISP, the collection computer receives all packets on the Ethernet segment to which it is connected and records packets or packet segments that match Carnivore filter settings. The one-way tap ensures that Carnivore cannot transmit data on the network, and the absence of an installed Internet protocol (IP) stack ensures that Carnivore cannot process any packets other than to filter and optionally record them. Carnivore can neither alter packets destined for other systems on the network nor initiate packets. In pen mode, the operator can see the TO and FROM email addresses and the IP addresses of computers involved in File Transfer Protocol (FTP) and Hypertext Transfer Protocol (HTTP) sessions. In full-collection mode, the operator can view the content of email messages, HTTP pages, FTP sessions, etc.
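
    The difference between pen mode (addresses only) and full-collection mode (addresses plus content) can be shown at the level of a single SMTP session. The following is an added illustration, not Carnivore code and not part of the original article; the session transcript is constructed, and the function names, the filter-by-address setting and the one-message-per-session simplification are assumptions.

```python
import re

# Constructed sample: the client side of one SMTP session (not captured traffic).
SAMPLE_SESSION = [
    "EHLO mail.example.org",
    "MAIL FROM:<alice@example.org>",
    "RCPT TO:<bob@example.net>",
    "RCPT TO:<carol@example.com>",
    "DATA",
    "From: Alice <alice@example.org>",
    "To: bob@example.net",
    "Subject: quarterly numbers",
    "",
    "RCPT TO:<decoy@example.invalid>",  # body text that only looks like a command
    "..leading dot line",               # dot-stuffed body line
    ".",
    "QUIT",
]

# Envelope commands carry the addressing information; everything between
# DATA and the lone "." terminator (headers and body alike) is content.
_ENVELOPE = re.compile(r"^(MAIL FROM|RCPT TO):\s*<([^>]*)>", re.IGNORECASE)


def split_session(lines):
    """Split one SMTP session into (envelope, content).

    envelope is {"from": str or None, "to": [str, ...]}; content is the list
    of lines sent after DATA. Assumes one message per session.
    """
    envelope = {"from": None, "to": []}
    content = []
    in_data = False
    for line in lines:
        if in_data:
            if line == ".":          # end-of-data marker
                in_data = False
                continue
            # Undo dot-stuffing (RFC 5321, section 4.5.2).
            content.append(line[1:] if line.startswith(".") else line)
            continue
        command = line.strip()
        if command.upper() == "DATA":
            in_data = True
            continue
        match = _ENVELOPE.match(command)
        if match:
            address = match.group(2).lower()
            if match.group(1).upper() == "MAIL FROM":
                envelope["from"] = address
            else:
                envelope["to"].append(address)
    return envelope, content


def matches_filter(envelope, target):
    """True when the target address is the envelope sender or a recipient."""
    target = target.lower()
    return envelope["from"] == target or target in envelope["to"]


def collect(lines, target, mode):
    """Return the record kept for one session, or None if the filter misses.

    mode "pen"  -> envelope addresses only; content is never copied.
    mode "full" -> envelope addresses plus the message content.
    """
    if mode not in ("pen", "full"):
        raise ValueError("mode must be 'pen' or 'full'")
    envelope, content = split_session(lines)
    if not matches_filter(envelope, target):
        return None                  # session does not match the filter setting
    record = {"from": envelope["from"], "to": list(envelope["to"])}
    if mode == "full":
        record["content"] = content
    return record


if __name__ == "__main__":
    print(collect(SAMPLE_SESSION, "bob@example.net", "pen"))
    print(collect(SAMPLE_SESSION, "bob@example.net", "full"))
```

    Note that the Subject line and the in-body text resembling a RCPT TO command both fall inside the DATA section, so the pen-mode record excludes them.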


    System Administrators and Sniffer Software

    The legality of employing sniffer software to protect one's email network has yet to be tested in court. Crackers (evil hackers) utilize sniffer software to locate passwords, entry points into networks, etc. Network administrators utilize sniffer software (commonly available brand names include EtherPeek, NAI Sniffer Portable, Win Sniffer 1.2, Analyzer v.2.02) to "sniff out" unusual or problematic activity on a network, including entry by crackers. Such software can be set to intercept any packet visible to the network interface card on which the software is installed and it can be set to capture only those packets transmitted to a particular IP or Ethernet address or all packets which utilize a particular protocol, such as IP, TCP/IP or IP/HTTP. After packets are captured, the user can cause the software to reconstruct the session and then examine the contents in a graphical display or display plain text in readable ASCII format.

    The first legal issue arises from the fact that 18 U.S.C. 2512 prohibits manufacture, assembly, possession or sale of "any electronic, mechanical, or other device, knowing or having reason to know that the design of such device renders it primarily useful for the purpose of surreptitious interception of wire or oral or electronic communications." The computer onto which the sniffer software is loaded may or may not qualify as such a "device". Also, both cracker and system administrator could argue that the software is primarily useful for analyzing the nature of packet traffic, such as size, type, and patterns of traffic, rather than inspecting the contents of the packets. It appears that this issue has yet to be litigated.

    The second legal issue arises from the fact that 18 U.S.C. 2511 prohibits the interception of wire or oral or electronic communications. Andersen Consulting might lead one to believe that use of sniffer software to view contents of email on a completely internal email system would be acceptable. However, Andersen Consulting interpreted 18 U.S.C. 2702, not 2511. § 2511(a) does not mention electronic communication service. Therefore, a complaining party would not need to prove that the system is open to the public. Further, 18 U.S.C. 2511(2)(a)(i) provides that:

      It shall not be unlawful under this chapter for an operator of a switchboard, or an officer, employee, or agent of a provider of wire or electronic communication service, whose facilities are used in the transmission of a wire or electronic communication, to intercept, disclose, or use that communication in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service, except that a provider of wire communication service to the public shall not utilize service observing or random monitoring except for mechanical or service quality control checks.

    If Andersen Consulting controls, the system administrator does not qualify for the protection of § 2511(2)(a)(i) inasmuch as his system is not open to the public. Therefore, § 2511(a) would seem to prohibit his interception of email, whether by sniffer software or otherwise, at least to the extent that such email qualifies as an "electronic communication", that is, so long as it affects interstate commerce.

    18 U.S.C. § 2511(2)(d) permits interception of an "electronic communication" when the person intercepting same:

      (d) is a party to the communication or where one of the parties to the communication has given prior consent to such interception unless such communication is intercepted for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State.

    To take advantage of this exception, computer networks frequently make use of computer banners that appear whenever a person logs onto the network. A banner is text which appears whenever a user attempts to enter a network from a designated point of entry known as a "port." Banners vary substantially in wording, but they usually inform the user that: (1) the user is on a private network; and (2) by proceeding, the user is consenting to all forms of monitoring. The following is an example:

      This computer network belongs to the Widget Corporation and may be used only by Widget Corporation employees and only for work-related purposes and subject to Widget Corporation policies and procedures. Any other use (including use in violation of Widget Corporation policies and procedures) of this network is unauthorized. The Widget Corporation reserves the right to monitor use of this network to ensure network security and to respond to specific allegations of employee and non-employee misuse. Use of this network shall constitute consent to monitoring for such purposes. In addition, the Widget Corporation reserves the right to consent to a valid law enforcement request to search the network for evidence of a crime stored within the network.


    Doubleclick Litigation

    The recent case of In Re Doubleclick, Inc. Privacy Litigation, 00 Civ. 0641 (S.D.N.Y., March 28, 2001), presented a creative attempt by Plaintiffs to extend the ECPA and Wiretap Act to use of "cookies". This consolidated multi-district class action litigation grew out of Doubleclick’s use of "cookies" on client websites. "Cookies" are programs which the site downloads to users’ computers to: 1. gather information regarding a user’s search engine query string; 2. gather user provided information; and 3. track user movement on a website. Whenever a user visits a site which has consented to Doubleclick’s presence, software loaded on the host server downloads the information collected by the "cookies" loaded onto the user’s computer. The Court dismissed the Plaintiffs’ action because:
    1. for purposes of § 2701(a), the conduct was authorized by the user of the electronic communications system (the website owners) for whom Plaintiff’s communication (the transmitted contents of the "cookies") was "intended";
    2. for purposes of § 2701(a), the cookies are not stored in "electronic storage" as it is defined (temporary intermediate storage or storage at an electronic communication service);
    3. for purposes of § 2511(a), Doubleclick and its client websites consented to the "interception" of Plaintiff’s "communications";
    4. for purposes of § 2511(a), the consensual purpose of Doubleclick’s actions was not "primarily criminal or tortious" - rather it was to assist the client sites and Doubleclick to make money.

    Computer Fraud and Abuse Act

    The Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030 et seq. (see Appendix A), prohibits trafficking in passwords and prohibits unauthorized access, by someone without authority or in excess of authority, to a computer (used in interstate commerce or to a government computer) for purposes of obtaining information, committing fraud or extortion, interfering with operation of the accessed computer, and prohibits knowingly causing a transmission which damages such a computer. This statute has been widely utilized by law enforcement agencies to punish crackers and purveyors of "worms" and "viruses". In addition to criminal penalties, the CFAA provides for compensatory damages, injunctive relief and other equitable relief. A growing list of cases provides an idea of the scope of prohibited actions. America Online, Inc. v. Christian Brothers (SDNY, December 9, 2000) (finding that sending spam caused violations of both (a)(5) and (a)(5)(C)); America Online, Inc. v. LCGM, 1998 US Dist. LEXIS 20144 (finding a spammer violated the CFAA); America Online, Inc. v. National Health Care Discount, Inc. 2000 WL 1724884 (N.D. Iowa Sept. 25, 2000) (sending unwanted email is "access" for purposes of CFAA and large volume of email impairs the availability of a computer system; also finding that scraping email addresses could violate (a)(2)(C)); Hotmail Corporation v. Van$ Money Pie Inc., 1998 WL 388389 (N.D. Cal., April 20, 1998) (a default judgment finding, among other things, that spamming with falsified return email addresses with the intention of causing bounced back emails and complaints to damage Hotmail Corporation was a violation of the Computer Fraud and Abuse Act); In re Intuit Privacy Litigation, 2001 WL 370081 (C.D. Cal. April 10, 2001) (dismissing a claim that placing cookies violates the CFAA); Register.com v. Verio (SDNY Dec. 8, 2000) (access by search robots could give rise to (a)(5)(C) and (a)(2) violation); Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc. (W.D. Wash. 10/26/2000), 119 F. Supp. 2d 1121 (culprit acted "without authority" when, while still employed by the plaintiff, but acting as an agent for the defendant, he sent e-mails to the defendant containing various trade secrets and proprietary information belonging to the plaintiff). In the cited case of In Re Doubleclick, Inc. Privacy Litigation, 00 Civ. 0641 (S.D.N.Y., March 28, 2001), the Court noted that the CFAA’s prohibitions against obtaining information without authorization apply only to interstate or foreign communications, damages are limited to economic damages, such economic damage must exceed $5,000, and they must result from a single wrongful act. Further, the Court pointed out that there is no cost to disabling cookies inasmuch as most browser software allows cookies to be "turned off" and inasmuch as Doubleclick offers an "opt out" cookie for free download from its site.

    The Patriot Act of 2001 contains substantial amendments to the CFAA (§ 814) (see Appendix B). It reverses Doubleclick with regard to the requirement that the $5,000 damage threshold must be met by a single act; it increases criminal penalties; it clarifies that the term "loss" includes any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service; it clarifies that "person" includes corporations and other entities; it permits recovery of damages in some situations without proof of economic damages; it includes among the actionable damages the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals; it provides that no action may be brought for the negligent design or manufacture of computer hardware, computer software, or firmware.


    Web Bugs

    Those who utilize "opt-in" email enjoy receiving relevant HTML content pushed to their computer on a regular basis. What they don’t know is that the content sometimes includes a "Web bug". Web bugs typically use JavaScript, a programming language embedded in the HTML text, to collect certain information that allows a user’s movements online to be tracked. Such bugs are also contained in Web page HTML and software downloads. Among the information collected is the IP address of the computer in which the bug is installed, the URL of the page from which the bug is downloaded, and the time the page was viewed. The bug enables the collected information to be sent to its originator, such as at the time it is forwarded to other recipients.

    Unlike cookies, Web bugs are invisible. This gives rise to a host of privacy concerns, because the Web bug’s use is often not adequately disclosed. The undisclosed use of tracking technology to monitor or collect consumer information, or to share such information with third parties, can result in civil and criminal penalties. Recently, the US District Court for the Southern District of New York issued an important order in Specht v. Netscape Communications Corp., 00 Civ. 4871, 2001 U.S. Dist. LEXIS 9073 (S.D.N.Y. 7/3/01). The case involves Netscape’s "SmartDownload" software, which is intended to make it easier for its users to download files from the Internet without losing their interim progress if they lose their Internet connection. At the time of free download from the Netscape site, Plaintiffs were invited to "please review…the license agreement" which contained an arbitration clause (one Plaintiff downloaded the software from another site where the invitation to review the license agreement was not even present). The Court denied Netscape’s Motion to Compel arbitration, holding that there was no proof that the Plaintiffs had assented to the license agreement. More importantly, for purposes of this discussion, the Plaintiffs allege that the software transmits to Netscape private information about the user’s file transfer activity on the Internet, thereby effecting an electronic surveillance of the user’s activity in violation of ECPA and CFAA. It is hard to imagine that the placement of such bugs could result in $5,000 in economic damages required by the CFAA (though this may become easier to prove given the above-noted amendments contained in the Patriot Act of 2001). For purposes of 18 U.S.C. 2701(a) it may be that the transmission of the user information is authorized by the user of the electronic communications system (Netscape) for whom Plaintiff’s communication (the user information) was "intended". 
For purposes of § 2701(a), the bugs don’t seem to be stored in "electronic storage" as it is defined (temporary intermediate storage or storage at an electronic communication service). For purposes of § 2511(a), it would seem that one of the parties to the communication, Netscape, consented to the "interception" of Plaintiff’s "communications". Finally, for purposes of § 2511(a), the placement of the bugs does not seem to be "primarily criminal or tortious"—rather it was for some business purpose. Perhaps criminal or civil trespass or conversion would be more appropriate causes of action.
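
    The tracking mechanism this section describes can be checked for on the receiving side. The following is an added example, not code from the article: a Python triage script that flags remote scripts and invisible remote images in the HTML part of an email. The size and CSS heuristics, the function names, and the sample message (constructed, with example.* hosts) are assumptions of the example.

```python
"""Triage an email for likely Web bugs: remote resources the reader never sees."""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: inline CSS that hides an element or shrinks it to 0-1 pixels.
HIDDEN_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?:^|;)\s*(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)",
    re.IGNORECASE,
)
# Assumption: a width/height attribute of 0 or 1 marks an invisible image.
TINY = re.compile(r"\s*[01]\s*(?:px)?\s*", re.IGNORECASE)


class WebBugFinder(HTMLParser):
    """Collects tags whose remote fetch reports the reader to another host."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = {name.lower(): (value or "") for name, value in attrs}
        try:
            url = urlsplit(attr.get("src", ""))
        except ValueError:
            return  # malformed URL: nothing a mail client could fetch
        if url.scheme not in ("http", "https"):
            return  # cid:, data: and relative sources make no outbound request
        reasons = []
        if tag == "img":
            if (TINY.fullmatch(attr.get("width", "x"))
                    or TINY.fullmatch(attr.get("height", "x"))):
                reasons.append("zero-size or 1x1 image")
            if HIDDEN_CSS.search(attr.get("style", "")):
                reasons.append("hidden by inline CSS")
        elif tag == "script":
            reasons.append("remote script")
        if reasons:
            self.findings.append({
                "tag": tag,
                "host": url.hostname,
                "reasons": reasons,
                # A query string can carry a per-recipient identifier.
                "has_query": bool(url.query),
            })


def find_web_bugs(raw_message):
    """Return findings for every text/html part of an RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    finder = WebBugFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    finder.close()
    return finder.findings


def build_sample_message():
    """Constructed sample: an opt-in newsletter with three tracking elements."""
    html = """<html><body>
<p>Widget Weekly: this week's offers</p>
<img src="https://cdn.example.com/logo.png" width="120" height="40" alt="logo">
<img src="http://track.example.net/open.gif?rcpt=constructed-id-123" width="1" height="1">
<img src="https://metrics.example.org/p.gif" style="display:none">
<script src="http://track.example.net/bug.js"></script>
<img src="cid:banner@local" width="1" height="1">
</body></html>"""
    msg = EmailMessage()
    msg["From"] = "news@widget.example"
    msg["To"] = "reader@example.com"
    msg["Subject"] = "Widget Weekly"
    msg.set_content("Widget Weekly: this week's offers")
    msg.add_alternative(html, subtype="html")
    return msg.as_string()


SAMPLE_MESSAGE = build_sample_message()

if __name__ == "__main__":
    for finding in find_web_bugs(SAMPLE_MESSAGE):
        print(finding["tag"], finding["host"], finding["reasons"],
              "query" if finding["has_query"] else "no query")
```

    The visible logo and the attached (cid:) image are not reported, because the first is displayed to the reader and the second never leaves the message.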


    Rights of ISP’s to Inspect and Disclose; Anonymous Posters

    At the time that users contract with their Internet Service Provider (ISP), they contractually agree that the ISP shall have the right to review and take certain actions with regard to the user’s data and transmissions. For example, AOL provides in its Screen Name Service Terms of Use:

      You acknowledge that AOL reserves the right at all times to disclose any information concerning your use of the Screen Name Service or Participating Sites and Services to comply with valid legal process such as a search warrant, subpoena or court order, or in special cases such as a physical threat to you or others. AOL also reserves the right to edit, refuse to post, or to remove any information, posting or material, in whole or in part, without any prior notification to you. AOL is not responsible for any failure or delay in removing such material.

      ....use of the content or materials available on the Screen Name Service for any purpose not expressly permitted in these Terms of Use is prohibited.

    Mindspring’s Internet Service Agreement provides:

      Monitoring the Services
      EarthLink has no obligation to monitor the Services, but may do so and disclose information regarding use of the Services for any reason if EarthLink, in its sole discretion, believes that it is reasonable to do so, including to: satisfy laws, regulations, or governmental or legal requests; operate the Services properly; or protect itself and its Members. Please see our Privacy Policy. EarthLink may immediately remove your material or information from EarthLink’s servers, in whole or in part, which EarthLink, in its sole and absolute discretion, determines to infringe another’s property rights or to violate our Acceptable use policy

    Mindspring’s Privacy Policy goes on to provide:

      Special Cases
      ....EarthLink may disclose personal information about Visitors or Members, or information regarding your use of the Services or Web sites accessible through our Services, for any reason if, in our sole discretion, we believe that it is reasonable to do so, including: to satisfy laws, such as the Electronic Communications Privacy Act, regulations, or governmental or legal requests for such information; to disclose information that is necessary to identify, contact, or bring legal action against someone who may be violating our Acceptable Use Policy or other user policies; to operate the Services properly; or to protect EarthLink and our Members.

    In 1998, AOL drew criticism when it admitted that it violated its own privacy policy by releasing information showing that a customer being investigated by the U.S. Navy was a homosexual. (See "AOL sides with anonymous posters" by Aaron Elstein, ZDNet News, WSJ Interactive Edition, March 5, 2001, http://www.zdnet.com/zdnn/stories/news/0,4586,2692564,00.html.)

    Recently, despite the fact that ISP’s have great latitude to make disclosure pursuant to the clauses quoted above, they have in fact taken on the role of privacy shield with regard to anonymous posters on ISP sponsored message boards. AOL, Yahoo! and other ISP’s are being deluged with subpoenas issued in John Doe defamation actions being used by publicly traded corporations seeking to uncover the identities of those posters whose comments are particularly offensive, damaging or suspicious. In fact, representatives of AOL have stated that in Year 2000 they received over 475 subpoenas, a 40% increase over 1999. Id. AOL has argued that such suits can constitute an illegitimate use of the courts to silence and retaliate against speakers whose statements, while unpleasant from the standpoint of the Plaintiff, are not unlawful. Id. Yahoo! has told a California Superior Court that it receives thousands of such subpoenas. (See "A Victory, of Sorts, for Spouting Off" by Jane Black, BusinessWeek online, July 20, 2001, http://www.businessweek.com/bwdaily/dnflash/jul2001/nf20010720_543.htm.)

    On July 11, 2001, the New Jersey Superior Court issued two opinions in cases in which Yahoo! challenged subpoenas for private information regarding posters. Dendrite International, Inc. v. John Doe No. 3, (Superior, N.J., July 11, 2001); Immunomedics, Inc. v. John Does 1-10, John Foe, A/K/A "bioledger," and John Foes 2-10 (Superior, N.J., July 11, 2001). In Dendrite, the Court quashed the subpoena and in Immunomedics, the Court denied the Motion to Quash Subpoena Duces Tecum. In analyzing the cases, the Court gave the following guidance:

      We offer the following guidelines to trial courts when faced with an application by a plaintiff for expedited discovery seeking an order compelling an ISP to honor a subpoena and disclose the identity of anonymous Internet posters who are sued for allegedly violating the rights of individuals, corporations or businesses. The trial court must consider and decide those applications by striking a balance between the well-established First Amendment right to speak anonymously, and the right of the plaintiff to protect its proprietary interests and reputation through the assertion of recognizable claims based on the actionable conduct of the anonymous, fictitiously-named defendants.

      We hold that when such an application is made, the trial court should first require the plaintiff to undertake efforts to notify the anonymous posters that they are the subject of a subpoena or application for an order of disclosure, and withhold action to afford the fictitiously-named defendants a reasonable opportunity to file and serve opposition to the application. These notification efforts should include posting a message of notification of the identity discovery request to the anonymous user on the ISP's pertinent message board.

      The court shall also require the plaintiff to identify and set forth the exact statements purportedly made by each anonymous poster that plaintiff alleges constitutes actionable speech. 

      The complaint and all information provided to the court should be carefully reviewed to determine whether plaintiff has set forth a prima facie cause of action against the fictitiously-named anonymous defendants. In addition to establishing that its action can withstand a motion to dismiss for failure to state a claim upon which relief can be granted pursuant to R. 4:6-2(f), the plaintiff must produce sufficient evidence supporting each element of its cause of action, on a prima facie basis, prior to a court ordering the disclosure of the identity of the unnamed defendant. 

      Finally, assuming the court concludes that the plaintiff has presented a prima facie cause of action, the court must balance the defendant's First Amendment right of anonymous free speech against the strength of the prima facie case presented and the necessity for the disclosure of the anonymous defendant's identity to allow the plaintiff to properly proceed. 

      The application of these procedures and standards must be undertaken and analyzed on a case-by-case basis. The guiding principle is a result based on a meaningful analysis and a proper balancing of the equities and rights at issue.

    Applying this methodology to both cases, the Court quashed the subpoena requested by Dendrite due to its failure to offer evidence establishing that the poster’s statements sufficiently harmed Dendrite. The Court refused to quash the subpoena requested by Immunomedics because the poster identified herself as an employee, and the suit alleged harm resulting from disclosures of confidential information contained in the postings.

    Similar analysis was utilized by the Virginia Supreme Court in America Online, Inc. v. Anonymous Publicly Traded Company, (March 2, 2001) 2001 Va. LEXIS 38; 29 Media L. Rep. 1442. In that case, the Virginia Supreme Court held that AOL would not have to respond to a subpoena issued by an Indiana Court in a defamation suit on behalf of Plaintiff anonymous publicly traded corporation against an anonymous defendant, "John Doe." The court stated that a court might allow a party to proceed anonymously only upon showing of special circumstances when a party's need for anonymity outweighs the public's interest in knowing the party's identity and outweighs the prejudice to the opposing party. The Court found the Plaintiff’s allegations of potential economic harm to be conclusory.

    Some litigants who have sought to prevent disclosure of their private information have alleged that disclosures would violate the Electronic Communications Privacy Act (ECPA) (which is further discussed below). In Jessup-Morgan v. America Online, Inc., 20 F.Supp.2d 1105 (E.D. Mich. 1998), the Plaintiff alleged that AOL violated the ECPA when her identity was divulged to her husband’s ex-wife, pursuant to subpoena, when the ex-wife attempted to learn who had been posting sexual solicitations under her name on an AOL message board. The Court analyzed these allegations as follows:

      The prohibitions of the Electronic Communication Privacy Act (ECPA), 18 U.S.C. §§ 2701 et seq., are inapplicable. The ECPA prohibits disclosure of the contents of an electronic communication to any person or entity (18 U.S.C. § 2702) or to the government (18 U.S.C. § 2703) without first meeting certain restrictions. 18 U.S.C. § 2711 states that the definitions in 18 U.S.C. § 2510 apply to the ECPA’s provisions. 18 U.S.C. § 2510 states that "‘contents’, when used with respect to any wire, oral, or electronic communication, includes any information concerning the substance, purport, or meaning of that communication," [not information concerning the identity of the author of the communication]. 18 U.S.C. § 2510(8). The "content" of a communication is not at issue in this case. Disclosure of information identifying an AOL electronic communication account customer is at issue. In 18 U.S.C. § 2703(c)(1)(C) this identifying information is specifically acknowledged as separate from the "content" of electronic communications. The ECPA actually authorizes AOL’s disclosure:

      Except as provided in subparagraph (B), a provider of electronic communication service or remote computing service may disclose a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications covered by subsection (a) or (b) of this section) to any person other than a governmental entity.

      18 U.S.C. 2703(c)(1)(A) (emphasis added) (subsections (a) and (b) do not apply to the AOL disclosure). AOL made the disclosure, not to the public, but to a private individual, Barbara Smith’s attorney, pursuant to a properly executed subpoena. Because the prohibitions of the ECPA do not apply to the AOL disclosure in this case, Jessup’s claim that AOL violated the Electronic Communication Privacy Act fails, and AOL is entitled to dismissal of this claim because of her failure to state a claim upon which relief can be granted. FED. R. CIV. P. 12(b)(6).

    AOL posts the following language on its site:

      AOL’s Terms of Service provide that AOL will release account information or information sufficient to identify a member "only to comply with valid legal process such as a search warrant, subpoena or court order . . ." Thus, if you seek such identity or account information in connection with a civil legal matter, you must serve AOL with a valid subpoena.

      AOL is headquartered in Loudoun County, Virginia and subject to the jurisdiction of Loudoun County Circuit Court and the United States District Court for the Eastern District of Virginia. For applicable requirements governing the issuance of subpoenas in these jurisdictions, please consult Va. Code Ann. § 8.01-411 and Virginia Supreme Court Rules 4:9(c) and/or Rule 45 of the Federal Rules of Civil Procedure.

      Upon receipt of a valid subpoena, it is AOL’s policy to promptly notify the Member(s) whose information is sought. In non-emergency circumstances, AOL will not produce the subpoenaed Member identity information until approximately two weeks after receipt of the subpoena, so that the Member whose information is sought will have adequate opportunity to move to quash the subpoena in court. AOL invoices for costs associated with subpoena compliance. We charge $75.00 per hour for research, $14.00 per Federal Express and 25 cents per copy. Subpoenas should be directed to:

      AOL Custodian of Records
      22000 AOL Way
      Dulles, VA, 20166

      Please be advised that the Electronic Communications Privacy Act; 18 U.S.C. §2701 et seq., prohibits an electronic communications service provider from producing the contents of electronic communications, even pursuant to subpoena or court order, except in limited circumstances. Further, AOL’s e-mail system retains e-mail for a period of only approximately two days after the e-mail has been read. After that time, the e-mail is automatically deleted. Unread and sent e-mail is preserved on our system for approximately 28 days. If a member deletes any e-mail, that e-mail is automatically deleted after 24 hours from the AOL systems. Finally, AOL does not retain the contents of chat room or instant message communications, nor does it store information about member Internet usage or websites visited.

      Finally, it is AOL’s policy to release information sufficient to identify an AOL member only where the party seeking the information has filed a legal action that implicates the AOL member in some legally cognizable impropriety or wrongdoing. AOL requests a copy of the complaint and any supporting documentation to indicate how the AOL e-mail address is related to the pending litigation.

    The policy statement raises the question, "when does the ECPA prohibit disclosure pursuant to subpoena?" That issue was addressed in Federal Trade Commission v. Netscape Communications Corp., No. CV-00-00026 (N.D.Cal. 04/24/2000). In that case, the FTC filed a civil action in the United States District Court for the Eastern District of Virginia against various defendants, alleging violations of 15 U.S.C. § 45(a), the FTC unfair competition statute. Netscape was not a defendant in that action. The FTC issued a discovery subpoena as part of pre-trial discovery to uncover documents indicating personal information relating to the identity of certain individuals. The Court held that the FTC’s subpoena was barred by 18 U.S.C. § 2703(c)(1)(C), part of the ECPA, which allows an "electronic communication provider" to honor only trial subpoenas and not pre-trial discovery subpoenas.

    In light of the amendments contained in the Patriot Act of 2001, AOL’s policy may soon be amended to provide that disclosure may be voluntarily made to a governmental entity, especially if AOL reasonably believes that an emergency involving immediate danger of death or serious physical injury to any person justifies disclosure of the information.

    Finally, in criminal cases, Courts have generally ruled against criminal defendant ISP customers who have attempted to block government access to their account information and against those who attempt to exclude evidence gathered from ISP’s pursuant to warrants. Courts generally find that the defendants have "no reasonable expectation of privacy." See United States v. Kennedy, No. 99-10105-01 (D. Kan. Jan. 3, 2000) (ISP customer with child pornography on his web site hosted by Road Runner did not have a reasonable expectation of privacy in the information he gave when subscribing to the ISP, Road Runner); United States v. Hambrick, 55 F. Supp. 2d 504 (W.D. Va. 1999) (Government investigator in sting operation obtained personal information about defendant from ISP based on warrant that was later admitted to be defective. The court held that a valid warrant was not required due to the lack of expectation of privacy, and that the ISP was not subject to civil liability under the Electronic Communications Privacy Act because it acted pursuant to a warrant it believed to be valid at the time). But see Steve Jackson Games v. U.S. Secret Service, 816 F.Supp. 432 (W.D.Tex. 1993), aff'd, 36 F.3d 457 (5th Cir. 1994) (where four plaintiffs claimed that the Secret Service had read and deleted their private e-mail, without their consent, Court found the Secret Service intentionally seized and read communications and thereafter deleted or destroyed some of them either intentionally or accidentally, finding Secret Service liable under the ECPA, 18 U.S.C. 2701, awarding statutory damages of $1000 per plaintiff plus $195,000 in attorneys' fees and approximately $57,000 in costs to plaintiffs).


    May An Employer Read Employee Email?

    Employers are increasingly concerned that they may become exposed to civil liability or criminal charges associated with employee misuse of email—e.g., importation of viruses and worms, transmission of pornography, defamation, discriminatory statements, trade secrets, etc. Employers typically seek to reduce the chance of potential abuse by periodically monitoring employee use of email and the Internet. Further, upon termination of employment, employers often audit and collect information from employee email accounts and continue to receive, respond to and dispose of email which continues to arrive after the employee is terminated.

    The tort most relevant to e-mail interception by employers is unreasonable intrusion upon the seclusion of another. Liability under this tort does not require that the information acquired be publicized or used by the employer. Restatement (Second) of Torts, Comment a. However, to establish the tort, the intrusion must be highly offensive to a reasonable person. Courts generally consider electronic surveillance, such as telephone monitoring, an "intrusion" sufficient to establish that element of the tort. See, e.g., Billings v. Atkinson, 489 S.W.2d 858 (Tex. 1973); Nader v. General Motors Corp., 255 N.E.2d 765 (N.Y. 1970) (telephone wiretapping). In determining the offensiveness of the intrusion, courts examine "the degree of intrusion, the context, conduct and circumstances surrounding the intrusion, as well as the intruder's motives and objectives, the setting into which he intrudes, and the expectations of those whose privacy is invaded." See Miller v. National Broadcasting Co., 232 Cal. Rptr. 668, 679 (Cal. Ct. App. 1986). While express or implied consent is one defense to liability, the mere good faith belief that consent has been given is normally not a defense.

    In deciding whether an intrusion invades a private matter, courts require both that the employee have a subjective expectation of privacy and that the expectation be objectively reasonable. State courts responding to such tort claims have generally attempted to balance an employee's reasonable expectation of privacy against the employer's business justification for monitoring. Thus, the critical issues to examine when determining employer tort liability for monitoring or intercepting employee e-mail messages are: (1) does the plaintiff have a reasonable expectation of privacy and, if so, (2) was there a legitimate business justification for the intrusion sufficient to override that privacy expectation.

    The most frequently cited early case to address the privacy rights of employees with respect to e-mail messages applied Pennsylvania state law. Smyth v. The Pillsbury Co., 914 F. Supp. 97 (E.D. Pa. 1996). The plaintiff, Michael A. Smyth, exchanged e-mails with his supervisor which contained offensive references including threats to kill the company's sales management and references to the holiday party as the "Jim Jones Koolaid affair." Company executives terminated Smyth for "inappropriate and unprofessional comments over Defendant's e-mail system." Plaintiff filed a wrongful discharge action alleging that the employer's conduct violated Pennsylvania's public policy protecting his right of privacy. The court found that: 1. there is no reasonable expectation of privacy in e-mail communications voluntarily made to a supervisor over a company-wide e-mail system despite the fact that the employer assured the plaintiff that the e-mail messages would not be intercepted by management; 2. even if there was a reasonable expectation of privacy, a reasonable person would not consider the employer's interception to be a substantial and highly offensive intrusion upon seclusion; 3. the company's interest in preventing inappropriate and unprofessional comments or even illegal activity over its e-mail system outweighed any privacy interest the employee may have had in his comments.

    Subsequent significant cases include:

    Bourke v. Nissan Motor Corp., No. BO68705 (Cal. Ct. App. July 26, 1993) (unreported decision) (Defendant employee, conducting a training seminar about the use of its e-mail system, randomly accessed an e-mail message written by the plaintiff, which contained information of a personal, sexual nature, leading to review of other employee email, leading to reprimands and terminations. Plaintiffs sued Nissan for invasion of privacy, violation of criminal wiretapping statutes, and wrongful discharge. Court found that Plaintiffs had no reasonable expectation of privacy in their e-mail messages because they had signed a waiver stating that it was company policy that employees restrict their use of company-owned computer hardware and software to company business, and because many months before their terminations, Plaintiffs had learned that their e-mail messages were periodically read by employees other than the intended recipients, despite the fact that plaintiffs were given passwords.)

    Wesley College v. Pitts, 974 F. Supp. 375 (D. Del. 1997). Inadvertent glimpse of email message displayed on a computer screen did not rise to the level of an "interception" as contemplated by the Electronic Communications Privacy Act. Further, under ECPA, where an unknown person makes a copy of e-mail and gives it away, other people who do not provide an electronic communication service can lawfully further distribute copies of that private e-mail.

    McLaren v. Microsoft Corp., No. 05-97-00824-CV (Texas Ct. App., May 28, 1999). Although employee used private password to encrypt email messages stored on office computer, this did not create reasonable expectation of privacy that would prevent company from decrypting and viewing files. Email account and workstation to use it were provided for business, not personal, use, and company had legitimate access to data stored there.

    Fraser v. Nationwide Mutual Insurance Co., E.D. Pa., No. 98-CV-6726, 3/27/01. Plaintiff, an independent insurance agent, alleged that Nationwide intercepted his email communication in violation of the Federal Wiretap Act, 18 U.S.C. § 2511, and the Pennsylvania Wiretap Act, 18 Pa.C.S. § 5702 et seq., and that Nationwide unlawfully accessed Fraser's e-mail from storage, in violation of the federal and state Stored Communications Acts, 18 U.S.C. § 2701 et seq., and 18 Pa.C.S. § 5741. The court found that no interception had taken place for the purpose of the Wiretap Act, because the retrieval of a message from storage after transmission is not an "interception." The Stored Communications Act prohibits unauthorized access to an electronic communication while in electronic storage. Electronic storage means temporary storage incidental to the electronic transfer or storage by an electronic communications server kept for the purpose of backup. Therefore retrieval of a message from storage after transmission is not illegal under the Act.


    Public Employers

    Courts often find that public employees lack a reasonable expectation of privacy. In United States v. Simons, 206 F.3d 392 (4th Cir. 2000), a government employee was charged with violating federal laws against possession of child pornography. The employing agency identified incriminating documents on his computer. The court held that the employee did not have a reasonable expectation of privacy as to the fruits of his Internet use where the agency had notified employees of limitations and a policy of periodic audits to ensure compliance. Other courts have agreed with the approach articulated in Simons and have held that banners and policies generally eliminate a reasonable expectation of privacy in contents stored in a government employee’s network account. See Wasson v. Sonoma County Junior College, 4 F. Supp.2d 893, 905-06 (N.D. Cal. 1997) (holding that public employer’s computer policy giving the employer "the right to access all information stored on [the employer’s] computers" defeats an employee’s reasonable expectation of privacy in files stored on employer’s computers); Bohach v. City of Reno, 932 F. Supp. 1232, 1235 (D. Nev. 1996) (holding that police officers did not retain a reasonable expectation of privacy in their use of a pager system, in part because the Chief of Police had issued an order announcing that all messages would be logged); United States v. Monroe, 52 M.J. 326 (C.A.A.F. 2000) (holding that Air Force sergeant did not have a reasonable expectation of privacy in his government e-mail account because e-mail use was reserved for official business and network banner informed each user upon logging on to the network that use was subject to monitoring). But see DeMaine v. Samuels, 2000 WL 1658586, at *7 (D. Conn. 2000) (suggesting that the existence of an employment manual explicitly authorizing searches "weighs heavily" in the determination of whether a government employee retained a reasonable expectation of privacy at work, but "does not, on its own, dispose of the question").

    Typically, a warrant must be obtained before a public agency can conduct a search that violates an individual’s reasonable expectation of privacy.  Public employers, however, present a special case.  In O’Connor v. Ortega, 480 U.S. 709 (1987), the Supreme Court held that a public employer may conduct a workplace search that violates a public employee’s reasonable expectation of privacy so long as the search is "reasonable."  The Court reasoned that the need for government officials to pursue legitimate non-law-enforcement aims justifies a relaxing of the warrant requirement because "the burden of obtaining a warrant is likely to frustrate the [non-law-enforcement] governmental purpose behind the search." O’Connor, 480 U.S. at 720 (quoting Camara v. Municipal Court, 387 U.S. 523, 533 (1967)).

    According to O’Connor, a warrantless search must satisfy two requirements to qualify as "reasonable." First, the employer or his agents must participate in the search for a work-related reason, rather than merely to obtain evidence for use in criminal proceedings. Second, the search must be justified at its inception and permissible in its scope. The first element of O’Connor’s reasonableness test limits the O’Connor exception to circumstances in which the government actors who conduct the search act in their capacity as employers, rather than law enforcers. The Court specified two such circumstances. First, the Court concluded that public employers can conduct reasonable work-related noninvestigatory intrusions, such as entering an employee’s office to retrieve a file or report while the employee is out. See id. at 722 (plurality); id. at 732 (Scalia, J., concurring). Second, the Court concluded that employers can conduct reasonable investigations into an employee’s work-related misconduct, such as entering an employee’s office to investigate employee misfeasance that threatens the efficient and proper operation of the office. See id. at 724 (plurality); id. at 732 (Scalia, J., concurring).

    In general, the presence and involvement of law enforcement officers will not invalidate the search so long as the employer or his agent participates in the search for legitimate work-related reasons. See, e.g., Gossmeyer v. McDonald, 128 F.3d 481, 492 (7th Cir. 1997) (presence of law enforcement officers in team searching for evidence of work-related misconduct did not invalidate search); Taketa, 923 F.2d at 674 (search of DEA office space by DEA agents investigating allegations of illegal wiretapping "was an internal investigation directed at uncovering work-related employee misconduct."); Shields v. Burge, 874 F.2d 1201, 1202-05 (7th Cir. 1989) (internal affairs investigation of a police sergeant appropriate despite parallel criminal investigation); Ross v. Hinton, 740 F. Supp. 451, 458 (S.D. Ohio 1990) (concluding that a public employer’s discussions with law enforcement officer concerning employee’s alleged criminal misconduct, culminating in officer’s advice to "secure" the employee’s files, did not transform employer’s subsequent search of employee’s office into a law enforcement search).

    It appears that the identity of the person conducting the search will play a major role in a court’s determination as to whether a search has a work-related purpose. For example, in United States v. Simons, 206 F.3d 392, 400 (4th Cir. 2000), the Fourth Circuit concluded that O’Connor authorized the search of a government employee’s office by his supervisor even though the dominant purpose of the search was to uncover evidence of a crime. ("[The employer] did not lose its special need for the efficient and proper operation of the workplace merely because the evidence obtained was evidence of a crime.") (internal quotations and citations omitted). On the other hand, the court in Rossi v. Town of Pelham, 35 F. Supp.2d 58 (D.N.H. 1997) held that the O’Connor exception did not apply when a government employer sent a uniformed police officer to an employee’s office, even though the purpose of the police officer’s presence was entirely work-related.

    To be "reasonable" under the Fourth Amendment, a work-related employer search of the type endorsed in O’Connor must also be both "justified at its inception," and "permissible in its scope."  O’Connor, 480 U.S. at 726 (plurality).  A search will be justified at its inception "when there are reasonable grounds for suspecting that the search will turn up evidence that the employee is guilty of work-related misconduct, or that the search is necessary for a noninvestigatory work-related purpose." Id.  A search will be "permissible in its scope" when "the measures adopted are reasonably related to the objectives of the search and [are] not excessively intrusive in light of the nature of the misconduct."  O’Connor, 480 U.S. at 726 (plurality) (internal quotations omitted).   

    Although public employers may search employees’ workplaces without a warrant for work-related reasons, public employers acting in their official capacity generally cannot consent to a law enforcement search of their employees’ offices. See United States v. Blok, 188 F.2d 1019, 1021 (D.C. Cir. 1951) (concluding that a government supervisor cannot consent to a law enforcement search of a government employee’s desk); Taketa, 923 F.2d at 673; Kahan, 350 F. Supp. at 791.  The rationale for this result is that the Fourth Amendment cannot permit one government official to consent to a search by another. Therefore, law enforcement searches conducted pursuant to a public employer’s consent must be evaluated under O’Connor rather than the third-party consent rules of Matlock. The question in such cases is not whether the public employer had common authority to consent to the search, but rather whether the combined law enforcement and employer search satisfied the Fourth Amendment standards of O’Connor v. Ortega.


    Email and Internet Use Policies

    In light of the foregoing discussion of the common law tort of non-consensual intrusion upon seclusion, the ECPA, the CFAA, and the Fourth Amendment, employer’s counsel should be convinced of the need for clear email and Internet use policies. For maximum protection of the employer, such policies must: notify users of employer monitoring; restrict usage to business purposes; prohibit solicitation (including, but not limited to, those that solicit for personal business ventures, religious or other personal causes); define misuse (gambling, transmitting derogatory, abusive, offensive, demeaning or disruptive statements, defamation, discriminatory statements, sexual harassment, propagation of pornography, transmission of jokes, cartoons, chain e-mails, and spam); inform employees that misuse is prohibited and can be the basis for discipline, including dismissal; inform users that any and all communications may be turned over to law enforcement agencies; prohibit third party access; notify all users that the email system is owned by the business, and that nothing stored on, or transmitted by, the system will be considered confidential or private, even if protected by password or encryption, except when such confidentiality is for the benefit of the corporation. Employees should be told to treat e-mail messages as they would postcards or shared paper documents and, as such, the e-mail messages should not include any information or statements that they would mind having a third party read or have read in open court. Further, the network should bear a banner of the sort described in the discussion of the CFAA and employees should be required to sign a statement (which re-states the policy) acknowledging receipt of the policy.

    On the other hand, employers should also consider that draconian policies sometimes reduce productivity. Preventing employees from shopping on Amazon from the office during the holiday season may result in the employee missing half a day of work. Network administrator access to a CEO’s email or that of a sitting federal judge may reduce security. Therefore, each employer and network must consider the special needs of its users when establishing policies and consider utilizing technical tools such as encryption and extraordinary procedures for monitoring of highly sensitive email.

    At the same time, all employees should be admonished not to engage in illegal copying of copyright protected works, or making available copies of such works. They should be cautioned to observe copyright and licensing agreements that may apply to files, documents and software they wish to download. They should also be required to obtain approval from the employer’s supervisory personnel before downloading any materials for which a registration fee is requested. They should be informed that software containing encryption functionality must not be placed on the Internet for downloading outside the United States, because United States export control laws closely regulate such software; users are to comply with all laws and government regulations.

    In practice, the employer should utilize the least intrusive means of monitoring and limit monitoring to that needed to protect the employer’s business purposes. Another purpose of such policies is to protect the intellectual property and trade secrets of the employer. Therefore, it is good practice to inform employees that: deleting email does not eliminate the message from the system; email attachments sometimes include prior revisions of documents, which may reveal secrets or embarrassing detail; highly confidential, sensitive or otherwise proprietary information should not be sent by email without appropriate encryption; users may not, without specific authority from the Chief Information Officer, establish ports for entry into Employer’s systems; when using any computer attached to the employer network, users should not access the Internet except through an employer-approved Internet Firewall and they should not access the Internet directly, whether through a modem or through another service provider, unless their accessing computer is disconnected from all employer networks; all files downloaded from the Internet must be checked for possible viruses; files (other than brand new programs from approved vendors) contained on some other media, such as diskette, CD, zip disk, etc. must be downloaded by appropriately trained representatives of the CIO.


    APPENDIX A

    COMPUTER FRAUD AND ABUSE ACT

    TITLE 18 UNITED STATE