E-mail security: Is your privacy at risk?

(written spring semester 1996)


By Eric Wiltse
University of Wyoming

INTRODUCTION
     "Electronic mail (e-mail) is becoming an increasingly popular
method of communication, especially in the workplace. Approximately
25 million people now send and receive e-mail messages over the
enormous web of connected networks known as the Internet..."
(Veeder, 1995, p. 123). The rise in e-mail use has led to increased
concerns that individuals' rights to privacy may be violated in the
workplace, at home and in academia. The United States has laws
protecting privacy, but are those laws keeping pace with the rapid
changes in how people communicate, particularly with e-mail and
other forms of telecommunication technology? This paper will
attempt to determine whether individual rights to privacy are
jeopardized by e-mail monitoring, and whether e-mail is protected
by privacy laws.
LITERATURE REVIEW
     The First, Fourth and Fifth Amendments in the Bill of Rights
form the basis for the body of privacy law that has developed in
the 19th and 20th centuries. Of course, nowhere is e-mail privacy
mentioned in the Bill of Rights. However, the questions of e-mail
privacy didn't arise until the late 1980s. The issues of e-mail are
similar to those involved in court cases of government wiretapping
of private phone calls in the 1960s. In 1967, the case of U.S. vs.
Katz established a reasonable expectation of privacy for the
individual in a wiretap case. Partly as a result of that case, the
next year Congress passed the Omnibus Crime Control Act which
required that law enforcement obtain a court order before tapping
wire communication (which has been interpreted as phone calls) or
oral conversation in which the parties involved had expectations of
privacy. Exemptions to the wiretap protections were allowed for
national security reasons, murder, kidnapping, riots, drug offenses
and organized crime offenses (Hendricks, Hayden, Novik, 1990).
     While these instances addressed government eavesdropping on
phone calls and conversations, some observers became concerned
about the increasing amount of information about people being
stored on government computers. Norback (1981) observed:
     A framework for protection of the public must be developed
     and it must be superimposed on information practices to
     minimize the misuse of an otherwise socially desirable
     instrument ... The problem of striking a balance between
     democracy and technology has been manageable in the past,
     and the nation's policymakers should not shrink from the
     task.
     Others wondered whether federal wiretap laws also should apply
to the communication technologies involving computers.  U.S.
Senator Pat Leahy asked the Justice Department in 1984 whether the
federal wiretap law also covered e-mail or other
computer-to-computer communications. Subsequently, in 1986, the
Electronic Communications Privacy Act (ECPA) extended wiretap safeguards
to "non-aural communications" (Hendricks, Hayden, Novik, 1990). The
ECPA is the law that most telecommunications experts cite regarding
e-mail privacy. 
     The ECPA did not resolve all questions about e-mail privacy,
though. There have been several court cases in the 1990s involving
disputes over e-mail monitoring by employers and commercial online
service providers, such as Compuserve. Controversies over e-mail
privacy are not surprising when considering how the passage of laws
traditionally has lagged behind problems involving privacy. "The
history of protection of personal privacy in the United States is
the history of the rule of law chronically struggling to keep up
with new technological threats to the seclusion of the individual"
(Rubin, 1988, p. 7). Rubin (1988) details three steps in the
development of privacy rights: 1) The Fourth Amendment was spawned
by British searches of American colonists' homes and businesses; 2)
Privacy laws emerged in the 1890s after the excesses of "yellow
journalism" by William Randolph Hearst's newspapers intruded into
the private lives of individuals; and 3) Wiretap laws came into
effect in the 1920s due to public concern about government
eavesdropping on telephone calls. He sees a process in the
development of privacy laws: a problem is identified, a political
consensus is worked out, and a remedy is developed. 
     The same process might be followed as e-mail privacy laws
evolve. Already in the 1990s there have been several highly
publicized cases involving employers reading employees' e-mail.
Branscomb (1994) traces these cases, starting with Shoars vs. Epson
America in which a manager was reading employees' e-mail. Employees
filed a class-action suit claiming invasion of privacy. The court
ruled that state and federal privacy statutes don't address e-mail
confidentiality in the workplace. Workplace monitoring of employee
e-mail seems to be fairly commonplace. Branscomb (1994) cited a
survey of 301 companies that found 21.6 percent searched employee
files, including e-mail and voice mail. Only 30.8 percent of those
companies gave employees advance notice that their files could be
monitored.
     The notification question has become a key issue in e-mail
privacy policies. Federal Express, American Air, Pacific Bell and
United Parcel Service's e-mail systems automatically inform
employees of the monitoring whenever they log into their electronic
mailboxes. Citicorp goes so far as to inform employees that all
e-mail messages are company property (Branscomb, 1994). In another
employee-employer e-mail dispute, Bourke vs. Nissan Motor Corp., a
California court ruled that the plaintiffs had no reasonable
expectation of privacy in their e-mail because they were aware that
e-mail could be accessed and read without the sender's knowledge or
consent (Pedrow and Kohn, 1995).
     Corporations and other businesses justifiably are concerned
about protecting their financial interests and intellectual
property, which has led to e-mail monitoring in the workplace.
Besen (1987) notes that new technologies increase the risk of
unauthorized users gaining access to business databases and
records. "New technologies, and declining costs of
telecommunications and computer storage, permit users to download
entire databases to be searched later at their convenience" (Besen,
1987, p. vi). 
     Legal precedent in e-mail privacy law will likely emerge from
the business sector where e-mail usage, and accompanying problems,
is booming. Branscomb (1994) predicted that in 1995, there would be
38 million e-mail users of corporate local area networks. Pedrow
and Kohn (1995) noted: 
     The use -- and misuse -- of electronic mail has raised new
     legal issues, with little precedent to go by. Employers must
     abide by the Electronic Communications Privacy Act of 1986,
     which ensures online privacy in many situations ... A written
     electronic mail policy between employers and employees is
     urged.
     The ECPA has been interpreted by courts to give employees
certain privacy rights involving electronic communications. In Deal
vs. Spears, an Arkansas court found that the owners of a liquor
store violated the ECPA when they tape recorded and listened to
phone calls made by an employee suspected of theft. The case
involved only the telephone, so it did not set a precedent for
e-mail cases. However, the ECPA makes it illegal to intercept
electronic communications in general. Shear (1996) observed that:
     The statute was written before business e-mail systems
     became common and may not have been intended to keep a
     business from reviewing employee e-mail ... Deal v. Spears
     demonstrates that the ECPA, a statute worded very awkwardly
     and unclearly, may be interpreted in unpredictable ways.
     Similar confusion exists in workplace situations that use
e-mail. Pedrow and Kohn (1995) discovered that:
     Though aware that the employer owns and provides the system
     on which e-mail is transmitted, many employees nonetheless
     equate e-mail with more traditional communication methods,
     such as telephone calls and the U.S. mail, and mistakenly
     assume that the same expectations of privacy hold for e-mail
     as for other communication forms.
     Another source of confusion is that e-mail takes on different
forms and uses. Branscomb (1994) lists five types of e-mail used in
the business sector alone: electronic briefings, electronic
conferencing, computer-mediated queries, lightning rods and
metaforums. In addition, there are numerous forms of e-mail use
that are better known to non-corporate users, such as Listserv and
UseNet discussion groups on the Internet. Most online services also
offer forums, in which subscribers with shared interests
communicate via the online service's e-mail system. The commercial
services vary in their e-mail policies. Prodigy says it doesn't
censor e-mail, but it did shut down a gay forum when other
subscribers complained about its content. Compuserve and GEnie both
censor obscene or illegal messages and remove messages if members
complain that they're offensive (Branscomb, 1994).
DISCUSSION
     The aim of this research is to determine whether e-mail
privacy is threatened by monitoring and whether laws are sufficient
to protect e-mail from illegal monitoring.  The literature on the
subject indicates that e-mail monitoring has become fairly
commonplace in the workplace. However, no literature was found
specifically addressing the question of monitoring in academia.
This research has found that monitoring exists even on university
campuses, where one would expect that the traditional principles of
academic freedom would allow unfettered and unmonitored discussion
and exchange of ideas.
     At the University of Wyoming, for example, e-mail and other
files stored on the university's computer network can be and are
monitored (D. Haas, personal communication, March 13, 1996).
University Regulation No. 690 (1993) states that UW computer
facilities are to be used:
     primarily for University related work. Proper use includes
     using the facilities for homework, class projects,
     sanctioned research projects, business operations of the
     University, or use directed by a University administrator,
     faculty, or staff member. 
     Unireg 690 prohibits use for personal gain or to threaten
others, including sexual harassment. Concerning privacy, Unireg 690
(1993) states:
     Data or information stored in the facilities is considered as
     an electronic extension of an individual's personal work
     area. It cannot be inspected, copied, or otherwise tampered
     with unless permission is given by the owner, except during
     administration of the facilities by Information Technology,
     as demanded by due process of law, or as determined to be in
     the best interests of the University.  
     In addition, there are Wyoming statutes against computer
crimes that cover crimes against intellectual property and against
other computer users (Unireg 690, 1993).
     UW officials have monitored e-mail when they were informed of
sexual harassment complaints and illegal chain letters. Cases of
sex harassment have been turned over to law enforcement. When users
register to get accounts on UW's e-mail system, they are notified
about proper use of the system, but they are not notified that
their e-mail is subject to monitoring by campus officials (D. Haas,
personal communication, March 13, 1996).
     The lack of monitoring notification at UW seems contrary to
what is becoming standard practice for the private sector. Business
lawyers are recommending that corporations develop written
monitoring policies and make sure that employees are aware of them
to avoid litigation over ECPA violations. Jeffrey Michelman, a
lawyer who concentrates on intellectual property and computer law,
"advises employers to eliminate the expectation of privacy for
their employees' e-mail" (Faust, 1995, p. 1C) and also recommends
that companies program their computers so that the monitoring
policy appears on users' screens each time the computer is
accessed.
     Businesses have some legitimate reasons to monitor e-mail,
including to protect corporate secrets, and to investigate employee
theft, fraud, drug dealing and insider trading. In addition, if
employees are using e-mail for personal reasons, it can harm the
company's productivity. A university could have similar reasons to
monitor e-mail of its employees. However, knowing that their e-mail
may be read by university officials could have a "chilling effect"
on researchers and faculty who use e-mail to communicate with their
colleagues around the world. Often these communications are a
mixture of personal and professional messages that would be
difficult to separate. Should a graduate student who e-mails a
researcher at another campus refrain from asking about the health
of the researcher's family at the same time he or she inquires
about the researcher's latest experiment on the Ebola virus, for
example?
     There seem to be several technological remedies to the e-mail
monitoring question. At UW and other universities, e-mail users
should be sure to store their messages on their office computer
rather than on a network server. That way, the university has no
record of stored e-mail and can confiscate an individual's computer
only with a court order (Haas, personal communication, March 13,
1996).
     Another solution would be for users to encode their messages
with encryption software that protects computer communications.
Encryption programs scramble e-mail so that only the sender and the
receiver can decode messages. But even this seemingly workable
solution has become controversial. A Boulder, Colo., man was
prosecuted by the federal government in 1995 for distributing his
Pretty Good Privacy encryption software over the Internet,
allegedly violating export regulations (Holmes, 1995). The
Clinton-Gore administration also has advocated use of the Clipper Chip,
which would allow users to encode messages. However, the sender and
receiver would not be the only ones holding the key to decode their
messages. The Clipper Chip also would allow government agencies to
unlock the codes (Leyden, 1995).
     In conclusion, current laws seem insufficient to protect the
competing interests of law enforcement, business and individual
e-mail users. However, as the history of privacy law shows, once
problems become widespread and politicians are pressured by
constituents, suitable compromises will be found. At the same time,
invasions of individual privacy by e-mail monitoring do not seem
widespread yet, perhaps because of a vague sense by society that
such intrusions are simply wrong. As Leyden (1995) observed:
     Cyberspace is not all that different from the everyday
     world. The same law-abiding people who stop at traffic
     lights are navigating the electronic terrain. The force that
     stops someone from tearing open a letter or bill or check
     delivered through the U.S. mail is not the flimsy envelope:
     It's purely social convention and the vague threat of
     violating a federal law. Similar conventions and vague
     threats generally protect the integrity of electronic
     information, whether it's e-mail or databases.