(written spring semester 1996)
By Eric Wiltse University of Wyoming INTRODUCTION "Electronic mail (e-mail) is becoming an increasingly popular method of communication, especially in the workplace. Approximately 25 million people now send and receive e-mail messages over the enormous web of connected networks known as the Internet..." (Veeder, 1995, p. 123). The rise in e-mail use has led to increased concerns that individuals' rights to privacy may be violated in the workplace, at home and in academia. The United States has laws protecting privacy, but are those laws keeping pace with the rapid changes in how people communicate, particularly with e-mail and other forms of telecommunication technology? This paper will attempt to determine whether individual rights to privacy are jeopardized by e-mail monitoring, and whether e-mail is protected by privacy laws. LITERATURE REVIEW The First, Fourth and Fifth Amendments in the Bill of Rights form the basis for the body of privacy law that has developed in the 19th and 20th centuries. Of course, nowhere is e-mail privacy mentioned in the Bill of Rights. However, the questions of e-mail privacy didn't arise until the late 1980s. The issues of e-mail are similar to those involved in court cases of government wiretapping of private phone calls in the 1960s. In 1967, the case of U.S. vs. Katz established a reasonable expectation of privacy for the individual in a wiretap case. Partly as a result of that case, the next year Congress passed the Omnibus Crime Control Act which required that law enforcement obtain a court order before tapping wire communication (which has been interpreted as phone calls) or oral conversation in which the parties involved had expectations of privacy. Exemptions to the wiretap protections were allowed for national security reasons, murder, kidnapping, riots, drug offenses and organized crime offenses (Hendricks, Hayden, Novik, 1990). While these instances addressed government eavesdropping on phone calls and conversations, some observers became concerned about the increasing amount of information about people being stored on government computers. Norback (1981) observed: A framework for protection of the public must be developed and it must be superimposed on information practices to minimize the misuse of an otherwise socially desirable instrument ... The problem of striking a balance between democracy and technology has been manageable in the past, and the nation's policymakers should not shrink from the task. Others wondered whether federal wiretap laws also should apply to the communication technologies involving computers. U.S. Senator Pat Leahy asked the Justice Department in 1984 whether the federal wiretap law also covered e-mail or other computer-to- computer communications. Subsequently, in 1986, the Electronic Communication Privacy Act (ECPA) extended wiretap safeguards to "non-aural communications" (Hendricks, Hayden, Novik, 1990). The ECPA is the law that most telecommunications experts cite regarding e-mail privacy. The ECPA did not resolve all questions about e-mail privacy, though. There have been several court cases in the 1990s involving disputes over e-mail monitoring by employers and commercial online service providers, such as Compuserve. Controversies over e-mail privacy are not surprising when considering how the passage of laws traditionally has lagged behind problems involving privacy. "The history of protection of personal privacy in the United States is the history of the rule of law chronically struggling to keep up with new technological threats to the seclusion of the individual" (Rubin, 1988, p. 7). Rubin (1988) details three steps in the development of privacy rights: 1) The Fourth Amendment was spawned by British searches of American colonists' homes and businesses; 2) Privacy laws emerged in the 1890s after the excesses of "yellow journalism" by William Randolph Hearst's newspapers intruded into the private lives of individuals; and 3) Wiretap laws came into effect in the 1920s due to public concern about government eavesdropping on telephone calls. He sees a process in the development of privacy laws: a problem is identified, a political consensus is worked out, and a remedy is developed. The same process might be followed as e-mail privacy laws evolve. Already in the 1990s there have been several highly publicized cases involving employers reading employees' e-mail. Branscomb (1994) traces these cases, starting with Shoars vs. Epson America in which a manager was reading employees' e-mail. Employees filed a class-action suit claiming invasion of privacy. The court ruled that state and federal privacy statutes don't address e-mail confidentiality in the workplace. Workplace monitoring of employee e-mail seems to be fairly commonplace. Branscomb (1994) cited a survey of 301 companies that found 21.6 percent searched employee files, including e-mail and voice mail. Only 30.8 percent of those companies gave employees advance notice that their files could be monitored. The notification question has become a key issue in e-mail privacy policies. Federal Express, American Air, Pacific Bell and United Parcel Service's e-mail systems automatically inform employees of the monitoring whenever they log into their electronic mailboxes. Citicorp goes so far as to inform employees that all e- mail messages are company property (Branscomb, 1994). In another employee-employer e-mail dispute, Bourke vs. Nissan Motor Corp., a California court ruled that the plaintiffs had no reasonable expectation of privacy in their e-mail because they were aware that e-mail could be accessed and read without the sender's knowledge or consent (Pedrow and Kohn, 1995). Corporations and other businesses justifiably are concerned about protecting their financial interests and intellectual property, which has led to e-mail monitoring in the workplace. Besen (1987) notes that new technologies increase the risk of unauthorized users gaining access to business databases and records. "New technologies, and declining costs of telecommunications and computer storage, permit users to download entire databases to be searched later at their convenience" (Besen, 1987, p. vi). Legal precedence in e-mail privacy law will likely emerge from the business sector where e-mail usage, and accompanying problems, is booming. Branscomb (1994) predicted that in 1995, there would be 38 million e-mail users of corporate local area networks. Pedrow and Kohn (1995) noted: The use -- and misuse -- of electronic mail has raised new legal issues, with little precedent to go by. Employers must abide by the Electronic Communications Privacy Act of 1986, which ensures online privacy in many situations ... A written electronic mail policy between employers and employees is urged. The ECPA has been interpreted by courts to give employees certain privacy rights involving electronic communications. In Deal vs. Spears, an Arkansas court found that the owners of a liquor store violated the ECPA when they tape recorded and listened to phone calls made by an employee suspected of theft. The case involved only the telephone, so it did not set a precedent for e- mail cases. However, the ECPA makes it illegal to intercept electronic communications in general. Shear (1996) observed that: The statute was written before business e-mail systems became common and may not have been intended to keep a business from reviewing employee e-mail ... Deal v. Spears demonstrates that the ECPA, a statute worded very awkwardly and unclearly, may be interpreted in unpredictable ways. Similar confusion exists in workplace situations that use e- mail. Pedrow and Kohn (1995) discovered that: Though aware that the employer owns and provides the system on which e-mail is transmitted, many employees nonetheless equate e-mail with more traditional communication methods, such as telephone calls and the U.S. mail, and mistakenly assume that the same expectations of privacy hold for e-mail as for other communication forms. Another source of confusion is that e-mail takes on different forms and uses. Branscomb (1994) lists five types of e-mail used in the business sector alone: electronic briefings, electronic conferencing, computer-mediated queries, lightning rods and metaforums. In addition, there are numerous forms of e-mail use that are better known to non-corporate users, such as Listserv and UseNet discussion groups on the Internet. Most online services also offer forums, in which subscribers with shared interests communicate via the online service's e-mail system. The commercial services vary in their e-mail policies. Prodigy says it doesn't censor e-mail, but it did shut down a gay forum when other subscribers complained about its content. Compuserve and GEnie both censor obscene or illegal messages and remove messages if members complain that they're offensive (Branscomb, 1994). DISCUSSION The aim of this research is to determine whether e-mail privacy is threatened by monitoring and whether laws are sufficient to protect e-mail from illegal monitoring. The literature on the subject indicates that e-mail monitoring has become fairly commonplace in the workplace. However, no literature was found specifically addressing the question of monitoring in academia. This research has found that monitoring exists even university campuses, where one would expect that the traditional principles of academic freedom would allow unfettered and unmonitored discussion and exchange of ideas. At the University of Wyoming, for example, e-mail and other files stored on the university's computer network can be and are monitored (D. Haas, personal communication, March 13, 1996). University Regulation No. 690 (1993) states that UW computer facilities are to be used: primarily for University related work. Proper use includes using the facilities for homework, class projects, sanctioned research projects, business operations of the University, or use directed by a University administrator, faculty, or staff member. Unireg 690 prohibits use for personal gain or to threaten others, including sexual harassment. Concerning privacy, Unireg 690 (1993) states: Data or information stored in the facilities is considered as an electronic extension of an individual's personal work area. It cannot be inspected, copied, or otherwise tampered with unless permission is given by the owner, except during administration of the facilities by Information Technology, as demanded by due process of law, or as determined to be in the best interests of the University. In addition, there are Wyoming statutes against computer crimes that cover crimes against intellectual property and against other computer users (Unireg 690, 1993). UW officials have monitored e-mail when they were informed of sexual harassment complaints and illegal chain letters. Cases of sex harassment have been turned over to law enforcement. When users register to get accounts on UW's e-mail system, they are notified about proper use of the system, but they are not notified that their e-mail is subject to monitoring by campus officials (D. Haas, personal communication, March 13, 1996). The lack of monitoring notification at UW seems contrary to what is becoming standard practice for the private sector. Business lawyers are recommending that corporations develop written monitoring policies and make sure that employees are aware of them to avoid litigation over ECPA violations. Jeffrey Michelman, a lawyer who concentrates on intellectual property and computer law, "advises employers to eliminate the expectation of privacy for their employees' e-mail" (Faust, 1995, p. 1C) and also recommends that companies program their computers so that the monitoring policy appears on users' screens each time the computer is accessed. Businesses have some legitimate reasons to monitor e-mail, including to protect corporate secrets, and to investigate employee theft, fraud, drug dealing and insider trading. In addition, if employees are using e-mail for personal reasons, it can harm the company's productivity. A university could have similar reasons to monitor e-mail of its employees. However, knowing that their e-mail may be read by university officials could have a "chilling effect" on researchers and faculty who use e-mail to communicate with their colleagues around the world. Often these communications are a mixture of personal and professional messages that would be difficult to separate. Should a graduate student who e-mails a researcher at another campus refrain from asking about the health of the researcher's family at the same time he or she inquires about the researcher's latest experiment on the Ebola virus, for example? There seem to be several technological remedies to the e-mail monitoring question. At UW and other universities, e-mail users should be sure to store their messages on their office computer rather than on a network server. That way, the university has no record of stored e-mail and can confiscate an individual's computer only with a court order (Haas, personal communication, March 13, 1996). Another solution would be for users to encode their messages with encryption software that protects computer communications. Encryption programs scramble e-mail so that only the sender and the receiver can decode messages. But even this seemingly workable solution has become controversial. A Boulder, Colo., man was prosecuted by the federal government in 1995 for distributing his Pretty Good Privacy encryption software over the Internet, allegedly violating export regulations (Holmes, 1995). The Clinton- Gore administration also has advocated use of the Clipper Chip, which would allow users to encode messages. However, the sender and receiver would not be the only ones holding the key to decode their messages. The Clipper Chip also would allow government agencies to unlock the codes (Leyden, 1995). In conclusion, current laws seem insufficient to protect the competing interests of law enforcement, business and individual e- mail users. However, as the history of privacy law shows, once problems become widespread and politicians are pressured by constituents, suitable compromises will be found. At the same time, invasions of individual privacy by e-mail monitoring do not seem widespread yet, perhaps because of a vague sense by society that such intrusions are simply wrong. As Leyden (1995) observed: Cyberspace is not all that different from the everyday world. The same law-abiding people who stop at traffic lights are navigating the electronic terrain. The force that stops someone from tearing open a letter or bill or check delivered through the U.S. mail is not the flimsy envelope: It's purely social convention and the vague threat of violating a federal law. Similar conventions and vague threats generally protect the integrity of electronic information, whether it's e-mail or databases.