Learn why you shouldn’t write anything in an email that you wouldn’t want to read in tomorrow’s newspaper.
Email feels like a private, one-to-one conversation safe from prying eyes. But as many folks can tell you (Bill Gates for one) email is about as confidential as whispering at the White House. Your messages can be intercepted and read anywhere in transit, or reconstructed and read off of backup devices for a potentially infinite period of time.
If you’re sending email at work, your boss can legally monitor it, and if your company becomes involved in a lawsuit, your adversary has the legal right to review it. If you send email from home, anonymous hackers can intercept it, and if you are suspected of a crime, law enforcement officials with a warrant can seize your electronic correspondence. Even your Internet service provider may legally be able to scrutinize it.
What all this amounts to is simple: Unless you take affirmative steps to encrypt your messages – a process that uses sophisticated software to garble your words and then allow the recipient to unscramble and read them – don’t send anything in an email that you wouldn’t want to read in tomorrow’s newspaper.
Email at Work: No Reasonable Expectation of Privacy
On your first day of a new job, you’ll probably be asked to sign and acknowledge some form of employer email policy. This policy will probably inform you that email is to be used only for everyday business purposes, the computer systems at work are the property of your employer, email may be monitored and you have no reasonable expectation of privacy in your use of email.
A written statement like this, signed by an employee, creates a contract upon which an employer can rely if they want to snoop. Equally important, if a dispute arises over monitoring of email, the employer can point to the signed statement to show that it was unreasonable for the employee to think that email was private. Even if there is no signed agreement or written policy, an employer can still peek into email (or your desk for that matter) – assuming, as is usually the case, that you have no reasonable expectation of privacy as to the contents. Determining an employee’s reasonable privacy expectations is based upon the custom and practice in each particular workplace. What this amounts to is that courts may find that an employee’s personal email is private only if the employer has acted in a way that supports this conclusion.
In some states, the employer’s promises or behavior don’t matter at all. Even if your employer promises not to spy on your email, that, by itself, may not establish a reasonable expectation of privacy.
Monitoring the Email of Government Employees
If the government employs you, the rules are similar. For example, two police officers were facing an internal investigation over email-type messages that were sent to visual display pagers and stored on police department computers. When the officers sued the city government, a court held that the officers could not claim privacy for email sent over the city’s computer paging system. Bohach v. City of Reno, 932 F. Supp. 1232 (D. Nev. 1996).
In another court decision, an employee of the CIA used a government computer to download pornography. The FBI later seized and searched the employee’s computer system and emails. A court ruled that the employee had no expectation of privacy because the government had a long-standing policy permitting audits of computer hard drives. U.S. v. Simons, 29 F. Supp. 2d 324 (E.D. Va. 1998).
Not only can government employers monitor employee email, but in some cases, the public can also obtain access to government employee email under “public record” laws. In one case, a California newspaper was able to obtain all email relating to city business in Menlo Park written over a six-week period under California’s Public Record Act. San Gabriel Tribune v. Superior Court, 143 Cal. App. 3d 762 (1983). In another matter, an Arizona newspaper was able to obtain backup tapes of a computer server containing email from a local county assessor’s office. Star Pub. Co. v. Pima County Attorney’s Office, 891 P. 2d 899 (Ariz. Ct. App. 1995).
The Employer’s Perspective
There’s more to employer monitoring of email than voyeurism. Employers have several legitimate concerns about employee email. Old-fashioned as it may seem, employers prefer to pay employees for doing work, not sending personal messages. Employers also want to make sure that their investment in office computing is being used effectively, not siphoned off to support employees who overload the system’s communication capacity or “bandwidth.”
Employers are also worried that email will be used within the workplace to harass or offend other employees. For that reason, most of the monitoring software available to employers – and more than one-third of employers reportedly use such software – allows employers to locate email with offensive language. Monitoring may also alert the employer to who is sending lots of email and even who is sending messages with “resume attached.”
But the biggest concern that many businesses have is that archived email will come back to haunt them in court. Unlike a conversation around the water cooler, the email statements of employees can live indefinitely on in backup tapes of corporate systems. Unless a company has a plan to purge old backups – and most don’t – archived email can be a gold mine for lawyers representing anyone that sues the business. For example, when government lawyers sued Microsoft over antitrust issues, some of the most incendiary evidence came from archived emails that documented statements by Microsoft executives about its strategy against competitors such as Netscape.
Similarly, in lawsuits alleging sexual harassment or discrimination, judges have permitted use in evidence of inflammatory emails with off-color jokes and sexist comments – for instance, nominating one employee as a “spandex queen” – as well as email requests to a human resources director on how to avoid a wrongful termination claim when firing an older employee.
By placing employees on notice that email isn’t private, employers try to avoid the creation of such incriminating emails in the first place.
Email on the Internet: Open Systems, Open Messages
While adopting a policy of sending personal email only from home is an obvious step towards protecting your privacy at work, it doesn’t guarantee that your messages will be fully protected from prying eyes. After your email leaves your home it travels over multiple online services and open networks to reach its destination. Although interception of email transmission – that is, snooping while an email is in “real-time” transmission between sender and receiver – is a federal crime under the Electronic Communications Protection Act (ECPA), 18 U.S.C.A 2517 (4), it has been accomplished by hackers.
The ECPA also permits an ISP to look through all stored messages, including email awaiting you in your mailbox or recently sent and received mail. Some ISPs temporarily store all messages that pass through the system. The ECPA normally prevents the ISP from disclosing the messages to others, but even here there are exceptions. Law enforcement officials, when armed with proper warrants or administrative subpoenas, can gather basic information about users from ISPs, including their names, and also gain access to the content of stored messages. Also, once the email reaches its destination, the ECPA does not protect against snooping at the recipient’s mailbox.
Some ISPs, worried about their own liability for the email content, require subscribers to conform to an End User Service Agreement that further reduces the user’s expectation of privacy with ISP-favorable terms. For example, the service agreement for one popular ISP states: “Service Provider has no obligation to monitor the Service, but may do so and disclose the information regarding the use of the Service for any reason if Service Provider in its sole discretion believes that it is reasonable to do so, including to satisfy governmental or legal requests.”
Keeping it Secret: Encryption
Ultimately, the only way to ensure a high degree of privacy for your messages on the Internet is to encrypt them. Encryption is a system in which sophisticated software using cryptographic algorithms garbles your message, sends it across the networks as gibberish, and then – assuming the recipient has the correct digital “key” – reconstitutes it, or decrypts it. Commonly used public key technology uses two keys: one that is unique and private and one that is public and freely distributed to all users of a particular system. These keys only work when matched – what one scrambles, only the other can undo. These techniques can also verify the integrity of the data (that it wasn’t altered along the way) and authenticate it (check to make sure the stated creator is the person who sent the message).
But successfully using encryption requires some foresight, because the person receiving the message has to be able to decode it. Since there are two competing encryption standards, Secure/Multipurpose Internet Mail Extensions (“S/MIME”) and Open Pretty Good Privacy (“OpenPGP”), battling it out for supremacy, and neither can decode the other’s algorithms, you have to know which one the recipient’s email supports before you can send them an encrypted message.
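The two-key scheme described above, as an added example that is not part of the original article: textbook RSA in Python with small constructed keys, showing that only the recipient's private key unscrambles the message and that the sender's signature fails once the text is altered. The names (Alice, Bob, `make_keypair` and the other functions) are hypothetical, and the keys lack the padding and key size that real OpenPGP or S/MIME software uses.

```python
import hashlib

E = 65537  # widely used public exponent

def make_keypair(p, q):
    """Build a toy RSA key pair from two primes; returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # private exponent: inverse of E modulo phi
    return (n, E), (n, d)

def encrypt(public, message: bytes) -> int:
    """Scramble with the recipient's PUBLIC key."""
    n, e = public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy key")
    return pow(m, e, n)

def decrypt(private, ciphertext: int) -> bytes:
    """Unscramble with the matching PRIVATE key."""
    n, d = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def _digest(message: bytes, n: int) -> int:
    # SHA-256 fingerprint of the message, reduced to fit the toy modulus
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(private, message: bytes) -> int:
    """Sign the message fingerprint with the sender's PRIVATE key."""
    n, d = private
    return pow(_digest(message, n), d, n)

def verify(public, message: bytes, signature: int) -> bool:
    """Check a signature with the sender's PUBLIC key."""
    n, e = public
    return pow(signature, e, n) == _digest(message, n)

# Constructed demo keys built from known Mersenne primes; far too small for real use.
BOB_PUB, BOB_PRIV = make_keypair(2**127 - 1, 2**89 - 1)      # recipient
ALICE_PUB, ALICE_PRIV = make_keypair(2**107 - 1, 2**61 - 1)  # sender

if __name__ == "__main__":
    note = b"meet at noon"  # constructed sample message
    sealed, sig = encrypt(BOB_PUB, note), sign(ALICE_PRIV, note)
    print("in transit:  ", hex(sealed))
    print("Bob reads:   ", decrypt(BOB_PRIV, sealed))
    print("wrong key:   ", decrypt(ALICE_PRIV, sealed))
    print("signature ok:", verify(ALICE_PUB, note, sig))
    print("tampered ok: ", verify(ALICE_PUB, b"meet at nine", sig))
```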
In the end, email’s speed and convenience outweigh its non-private nature for most everyday discussions. But you should think of it like a postcard, not a letter – a message open to every eye along the way.