by Michael Sall aka mrrockford
Abstract
Email at Work: Can Your Boss Spy on You? covers one of the most important legal aspects of today’s advanced technological world, the expectation of privacy in the work place. It discusses the questions of increased usage of surveillance and monitoring in the workplace and calls for a better understanding of privacy at work. What kind of privacy may employees expect? And perhaps more importantly, to what extent should they expect privacy?
The general and legal definition of subjects that are important to this idea; The First and Fourth Amendments to the Constitution, Company Privacy Policies, “Third Party Doctrine”, National Security Letters and the “Postal Letter Doctrine” are covered and explained in some detail.
The Eleventh Federal Circuit Courts case Rehberg v. Paulk and the Ninth Federal Circuit Courts Quon v. Arch Wireless case are compared and contrasted along with underlying information and concepts, to show how employees should have an expectation of privacy in their emails at work and that the Federal government must enact an “employee workplace privacy rights law” that has the same or similar protections as those afforded citizens in private life.
Introduction
In today’s modern workplace it is impossible to avoid use of any electronic devices. Technology has created a faster and more efficient workplace environment. In order for businesses to increase bottom line profits they have had to make major investments in technology that allow them to better serve their customers. In protecting that investment there has been also a large investment of employee monitoring. Within the realm of work, surveillance can be carried out with a scrutiny and continuity that is most often not possible in public places and it can provide the observer with detailed person-specific data. In addition to traditional camera monitoring, location based device can display employees’ movements past and present. Radio Frequency IDs enable employers to trace and track an employee’s movements in the fixed workplace and GPS-equipped company cars and cell-phones provide control of the mobile workforce. Computerized work equipment enables assessment of an employee’s output by means of key-stroke loggers. An employee’s interaction with clients, customers and colleagues can be video recorded and intercepted. Additionally, workers may be asked to state information about their health status or to undergo certain capacity tests. Inherent in these practices is the capacity of creating more or less permanent records. When combined, surveillance generated information and employment record data can provide exclusive information about individual employees.
The technology that has had the largest impact on the increase of bottom line profits has been the Internet and its resulting services such as email. Email is defined as “a means or system for transmitting messages electronically (as between computers on a network)” or the “messages sent and received electronically through an e-mail system” (Berghel, 1997). The use of email in the business sector has led to increased efficiency within companies and with their customers and partners by being an almost instant form of direct communication. Business email is used by employees on a daily basis because the costs involved are almost zero. This daily use in the business world, at the workplace, by employees is expected for business purposes. These emails often times contain business secrets that need to be protected, which is important. Use of this email system by employees for private, non-business related communication is frowned on and often considered grounds for termination. The contents of these emails have been made available to employers through commercial spying software and are often of a very private nature. Employers spy on their employees in those ways and others, but, employers can get away with unreasonable employee electronic surveillance too, because there is no Federal law that universally prohibits it across all states. Therefore the Federal government must enact an “employee workplace privacy rights law” that has the same or similar protections as those afforded citizens in private life.
Argument against the Right to Privacy
Many Employers will argue that because they have the right to protect their buildings, office equipment and other assets, allowing employees to be spied on is necessary. Subsequently, security legally trumps employee privacy rights in the workplace (Everett, Wong, Paynter, 2005). Employers also have the right to thwart potentially-damaging employee behavior, such as sexual harassment in order to protect the company from legal recourse, and ensure employee productivity by monitoring all incoming and outgoing email (E-Monitoring in the Workplace, 2006). Most Employers equate the importance of security of their company to that that the United States uses in protecting itself. Employers tend to use the idea of a “National Security Letter” when spying on employees. A National Security Letter (NSL) is a form of administrative subpoena used by the United States Federal Bureau of Investigation and reportedly by other U.S. Government Agencies including the Central Intelligence Agency and the Department of Defense (Garlinger, 2009). It is a demand letter issued to a particular entity or organization to turn over various records and data pertaining to individuals. NSL's can only request non-content information, such as transactional records, phone numbers dialed or email addresses mailed to and from. They require no probable cause or judicial oversight (Yeh, Doyle, 2006). Although an NSL does not allow “non-content” information, this is ignored by Employers as they expect to protect their business. An Employer uses the NSL ideal as not requiring the employees to be informed of any monitoring or recovery of email information.
In addition to the above most employers have their employees sign a computer and network usage policy, which typically will set forth that your email is to be used only for business purposes and grants the employer the right to monitor email and computer usage. This agreement normally deprives an employee of any reasonable expectation of privacy, and means that your emails are fair game for an employer to search through. Employers, unlike law enforcement, do not have very many obstacles preventing them from searching your emails. You are sending communications from their equipment that could affect their business, which usually provides them with the justification to search through your emails.
Many legal experts hired by businesses state that the “Third Party Doctrine” applies to email and therefore employees have no right to privacy in their emails. The “Third Party Doctrine” is the Fourth Amendment rule that governs collection of evidence from third parties in criminal investigations. The rule is simple: By disclosing to a third party, the subject gives up all of his Fourth Amendment rights in the information revealed. According to the Supreme Court,
“[T]he Fourth Amendment does not prohibit the obtaining of information revealed to a third party and conveyed by him to Government authorities, even if the information is revealed on the assumption that it will be used only for a limited purpose and the confidence placed in the third party will not be betrayed” (United States v. Miller, 1976).
In other words, a person cannot have a reasonable expectation of privacy in information disclosed to a third party. The Fourth Amendment simply does not apply.
The Eleventh Federal Circuit Courts case Rehberg v. Paulk is used when the right to email privacy is concerned. In this case, Rehberg’s voluntary delivery of emails to third parties constituted a voluntary relinquishment of the right to privacy in that information. Rehberg does not allege that the defendants, Hodges and Paulk, illegally searched his home computer for emails, but alleges Hodges and Paulk subpoenaed the emails directly from the third-party Internet service provider to which Rehberg transmitted the messages. Lacking a valid expectation of privacy in that email information, Rehberg fails to state a Fourth Amendment violation for the subpoenas for his Internet records (Rehberg v. Paulk, 2010).
“A person also loses a reasonable expectation of privacy in emails, at least
after the email is sent to and received by a third party (“Every federal court to address this issue has held that subscriber information provided to an internet provider is not protected by the Fourth Amendment’s privacy expectation”)” (Rehberg v. Paulk, 2010).
In this case the court decided that the “Third Party Doctrine” was involved in that each mail server located along the path used by the sent emails is considered a “third party” and therefore the sender loses his Fourth Amendment protections.
Businesses also like to use First Amendment protection when supporting their spying activities on employees. The First Amendment to the U.S. Constitution reads, “Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances”.
In the area of free speech, does the right to speak your mind include the right to use offensive language that could start a fight or incite a riot? Is Freedom of Speech synonymous with freedom of expression, such that the right to condemn the U.S. government extends to offensive symbolic actions involving no written or spoken words, like burning the U.S. flag?
The U.S. Supreme Court has confronted most of these questions. Its answers have not always produced unanimous, or even widespread, agreement around the United States. But the Court's decisions have provided a prism through which U.S. citizens have examined the appropriate limitations society may place on the freedoms protected by the First Amendment, and have sparked colorful and spirited discussions among friends and family members, as well as politicians and their constituents. However, all speech is not equal under the First Amendment. The high court has identified five areas of expression that the government may legitimately restrict under certain circumstances. These areas are speech that incites illegal activity and subversive speech, fighting words, Obscenity and Pornography, commercial speech, and symbolic expression.
Businesses tend to use the area of the “commercial speech” part of the First Amendment when limiting employee’s rights. They see limiting use of personal email rights at the workplace as protecting against leaks of proprietary information and therefore stopping any kind of “commercial speech” leaving the company email system.
A businesses expectation of security allows for the argument that because they have the right to protect their buildings, office equipment, other assets, and also have the right to thwart potentially-damaging employee behavior, such as sexual harassment in order to protect the company from legal recourse, and to ensure employee productivity by monitoring all incoming and outgoing email, spying on employees is necessary and legal. Subsequently, security, most employers feel, legally trumps employee privacy rights in the workplace.
Argument for the Right to Privacy
Most employees will argue that they have a right to expectation of privacy in the work place. A privacy policy being a legal document that discloses some or all of the ways a party gathers, uses, discloses and manages a customer's data. The exact contents of a privacy policy will depend upon the applicable law. Employees argue that they should have the same rights afforded a business’s customers under generally accepted company privacy policies (Palm, 2009). Although there are no current federal laws concerning workplace privacy, several guidelines have been established.
Company privacy policies that protect Employee workplace privacy rights are virtually nonexistent in private-sector employment. That is because most private-sector employers conduct some type of electronic surveillance on their employees. Most may do so even without the consent or knowledge of their employees. Using sophisticated software, hidden cameras, phone-tapping devices, “smart card” security badges and global-positioning technology, employers may electronically snoop on employee computer keystrokes and files; Internet, Web and email usage; locations, movements and activities and phone conversations and numbers dialed (Riedy, Wen, 2010). Most states don't have so-called employee workplace privacy rights laws. Even in the few that do, the laws have no “teeth”. In a nutshell, they require only that employers give employees prior notice of electronic surveillance and/or avoid watching employees while they're changing clothes. In fact, the state laws essentially legalize electronic surveillance, because they don't universally prohibit it.
Employees’ needs for protection of communication and correspondence are articulated in debates on employers’ usage of email interception and listening-in devices in call-centers. However, discretion regarding interpersonal communication and various types of correspondence are not claims exclusively addressed to employers. Due to the long-term and often close interaction with colleagues, employees are likely to expect co-workers to withdraw their attention as far as possible rather than to overhear phone conversations or go through documents left in the fax or printer. Although it may, for reasons of limited space, be difficult for colleagues to avoid hearing a conversation altogether, there is a significant difference between withdrawing one’s attention as far as possible and actively listening in. Even in the case of work-related material that co-workers are entitled to access, they would be expected to make a request first. Many legal experts believe that a company privacy policy may deny them some but not all workplace privacy rights.
The Fourth Amendment to the U.S. Constitution reads, “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized” .
The Fourth Amendment was intended to create a constitutional buffer between U.S. citizens and the intimidating power of law enforcement. It has three components. First, it establishes a privacy interest by recognizing the right of U.S. citizens to be “secure in their persons, houses, papers, and effects.” Second, it protects this privacy interest by prohibiting searches and seizures that are “unreasonable” or are not authorized by a warrant based upon probable cause. Third, it states that no warrant may be issued to a law enforcement officer unless that warrant describes with particularity “the place to be searched, and the persons or things to be seized”.
Two requirements must be met before a particular search or seizure will give rise to Fourth Amendment protection. First, the search or seizure must have been conducted by a government agent or pursuant to government direction. Thus, the actions of state and federal law enforcement officers or private persons working with law enforcement officers will be subject to the strictures of the Fourth Amendment. Bugging, wire tapping, and other related eavesdropping activities performed by purely private citizens, such as private investigators, will not receive Fourth Amendment protection.
Second, a defendant must be able to demonstrate that he or she had a "reasonable expectation of privacy" in the place that was searched or the thing that was seized (Katz v. United States, 1967). In Katz, the U.S. Supreme Court explained that "[w]hat a person knowingly exposes to the public, even in his own home or office, is not a subject of Fourth Amendment protection… . But what he seeks to preserve as private, even in an area accessible to the public, may be constitutionally protected."
Although the Eleventh Circuit Court has set a precedent that a businesses employees enjoy no reasonable expectation of privacy in light of such company policies, the Ninth Federal Circuit Courts case Quon v. Arch Wireless is used to assert an employee’s right to privacy in their emails.
The “Postal Letter Doctrine” is the rule that the Fourth Amendment ordinarily protects postal mail and packages during delivery. The same rule applies to both government postal mail and private delivery companies like UPS. As soon as the sender drops off the mail in the mailbox, both the sender and recipient enjoy Fourth Amendment protection in the contents of the mail during delivery. When the mail is delivered to the recipient, the sender loses his Fourth Amendment protection. The Fourth Amendment rights are transferred solely to the recipient. In practice, this works pretty simply, each party has Fourth Amendment protection in the mail when they’re in possession of it, and both the sender and receiver have Fourth Amendment rights in the contents of the mail when the postal service or private mail carrier is holding the mail on their mutual behalf.
It should be clear that there are exceptions to these rules. For example, if a person sends a letter in what the Postal Service used to call “Fourth Class” mail, that is, mail that the Postal Service reserves the right to open, then it is not protected by the Fourth Amendment. The information on a postcard is also not protected by the Fourth Amendment as it is open to the public (Tokson, 2009). The Fourth Amendment protection only applies to the contents of the communication, not the outside, therefore the sender and recipient addresses do not require a warrant to be collected. This basic approach has governed postal mail privacy for a long time.
"Letters and other sealed packages are in the general class of effects in which the public at large has a legitimate expectation of privacy. However, as with the phone numbers they dial, individuals do not enjoy a reasonable expectation of privacy in what they write on the outside of an envelope” (United States v. Hernandez, 2002).
A person has a legitimate interest and trusts that a mailed package will not be opened and searched en route. There can be no reasonable expectation that postal service employees will not handle the package or that they will not view its exterior.
“Like the Supreme Court in Smith, in Forrester we explicitly noted that "e-mail to/from addresses ... constitute addressing information and do not necessarily reveal any more about the underlying contents of communication than do phone numbers." Id. Thus, we concluded that "[t]he privacy interests in these two forms of communication [letters and e-mails] are identical," and that, while "[t]he contents may deserve Fourth Amendment protection... the address and size of the package do not." (Quon v. Arch Wireless, 2008).
In some ways, this trust is increasingly irrelevant, because, if we are to be members of the internet enabled society, we have no other option but to rely on the powerful tools we have at our disposal (such as those provided by employers). Like rats forced to endure electric shocks to acquire food, we must use these tools to acquire information and communicate. The implications of data disclosure and retention are profound, including corporate and law enforcement abuses and identity theft, as well as second- and third-order effects impossible to predict. Those of us who are aware of the risks already self-censor our activities, even as we continue to indulge them.
An Employees argument that they should have the same rights afforded a business’s customers under generally accepted company privacy policies and law, including the right of privacy in their emails should be the accepted norm. Also, that these emails be afforded the same protection under the Fourth Amendment as is a company’s business postal mail and the employee’s private postal mail. The Ninth Federal Circuit Courts case Quon v. Arch Wireless is the basis needed to implement state if not federal employee workplace privacy rights laws that do have “teeth”.
Conclusion
With the importance of daily use of email in the workplace, whether for business or private use, I believe that the Federal government must enact an “employee workplace privacy rights law” that has the same or similar protections as those afforded citizens in private life.
The Eleventh Federal Circuit Courts decision in Rehberg v. Paulk to define an intermediate server as a third party is flawed and thus negates the entire decision. When an email is sent, it travels through many “hands”, these “hands” are the email servers that the email passes through to reach the final destination, the recipient. At each point of this chain the email remains unopened and therefore content of the email has not been delivered which makes the contents private as far as Fourth Amendment protections are concerned. The Eleventh Federal Circuit Court defines each individual email server as a recipient and therefore decides that the email has been delivered and the email loses it Fourth Amendment protection. If the Courts decision is to be taken as valid then a sealed postal letter also loses its Fourth Amendment protection as soon as it is placed into a mail drop or mailman’s hands. The Eleventh Federal Circuit Courts decision in Rehberg v. Paulk does not see that the intermediate email servers are the same as the mail drop (Zwillinger, & Genetski, 2007) or mailman’s hands. If this were the case then at any point after having placed your sealed “snail mail” letter into the postal system it could be opened by the government and its contents read and used as they wished.
In the Ninth Federal Circuit Courts decision of the case Quon v. Arch Wireless, the judges agreed in case law and precedence that should be used when deciding the right to privacy.
“It is well-settled that, "since 1878, ... the Fourth Amendment's protection against `unreasonable searches and seizures' protects a citizen against the warrantless opening of sealed letters and packages addressed to him in order to examine the contents” (United States v. Choate, 1978).
My reasons that the Quon v. Arch Wireless case be used are based on an assumption of “technology neutrality” within the court system. This assumption is that the degree of privacy that the Fourth Amendment offers in the Internet setting should match the degree of privacy protection that the Fourth Amendment provides in the physical world. This assumption follows from the general consensus among judges and scholars that the Fourth Amendment attempts to balance privacy and security interests in a way that both protects privacy and yet also gives the police the power needed to solve crimes or a business owner the right to protect business security.
This also assumes that the courts will extend that same goal to the cyber world. In other words, they should apply the Fourth Amendment protections in the new cyber setting in ways that roughly replicates the role of the Fourth Amendment in the traditional physical setting. As a result, the goal is to apply the protections of the Fourth Amendment from physical space to cyberspace, translating the concepts of the Fourth Amendment from the physical environment to the network environment.
Lawyers across the land are now recognizing that a gold mine of incriminating evidence can be found in corporate emails. I remember watching Microsoft's Bill Gates stumble through answers to questions about his own personal email, tossed at him by government lawyers in the courtroom. This has caused a high-level scramble among corporate bosses to review their own internal email policies.
Most people would now say that if something's really that important, there's always the encryption route. Encryption is a nice concept but hard in execution. The cold, hard reality of encryption is that only an insignificant fraction of email is ever encrypted. In more than 15 years of sending email, I have never sent an encrypted message, nor received one. I can't imagine that I'm alone.
Arguably, increased usage of surveillance and monitoring in the workplace calls for a better understanding of privacy at work. What kind of privacy may employees expect? And perhaps more importantly, to what extent should they expect privacy? The predominating view has been that privacy is a reasonable claim exclusively or at least primarily in obviously private domains such as an individual’s home. Outside this indisputably private domain, privacy expectations must be held reasonable in certain relations either of an intimate or institutionalized kind. The U.S. Congress has seen and anticipated a potential gap in constitutional privacy protections for remotely-stored electronic communications such as email, and set out to bridge that gap. In doing so, it carefully delineated the categories of information afforded protection and assigned corresponding limitations on the rights of the government. Despite some bumps along the way in applying those rules to unforeseen new technologies, a clear regime has been established that dictates when privacy rights must yield to the needs of law enforcement but does not cover an employee’s right of privacy. The Federal government has a set of rules that are enforced for the government but not for employees of a business and this is why the government must enact an “employee workplace privacy rights law” that has the same or similar protections as those afforded citizens in private life.
