Privacy of E-Mail in the USA
Copyright 1998 by Ronald B. Standler
Table of Contents
II. general statement of the law
A. extension of old law
telephone monitoring cases
B. law of e-mail
privacy of free e-mail
III. case law in the USA
Shoars v. Epson and Bourke v. Nissan
Steve Jackson Games
Davis in Oklahoma
Is e-mail a public record?
Smyth v. Pillsbury
Wesley College v. Pitts
McVeigh v. Navy
encryption of e-mail
Electronic mail (e-mail) is a way of sending text, graphics, and
computer files from one computer to another computer. There are three
common ways to send and receive e-mail:
Who would want to read someone else's e-mail? Law enforcement
agents are interested in communications involving the planning or
admission of criminal activity. A businessman is interested in
learning proprietary secrets of his competitors. A supervisor is
interested in learning about criticism by his/her employees. Agents
of foreign governments may conduct espionage on military contractors,
diplomatic or defense communications, etc.
- The sender and recipient might be directly connected as part of a
local-area network (now often called an Intranet), which is common
on a university campus, company occupying contiguous office space
in one building (i.e, a law firm), or industrial park.
- The sender and recipient might both have accounts at one central
computer (e.g., CompuServe, AOL, a privately-owned computer
"bulletin board" service, or a computer at a university). The
sender and recipient each access this central computer by using a
modem and the telephone network.
- The sender and recipient both have accounts on separate computers
that both have access to the Internet. Each party accesses their
internet service provider (ISP) by using a modem and the telephone
network. Messages between different ISPs are carried on the
Internet, which uses high-speed, long-distance telephone network.
Examples of ISPs include a private local company or university, or
a national service, e.g., UUNet, CompuServe, America OnLine.
There are three situations in which privacy of e-mail could be a concern.
- Interception during transmission, for example, by a wiretap on the
telephone line at the sender's building.
- Reading during storage on the destination computer. For example,
if one sends e-mail to firstname.lastname@example.org, this e-mail is stored on
a hard drive of a computer at fplc until the recipient deletes it.
If the recipient does not read the message within a reasonable
time, typically a few months of sending the message, the system
operator may delete the message to recover space on the hard drive
for other users. Good operating practice of a computer system
involves making routine backup copies (typically on magnetic tape)
of all files on the hard drive, since hard drives can fail.
An e-mail may be retrieved from a backup tape even after that
e-mail was deleted from the hard drive by the recipient.
- Disclosure of contents by the recipient.
General Statement of the Law
The law regards each of these situations as distinct.
Reading e-mail that is stored on a computer is not an
"interception" under 18 U.S.C. § 2510, et seq., because an
interception must be contemporaneous with the transmission of the
message between different locations. Steve Jackson Games v. U.S.
Secret Service, 816 F.Supp. 432, 442 (W.D.Tex. 1993), aff'd,
36 F.3d 457, 460 (5thCir. 1994). This holding has been accepted in
several subsequent cases, including Wesley College v. Pitts,
974 F.Supp. 375, 384-390 (D.Del. 1997); U.S. v. Moriarty,
962 F.Supp. 217, 221 (D.Mass. 1997); Bohach v. City of Reno, 932
F.Supp. 1232, 1235-36 (D.Nev. 1996).
- Interception of e-mail during transmission is prohibited by federal
wiretap statute, 18 U.S.C. § 2510-2521 and also some state wiretap
statutes. The federal statutes were amended in 1986 by Title I of
the Electronic Communications Privacy Act (ECPA) to include e-mail.
- Reading e-mail during storage on a computer system is prohibited by
federal statute, 18 U.S.C. § 2701-2711, Title II of the Electronic
Communications Privacy Act (ECPA), provided that the system is
"providing an electronic communication service to the public."
This means, among other things, that your e-mail messages are
confidential when stored on a computer owned by an ISP that offers
to any member of the public the ability to send e-mail and you pay
for the account yourself. But there is no protection in
18 U.S.C. § 2702 for e-mail stored on a computer system operated by
a corporation primarily for its own business communications. So,
if you send e-mail to a company (e.g., email@example.com) and the
e-mail is stored on that company's computer, you have no privacy
rights under this statute.
- The recipient of e-mail is generally free to share the information
in the e-mail with anyone, subject to legal obligations that are
mentioned later in this paper.
One court noted that there is a loophole in Title II of the ECPA,
where an unknown person can make a copy of e-mail and give it away,
then other people who do not provide an electronic communication
service can lawfully make a further distribution of copies of that
private e-mail. Wesley College v. Pitts, 974 F.Supp. 375, 389 (D.Del.
extension of old law
Because e-mail is a new medium, invented during the 1970's, there
are not many reported cases involving privacy of e-mail. Therefore,
attorneys and judges initially looked for analogies in older law. The
obvious analogy is voice telephone conversations. Early books on
computer law and early law review articles on privacy of e-mail focused
on this analogy, to suggest what the law was or should be.
However, now, we have several
cases interpreting the ECPA, so, when considering privacy of
e-mail, cases in analogous areas are mostly of historical importance.
The landmark case of Katz v. U.S., 389 U.S. 347 (1967) considered a
wiretap on a public telephone booth. The principal holding in this
case was that the police had violated the defendant's privacy upon
which he justifiably relied and the police made an unreasonable
seizure under the Fourth Amendment to the U.S. Constitution. In
Justice Harlan's concurring opinion in Katz, 389 U.S. at 361, a
two-part test was proposed: (1) Did the person have an actual
expectation of privacy in the communication? and (2) Does society
recognize this expectation as reasonable? The U.S. Supreme Court
accepted this two-part test in Smith v. Maryland, 442 U.S. 735, 740
(1979) and restated their acceptance again in California v. Ciraolo,
476 U.S. 207, 211 (1986).
Disclosure of contents of e-mail by the recipient is not a crime,
unless there were disclosure of classified material to unauthorized
Unless the recipient has some duty of confidentiality (e.g.,
physician-patient, attorney-client, trade secret disclosed in
communication), the recipient is free to share the information with
anyone. However, under some circumstances, the sender might sue the
recipient for publicity given to private life, under Restatement
(Second) Torts § 652D (1977).
If the e-mail were reproduced verbatim, or with only trivial
changes, the sender could also sue the recipient for violation of
copyright laws. However, if the e-mail was not marked with a
copyright notice, then the author can only recover the author's actual
damages and "any profits of the infringer that are attributable to the
infringement", and the defendants can claim "innocent infringement".
17 U.S.C. §§ 401(d), 412, 504(b). Since most e-mail is not marked
with a copyright notice and the expression in most e-mail is not
valuable [There is no copyright protection for either ideas or
information. 17 U.S.C. § 102(b)], copyright law gives little protection
to typical e-mail.
In the special case of e-mail that contains evidence of criminal
activity, there is no protection for the confidentiality of the
message when the recipient discloses the contents of a communication
to law enforcement agents or to a criminal trial. U.S. v. White, 401
U.S. 745 (1971)(no violation of Fourth Amendment when defendant spoke
to informant who had concealed microphone and transmitter); Hoffa v.
U.S., 385 U.S. 293 (1966)(statements made by Hoffa to undercover
informant not protected by Fourth Amendment). Furthermore, there is
no protection under the Fifth Amendment to the U.S. Constitution for
production of documents at a criminal trial, U.S. v. Doe, 465 U.S. 605
(1984). In summary, the author of an e-mail message generally can not
prevent disclosure of the message by the recipient.
telephone monitoring cases
Two telephone monitoring cases established rules that are relevant
to monitoring of employee's e-mail by an employer.
One of the most famous telephone monitoring cases is Watkins v.
Berry & Co., 704 F.2d 577 (11thCir. 1983), in which Watkins'
supervisor listened to one of Watkins' personal telephone calls.
Watkins' employer, the Berry Company, had "an established policy, of
which all employees are informed, of monitoring solicitation calls as
part of its regular training program." Id. at 579. However, this
particular call was not an outgoing "solicitation call", but an
incoming call from a friend during Watkins' lunch hour. The company's
policy, to which Watkins consented, was only to monitoring of sales
calls, not personal calls. Id. at 581. The court stated:
The court stated that the supervisor
- We hold that a personal call may not be intercepted in the ordinary
course of business under the exemption in 18 U.S.C. § 2510(5)(a)(i),
except to the extent necessary to guard against unauthorized use of
the telephone or to determine whether a call is personal or not.
In other words, a personal call may be intercepted in the ordinary
course of business to determine its nature but never its contents.
- Id. at 583.
The holdings in Watkins are relevant to a supervisor's viewing of an
employee's e-mail, perhaps during inadvertent view of a message on a
CRT, or during review of an absent employee's e-mail to ensure the
continuity of business operations during the employee's absence.
- was justified in listening to that portion of the call which
indicated that it was not a business call; beyond that, she was
not. Determination of the relevant points [sic] in the call is for
the trier of fact. .... We think the conclusion is inescapable
that these exemptions [consent and business extension] do not
automatically justify interception of an entire call. The
expectation of privacy in a conversation is not lost entirely
because the privacy of part of it is violated. .... Therefore,
[the supervisor] was obliged to cease listening as soon as she had
determined that the call was personal, regardless of the contents
of the legitimately heard conversation.
- Id. at 584. (footnotes omitted)
Three years later, the same circuit court considered a case in
which an employee, Smith, overheard another employee in the same room,
who was making disparaging remarks on a business telephone about a
supervisor. Smith recorded part of the conversation and played the
recording to the supervisor. The court held that "this telephone call
was not a personal call" so there was no illegal interception
This case makes clear that if an employee wishes to criticize a
supervisor, it should not be done using company e-mail. Could
criticism of a supervisor be done from home, using a personal
telephone line and a personal e-mail account at an ISP? No, because
the recipient of the e-mail could print a copy and show it to someone
at the company.
- it occurred during office hours, between co-employees, ... and
concerned scurrilous remarks about supervisory employees in their
capacities as supervisors. Certainly the potential contamination
of a working environment is a matter in which the employer has a
- Epps v. St. Mary's Hospital, 802 F.2d 412, 417 (11thCir. 1986).
law of e-mail
Privacy of e-mail was given a statutory basis in 1986 with the
passage of the ECPA that provided both criminal and civil penalties
for interception of e-mail during transmission (in 18 U.S.C. § 2510-21)
and access to e-mail during storage (in 18 U.S.C. § 2701-11).
In addition to the protections in federal statute, an e-mail service
(e.g., CompuServe, AOL, bulletin-board operator, or ISP) may
explicitly offer written assurance that e-mail messages are private.
Such assurances are important for two reasons: (1) they provide a
basis for the reasonable expectation of privacy in the Katz test and
(2) they are an undertaking for breach of which the computer operator
may be held liable, either under a warranty claim or tort.
In contrast to privacy of personal e-mail accounts, an employer may
monitor e-mail stored on a computer owned by the company, under
federal statute. However, it would be prudent for the employer to
openly declare to employees this policy of (possibly) monitoring
e-mail on the company computer, because such a declaration to
employees defeats any claim of privacy under the Katz test and weakens
the ability of the employees to sue the employer under the common law
Note that 18 U.S.C. § 2701 is directed at hackers without
authorization, or users who intentionally exceed their authorization,
who enter a computer system and then "obtains, alters, or prevents
authorized access" to e-mail. Section 2701
is directed more toward computer crime than privacy of e-mail.
Sometimes, attorneys misuse the phrase "e-mail" to describe
messages sent to a group of people in a chat room. Such
communications to a chat room fail the second part of the Katz test,
since society does not recognize a reasonable expectation of privacy
in disclosures made in a public forum. In a chat room, there will be
people who are unknown to the author of communications with the chat
room, so there can be no legitimate expectation of privacy in a chat
room. For example, U.S. v. Charbonneau, 979 F.Supp. 1177 (S.D.Ohio
1997) held, in a case concerning a pedophile, that there was
no reasonable expectation of privacy in e-mail sent to others in AOL
chat room. Use of a chat room must be carefully distinguished from
sending e-mail to one person, which is a private communication,
analogous to a telephone call or first-class letter via the U.S. Post
privacy of free e-mail
Up to the mid-1990's, there were commonly only two kinds of e-mail:
(1) an e-mail service (e.g., CompuServe, AOL) in which each customer
pays a monthly fee for access to personal e-mail and (2) e-mail
provided by an employer for company business. But in the mid-1990's,
a third kind of e-mail became available: free e-mail services provided
to individuals by companies like hotmail and Yahoo!.
There is a intriguing question about the privacy of the individual messages in
these free e-mail services. On first glance, it would seem that free
e-mail services come under the ECPA, 18 U.S.C. § 2701-2711.
But 18 U.S.C. § 2702 specifically limits the protections of
criminal law to "a subscriber or customer of such service." But the
customer of free e-mail services may be the advertisers who pay for
the service, not the individuals who use the service. I can find
no published commentary and no case law on this point. It would be
reasonable for a court to interpret "subscriber" to include nonpaying
authors and recipients of e-mail.
The interpretation of who is protected by statute is not a specious
point. In a different context, it has already arisen in one
complicated series of cases. Distributors of illicit drugs tried to
move more than twelve million dollars from banks in Texas to banks in
New York, using the FedWire e-mail system. The banks in New York had
a corresponding relationship with the drug distributors' bank in
Columbia. The federal government accessed the e-mail in the FedWire
system, seized the money, and instituted forfeiture proceedings. The
drug distributors alleged that the U.S. Government violated the ECPA
by accessing stored communications. The court noted that
18 U.S.C. § 2707(a) only protected a "provider", "customer", or
"subscriber". The e-mail on the FedWire system was between two banks
in the USA, and the ultimate beneficiary of the e-mail was neither a
customer nor a subscriber of FedWire. Therefore the court found that
the drug distributor had no standing to sue under the ECPA.
Organizacion J.D. Ltda v. U.S., 1996 WL 162271 (S.D.N.Y. 1996), aff'd,
124 F.3d. 354, 361 (2dCir. 1997). Earlier reported cases in this
protracted litigation are reported at 6 F.3d 37 (2dCir. 1993), cert.
denied, 510 U.S. 1191 (1994) and 18 F.3d 91 (2dCir. 1994).
The statute 18 U.S.C. § 2702 is part of the criminal statute. The
right of a civil action arises under 18 U.S.C. § 2707(a), which was
amended in 1996 to change "customer" to "any ... other person
aggrieved by any violation of this chapter ...." This change clearly
gives standing to sue under Title II of the ECPA to authors or
recipients of e-mail on free e-mail services.
Shoars v. Epson and Bourke v. Nissan
The first two cases of privacy of e-mail in the workplace both
occurred in California.
The Epson corporation, which made dot-matrix printers for computers,
had no written e-mail policy. When Shoars, the administrator of the
company e-mail, discovered in 1989 that her manager, Hillseth, was reading
employee's e-mail, she confronted Hillseth. When Hillseth refused to stop
reading employee's e-mail, Shoars reported his activity to Epson's general
manager. Hillseth terminated Shoars' employment, because of her alleged
"gross insubordination." Shoars sued Epson under claims for wrongful discharge
(because Hillseth's monitoring of employee e-mail was wiretapping and
eavesdropping under state law, and hence contrary to public policy),
conspiracy, and slander. The trial court granted summary judgment to
Epson, and the appellate court affirmed except on the count of slander.
The wiretapping/eavesdropping basis was held to be inappropriate,
because employers had a right to monitor communications in the workplace.
The case was not published in any reporter, however a copy of the 1994
appellate court decision is posted on the Internet.
Bonita Bourke and Rhonda Hall, who established and operated
an e-mail system for Nissan, were found by Nissan to have sent e-mail
containing inappropriate jokes, soft-core pornography, and language
that contained disparaging remarks about a supervisor and the company.
Nissan terminated the employment of Hall and allowed Bourke to resign.
Bourke and Hall sued for
wrongful discharge, invasion of privacy, and violation of state statutes
prohibiting wiretapping and eavesdropping. The state court granted Nissan's
motion for summary judgment on all counts and the appellate court affirmed.
The unreported case has the
citation Bourke v. Nissan, No. YC-003979 (Cal.Super.Ct., L.A.Cty.)
aff'd, No. B-068705 (Cal.Ct.App. 26 July 1993).
Neither of these cases can be cited as precedent, but they are consistent
with later cases (e.g. Smyth v. Pillsbury) that give employees no
privacy rights for e-mail on a computer owned by their employer.
The cases of Shoars and Bourke were decided under California
state statutes, not the ECPA. If they had been decided under the ECPA,
the court would probably have found a "business use exception" for the
interceptions and found that 18 U.S.C. 2702 does not apply to computers
owned by the employer for the employer's internal e-mail system.
seizure from Steve Jackson Games, 1 Mar 1990
The most famous e-mail seizure case was Steve Jackson Games v. U.S.
Secret Service, 816 F.Supp. 432 (W.D.Tex. 1993), aff'd, 36 F.3d 457
(5thCir. 1994). Steve Jackson owned a company that produces games,
books, and magazines. Beginning in the mid-1980's, the company
operated a computer bulletin board service, called Illuminati, for
information about the company's products. Users of Illuminati could
also send/receive private e-mail through the bulletin board service.
Illuminati was operated by Blankenship, who was employed by Steve
Jackson for this job.
Blankenship operated the Phoenix bulletin board system from his
home, which contained a proprietary document about 911 telephone
service that had been stolen by hackers from Bell South. Neither the
Secret Service nor the Bell South's security people ever checked the
Illuminati bulletin board, they simply guessed that Illuminati might
contain stolen documents, because Blankenship operated both boards.
On this meager basis, a Secret Service agent obtained a search warrant
to seize the computer used to operate Illuminati.
816 F.Supp. at 435-436, 443.
On 1 Mar 1990, the Secret Service entered the premises of Steve
Jackson Games, seized three computers, over 300 diskettes, a printer,
modems, and other items. During this first contact between the Secret
Service agent and Steve Jackson games, the agent was told that the
company was a publisher. Despite the fact that the Secret Service
agent was also an attorney, he was unaware of 42 U.S.C. § 2000aa, et
seq., which prohibits searches and seizures of work products of
journalists, authors, and publishers. 816 F.Supp. at 437, 439-440.
Although the seized material could have been copied and the
originals promptly returned to the company, the Secret Service did not
return the material until nearly four months later.
816 F.Supp. at 437, 441.
There were "162 items of unread, private e-mail" included in the
seizure. 36 F.3d at 459.
After review of the seized material, no arrests were made, and no
criminal charges were filed. In fact, "there has never been any basis
for suspicion that any of the plaintiffs have engaged in any criminal
activity, violated any law, or attempted to communicate, publish, or
store any illegally obtained information...."
816 F.Supp. at 435.
Steve Jackson and three people who had private e-mail on the seized
computer filed suit in federal court, alleging different causes of
- The seized materials included drafts of one book and several
magazines. Under the Privacy Protection Act, 42 U.S.C. § 2000aa,
et seq., the court did order the government to pay $ 8,781 in
direct damages and $ 42,259 in consequential damages to Steve
Jackson Games for lost profit in 1990. However, the court found
that the publicity surrounding the seizure of Illuminati increased
sales after Dec 1990, so there was no long-term economic damage to
Steve Jackson Games. 816 F.Supp. at 438-441.
- The four plaintiffs claimed that the Secret Service had read and
deleted their private e-mail, without their consent. The Secret
Service denied plaintiffs' claim, but the court found the Secret
Service had "intended not only to seize and read these
communications, but, in fact, did read the communications and
thereafter deleted or destroyed some communications either
intentionally or accidentally." The Court concluded that such
actions "cannot be justified." 816 F.Supp. at 438, 441.
The court found the Secret Service liable under 18 U.S.C. 2701 et
seq. and ordered the Secret Service to pay each plaintiff the
statutory damages of $ 1000. 816 F.Supp. at 443.
- The court awarded $ 195,000 in attorneys' fees and approximately
$ 57,000 in costs to plaintiffs. 36 F.3d. at 459.
seizure from Col. Maxwell, Dec 1990
Another well-known case regarding privacy of e-mail is the case of
U.S. v. Maxwell, 42 M.J. 568 (USAF Crim.App. 1995), rev'd in part,
45 M.J. 406 (1996). This case is distinguishable from others in that
the defendant was a military officer, being tried in a military court
under military law and under Military (not Federal) Rules of
Evidence, so it at best is only persuasive authority in a civilian court.
A private citizen in California reported to the FBI that screen
names of some subscribers of America OnLine (AOL) were sending and
receiving child pornography. With this information, the FBI obtained
a search warrant for graphics and e-mail to/from 89 screen names.
One of those screen names, Redde1, belonged to Col. Maxwell, the commander
of U.S. Air Force Goodfellow Training Center in Texas.
The FBI initially contacted AOL and informally provided screen
names to AOL. AOL began doing some searching of files belonging to
these screen names before the warrant was issued. This fact is
important, because the only screen name for Col. Maxwell that the FBI
provided was "Redde1", which was correctly spelled in the informal
disclosure, but mistyped in the warrant as "REDDEL". The change of
the final character from "1" to "L" would have prevented AOL from
finding any files in Col. Maxwell's space, but AOL did not rely on the
spelling in the warrant. There were more than
twenty typographical errors in the warrant. 45 M.J. at 416.
Each subscriber to AOL can have up to five different screen names.
AOL provided the FBI with data from all of the screen names registered
to an individual, although the search warrant contained only one of
the screen names for Maxwell. In the case of Col. Maxwell, AOL also
provided information under Col. Maxwell's alternate screen name,
Zirloc, although this name was not listed in the search warrant or in
any information that the FBI knew prior to contacting AOL.
When the FBI returned with the warrant in Dec 1991,
AOL had already printed out about 13,000 pages of computer paper
and copied files onto 39 high-density diskettes,
before AOL received the warrant. 42 M.J. at 574; 45 M.J. at 413, 421.
In addition to assembling information
before receiving the warrant, AOL provided substantially more information
than specified in the warrant (i.e., AOL also provided information on Zirloc).
45 M.J. at 413, 416, 420.
Based on data from AOL, there was a search of Col. Maxwell's living
quarters on 13 June 1992, which produced child pornography and obscene
The first appellate opinion, 42 M.J. 568, uses only the term "e-mail",
without any reference to "chat rooms" on AOL. But the second appellate
opinion makes numerous mentions of "chat rooms" in two different places
in the opinion, 45 M.J. at 411, 417-419. That court made a terse
statement that communications in chat rooms "lose any semblance of
privacy", without explaining why this was a relevant consideration in
the Maxwell case. 45 M.J. at 419. From these remarks, and the fact
that a private citizen in California tipped the FBI to the screen
names of people who were sending child pornography, I guess that some
of Col. Maxwell's communications were in a chat room. Communications
in a chat room are in a public forum and there is no legitimate
expectation of privacy there. Communications in chat rooms must be
carefully distinguished from sending e-mail to one person, which is a
private communication, analogous to a telephone call or
first-class letter via the U.S. Post Office.
Col. Maxwell was court-martialed on charges of (1) using his
personal computer to transmit indecent language to another service
member and (2) using his personal computer to transmit obscene
material and child pornography [violations of 18 U.S.C. §§ 1465 and
2252], all charges were misconduct which discredited the service under
Article 134 of the Uniform Code of Military Justice. 42 M.J. 568,
573. That Maxwell used AOL only when he was in his home and off-duty
was irrelevant to discrediting the service.
The trial judge ruled that Maxwell has no objective expectation of
privacy in his e-mail, because (1) the e-mail could be neither
recalled nor erased after it was sent, (2) the sender sent messages
anonymously to screen names, not real names of individuals, and (3)
the distribution of one message to more than one recipient was
analogous to third-class mail. 42 M.J. at 575-576. After trial,
Maxwell was sentenced to a dishonorable discharge and stripped of his
retirement benefits. The second appellate court noted that stripping
Maxwell of his retirement benefits was "equivalent to a deprivation of
approximately one million dollars ... grossly disproportionate, and
thus unconstitutional, for a first non-violent felony ...."
45 M.J. at 427.
The first appellate court ruled that:
The first appellate court affirmed the findings of guilt and the sentence.
42 M.J. at 583.
- Maxwell did have an objective expectation of privacy.
42 M.J. at 576.
- the misspelling of "REDDEL" in the warrant did not invalidate the
warrant. 42 M.J. at 576-77.
- there was probable cause for AOL to furnish information on Redde1,
but not Zirloc, to the FBI. 42 M.J. at 577. However, this court
ruled that the evidence from screen name Zirloc was admissible
under the "good-faith exception". 42 M.J. at 578-579.
The second appellate court, the U.S. Court of Appeals for the Armed
Forces, U.S. v. Maxwell, 45 M.J. 406 (1996), affirmed the first two
points of appeal: Maxwell did have an objective expectation of
privacy; misspelling of "Redde1" did not invalidate warrant. However,
the court ruled that fruits of seizure from screen name Zirloc were
not admissible. 45 M.J. at 421-423. The loss of the government's
evidence from Zirloc meant that Maxwell could not be found guilty of
transmitting indecent language to another service member, and that
charge was dismissed. 45 M.J. at 414, 424, 428.
The second appellate court, while affirming that Maxwell had a
objective expectation of privacy in his e-mail, this court limited the
expectation because the sender of e-mail could not control what the
recipient would do with the e-mail. 45 M.J. at 417-418. This is a
bizarre holding, because the same argument applied to e-mail sent to
one person would also limit the privacy of telephone conversations and
letters sent by first-class mail.
My search of the Washington Post newspaper database
and the WestLaw MJ and ALLFEDS databases on 7 May 1998 found
no information on the final disposition of Col. Maxwell's case.
seizure from Davis in Oklahoma, 20 July 1993
Davis operated a computer bulletin board and CD-ROM production
service that was producing and distributing obscene material. The
State of Oklahoma obtained a search warrant, and then seized the
equipment used to produce and distribute the obscene material. After
a hearing, the equipment was forfeited to the state, because the
equipment was an instrumentality of a crime. Davis claimed that the
two seized computers were not specifically mentioned in the search
warrant. State of Oklahoma v. One (1) Pioneer CD-ROM Changer, 891
P.2d 600 (Okla.Ct.App. 1994). The court held that the computers were
properly seized under the "plain view" rule. Id. at 605.
At the time of the seizure, the computer used in operating the
bulletin board service contained approximately 150,000 e-mail messages
to/from approximately 2000 subscribers. Davis claimed that the
seizure of the computer was an unlawful interception under
18 U.S.C. § 2510 et seq.. 891 P.2d at 605-606. However, the capture of
the e-mail was inadvertent, in that the computer also contained
obscene material. Further, the officers did not read any of the
e-mail, and the State "offered to return any e-mail ... as long as the
information did not compromise the criminal case." Id. at 606. The
court also noted that Davis
Therefore, the court denied all of Davis' claims and
affirmed the trial court's order of summary judgment to the State.
Id. at 607. In passing, the court noted that "we express no opinion
regarding whether Davis may have a viable civil cause of action under
the Privacy Act [42 U.S.C. § 2000aa]." Id.
- failed to show that the lawful, physical seizure of the computer
equipment which was allegedly used to distribute obscene material,
and which contained private communications in the form of e-mail,
constitutes an "interception" ....
- Id. at 606.
Clearly, Davis' attorney cited the wrong statute in the case in
state court. Seizure of the computer was not an interception under
the authority of a contemporary case, Steve Jackson Games,
816 F.Supp. 432 (W.D.Tex. 1993), which was later affirmed,
36 F.3d. 457 (5thCir. 1994). The correct statute for a seizure would
be 18 U.S.C. 2701 et seq. But even the correct statute would not help
Davis, since the police never read any of the e-mail, hence the
privacy of the e-mail was maintained.
Davis then filed suit in federal court, alleging claims under
40 U.S.C. § 1983 for violation of his First and Fourth Amendment
rights, the Privacy Protection Act [42 U.S.C. § 2000aa], and the ECPA.
The trial court granted summary judgment for the police and the court
of appeals affirmed. Davis v. Gracey, 111 F.3d 1472 (10thCir. 1997).
The appellate court stated
- The question then is whether the incidental temporary seizure of
stored electronic materials invalidated the seizure of the computer
within which they were stored. We hold that it did not. .... The
fact that a given object may be used for multiple purposes, one
licit and one illicit, does not invalidate the seizure of the
object when supported by probable cause and a valid warrant. We
also note the obvious difficulties attendant in separating the
contents of electronic storage from the computer hardware during
the course of a search. Perhaps cognizant of the potential burdens
of equipment, expertise, and time required to access, copy, or
remove stored computer files, plaintiffs have not suggested any
workable rule. In short, we can find no legal or practical basis
for requiring officers to avoid seizing a computer's contents in
order to preserve the legality of the seizure of the computer
hardware. In any event, we are well able to distinguish between
the legality of the initial seizure of a container, and any
subsequent search or retention of the contents. .... The seizure
of a container is not invalidated by the probability that some part
of its "innocent" contents will be temporarily detained without
independent probable cause. We will not hold unlawful the
otherwise constitutional seizure of the computer equipment in order
to prevent the temporary deprivation of plaintiffs' rights to the
contents. However, our conclusion that the seizure of the computer
equipment pursuant to a warrant here allowed the incidental seizure
of files stored therein should not be read as approval of any
subsequent efforts by the police to search or retain the stored
files without a warrant.
- 111 F.3d at 1480-81. (footnotes and citations omitted)
It was an issue of first impression for this federal Court of
Appeals to determine whether seizure of e-mail, without reading the
e-mail, was a violation of the ECPA. 111 F.3d at 1482. The appellate
court rejected Davis' claim that the seizure of the computer, with the
e-mail stored on it, violated the ECPA, because there is an exception
in the ECPA, 18 U.S.C. § 2707(e)(1), for "good-faith reliance on ... a
court warrant or order." 111 F.3d at 1483-85.
Is e-mail a public record?
A county attorney executed a subpoena for all of the computer
backup tapes containing all of documents of the county assessor's
office for one year, for an investigation into alleged improprieties in
the operation of the assessor's office. The local newspaper requested
copies of the tapes, under the state's public record law. A trial
court ordered production of the records, the county attorney appealed
and the appellate court affirmed, plus ordered the county attorney to
pay the newspaper's attorney's fees in both actions. Star Pub. Co. v.
Pima County Attorney's Office, 891 P.2d 899 (Ariz.Ct.App. 1995). The
appellate court noted that all
The court also said:
- public records are presumed open to the public for inspection
unless the public official can demonstrate a factual basis why a
particular record ought not be disclosed to further an important
public or private interest
- and the county attorney had made no such showing. Id. at 901.
- While we doubt that public employees have any legitimate
expectation of privacy in personal documents that they have chosen
to lodge in public computer files, we are unable to even assess the
nature of any claim they might have, given the paucity of this
At 651 So.2d 1185 (Fla. 1995), the Supreme Court of Florida
considered amendments to Florida Rules of Judicial Administration, so
as to allow public access to e-mail from court employees. The court
decided that e-mail was generally a public record:
- E-mail is a new computer-based technology that the court system has
only recently begun to use. .... E-mail transmissions are
quickly becoming a substitute for telephonic and printed
communications, as well as a substitute for direct oral
communications. E-mail is already being used as a communication
device for various trial court functions during the course of trial
as well as multiple appellate court functions. Many of these
communications are sent between judges and their staffs. Further,
it is clear that the definition of "judicial records" contained in
proposed rule 2.051(b) includes information transmitted by an
e-mail system and that many such transmissions are exempt under
2.051(c). The fact that information made or received in connection
with the official business of the judicial branch can be made or
received electronically does not change the constitutional and
rule-mandated obligation of judicial officials and employees to
direct and channel such official business information so that it
can be properly recorded as a public record. The obligation is the
same whether the information is sent as a letter or memo by hard
copy or as an e-mail transmission. Official business e-mail
transmissions must be treated just like any other type of official
communication received and filed by the judicial branch.
- 651 So.2d 1185, 1186-87 (Fla. 1995).
However, the court, among other items, excluded all of the following
from the public record:
- communications between judges and their staff (e.g., proposed
drafts of opinions, memoranda concerning pending case, notes,
proposed jury instructions, etc.) Id. at 1187
- use of outside research facilities (e.g. WestLaw) Id. at 1187
- official business e-mail sent to, or received from, judges or
employees using modems and a telephone line Id. at 1187
- individual e-mail addresses of judges and staff, for various
reasons including computer security. Id. at 1187-88.
Smyth v. Pillsbury Co.
Smyth v. Pillsbury Co., 914 F.Supp. 97 (E.D.Penn. 1996) is the
first reported case of privacy of an employee's e-mail on a company's
computer system. Pillsbury maintained an e-mail system "to promote
internal corporate communications between its employees." Pillsbury
"repeatedly assured its employees, including plaintiff, that all
e-mail communications would remain confidential and privileged."
Id. at 98. Smyth sent e-mail to his supervisor that, among other
things, "concerned sales management and contained threats to 'kill the
backstabbing bastards....'" Id. at 98-99, n.1. Smyth's employment
was then terminated for "inappropriate and unprofessional comments
over defendant's e-mail system." Id. at 98-99.
The court dismissed Smyth's complaint for failure to state a claim
for which relief can be granted. The court noted that Smyth was an
at-will employee, which means that Pillsbury could terminate Smyth's
employment at any time for any reason.
The court said
- [W]e do not find a reasonable expectation of privacy in e-mail
communications voluntarily made by an employee to his supervisor
over the company e-mail system notwithstanding any assurances that
such communications would not be intercepted by management. ....
[P]laintiff voluntarily communicated the alleged unprofessional
comments over the company e-mail system. We find no privacy
interests in such communications. .... Moreover, the company's
interest in preventing inappropriate and unprofessional comments or
even illegal activity over its e-mail system outweighs any privacy
interest the employee may have in those comments.
- Id. at 101.
Pillsbury had assured its employees that "e-mail communications
could not be intercepted and used by defendant against its employees
as ground for termination or reprimand." Id. at 98. The court held
that this representation did not estop Pillsbury from ending Smyth's
employment. Id. at 100, n.2.
The court's published opinion does not mention any reference to
either 18 U.S.C. § 2510 et seq. or 18 U.S.C. § 2701 et seq. I do not
see any valid claim for "interception" of e-mail, since Smyth sent the
e-mail directly to his supervisor. Although the opinion does not
discuss this matter, the supervisor probably gave copies of the
e-mails to others in the company. That is not "interception" as the
term is used in 18 U.S.C. § 2510 et seq.
Wesley College v. Pitts
Wesley College v. Pitts, 974 F.Supp. 375, (D.Del. 1997) has a
bizarre set of facts. Stewart, the president of Wesley College,
decided to deny tenure to an English teacher, Hudson. Hudson then
filed suit against the college and Stewart for breach of contract.
During a deposition in connection with that suit, Hudson revealed that
Pitts, a computer operator at the college, had seen an e-mail from
Stewart concerning Hudson's case.
Pitts sent an unmarked envelope to Stewart at his home in July 1995
that contained a printed copy of a 15 Feb 1995 e-mail from Stewart to
his administrative assistant, another employee of the college, and his
wife. The text of this dramatic e-mail stated Stewart's belief that
Prof. Pelzer was "an advocate for Hudson" and any information
disclosed about Hudson's case that was disclosed to Pelzer had the
potential to "ruin" Stewart and "cripple" the College. Pitts also
sent a copy of this e-mail to Pelzer.
Stewart sent over one thousand e-mail messages each month.
However, Stewart apparently did not know how to print them. Stewart
often printed his e-mail at the printer in the computer center,
which is in the basement of the library, instead of at the printer in
Stewart's office, according to Pitts's testimony.
The college filed suit that alleged violations of the ECPA against
three people: Pitts, Ferguson: a faculty member who had received some
information from Pitts, and Hudson. Ferguson and Hudson never had an
e-mail account at the college and had no ability to get messages from
the college's computer. For these and other reasons, the court
granted summary judgment to Ferguson and Hudson.
Ferguson testified that Pitts told her that Pitts saw incriminating
e-mail on the screen of employees' terminals, which activity by Pitts
was held to be not an "intercept" under 18 U.S.C. § 2510.
974 F.Supp. at 384.
The College's case under Title I of the ECPA was "built upon a
series of innuendo and inferential leaps of faith."
974 F.Supp. at 390. The court granted summary judgment to the
defendants on all counts.
During the College's litigation in federal court against Pitts,
Ferguson, and Hudson in which e-mail was shared through discovery and
discussed in court, the College obtained from the federal court a
protective order to keep the e-mail confidential. In effect, this
protective order would keep this e-mail out of Hudson's breach of
contract case in state court against the College. The federal court
dissolved the protective order, with the observation that "Wesley
wants to wield the e-mail as a rapier in the federal action and then
blithely sheathe it from view in the state case. But such one-sided
swordsmanship is not permitted." Wesley College v. Pitts,
1997 WL 557554, *2 (D.Del. 11 Aug 1997).
In reading these two cases brought by Wesley College, I get the
impression that the president of the College sends hysterical e-mail
and sues on theories based more on his paranoia than facts. Maybe
Stewart intended to use litigation to keep his faculty under his
As noted earlier in this article, the court noted that there is a
loophole in Title II of the ECPA, where an unknown person can make a
copy of e-mail and give it away, then other people who do not provide
an electronic communication service can lawfully make a further
distribution of copies of that private e-mail. 974 F.Supp. at 389.
However, this case involved a private computer system on the Wesley
College campus. Title II of the ECPA, 18 U.S.C. § 2702(a), only applies
to e-mail systems for which the public has access, so it is not clear
to me that the ECPA applied to the e-mail system at Wesley College.
McVeigh v. Navy
Timothy McVeigh (no relation to the defendant in the Oklahoma City
bombing case) was a Senior Chief Petty Officer in the U.S. Navy; he
was the highest ranking enlisted man on the submarine U.S.S. Chicago.
In Sep 1997, he sent an e-mail message through AOL to a civilian who
was coordinating a Christmas toy drive for the Chicago crew members'
children. The message header stated that the message came from
"boysrch", McVeigh's screen name on AOL, but the message was signed by
"Tim". When the civilian searched the AOL member profile directory to
find the real name of the sender, she discovered that the sender
listed his marital status as "gay". The civilian gave the e-mail and
the directory data to her husband, who also served aboard the
U.S.S. Chicago. The material was given to the captain of the ship,
who gave it to the ship's legal adviser. The legal adviser asked a
paralegal on her staff to contact AOL. The paralegal called AOL on
the telephone, did not identify himself as a member of the Navy, but
mentioned a pretext about being "in receipt of a fax sheet and wanted
to confirm the profile sheet, [and] who it belonged to." McVeigh v.
Cohen, 983 F.Supp. 215, 217 (D.D.C. 1998). Amazingly, the AOL
representative told the paralegal that the screen name "boysrch"
belonged to Timothy McVeigh.
The U.S. Navy promptly instituted proceedings to discharge McVeigh
from the Navy, because of his homosexuality.
McVeigh filed suit, and the district court granted a preliminary
injunction against the discharge. The court noted that "the Navy
violated its own regulations" by actively investigating when McVeigh
had not openly expressed his homosexuality. Id. at 219. The court
also noted that the Navy's actions in "pursuit" of McVeigh "were not
only unauthorized under its policy, but likely illegal" under
18 U.S.C. § 2703(b)(1)(A) and (B), (c)(1)(B), because the Navy failed to
get a warrant before contacting AOL. Id. at 219. The court found
that there was a likelihood of success on the merits of McVeigh's
claim that "the government, at the least, solicited a violation of the
ECPA by AOL." Id. at 220.
The court stated
- In these days of "big brother," where through technology and
otherwise the privacy interests of individuals from all walks of
life are being ignored or marginalized, it is imperative that
statutes explicitly protecting these rights be strictly observed.
- Id. at 220.
The court began its discussion of the public interest portion of
the legal test for the issuance of an preliminary injunction:
- Certainly, the public has an inherent interest in the preservation
of privacy rights as advanced by Plaintiff in this case. With
literally the entire world on the world-wide web, enforcement of
the ECPA is of great concern to those who bare the most personal
information about their lives in private accounts through the
Internet. In this case in particular, where the government may
well have violated a federal statute in its zeal to brand the
Plaintiff a homosexual, the actions of the Navy must be more
closely scrutinized by this Court. It is disputed in the record
exactly as to how the Navy represented itself to AOL when it
requested information about the Plaintiff. The Defendants contend
that Legalman Kaiser merely asked for confirmation of a fax sheet
bearing Plaintiff's account. Plaintiff contends, and AOL confirms,
however, that the Naval officer "mislead" AOL's representative by
"both failing to disclose the identity and purpose [of his request]
and by portraying himself as a friend or acquaintance of Senior
- Id. at 221.
Because this case was only about the issuance of a preliminary
injunction to prevent McVeigh's imminent discharge from the Navy, the
court made no remarks about AOL's civil liability to McVeigh for AOL's
On 29 Jan 1998, Judge Sporkin of the Federal District Court made permanent
his preliminary injunction against the discharge of McVeigh from the Navy.
The Navy planned to appeal. A spokesman for AOL acknowledged to the
Washington Post that AOL had violated its own confidentiality policies.
Washington Post, 30 Jan 1998, page A02. 1998 WL 2464889
On 9 May 1998, the Navy promoted McVeigh to Master Chief Petty Officer,
its highest enlisted rank, which confirms that he was an outstanding sailor.
On 12 June 1998, the Navy reached a settlement with McVeigh in which
(1) McVeigh would retire with full benefits,
(2) the Navy would pay McVeigh's legal fees, approximately $ 90,000,
and (3) the Navy would withdraw its appeal of Judge Sporkin's rulings.
AOL settled with McVeigh: AOL paid an undisclosed amount of damages for
violating McVeigh's privacy.
Bohach v. City of Reno, 932 F.Supp. 1232 (D.Nev. 1996) considered
the claim of police officers that terse messages to each other on
their pagers were protected by the ECPA. The City had obtained, for
use in an internal affairs investigation, copies of the messages from
a computer owned by the city. The court ruled that the officers were
"most unlikely" to have an objectively reasonable expectation of
privacy under the Katz test. Id. at 1234. Further, the court ruled
that the recording of the messages from the computer was within the
ordinary course of business exception in Title I of the ECPA,
18 U.S.C. § 2510(5)(a). See Briggs v. American Air Filter,
630 F.2d 414, 420 (5thCir. 1980)(interpreting "ordinary course of
business"). Finally, the computer system was owned by the city and
installed to allow communications on official police business; it was
"incidental to its primary function" that the system could also send
private messages between police officers, therefore, the system falls
within the exception in Title II of the ECPA, 18 U.S.C. § 2701(c)(1).
The court denied the officers' request for a preliminary injunction.
In this case, I get the impression that the attorneys and the judge
were not clear on the distinction between Title I of the ECPA, which
deals with interception of messages as they are transmitted, and
Title II of the ECPA, which deals with retrieval of messages from
storage. This case should only consider Title II of the ECPA, since
the internal affairs investigators sought the messages from storage,
long after the messages were initially sent via pager.
Anderson v. UOP, 1998 WL 30703 (N.D.Ill. 26 Jan 1998) considered
the distinction between a public and private e-mail system. Employees
of Andersen were hired by UOP to do some computer system work. During
this project, the employees of Andersen "used UOP's internal e-mail
system to communicate with each other, with UOP, and with third
parties." Id. at *1. UOP was dissatisfied with Andersen's
performance and terminated the project. Subsequently, UOP and their
attorneys divulged the contents of some of Andersen's e-mail messages
to the Wall Street Journal. Andersen sued, alleging violations of
Title II of the ECPA, 18 U.S.C. § 2701 et seq. The court dismissed
Andersen's ECPA claim, because the UOP's e-mail system was not
available to the public, as required in 18 U.S.C. § 2702(a)(1). The
court noted that the word "public" is not defined in the ECPA and
there is no case law on the subject, but the court found the word
"public" could be given its plain meaning. UOP did not provide a
communication service to any member of the public who wanted to send
e-mail from the UOP system. Andersen had access to the UOP system
only because Andersen was a contractor hired by UOP. The court also
noted that "UOP's internal e-mail system is separate from the
internet." Id. at *2. However, I think this fact about connection to
the internet is probably not necessary to a determination of "service
to the public", since a company could connect its private e-mail
system to the internet in order to receive messages from the public
(e.g., questions from past customers, orders from current customers,
requests from information from potential customers) without allowing
the public to send messages from the company's computer(s) or internet
encryption of e-mail
The above essay discussed how the law considers confidentiality of
e-mail. Instead of relying only on the law for a remedy after
harm has occurred, one can use software to encrypt a message and prevent
harm from interception or copying of confidential information in e-mail.
Encryption prevents unauthorized people from reading e-mail, even
if they obtain a copy from a wiretap or from a hard disk on a computer.
There are two additional benefits: (1) encryption
can also serve to authenticate a message and (2) encrypted messages are smaller
than the original message, because of compression of common characters into
less space than a 7- or 8-bit ASCII character, so encrypted messages are
quicker to send.
There is one major disadvantage of encryption of e-mail:
Encryption makes it essentially impossible for the police to get
useful information from a wiretap. Wiretaps for voice communications
have led to the arrest and conviction of many criminals, which is definitely
in the public interest. However, this disadvantage does not mean that
one must refuse to use encryption technology to protect confidential
personal or business information. Encryption technology is just another
tool that can have both good and bad applications.
Perhaps a statute should be enacted that provides additional criminal
penalties for using encrypted e-mail to further a criminal conspiracy,
in the same way that existing statutes provide additional criminal
penalties for using a firearm in the commission of a crime.
Different people have different levels of comfort about possible surveillance
of their activities. Some people are paranoid, perhaps with good reason
if they are contemplating illegal activity. Other people trust the government
not to wiretap them. It is also possible for individuals and business competitors
to do electronic surveillance, although there are fewer legal cases involving
My personal opinion is that encryption of e-mail between friends and
colleagues is not necessary, unless the e-mail contains confidential
information. Examples of confidential information include: medical history,
financial information (e.g., credit card numbers), attorney-client communications,
and proprietary business information. The obvious use of encryption is
to prevent some third person from reading the message. However, another
effect of encryption is to impress on the recipient that the information
is confidential and should be treated carefully.
some links to encryption and computer security
Prof. Ronald L. Rivest
at MIT was one of the three inventors of the popular RSA algorithm for
encryption. His web pages include technical information on encryption and
links to other web sites.
Encryption Policy and Market Trends,
an essay by
Prof. Dorothy Denning
at Georgetown University. Prof. Denning is an expert in computer security.
NIST Computer Security Resource Clearinghouse
SRI Computer Science Laboratory
U.S. Citizens can download a free copy of Pretty Good Privacy (PGP)
from a site on the Internet. I used the MIT
site to obtain PGP version 2.6.2 for DOS.
Free versions for the Apple Macintosh, Unix, Linux, Windows 95, and
Windows NT are also available from the MIT website. Alternatively, one
can purchase a more sophisticated version of this encryption program from
Note that these programs are
only available to citizens of the U.S.A., because the U.S. Government
considers encryption technology as a munition (because of its obvious military
applications), and therefore the program is subject to export controls.
Because the free copy of PGP2.6.2 contains only poorly organized
documentation amongst its files, a new user will also need to purchase some books.
Official PGP User's Guide by Philip R. Zimmermann, MIT Press, 1995,
ISBN: 0-262-74017-6, 216 pages. Zimmermann wrote version 1.0 of the
PGP program and was the leader in the development of subsequent versions.
- PGP: Pretty
Good Privacy by Simson Garfinkel, O'Reilly & Associates, 1995,
There is a fascinating history of the PGP program that interweaves politics
and law. One notes that technology is an equalizer: more than one hundred
years ago in the Western USA, a Colt .45 pistol enabled a small man to
stand up against a large bully, today encryption programs enable an individual
to obtain privacy from a large government with massive resources. In the
acknowledgments section of his book (p. xvii), Zimmermann says:
- I used to tell a lot of lawyer jokes, before I encountered so many positive
examples of lawyers in my legal defense team, most of whom work pro bono.
created 7 May 1998, modified 13 June 1998
go to my essay on privacy law in the USA
return to my homepage