Privacy of E-Mail in the USA

Copyright 1998 by Ronald B. Standler


Table of Contents

I. introduction
II. general statement of the law
   A. extension of old law
      telephone monitoring cases
   B. law of e-mail
      privacy of free e-mail
III. case law in the USA
      Shoars v. Epson   and   Bourke v. Nissan
      Steve Jackson Games
      Col. Maxwell
      Davis in Oklahoma
      Is e-mail a public record?
      Smyth v. Pillsbury
      Wesley College v. Pitts
      McVeigh v. Navy
      miscellaneous cases
encryption of e-mail
   encryption software



Introduction

Electronic mail (e-mail) is a way of sending text, graphics, and computer files from one computer to another computer. There are three common ways to send and receive e-mail:
  1. The sender and recipient might be directly connected as part of a local-area network (now often called an Intranet), which is common on a university campus, at a company occupying contiguous office space in one building (e.g., a law firm), or in an industrial park.
  2. The sender and recipient might both have accounts at one central computer (e.g., CompuServe, AOL, a privately-owned computer "bulletin board" service, or a computer at a university). The sender and recipient each access this central computer by using a modem and the telephone network.
  3. The sender and recipient both have accounts on separate computers that both have access to the Internet. Each party accesses their internet service provider (ISP) by using a modem and the telephone network. Messages between different ISPs are carried on the Internet, which uses a high-speed, long-distance telephone network. Examples of ISPs include a private local company or university, or a national service, e.g., UUNet, CompuServe, America OnLine.
Who would want to read someone else's e-mail? Law enforcement agents are interested in communications involving the planning or admission of criminal activity. A businessman is interested in learning proprietary secrets of his competitors. A supervisor is interested in learning about criticism by his/her employees. Agents of foreign governments may conduct espionage on military contractors, diplomatic or defense communications, etc.

There are three situations in which privacy of e-mail could be a concern.
  1. Interception during transmission, for example, by a wiretap on the telephone line at the sender's building.
  2. Reading during storage on the destination computer. For example, if one sends e-mail to lstudent@fplc.edu, this e-mail is stored on a hard drive of a computer at fplc until the recipient deletes it. If the recipient does not read the message within a reasonable time, typically a few months after it was sent, the system operator may delete the message to recover space on the hard drive for other users. Good operating practice of a computer system involves making routine backup copies (typically on magnetic tape) of all files on the hard drive, since hard drives can fail. An e-mail may be retrieved from a backup tape even after that e-mail was deleted from the hard drive by the recipient.
  3. Disclosure of contents by the recipient.


General Statement of the Law

The law regards each of these situations as distinct.
  1. Interception of e-mail during transmission is prohibited by federal wiretap statute, 18 U.S.C. § 2510-2521 and also some state wiretap statutes. The federal statutes were amended in 1986 by Title I of the Electronic Communications Privacy Act (ECPA) to include e-mail.
  2. Reading e-mail during storage on a computer system is prohibited by federal statute, 18 U.S.C. § 2701-2711, Title II of the Electronic Communications Privacy Act (ECPA), provided that the system is "providing an electronic communication service to the public." This means, among other things, that your e-mail messages are confidential when stored on a computer owned by an ISP that offers to any member of the public the ability to send e-mail and you pay for the account yourself. But there is no protection in 18 U.S.C. § 2702 for e-mail stored on a computer system operated by a corporation primarily for its own business communications. So, if you send e-mail to a company (e.g., jdoe@ibm.com) and the e-mail is stored on that company's computer, you have no privacy rights under this statute.
  3. The recipient of e-mail is generally free to share the information in the e-mail with anyone, subject to legal obligations that are mentioned later in this paper.
Reading e-mail that is stored on a computer is not an "interception" under 18 U.S.C. § 2510, et seq., because an interception must be contemporaneous with the transmission of the message between different locations. Steve Jackson Games v. U.S. Secret Service, 816 F.Supp. 432, 442 (W.D.Tex. 1993), aff'd, 36 F.3d 457, 460 (5thCir. 1994). This holding has been accepted in several subsequent cases, including Wesley College v. Pitts, 974 F.Supp. 375, 384-390 (D.Del. 1997); U.S. v. Moriarty, 962 F.Supp. 217, 221 (D.Mass. 1997); Bohach v. City of Reno, 932 F.Supp. 1232, 1235-36 (D.Nev. 1996).

One court noted that there is a loophole in Title II of the ECPA, where an unknown person can make a copy of e-mail and give it away, then other people who do not provide an electronic communication service can lawfully make a further distribution of copies of that private e-mail. Wesley College v. Pitts, 974 F.Supp. 375, 389 (D.Del. 1997).


extension of old law

Because e-mail is a new medium, invented during the 1970's, there are not many reported cases involving privacy of e-mail. Therefore, attorneys and judges initially looked for analogies in older law. The obvious analogy is voice telephone conversations. Early books on computer law and early law review articles on privacy of e-mail focused on this analogy, to suggest what the law was or should be. However, now, we have several cases interpreting the ECPA, so, when considering privacy of e-mail, cases in analogous areas are mostly of historical importance.

The landmark case of Katz v. U.S., 389 U.S. 347 (1967) considered a wiretap on a public telephone booth. The principal holding in this case was that the police had violated the defendant's privacy upon which he justifiably relied and the police made an unreasonable seizure under the Fourth Amendment to the U.S. Constitution. In Justice Harlan's concurring opinion in Katz, 389 U.S. at 361, a two-part test was proposed: (1) Did the person have an actual expectation of privacy in the communication? and (2) Does society recognize this expectation as reasonable? The U.S. Supreme Court accepted this two-part test in Smith v. Maryland, 442 U.S. 735, 740 (1979) and restated their acceptance again in California v. Ciraolo, 476 U.S. 207, 211 (1986).

Disclosure of contents of e-mail by the recipient is not a crime, unless there was disclosure of classified material to unauthorized persons.

Unless the recipient has some duty of confidentiality (e.g., physician-patient, attorney-client, trade secret disclosed in communication), the recipient is free to share the information with anyone. However, under some circumstances, the sender might sue the recipient for publicity given to private life, under Restatement (Second) Torts § 652D (1977).

If the e-mail were reproduced verbatim, or with only trivial changes, the sender could also sue the recipient for violation of copyright laws. However, if the e-mail was not marked with a copyright notice, then the author can only recover the author's actual damages and "any profits of the infringer that are attributable to the infringement", and the defendants can claim "innocent infringement". 17 U.S.C. §§ 401(d), 412, 504(b). Since most e-mail is not marked with a copyright notice and the expression in most e-mail is not valuable [There is no copyright protection for either ideas or information. 17 U.S.C. § 102(b)], copyright law gives little protection to typical e-mail.

In the special case of e-mail that contains evidence of criminal activity, there is no protection for the confidentiality of the message when the recipient discloses the contents of a communication to law enforcement agents or to a criminal trial. U.S. v. White, 401 U.S. 745 (1971)(no violation of Fourth Amendment when defendant spoke to informant who had concealed microphone and transmitter); Hoffa v. U.S., 385 U.S. 293 (1966)(statements made by Hoffa to undercover informant not protected by Fourth Amendment). Furthermore, there is no protection under the Fifth Amendment to the U.S. Constitution for production of documents at a criminal trial, U.S. v. Doe, 465 U.S. 605 (1984). In summary, the author of an e-mail message generally can not prevent disclosure of the message by the recipient.


telephone monitoring cases

Two telephone monitoring cases established rules that are relevant to monitoring of employees' e-mail by an employer.

One of the most famous telephone monitoring cases is Watkins v. Berry & Co., 704 F.2d 577 (11thCir. 1983), in which Watkins' supervisor listened to one of Watkins' personal telephone calls. Watkins' employer, the Berry Company, had "an established policy, of which all employees are informed, of monitoring solicitation calls as part of its regular training program." Id. at 579. However, this particular call was not an outgoing "solicitation call", but an incoming call from a friend during Watkins' lunch hour. The company's policy, to which Watkins consented, extended only to monitoring of sales calls, not personal calls. Id. at 581. The court stated:
We hold that a personal call may not be intercepted in the ordinary course of business under the exemption in 18 U.S.C. § 2510(5)(a)(i), except to the extent necessary to guard against unauthorized use of the telephone or to determine whether a call is personal or not. In other words, a personal call may be intercepted in the ordinary course of business to determine its nature but never its contents.
Id. at 583.
The court stated that the supervisor
was justified in listening to that portion of the call which indicated that it was not a business call; beyond that, she was not. Determination of the relevant points [sic] in the call is for the trier of fact. .... We think the conclusion is inescapable that these exemptions [consent and business extension] do not automatically justify interception of an entire call. The expectation of privacy in a conversation is not lost entirely because the privacy of part of it is violated. .... Therefore, [the supervisor] was obliged to cease listening as soon as she had determined that the call was personal, regardless of the contents of the legitimately heard conversation.
Id. at 584. (footnotes omitted)
The holdings in Watkins are relevant to a supervisor's viewing of an employee's e-mail, perhaps during inadvertent view of a message on a CRT, or during review of an absent employee's e-mail to ensure the continuity of business operations during the employee's absence.

Three years later, the same circuit court considered a case in which an employee, Smith, overheard another employee in the same room, who was making disparaging remarks on a business telephone about a supervisor. Smith recorded part of the conversation and played the recording to the supervisor. The court held that "this telephone call was not a personal call" – so there was no illegal interception – because
it occurred during office hours, between co-employees, ... and concerned scurrilous remarks about supervisory employees in their capacities as supervisors. Certainly the potential contamination of a working environment is a matter in which the employer has a legal interest.
Epps v. St. Mary's Hospital, 802 F.2d 412, 417 (11thCir. 1986).
This case makes clear that if an employee wishes to criticize a supervisor, it should not be done using company e-mail. Could criticism of a supervisor be done from home, using a personal telephone line and a personal e-mail account at an ISP? No, because the recipient of the e-mail could print a copy and show it to someone at the company.


law of e-mail

Privacy of e-mail was given a statutory basis in 1986 with the passage of the ECPA that provided both criminal and civil penalties for interception of e-mail during transmission (in 18 U.S.C. § 2510-21) and access to e-mail during storage (in 18 U.S.C. § 2701-11).

In addition to the protections in federal statute, an e-mail service (e.g., CompuServe, AOL, bulletin-board operator, or ISP) may explicitly offer written assurance that e-mail messages are private. Such assurances are important for two reasons: (1) they provide a basis for the reasonable expectation of privacy in the Katz test and (2) they are an undertaking for breach of which the computer operator may be held liable, either under a warranty claim or tort.

In contrast to privacy of personal e-mail accounts, an employer may monitor e-mail stored on a computer owned by the company, under federal statute. However, it would be prudent for the employer to openly declare to employees this policy of (possibly) monitoring e-mail on the company computer, because such a declaration to employees defeats any claim of privacy under the Katz test and weakens the ability of the employees to sue the employer under the common law of privacy.

Note that 18 U.S.C. § 2701 is directed at hackers without authorization, or users who intentionally exceed their authorization, who enter a computer system and then "obtains, alters, or prevents authorized access" to e-mail. Section 2701 is directed more toward computer crime than privacy of e-mail.

Sometimes, attorneys misuse the phrase "e-mail" to describe messages sent to a group of people in a chat room. Such communications to a chat room fail the second part of the Katz test, since society does not recognize a reasonable expectation of privacy in disclosures made in a public forum. In a chat room, there will be people who are unknown to the author of communications with the chat room, so there can be no legitimate expectation of privacy in a chat room. For example, U.S. v. Charbonneau, 979 F.Supp. 1177 (S.D.Ohio 1997) held, in a case concerning a pedophile, that there was no reasonable expectation of privacy in e-mail sent to others in an AOL chat room. Use of a chat room must be carefully distinguished from sending e-mail to one person, which is a private communication, analogous to a telephone call or first-class letter via the U.S. Post Office.


privacy of free e-mail

Up to the mid-1990's, there were commonly only two kinds of e-mail: (1) an e-mail service (e.g., CompuServe, AOL) in which each customer pays a monthly fee for access to personal e-mail and (2) e-mail provided by an employer for company business. But in the mid-1990's, a third kind of e-mail became available: free e-mail services provided to individuals by companies like Hotmail and Yahoo!. There is an intriguing question about the privacy of the individual messages in these free e-mail services. At first glance, it would seem that free e-mail services come under the ECPA, 18 U.S.C. § 2701-2711.

But 18 U.S.C. § 2702 specifically limits the protections of criminal law to "a subscriber or customer of such service." But the customer of free e-mail services may be the advertisers who pay for the service, not the individuals who use the service. I can find no published commentary and no case law on this point. It would be reasonable for a court to interpret "subscriber" to include nonpaying authors and recipients of e-mail.

The interpretation of who is protected by statute is not a specious point. In a different context, it has already arisen in one complicated series of cases. Distributors of illicit drugs tried to move more than twelve million dollars from banks in Texas to banks in New York, using the FedWire e-mail system. The banks in New York had a correspondent relationship with the drug distributors' bank in Colombia. The federal government accessed the e-mail in the FedWire system, seized the money, and instituted forfeiture proceedings. The drug distributors alleged that the U.S. Government violated the ECPA by accessing stored communications. The court noted that 18 U.S.C. § 2707(a) only protected a "provider", "customer", or "subscriber". The e-mail on the FedWire system was between two banks in the USA, and the ultimate beneficiary of the e-mail was neither a customer nor a subscriber of FedWire. Therefore the court found that the drug distributor had no standing to sue under the ECPA. Organizacion J.D. Ltda v. U.S., 1996 WL 162271 (S.D.N.Y. 1996), aff'd, 124 F.3d 354, 361 (2dCir. 1997). Earlier reported cases in this protracted litigation are reported at 6 F.3d 37 (2dCir. 1993), cert. denied, 510 U.S. 1191 (1994) and 18 F.3d 91 (2dCir. 1994).

The statute 18 U.S.C. § 2702 is part of the criminal statute. The right of a civil action arises under 18 U.S.C. § 2707(a), which was amended in 1996 to change "customer" to "any ... other person aggrieved by any violation of this chapter ...." This change clearly gives standing to sue under Title II of the ECPA to authors or recipients of e-mail on free e-mail services.


Case Law

Shoars v. Epson   and   Bourke v. Nissan

The first two cases of privacy of e-mail in the workplace both occurred in California.

The Epson corporation, which made dot-matrix printers for computers, had no written e-mail policy. When Shoars, the administrator of the company e-mail, discovered in 1989 that her manager, Hillseth, was reading employees' e-mail, she confronted Hillseth. When Hillseth refused to stop reading employees' e-mail, Shoars reported his activity to Epson's general manager. Hillseth terminated Shoars' employment, because of her alleged "gross insubordination." Shoars sued Epson under claims for wrongful discharge (because Hillseth's monitoring of employee e-mail was wiretapping and eavesdropping under state law, and hence contrary to public policy), conspiracy, and slander. The trial court granted summary judgment to Epson, and the appellate court affirmed except on the count of slander. The wiretapping/eavesdropping basis was held to be inappropriate, because employers had a right to monitor communications in the workplace. The case was not published in any reporter; however, a copy of the 1994 appellate court decision is posted on the Internet.

Bonita Bourke and Rhonda Hall, who established and operated an e-mail system for Nissan, were found by Nissan to have sent e-mail containing inappropriate jokes, soft-core pornography, and language that contained disparaging remarks about a supervisor and the company. Nissan terminated the employment of Hall and allowed Bourke to resign. Bourke and Hall sued for wrongful discharge, invasion of privacy, and violation of state statutes prohibiting wiretapping and eavesdropping. The state court granted Nissan's motion for summary judgment on all counts and the appellate court affirmed. The unreported case has the citation Bourke v. Nissan, No. YC-003979 (Cal.Super.Ct., L.A.Cty.) aff'd, No. B-068705 (Cal.Ct.App. 26 July 1993).

Neither of these cases can be cited as precedent, but they are consistent with later cases (e.g., Smyth v. Pillsbury) that give employees no privacy rights for e-mail on a computer owned by their employer. The cases of Shoars and Bourke were decided under California state statutes, not the ECPA. If they had been decided under the ECPA, the court would probably have found a "business use exception" for the interceptions and found that 18 U.S.C. § 2702 does not apply to computers owned by the employer for the employer's internal e-mail system.

seizure from Steve Jackson Games, 1 Mar 1990

The most famous e-mail seizure case was Steve Jackson Games v. U.S. Secret Service, 816 F.Supp. 432 (W.D.Tex. 1993), aff'd, 36 F.3d 457 (5thCir. 1994). Steve Jackson owned a company that produces games, books, and magazines. Beginning in the mid-1980's, the company operated a computer bulletin board service, called Illuminati, for information about the company's products. Users of Illuminati could also send/receive private e-mail through the bulletin board service. Illuminati was operated by Blankenship, who was employed by Steve Jackson for this job.

Blankenship also operated the Phoenix bulletin board system from his home; that board contained a proprietary document about 911 telephone service that had been stolen by hackers from Bell South. Neither the Secret Service nor Bell South's security people ever checked the Illuminati bulletin board; they simply guessed that Illuminati might contain stolen documents, because Blankenship operated both boards. On this meager basis, a Secret Service agent obtained a search warrant to seize the computer used to operate Illuminati. 816 F.Supp. at 435-436, 443.

On 1 Mar 1990, the Secret Service entered the premises of Steve Jackson Games, seized three computers, over 300 diskettes, a printer, modems, and other items. During this first contact between the Secret Service agent and Steve Jackson Games, the agent was told that the company was a publisher. Despite the fact that the Secret Service agent was also an attorney, he was unaware of 42 U.S.C. § 2000aa, et seq., which prohibits searches and seizures of work products of journalists, authors, and publishers. 816 F.Supp. at 437, 439-440.

Although the seized material could have been copied and the originals promptly returned to the company, the Secret Service did not return the material until nearly four months later. 816 F.Supp. at 437, 441.

There were "162 items of unread, private e-mail" included in the seizure. 36 F.3d at 459.

After review of the seized material, no arrests were made, and no criminal charges were filed. In fact, "there has never been any basis for suspicion that any of the plaintiffs have engaged in any criminal activity, violated any law, or attempted to communicate, publish, or store any illegally obtained information...." 816 F.Supp. at 435.

Steve Jackson and three people who had private e-mail on the seized computer filed suit in federal court, alleging different causes of action.
  1. The seized materials included drafts of one book and several magazines. Under the Privacy Protection Act, 42 U.S.C. § 2000aa, et seq., the court did order the government to pay $ 8,781 in direct damages and $ 42,259 in consequential damages to Steve Jackson Games for lost profit in 1990. However, the court found that the publicity surrounding the seizure of Illuminati increased sales after Dec 1990, so there was no long-term economic damage to Steve Jackson Games. 816 F.Supp. at 438-441.
  2. The four plaintiffs claimed that the Secret Service had read and deleted their private e-mail, without their consent. The Secret Service denied plaintiffs' claim, but the court found the Secret Service had "intended not only to seize and read these communications, but, in fact, did read the communications and thereafter deleted or destroyed some communications either intentionally or accidentally." The Court concluded that such actions "cannot be justified." 816 F.Supp. at 438, 441. The court found the Secret Service liable under 18 U.S.C. § 2701 et seq. and ordered the Secret Service to pay each plaintiff the statutory damages of $ 1000. 816 F.Supp. at 443.
  3. The court awarded $ 195,000 in attorneys' fees and approximately $ 57,000 in costs to plaintiffs. 36 F.3d at 459.


seizure from Col. Maxwell, Dec 1990

Another well-known case regarding privacy of e-mail is the case of U.S. v. Maxwell, 42 M.J. 568 (USAF Crim.App. 1995), rev'd in part, 45 M.J. 406 (1996). This case is distinguishable from others in that the defendant was a military officer, being tried in a military court under military law and under Military (not Federal) Rules of Evidence, so it at best is only persuasive authority in a civilian court.

A private citizen in California reported to the FBI that screen names of some subscribers of America OnLine (AOL) were sending and receiving child pornography. With this information, the FBI obtained a search warrant for graphics and e-mail to/from 89 screen names. One of those screen names, Redde1, belonged to Col. Maxwell, the commander of U.S. Air Force Goodfellow Training Center in Texas.

The FBI initially contacted AOL and informally provided screen names to AOL. AOL began doing some searching of files belonging to these screen names before the warrant was issued. This fact is important, because the only screen name for Col. Maxwell that the FBI provided was "Redde1", which was correctly spelled in the informal disclosure, but mistyped in the warrant as "REDDEL". The change of the final character from "1" to "L" would have prevented AOL from finding any files in Col. Maxwell's space, but AOL did not rely on the spelling in the warrant. There were more than twenty typographical errors in the warrant. 45 M.J. at 416.

Each subscriber to AOL can have up to five different screen names. AOL provided the FBI with data from all of the screen names registered to an individual, although the search warrant contained only one of the screen names for Maxwell. In the case of Col. Maxwell, AOL also provided information under Col. Maxwell's alternate screen name, Zirloc, although this name was not listed in the search warrant or in any information that the FBI knew prior to contacting AOL.

When the FBI returned with the warrant in Dec 1991, AOL had already printed out about 13,000 pages of computer paper and copied files onto 39 high-density diskettes, before AOL received the warrant. 42 M.J. at 574; 45 M.J. at 413, 421. In addition to assembling information before receiving the warrant, AOL provided substantially more information than specified in the warrant (i.e., AOL also provided information on Zirloc). 45 M.J. at 413, 416, 420.

Based on data from AOL, there was a search of Col. Maxwell's living quarters on 13 June 1992, which produced child pornography and obscene material.

The first appellate opinion, 42 M.J. 568, uses only the term "e-mail", without any reference to "chat rooms" on AOL. But the second appellate opinion makes numerous mentions of "chat rooms" in two different places in the opinion, 45 M.J. at 411, 417-419. That court made a terse statement that communications in chat rooms "lose any semblance of privacy", without explaining why this was a relevant consideration in the Maxwell case. 45 M.J. at 419. From these remarks, and the fact that a private citizen in California tipped the FBI to the screen names of people who were sending child pornography, I guess that some of Col. Maxwell's communications were in a chat room. Communications in a chat room are in a public forum and there is no legitimate expectation of privacy there. Communications in chat rooms must be carefully distinguished from sending e-mail to one person, which is a private communication, analogous to a telephone call or first-class letter via the U.S. Post Office.

Col. Maxwell was court-martialed on charges of (1) using his personal computer to transmit indecent language to another service member and (2) using his personal computer to transmit obscene material and child pornography [violations of 18 U.S.C. §§ 1465 and 2252]; all charges were misconduct which discredited the service under Article 134 of the Uniform Code of Military Justice. 42 M.J. 568, 573. That Maxwell used AOL only when he was in his home and off-duty was irrelevant to discrediting the service.

The trial judge ruled that Maxwell had no objective expectation of privacy in his e-mail, because (1) the e-mail could be neither recalled nor erased after it was sent, (2) the sender sent messages anonymously to screen names, not real names of individuals, and (3) the distribution of one message to more than one recipient was analogous to third-class mail. 42 M.J. at 575-576. After trial, Maxwell was sentenced to a dishonorable discharge and stripped of his retirement benefits. The second appellate court noted that stripping Maxwell of his retirement benefits was "equivalent to a deprivation of approximately one million dollars ... grossly disproportionate, and thus unconstitutional, for a first non-violent felony ...." 45 M.J. at 427.

The first appellate court ruled that:
  1. Maxwell did have an objective expectation of privacy. 42 M.J. at 576.
  2. The misspelling of "REDDEL" in the warrant did not invalidate the warrant. 42 M.J. at 576-77.
  3. There was probable cause for AOL to furnish information on Redde1, but not Zirloc, to the FBI. 42 M.J. at 577. However, this court ruled that the evidence from screen name Zirloc was admissible under the "good-faith exception". 42 M.J. at 578-579.
The first appellate court affirmed the findings of guilt and the sentence. 42 M.J. at 583.

The second appellate court, the U.S. Court of Appeals for the Armed Forces, U.S. v. Maxwell, 45 M.J. 406 (1996), affirmed the first two points of appeal: Maxwell did have an objective expectation of privacy; the misspelling of "Redde1" did not invalidate the warrant. However, the court ruled that fruits of seizure from screen name Zirloc were not admissible. 45 M.J. at 421-423. The loss of the government's evidence from Zirloc meant that Maxwell could not be found guilty of transmitting indecent language to another service member, and that charge was dismissed. 45 M.J. at 414, 424, 428.

While affirming that Maxwell had an objective expectation of privacy in his e-mail, the second appellate court limited the expectation because the sender of e-mail could not control what the recipient would do with the e-mail. 45 M.J. at 417-418. This is a bizarre holding, because the same argument applied to e-mail sent to one person would also limit the privacy of telephone conversations and letters sent by first-class mail.

My search of the Washington Post newspaper database and the WestLaw MJ and ALLFEDS databases on 7 May 1998 found no information on the final disposition of Col. Maxwell's case.


seizure from Davis in Oklahoma, 20 July 1993

Davis operated a computer bulletin board and CD-ROM production service that was producing and distributing obscene material. The State of Oklahoma obtained a search warrant, and then seized the equipment used to produce and distribute the obscene material. After a hearing, the equipment was forfeited to the state, because the equipment was an instrumentality of a crime. Davis claimed that the two seized computers were not specifically mentioned in the search warrant. State of Oklahoma v. One (1) Pioneer CD-ROM Changer, 891 P.2d 600 (Okla.Ct.App. 1994). The court held that the computers were properly seized under the "plain view" rule. Id. at 605.

At the time of the seizure, the computer used in operating the bulletin board service contained approximately 150,000 e-mail messages to/from approximately 2000 subscribers. Davis claimed that the seizure of the computer was an unlawful interception under 18 U.S.C. § 2510 et seq. 891 P.2d at 605-606. However, the capture of the e-mail was inadvertent, in that the computer also contained obscene material. Further, the officers did not read any of the e-mail, and the State "offered to return any e-mail ... as long as the information did not compromise the criminal case." Id. at 606. The court also noted that Davis
failed to show that the lawful, physical seizure of the computer equipment which was allegedly used to distribute obscene material, and which contained private communications in the form of e-mail, constitutes an "interception" ....
Id. at 606.
Therefore, the court denied all of Davis' claims and affirmed the trial court's order of summary judgment to the State. Id. at 607. In passing, the court noted that "we express no opinion regarding whether Davis may have a viable civil cause of action under the Privacy Act [42 U.S.C. § 2000aa]." Id.

Clearly, Davis' attorney cited the wrong statute in the case in state court. Seizure of the computer was not an interception under the authority of a contemporary case, Steve Jackson Games, 816 F.Supp. 432 (W.D.Tex. 1993), which was later affirmed, 36 F.3d 457 (5thCir. 1994). The correct statute for a seizure would be 18 U.S.C. § 2701 et seq. But even the correct statute would not help Davis, since the police never read any of the e-mail, hence the privacy of the e-mail was maintained.

Davis then filed suit in federal court, alleging claims under 40 U.S.C. § 1983 for violation of his First and Fourth Amendment rights, the Privacy Protection Act [42 U.S.C. § 2000aa], and the ECPA. The trial court granted summary judgment for the police and the court of appeals affirmed. Davis v. Gracey, 111 F.3d 1472 (10thCir. 1997). The appellate court stated
The question then is whether the incidental temporary seizure of stored electronic materials invalidated the seizure of the computer within which they were stored. We hold that it did not. .... The fact that a given object may be used for multiple purposes, one licit and one illicit, does not invalidate the seizure of the object when supported by probable cause and a valid warrant. We also note the obvious difficulties attendant in separating the contents of electronic storage from the computer hardware during the course of a search. Perhaps cognizant of the potential burdens of equipment, expertise, and time required to access, copy, or remove stored computer files, plaintiffs have not suggested any workable rule. In short, we can find no legal or practical basis for requiring officers to avoid seizing a computer's contents in order to preserve the legality of the seizure of the computer hardware. In any event, we are well able to distinguish between the legality of the initial seizure of a container, and any subsequent search or retention of the contents. .... The seizure of a container is not invalidated by the probability that some part of its "innocent" contents will be temporarily detained without independent probable cause. We will not hold unlawful the otherwise constitutional seizure of the computer equipment in order to prevent the temporary deprivation of plaintiffs' rights to the contents. However, our conclusion that the seizure of the computer equipment pursuant to a warrant here allowed the incidental seizure of files stored therein should not be read as approval of any subsequent efforts by the police to search or retain the stored files without a warrant.
111 F.3d at 1480-81. (footnotes and citations omitted)

It was an issue of first impression for this federal Court of Appeals to determine whether seizure of e-mail, without reading the e-mail, was a violation of the ECPA. 111 F.3d at 1482. The appellate court rejected Davis' claim that the seizure of the computer, with the e-mail stored on it, violated the ECPA, because there is an exception in the ECPA, 18 U.S.C. § 2707(e)(1), for "good-faith reliance on ... a court warrant or order." 111 F.3d at 1483-85.


Is e-mail a public record?

A county attorney executed a subpoena for all of the computer backup tapes containing all of the documents of the county assessor's office for one year, for an investigation into alleged improprieties in the operation of the assessor's office. The local newspaper requested copies of the tapes, under the state's public record law. A trial court ordered production of the records; the county attorney appealed, and the appellate court affirmed and also ordered the county attorney to pay the newspaper's attorney's fees in both actions. Star Pub. Co. v. Pima County Attorney's Office, 891 P.2d 899 (Ariz.Ct.App. 1995). The appellate court noted that all
public records are presumed open to the public for inspection unless the public official can demonstrate a factual basis why a particular record ought not be disclosed to further an important public or private interest
and the county attorney had made no such showing. Id. at 901.
The court also said:
While we doubt that public employees have any legitimate expectation of privacy in personal documents that they have chosen to lodge in public computer files, we are unable to even assess the nature of any claim they might have, given the paucity of this record.
Id.

At 651 So.2d 1185 (Fla. 1995), the Supreme Court of Florida considered amendments to Florida Rules of Judicial Administration, so as to allow public access to e-mail from court employees. The court decided that e-mail was generally a public record:
E-mail is a new computer-based technology that the court system has only recently begun to use. .... E-mail transmissions are quickly becoming a substitute for telephonic and printed communications, as well as a substitute for direct oral communications. E-mail is already being used as a communication device for various trial court functions during the course of trial as well as multiple appellate court functions. Many of these communications are sent between judges and their staffs. Further, it is clear that the definition of "judicial records" contained in proposed rule 2.051(b) includes information transmitted by an e-mail system and that many such transmissions are exempt under 2.051(c). The fact that information made or received in connection with the official business of the judicial branch can be made or received electronically does not change the constitutional and rule-mandated obligation of judicial officials and employees to direct and channel such official business information so that it can be properly recorded as a public record. The obligation is the same whether the information is sent as a letter or memo by hard copy or as an e-mail transmission. Official business e-mail transmissions must be treated just like any other type of official communication received and filed by the judicial branch.
651 So.2d 1185, 1186-87 (Fla. 1995).

However, the court, among other items, excluded all of the following from the public record:

Smyth v. Pillsbury Co.

Smyth v. Pillsbury Co., 914 F.Supp. 97 (E.D.Penn. 1996) is the first reported case of privacy of an employee's e-mail on a company's computer system. Pillsbury maintained an e-mail system "to promote internal corporate communications between its employees." Pillsbury "repeatedly assured its employees, including plaintiff, that all e-mail communications would remain confidential and privileged." Id. at 98. Smyth sent e-mail to his supervisor that, among other things, "concerned sales management and contained threats to 'kill the backstabbing bastards....'" Id. at 98-99, n.1. Smyth's employment was then terminated for "inappropriate and unprofessional comments over defendant's e-mail system." Id. at 98-99.

The court dismissed Smyth's complaint for failure to state a claim for which relief can be granted. The court noted that Smyth was an at-will employee, which means that Pillsbury could terminate Smyth's employment at any time for any reason.

The court said
[W]e do not find a reasonable expectation of privacy in e-mail communications voluntarily made by an employee to his supervisor over the company e-mail system notwithstanding any assurances that such communications would not be intercepted by management. .... [P]laintiff voluntarily communicated the alleged unprofessional comments over the company e-mail system. We find no privacy interests in such communications. .... Moreover, the company's interest in preventing inappropriate and unprofessional comments or even illegal activity over its e-mail system outweighs any privacy interest the employee may have in those comments.
Id. at 101.

Pillsbury had assured its employees that "e-mail communications could not be intercepted and used by defendant against its employees as ground for termination or reprimand." Id. at 98. The court held that this representation did not estop Pillsbury from ending Smyth's employment. Id. at 100, n.2.

The court's published opinion does not mention any reference to either 18 U.S.C. § 2510 et seq. or 18 U.S.C. § 2701 et seq. I do not see any valid claim for "interception" of e-mail, since Smyth sent the e-mail directly to his supervisor. Although the opinion does not discuss this matter, the supervisor probably gave copies of the e-mails to others in the company. That is not "interception" as the term is used in 18 U.S.C. § 2510 et seq.


Wesley College v. Pitts

Wesley College v. Pitts, 974 F.Supp. 375 (D.Del. 1997) has a bizarre set of facts. Stewart, the president of Wesley College, decided to deny tenure to an English teacher, Hudson. Hudson then filed suit against the college and Stewart for breach of contract. During a deposition in connection with that suit, Hudson revealed that Pitts, a computer operator at the college, had seen an e-mail from Stewart concerning Hudson's case.

Pitts sent an unmarked envelope to Stewart at his home in July 1995 that contained a printed copy of a 15 Feb 1995 e-mail from Stewart to his administrative assistant, another employee of the college, and his wife. The text of this dramatic e-mail stated Stewart's belief that Prof. Pelzer was "an advocate for Hudson" and that any information about Hudson's case that was disclosed to Pelzer had the potential to "ruin" Stewart and "cripple" the College. Pitts also sent a copy of this e-mail to Pelzer.

Stewart sent over one thousand e-mail messages each month. However, Stewart apparently did not know how to print them. Stewart often printed his e-mail at the printer in the computer center, which is in the basement of the library, instead of at the printer in Stewart's office, according to Pitts's testimony.

The college filed suit that alleged violations of the ECPA against three people: Pitts; Ferguson, a faculty member who had received some information from Pitts; and Hudson. Ferguson and Hudson never had an e-mail account at the college and had no ability to get messages from the college's computer. For these and other reasons, the court granted summary judgment to Ferguson and Hudson.

Ferguson testified that Pitts told her that Pitts saw incriminating e-mail on the screen of employees' terminals, which activity by Pitts was held to be not an "intercept" under 18 U.S.C. § 2510. 974 F.Supp. at 384.

The College's case under Title I of the ECPA was "built upon a series of innuendo and inferential leaps of faith." 974 F.Supp. at 390. The court granted summary judgment to the defendants on all counts.

During the College's litigation in federal court against Pitts, Ferguson, and Hudson in which e-mail was shared through discovery and discussed in court, the College obtained from the federal court a protective order to keep the e-mail confidential. In effect, this protective order would keep this e-mail out of Hudson's breach of contract case in state court against the College. The federal court dissolved the protective order, with the observation that "Wesley wants to wield the e-mail as a rapier in the federal action and then blithely sheathe it from view in the state case. But such one-sided swordsmanship is not permitted." Wesley College v. Pitts, 1997 WL 557554, *2 (D.Del. 11 Aug 1997).

In reading these two cases brought by Wesley College, I get the impression that the president of the College sends hysterical e-mail and sues on theories based more on his paranoia than facts. Maybe Stewart intended to use litigation to keep his faculty under his control.

As noted earlier in this article, the court noted that there is a loophole in Title II of the ECPA, where an unknown person can make a copy of e-mail and give it away, then other people who do not provide an electronic communication service can lawfully make a further distribution of copies of that private e-mail. 974 F.Supp. at 389. However, this case involved a private computer system on the Wesley College campus. Title II of the ECPA, 18 U.S.C. § 2702(a), only applies to e-mail systems for which the public has access, so it is not clear to me that the ECPA applied to the e-mail system at Wesley College.


McVeigh v. Navy

Timothy McVeigh (no relation to the defendant in the Oklahoma City bombing case) was a Senior Chief Petty Officer in the U.S. Navy; he was the highest ranking enlisted man on the submarine U.S.S. Chicago. In Sep 1997, he sent an e-mail message through AOL to a civilian who was coordinating a Christmas toy drive for the Chicago crew members' children. The message header stated that the message came from "boysrch", McVeigh's screen name on AOL, but the message was signed by "Tim". When the civilian searched the AOL member profile directory to find the real name of the sender, she discovered that the sender listed his marital status as "gay". The civilian gave the e-mail and the directory data to her husband, who also served aboard the U.S.S. Chicago. The material was given to the captain of the ship, who gave it to the ship's legal adviser. The legal adviser asked a paralegal on her staff to contact AOL. The paralegal called AOL on the telephone, did not identify himself as a member of the Navy, but mentioned a pretext about being "in receipt of a fax sheet and wanted to confirm the profile sheet, [and] who it belonged to." McVeigh v. Cohen, 983 F.Supp. 215, 217 (D.D.C. 1998). Amazingly, the AOL representative told the paralegal that the screen name "boysrch" belonged to Timothy McVeigh.

The U.S. Navy promptly instituted proceedings to discharge McVeigh from the Navy, because of his homosexuality.

McVeigh filed suit, and the district court granted a preliminary injunction against the discharge. The court noted that "the Navy violated its own regulations" by actively investigating when McVeigh had not openly expressed his homosexuality. Id. at 219. The court also noted that the Navy's actions in "pursuit" of McVeigh "were not only unauthorized under its policy, but likely illegal" under 18 U.S.C. § 2703(b)(1)(A) and (B), (c)(1)(B), because the Navy failed to get a warrant before contacting AOL. Id. at 219. The court found that there was a likelihood of success on the merits of McVeigh's claim that "the government, at the least, solicited a violation of the ECPA by AOL." Id. at 220.

The court stated
In these days of "big brother," where through technology and otherwise the privacy interests of individuals from all walks of life are being ignored or marginalized, it is imperative that statutes explicitly protecting these rights be strictly observed.
Id. at 220.

The court began its discussion of the public interest portion of the legal test for the issuance of a preliminary injunction:
Certainly, the public has an inherent interest in the preservation of privacy rights as advanced by Plaintiff in this case. With literally the entire world on the world-wide web, enforcement of the ECPA is of great concern to those who bare the most personal information about their lives in private accounts through the Internet. In this case in particular, where the government may well have violated a federal statute in its zeal to brand the Plaintiff a homosexual, the actions of the Navy must be more closely scrutinized by this Court. It is disputed in the record exactly as to how the Navy represented itself to AOL when it requested information about the Plaintiff. The Defendants contend that Legalman Kaiser merely asked for confirmation of a fax sheet bearing Plaintiff's account. Plaintiff contends, and AOL confirms, however, that the Naval officer "mislead" AOL's representative by "both failing to disclose the identity and purpose [of his request] and by portraying himself as a friend or acquaintance of Senior Chief McVeigh's."
Id. at 221.

Because this case was only about the issuance of a preliminary injunction to prevent McVeigh's imminent discharge from the Navy, the court made no remarks about AOL's civil liability to McVeigh for AOL's disclosure.

On 29 Jan 1998, Judge Sporkin of the Federal District Court made permanent his preliminary injunction against the discharge of McVeigh from the Navy. The Navy planned to appeal. A spokesman for AOL acknowledged to the Washington Post that AOL had violated its own confidentiality policies.
Washington Post, 30 Jan 1998, page A02. 1998 WL 2464889

On 9 May 1998, the Navy promoted McVeigh to Master Chief Petty Officer, its highest enlisted rank, which confirms that he was an outstanding sailor. On 12 June 1998, the Navy reached a settlement with McVeigh in which (1) McVeigh would retire with full benefits, (2) the Navy would pay McVeigh's legal fees, approximately $90,000, and (3) the Navy would withdraw its appeal of Judge Sporkin's rulings. AOL settled with McVeigh: AOL paid an undisclosed amount of damages for violating McVeigh's privacy.


miscellaneous cases

Bohach v. City of Reno, 932 F.Supp. 1232 (D.Nev. 1996) considered the claim of police officers that terse messages to each other on their pagers were protected by the ECPA. The City had obtained, for use in an internal affairs investigation, copies of the messages from a computer owned by the city. The court ruled that the officers were "most unlikely" to have an objectively reasonable expectation of privacy under the Katz test. Id. at 1234. Further, the court ruled that the recording of the messages from the computer was within the ordinary course of business exception in Title I of the ECPA, 18 U.S.C. § 2510(5)(a). See Briggs v. American Air Filter, 630 F.2d 414, 420 (5thCir. 1980)(interpreting "ordinary course of business"). Finally, the computer system was owned by the city and installed to allow communications on official police business; it was "incidental to its primary function" that the system could also send private messages between police officers, therefore, the system falls within the exception in Title II of the ECPA, 18 U.S.C. § 2701(c)(1). The court denied the officers' request for a preliminary injunction. In this case, I get the impression that the attorneys and the judge were not clear on the distinction between Title I of the ECPA, which deals with interception of messages as they are transmitted, and Title II of the ECPA, which deals with retrieval of messages from storage. This case should only consider Title II of the ECPA, since the internal affairs investigators sought the messages from storage, long after the messages were initially sent via pager.

Andersen v. UOP, 1998 WL 30703 (N.D.Ill. 26 Jan 1998) considered the distinction between a public and private e-mail system. Employees of Andersen were hired by UOP to do some computer system work. During this project, the employees of Andersen "used UOP's internal e-mail system to communicate with each other, with UOP, and with third parties." Id. at *1. UOP was dissatisfied with Andersen's performance and terminated the project. Subsequently, UOP and their attorneys divulged the contents of some of Andersen's e-mail messages to the Wall Street Journal. Andersen sued, alleging violations of Title II of the ECPA, 18 U.S.C. § 2701 et seq. The court dismissed Andersen's ECPA claim, because UOP's e-mail system was not available to the public, as required in 18 U.S.C. § 2702(a)(1). The court noted that the word "public" is not defined in the ECPA and there is no case law on the subject, but the court found the word "public" could be given its plain meaning. UOP did not provide a communication service to any member of the public who wanted to send e-mail from the UOP system. Andersen had access to the UOP system only because Andersen was a contractor hired by UOP. The court also noted that "UOP's internal e-mail system is separate from the internet." Id. at *2. However, I think this fact about connection to the internet is probably not necessary to a determination of "service to the public", since a company could connect its private e-mail system to the internet in order to receive messages from the public (e.g., questions from past customers, orders from current customers, requests for information from potential customers) without allowing the public to send messages from the company's computer(s) or internet site.


encryption of e-mail

The above essay discussed how the law considers confidentiality of e-mail. Instead of relying only on the law for a remedy after harm has occurred, one can use software to encrypt a message and prevent harm from interception or copying of confidential information in e-mail. Encryption prevents unauthorized people from reading e-mail, even if they obtain a copy from a wiretap or from a hard disk on a computer. There are two additional benefits: (1) encryption can also serve to authenticate a message and (2) encrypted messages are smaller than the original message, because of compression of common characters into less space than a 7- or 8-bit ASCII character, so encrypted messages are quicker to send.

There is one major disadvantage of encryption of e-mail: Encryption makes it essentially impossible for the police to get useful information from a wiretap. Wiretaps for voice communications have led to the arrest and conviction of many criminals, which is definitely in the public interest. However, this disadvantage does not mean that one must refuse to use encryption technology to protect confidential personal or business information. Encryption technology is just another tool that can have both good and bad applications. Perhaps a statute should be enacted that provides additional criminal penalties for using encrypted e-mail to further a criminal conspiracy, in the same way that existing statutes provide additional criminal penalties for using a firearm in the commission of a crime.

Different people have different levels of comfort about possible surveillance of their activities. Some people are paranoid, perhaps with good reason if they are contemplating illegal activity. Other people trust the government not to wiretap them. It is also possible for individuals and business competitors to do electronic surveillance, although there are fewer legal cases involving such perpetrators.

My personal opinion is that encryption of e-mail between friends and colleagues is not necessary, unless the e-mail contains confidential information. Examples of confidential information include: medical history, financial information (e.g., credit card numbers), attorney-client communications, and proprietary business information. The obvious use of encryption is to prevent some third person from reading the message. However, another effect of encryption is to impress on the recipient that the information is confidential and should be treated carefully.

some links to encryption and computer security

Prof. Ronald L. Rivest at MIT was one of the three inventors of the popular RSA algorithm for encryption. His web pages include technical information on encryption and links to other web sites.

Encryption Policy and Market Trends, an essay by Prof. Dorothy Denning at Georgetown University. Prof. Denning is an expert in computer security.

NIST Computer Security Resource Clearinghouse

SRI Computer Science Laboratory



encryption software

U.S. citizens can download a free copy of Pretty Good Privacy (PGP) from a site on the Internet. I used the MIT site to obtain PGP version 2.6.2 for DOS. Free versions for the Apple Macintosh, Unix, Linux, Windows 95, and Windows NT are also available from the MIT website. Alternatively, one can purchase a more sophisticated version of this encryption program from Network Associates. Note that these programs are only available to citizens of the U.S.A., because the U.S. Government considers encryption technology as a munition (because of its obvious military applications), and therefore the program is subject to export controls.

Because the free copy of PGP2.6.2 contains only poorly organized documentation amongst its files, a new user will also need to purchase some books. I recommend:

  1. The Official PGP User's Guide by Philip R. Zimmermann, MIT Press, 1995, ISBN: 0-262-74017-6, 216 pages. Zimmermann wrote version 1.0 of the PGP program and was the leader in the development of subsequent versions.
  2. PGP: Pretty Good Privacy by Simson Garfinkel, O'Reilly & Associates, 1995, ISBN: 1-56592-098-8.

There is a fascinating history of the PGP program that interweaves politics and law. One notes that technology is an equalizer: more than one hundred years ago in the Western USA, a Colt .45 pistol enabled a small man to stand up against a large bully; today encryption programs enable an individual to obtain privacy from a large government with massive resources. In the acknowledgments section of his book (p. xvii), Zimmermann says:

I used to tell a lot of lawyer jokes, before I encountered so many positive examples of lawyers in my legal defense team, most of whom work pro bono.



created 7 May 1998, modified 13 June 1998
http://www.rbs2.com/email.htm
