By SHANNA GHAZNAVI
Electronic privacy rights for employees in company networks remains unclear.
Most lawyers agree that, under present laws, workers do not have privacy rights on in-house computer systems unless their employer explicitly gives them those rights, according to Larry Berg, a Net law specialist.
A recent Gallup poll stated 90 percent of all large companies, 64 percent of mid-sized and 42 percent of small businesses use e-mail. More than 40 million workers correspond via e-mail. According to the poll, that number is increasing by 20 percent each year.
With more than three billion inter-office messages being sent each month, according to the Gallup poll, many lawyers suggest that companies have a clear e-mail policy in place.
“Employees may think they have privacy, but I would not bet my career on it,” said David C. Kurland, a human-computer interaction specialist.
In 1986, the Electronic Communication Privacy Act outlawed the interception of e-mail by anyone not a party to the communication.
There are, however, exceptions to the ECPA. The act defines electronic communications as “any transfer of signs, signals writings … transmitted in whole or in part by a … system that affects interstate or foreign commerce.”
Some courts rule against an employee’s right to e-mail privacy in the work-place based on the assumption inter-office e-mail is not encompassed by the ECPA since it does not affect interstate or foreign commerce.
Also, there is no ECPA violation if an e-mail system provider intercepts communications “in the normal course of employment while engaged in an activity … for the protection of the rights or property of the provider,” according to the act.
In 1994, a Subcommittee on Labor-Management Relations approved the Privacy for Workers and Consumers Act. This act would require employers to notify workers when they are being electronically monitored or recorded while working.
Little action has been taken with respect to this proposed bill, according to more than one legal website.
An appropriations committee in Colorado is also considering a bill which would require private employers to notify employees about their privacy policies for e-mail. This bill would also limit the availability of e-mail that can be obtained under the state open-records law.
An employee’s right to e-mail privacy is largely governed by state tort law, or “a wrongful act other than a breach of contract for which relief may be obtained in the form of damages or an injunction,” according to Webster’s Dictionary.
A portion of tort law forbids “unreasonable intrusion upon the seclusion of another.”
According to a legal website, the courts examine “the degree of intrusion, the context, conduct and circumstance surrounding the intrusion, as well as the intruders’ motives and objectives, the setting into which he intrudes and the expectations of those whose privacy is invaded.”
“It is my understanding that I have no expectation of privacy at work,” Kurland said in an e-mail interview. He said he does not expect privacy because everything at his workplace belongs to his employer.
“The abdication of the right of privacy is not necessary in order to facilitate performance evaluations or to maximize profits,” Berg said.
He also said if policies and procedures in the workplace create a reasonable expectation of privacy, and then those policies change without adequate notice to all affected, “the change should constitute an invasion of privacy.”
Using tort law, a Pennsylvania U.S. District Court ruled that there was no reasonable expectation of e-mail privacy in the Michael Smyth v. Pillsbury case, even if the employer had repeatedly promised that employee e-mail would not be intercepted.
Smyth’s employer had intercepted an e-mail message in which Smyth had threatened to kill sales managers. After his dismissal, as a result of his e-mail, Smyth brought suit against Pillsbury claiming that his rights of privacy had been violated under public policy and that he had been wrongfully discharged.
For more information on the Smyth v. Pillsbury case, see www.leepfrog.com/E-law/Cases/Smyth_v_Pillsbury.html.
Jonathan Wallace, general counsel and vice president of operations at Pencom Systems Inc., said he didn’t think the district court had a solid understanding of the technology underlying e-mail.
The court ruled no one should have an expectation of privacy in mail sent via an e-mail system “utilized by the entire company.” On a legal webpage Wallace said, “This, of course, is tantamount to saying that you shouldn’t assume the privacy of mail sent U.S. Post, because the postal service is used by everyone.”
Another reason Wallace said he doubted the court’s ruling was the fact that
The court never mentioned the ECPA in its ruling.
A Boston Law firm, Lucash, Gesmer and Updegrove, agrees with the District Court’s ruling in its online technology bulletin.
“There is not constitutional ‘right of privacy’ for this form of communication (e-mail), since the Constitution protects U.S. Citizens only from certain intrusions by government, not by private companies.” This bulletin, at www.lgu.com/cy50.htm., does not mention the ECPA.
A California court of appeals differed in a case similar to Smyth v. Pillsbury. According to the California court, in the case of Semore v. Pool, “the employee’s privacy expectations must be balanced against the employer’s interests. … We think that there is a public policy concern in an individual’s right to privacy.”
The Semore v. Pool case did not deal specifically with e-mail privacy, but it is an example of a case where the court system interpreted public policy in favor of the employee.
A legal website recommends workplaces consider employee privacy rights; disclosure of confidential information; the right of unions to access company employees via e-mail; and the rights of third parties to obtain access to company records.
The same security issues are not as big as a concern on the Internet. Unlike e-mail on an internal or company network, e-mail on the Internet is not routed through a central control point. Though it is possible for Internet e-mail to be viewed by computers between the sender and the recipient, third party interception is unlikely.
Internet e-mail is usually “packet” technology which breaks the message into pieces which may travel through different paths until reassembled for the recipient of the message, so third-party interception though, not likely, is still possible. In addition, e-mail can be encoded using passwords, test keys and encryption,according to a technology website.
Some other sensitive e-mail issues include defamation, sexual harassment, confidential information and inadvertent disclosure.
For more information on e-mail privacy see www.epic.org/alert and www.eff.org/pub/Legal/email_privacy.citations.