Printer Friendly

Electronic mail and privacy: can the conflicts be resolved?

With 12 million people now using electronic mail systems to convey messages to one another, and millions more expected to embrace the process soon, what pitfalls lie ahead in keeping personal and corporate messages private? Should privacy exist at all? How do you guard against misuse? Recent events involving the unforeseen consequences of electronic mail are descriptive of the uncharted waters of this new practice.

Oliver North, the now famous Marine officer at the heart of the Iran-Contra scandal, used an electronic mail (E-mail) system to communicate with staff at the White House. When it was apparent that he would be charged with illegal activity, he shredded paper documents and purged E-mail messages that might be incriminating. Unbeknownst to him, messages on the E-mail system were routinely copied by a backup procedure. It was from these backup tapes that evidence was retrieved and used against him in both the Senate hearings and criminal proceedings.(1)

At its inception, Prodigy Services (a popular electronic database service) offered subscribers a flat rate monthly charge for all available services, which included E-mail. Prodigy found that some customers were using the system for mass mailing instead of personal messaging. To deter this practice, Prodigy instituted a limit of 30 free messages each month and imposed a 25-cent charge for each additional message. Prodigy was sued in three states for deceptive advertising.(2)

An Epson Corporation employee alleges she was fired from her job because of her objections to her employer's practice of monitoring employee E-mail messages. She subsequently sued, and litigation is pending in the California courts (more about this later).

In the waning days of the Bush administration, a federal court in Washington ordered the White House not to erase backup computer tapes containing E-Mail messages. The White House argued that existing law requires only paper records be preserved, but the court was not impressed. Other questions spin as a result of this development. Are White House E-mail messages "presidential documents, " or are they in the same category as phone calls? "If the President and House majority leader trade E-mail messages, has a meeting occurred?"(3)

When we talk about E-mail systems, we talk about a process in which messages are electronically transferred from one computer terminal to another. E-mail systems messages can be answered, annotated, commented on, saved, converted into documents, or printed.(4) More formal than a telephone call but less formal than a memo, E-mail eliminates that bane of modern communication, "telephone tag." Its growing popularity was never more apparent than during the last U.S. presidential campaign. President Bill Clinton's campaign team used E-mail extensively during both the campaign and the transition.(5)

Conflicts in the Workplace

The widespread use of intra-company E-mail systems has been accompanied by an increase in problems between the corporate employers as providers of the systems and the employee users. We identified five specific problem areas: encryption, frivolity, privacy, harassment and multiple backups.

Encryption - A serious problem involves sending confidential business documents through an intra-company E-mail systems. E-mail systems store messages in standard data files. If the messages are not encrypted, it would be possible for a sophisticated user to retrieve and read messages that were thought to be confidential. Encryption is the process by which data in their readable form, or clear text, are encoded into an unreadable form (called cypher text] to ensure data security.

Frivolity - Corporations encourage the use of E-mail to enhance communication among employees. However, corporations do not want employees to use E-mail for personal or frivolous communication. One way to control the use of E-mail for the latter purpose is to monitor E-mail communication. However, monitoring opens a can of legal worms.

Privacy - Employees have an expectation of privacy in their communication, whether it is via paper memoranda, telephone, or E-mail. The corporate need to manage a productive operation contrasted with this expectation of personal privacy leads to conflict.

Harassment - The features of informality of correspondence, ease of use, and no face-to-face communication provide an opportunity for actual or perceived harassment. There are unpublished cases in which women in an organization have been the object of sexual harassing E-mail letters from a fellow employee. The employee retained anonymity by using the computer identification of another worker. The feature of informality also sometimes leads to E-mail messages being misinterpreted as harassing, although it was not the intention of the author.

Multiple backups - The standard procedure of "backing up" the messages stored as a file on disk to another medium is routinely performed to ensure that data will not be lost in case of system failure. The damage this would cause is so severe that multiple backups are often kept. This poses the following problem to both the user and the corporation: If the recipient of a message instructs the E-mail system to delete a message, how does the user know that the message had not been previously saved on a backup tape? If it has, the E-mail system does not have the capability to delete the message from the backup tape(s). Most corporations have paper document retention policies that reduce the risk of theft of data and also reduce exposure in the event of litigation. The backup of data compromises the retention policy because it is difficult to know if copies of a message have been deleted from all backups.

A Developing Legal Environment

The emergence and continuing integration of intracorporate E-mail systems is challenging the statutory, regulatory, and case law developments that define the limits of personal privacy within a corporate setting. The variety of forms of electronic communication are not protected by the constitutional right to privacy established by the United States Supreme Court. Thus, guidance concerning the limits of individual privacy rights must come from other sources.

The fundamental issue of privacy relates to ownership of the E-mail systems and its status relative to communication outside the in-house E-mail systems. Legislation concerning issues of E-mail systems and privacy is in the developmental stages. Federal legislation centers on the Electronic Communications Privacy Act of 1986 (ECPA), and state laws have not yet focused on this specific issue.

We will focus in part on the impact of the ECPA and its potential for resolving the conflicts presented herein.(6) Despite the lack of constitutional safeguards, the ECPA moves in the proper direction. This legislation provides guidelines for both criminal actions and civil remedies.(7)

Congress enacted the ECPA for two primary reasons. First, it was intended to be the legislative vehicle to protect all electronic communication systems, including E-mail systems, from outside intruders. Second, it was intended to protect the privacy of certain messages in transmission over public service E-mail systems.(8)

The ECPA qualifies the privacy coverage for E-mail systems by classifying use based on whether the network is intended for public or internal access. Classifications of these communications fall within three broad categories: messages exchanged within internal E-mail systems that are used solely for interoffice communication are not subject to the privacy provisions of the ECPA and therefore can be read by the company; messages exchanged within internal E-mail systems that allow access from outside the company, such as placing orders, can be read if either the sender or receiver gives permission; and messages exchanged over public E-mail systems, such as MCI Mail, cannot be read by anyone other than the sender and receiver. Violation of user privacy in the third instance is a felony.(9)

Employees Sue Epson

A class action lawsuit was filed in July 1990 against Epson Corporation over a personnel dispute surrounding employee use of its E-mail systems. The issue presented by this case revolves around ownership of communications on E-mail systems. Dismissed employee Alana Shoars contended that the manager of Epson's HP computer system illegally tapped messages passing through a gateway between the HP system and its external MCI Communications Corporation E-mail systems. Epson's unofficial policy has been to read only those messages snared through routine network administration or troubleshooting. Ms. Shoars claimed she was fired as E-mail systems administrator after she protested the alleged capture and printing of "thousands" of password protected messages by Epson.(10)

Epson has said that the firm dismissed Ms. Shoars for "gross misconduct and insubordination".(11) Noel Shipman, Ms. Shoars attorney, is relying on the California Penal Code for support in the suit. The code requires prior authorization from all parties involved in a communication before it is legal to intercept it.(12)

The uncertainty surrounding the interpretation of the ECPA and other sources of federal privacy law justifies why Shoars' case was brought under California statutes. California is one of only ten states whose constitution explicitly guarantees people privacy. It is also considered to be among the most favorable in the nation regarding workers' rights.(12) The ultimate resolution of this case will provide additional guidance to both employers and employees.

Congressional Action:

The Leahy Committee

Senator Patrick Leahy chairs the Senate Judiciary Subcommittee on Technology and the Law. He assembled a task force in August 1990 to explore the need for amendments to the ECPA in light of advances in technology that might have an adverse affect on the privacy protection embodied by the statute.(14)

The task force was charged with the examination of current developments in a wide array of emerging technologies and the impact of those technologies on the law. The task force examined a number of new areas including E-mail systems and concerns about the privacy of electronic messages carried on private networks.(15)

The task force found that the ECPA has generally served to protect the privacy of electronic communication. The task force specifically reviewed "... the nature and extent of an employer's duty to respect the privacy of electronic mail sent within the workplace by employees."(16) The committee found that because intra-company E-mail systems are not generally open to the public, employers may have a legal right to control access and disclosure of E-mail messages.

Although the Leahy Committee decided not to recommend changes in the ECPA, it did recognize that intra-company use of E-mail is growing, and there may be a need in the near future to amend the statute if a government agency seeks access to E-mail records.(17) The committee did, however, make several important recommendations: that employers adopt clear policies regarding use of intracompany E-mail, that employers provide employees clear notice concerning access to electronic mail, and, that employers adopt basic procedural safeguards before conducting searches of employees' E-mail files.(18) Resolution of the issue by legislative means is undoubtedly years away. This means that clear communications of company policy is necessary.

Corporate Solutions

Corporations can attack these conflicts in two ways: first, by implementing technological innovations, and second, by developing clear company policies about the use of E-mail systems by employees and managers.

Although E-mail in its current form will lead to widespread use, it will experience a further surge as it becomes the foundation for more advanced corporate applications. For example, a recent advertisement for a current E-mail package has a feature that provides form definition within the E-mail system. The E-mail system will route the form to appropriate users based upon values filled in on the form. The later version will permit the user to select a form such as an expense report, fill it out, and send it to a superior who will electronically sign it for approval and send copies to the appropriate people. By applying intelligent rules that you can base on content, the form will know where to route itself. For example, if the claim is for more than $10,000, the form will automatically be forwarded to a senior bank officer.(19)

There are a number of methodologies within E-mail systems designed to ensure privacy. The two most important features are password restriction and encryption of messages. Please note that the features discussed are generally available on current versions of E-mail packages. There are older E-mail systems that do not support either password restriction or encryption.

Most multi-user computer systems require passwords to gain access to the system. Although this will stop some non-authorized personnel from using the system, it still will leave the door open for authorized users to observe or change data that are private. To deter this activity, E-mail systems provide for the administration of user identification passwords. This facility allows only those users who are authorized to use E-mail to send and receive messages.

To ensure privacy, some E-mail systems provide encryption facilities. Through encryption, users can encode their messages so that only the intended recipient can read them. The encryption schemes vary in sophistication. The result is a variety of levels of difficulty to break the cypher that supports the encryption scheme. Although it is theoretically possible to provide an encryption scheme that is impossible to crack, no commercially available packages do so at this time. However, many of the packages do provide the means to make it practically impossible for one user to read or change another user's E-mail messages.

All encryption schemes are based on "keys" that are used to encrypt and decrypt a message. A key is either the user's E-mail password or a word that the user selects. These schemes are useless if users are not diligent about protecting their keys. Corporations wary about privacy should enforce routine changes of passwords on a periodic basis for all users.

A by-product of encrypting E-mail data is that the problem of backups of E-mail files is diminished. Because backup procedures make exact copies of disk files, the data on the backup medium are also encrypted. Thus anyone trying to read E-mail messages from the backup tape would be stymied by the encryption mechanism.

Most all E-mail systems automatically save the name of the sender with the text of the message. The E-mail system displays the name of the sender (or his or her E-mail identification) within the displayed message. If a user is harassing another employee, it would be easy to trace a message to the sender. One weakness in this enforcement procedure arises when users do not sign off from the system when leaving their desk. A user who wants to send an abusing message can do so at an unattended terminal without fear of being caught. Therefore, it is a good procedure to require users to sign off when leaving their terminals.

Finally, those corporations that wish to provide security for users but retain the ability to monitor messages face a dilemma. If they select an E-mail system that provides strict encryption, it is impossible for managers to monitor messages. If they purchase a package that allows E-mail administrators to read messages, there is an opportunity for unauthorized users to read those messages.

The development of a company policy is a clear first step to avoid some of these conflicts. E-mail is a communication technology that will grow in importance and enhance an assortment of other forms of corporate communications. Also, the integrated use of inter- and intra-company communication networks will further complicate these issues. Early development of well articulated company policies will provide an excellent basis for improved employer-employee relations, employee morale, and the perception of the company by its employees.

Policy ingredients Outlined

In a White Paper commissioned by the Electronic Mail Association, it is suggested that many constituencies have a stake in the development of such a policy. These include not only employers and employees, but also third parties such as law enforcement and government officials.

The White Paper notes two specific issues that the corporate policy must address. The first is whether an employee has a right to privacy requiring the employee's consent before the employer may gain access to corporate records that happen to be under the employee's control. The second is the personal use of the corporation's traditional or electronic communication networks.(20)

The criteria suggested in the White Paper for establishing such a policy are: a. Does the policy comply with the law

and with duties to third parties? b. Does the policy unnecessarily compromise

the interests of the employee,

the employer, or third parties? c. Is the policy workable as a practical

matter and likely to be enforced? d. Does the policy deal appropriately

with all different forms of communication

and record keeping within the

company? e. Has the policy been announced in

advance and agreed to by all concerned?(21)

We have identified the following

additional criteria: f. Does the policy identify the company-sanctioned

uses for E-mail? Is noncompany

business use acceptable and,

if so, by whom, for what, when, and

how often? g. If noncompany use is permitted, will

that type of communication be subject

to the monitoring, access, and

procedural constraints?

The development of the policy incorporating the above criteria should be a priority. The policy should address the needs of the various constituencies served by the E-mail system. The consensus reached during the development of the policy will only enhance the chances for successful implementation of such a policy.

In addition the company should identify how it will monitor E-mail. For example, will only the existence of the transaction be monitored or will the content of the message be checked? Once the form of monitoring has been established, will employees be notified when the monitoring takes place?

Having identified the type of transaction to be monitored, the firm should develop procedures for the use of E-mail. That is, a framework of notice and review requirements should be be instituted that will afford both employer and employee adequate opportunity to protect against, and be protected from, abuse. The procedural aspects of the disclosure of the contents of the E-mail must be established to ensure that sufficient review is undertaken to avoid unwarranted disclosure.(22)

The use of E-mail systems seems destined to explode. But as we have seen, conflicts have already arisen as a byproduct of this growth.

Louis Maltby, an American Civil Liberties Union lawyer, recently noted that "'s the usual pattern: the technology runs years ahead of the law..." when issues of privacy and E-mail systems are involved.(23) It is also apparently rare that a corporation will have articulated clearly its policy governing the use of E-mail systems, whether that use be company-related or personal.

The introduction of any new technology leads to confusion while the relationships that have been newly created adjust. E-mail will be the vehicle that supports the delivery of a broad array of data. Therefore, the anticipation of future problems and the ability to fashion creative solutions will result in a less stressful evolution of corporate and government personnel and E-mail systems.

Nuts and Bolts of E-mail

E-mail is a combination of software, hardware, and communications that allows a user to "send" messages to a user or set of users. The messages can be composed of text and images.

An "intra" organizational E-mail system allows users in the same company to send and receive data. This system can be implemented on one or many computer systems within the organization. The communication among users can be accomplished using a common communications carrier.

An "inter" organizational E-mail system allows data to be sent between users in different organizations. This system can also be implemented on one or many computer systems, with or without a common communications carrier.

E-mail in its simplest form is a computer program that stores and forwards messages from one person to another. Typically the sender types text and indicates the identity of the person (in the form of a computer I.D.) to whom it should be sent. The receiver, if currently logged on, will receive an alert that there is mail waiting to be read. If the receiver is not logged on when the message is sent, the E-mail program will wait until the next time the receiver signs on and will then alert him or her that E-mail has been sent.

It is important to note that E-mail programs actually store in a disk file the message the sender types - irrespective of whether the receiver is currently logged onto the computer. This is an essential technical consideration because this is the feature that allows for most of the E-mail abuses.

E-mail programs are commercially available on all platforms. These platforms range from PCC-networks to the largest mainframe. Although they have different advanced features, all provide at least the following: a. Allow users to type/edit messages and

send them to another user or set of users

as designated on a distribution list. This

function generally requires that senders

specify the intended receiver by some

form of I.D. designation. The system will

also display registered users of the E-mail

system. b. Allow receivers to keep messages and file

them in different electronic folders. c. Indicate to senders of messages the date

and time they are read. This information is

automatically sent to sendesr by the E-mail

program. d. Allow receivers to see all previously

unread mail and select only those items

they wish to read currently. e. Allow for forwarding of messages to other

users. This is particularly useful when a

message is incorrectly directed to a

particular user. A few simple keystrokes

will forward the message to the correct

user or group of users. f. Allow E-mail to run concurrently with other

applications. This approach is advantageous

because it enables the system to

notify users instantaneously that an E-mail

message has been sent. This occurs

irrespective of the application in use.

In addition, users do not have to terminate

the computer task they are currently

performing to read or respond to E-mail.

More advanced E-mail systems have expanded the type of information that can be sent. The following points briefly review these features: a. The ability to send image data along

with text b. The ability to send an existing text file c. The ability to send and receive FAX data d. Future E-mail enhancements will allow

receivers to set rules to sort incoming mail

to different folders based on a variety of


In general, E-mail packages are easy to use because they are analogous to sending paper memos. The terminology used to prompt a user through the preparation of a message is similar to that used in the manual preparation of a memo.

(1) Dennis Eskow, "Lawyer's Warn: Don't Back Up Your E-mail," PC. (2) "DA Probes BBS Practices at Prodigy," Barton Crockett, Network World, March 25, 1991, 4. (3) "E-mail to Gain an Ear At Clinton White House," THE WALL STREET JOURNAL, January 11, 1992. (4) "Where Does All the E-mail Go?," Conrad Blickenstorfer, Computerworld, July 22, 1991. (5) "Attention Clinton: Avoid E-mail Overload," William M. Bulkeley, THE WALL STREET JOURNAL, January 18, 1992. (6) For a discussion of the law pre-ECPA, see Ruel Torres Hernandez, "ECPA and Online Computer Privacy," Federal Communications Law Journal, Vol. 4, No. 1, 24-29. (7) Ruel Torres Hernandez, "ECPA and Online Computer Privacy," Federal Communications Law Journal, Vol. 4, No. 1, 18. (8) "E-mail Privacy Not Guaranteed: Some Systems Still Unprotected Legally," Nathalie Welch, Macweek, March 12, 1991, Vol. 5, No. 10, 12. (9) Ibid, 12. (10) E-mail Lawsuit Cranks Open Privacy Rights Can of Worms," Jim Nash, Computerworld, August 13, 1990, Vol. XXIV, No. 33. (11) "Epson E-mail: Private or Company Information," infoWorld. October 22, 1990, 66. (12) Ibid. (13) "Privacy at the Office: Is There a Right to Snoop?; Lawsuit May Set Limits On Firms' 'Eavesdropping'," Evelyn Richards, The Washington Post, September 9, 1990, H1. (14) Final Report of the Privacy and Technology Task Force, submitted to Senator Patrick J. Leahy, May 28, 1991, 2. (15) Ibid, 4. (16) Ibid, 18. (17) Ibid, 19. (18) Ibid, 18. (19) MailMan 1.0, Reach Software, PC World, August 1991, Vol. 9, No. 8, 108. (20) David R. Johnson and John D. Podesta, "Formulating a Company Policy on Access to and Use and Disclosure of Electronic Mail on Company Computer Systems," a White Paper presented for the Electronic Mail Association, October 22, 1990, 3-4. (21) Ibid, 5. (22) Ibid, 5-7. (23) Privacy Rulings Trail Technology," USA TODAY, July 8, 1991.
COPYRIGHT 1993 California State University, Los Angeles
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1993 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Title Annotation:includes related article
Author:Shannon, John H.; Rosenthal, David A.
Publication:Business Forum
Date:Jan 1, 1993
Previous Article:It's time for new thinking for a new age.
Next Article:Legal environment trends for the '90s.

Related Articles
Tips on balancing privacy rights at the job site.
Public Internet/Private Lives.
E-mail and the law: how to manage privacy issues using the AICPA/CICA framework.
E-mail intercept violates wiretap law, First Circuit holds.

Terms of use | Copyright © 2016 Farlex, Inc. | Feedback | For webmasters