All,
I know the original poster seems to have moved on, but here is a legal
mini-backgrounder from a law student who's done assistantships on several
IP cases involving e-mail privacy (I think some responders were sorely
underinformed about the complexity of an employer's "ownership" of data
generated by and stored on their systems--it's not so simple):
E-mail communications are governed by the Electronic Communications Privacy
Act (ECPA) of 1986. ECPA explicitly prohibits (like a trailing "deny all"
in an ACL) the real-time interception, off-line access, and subsequent
disclosure of e-mail, with the following exceptions:
- CONSENT EXCEPTION (CE): This exception states that when a single party
involved in said communications has consented to the interception or access
before it occurs, the prohibition does not apply. The provider of the
service itself (IT dept, ISP, telco) does NOT constitute a party under the
law, BUT both ends of the convo, sender and receiver, are parties whose
consent makes the whole convo eavesdroppable. You can think about many
consequences of single-party consent: for instance, if someone is sending
corporate secrets to someone at another company, but the receiving
company's management is secretly cooperating with the sender's management
in order to nab the sender (maybe a good-faith gesture!), the comms may be
monitored without much of a legal hangup. The CE directly applies to
published and agreed-upon (through clicking on "Yes" on login, etc)
corporate communications policies, which is why they're so important. (In
the world at large, single-party consent is also what allows you to
surreptitiously tape a conversation with just about anyone you want--as
long as you are really IN the convo and not just sitting quietly as a third
party--but separate regs apply to what you DO with the recording, of course.)
The CE does leave room for "implied consent," but the precedents are rather
fuzzy. It is not enough, under this exception, to assume that employees
"just know" that an employer is watching...for the CE, there generally have
to be policies published in some form regardless, but implied consent
allows for some flexibility in what constitutes "approval," i.e. whether
you kept working at a company after you knew of their policy, even if you
never actually signed anything, or whether you could have been expected to
have heard an announcement made over the PA on a given day.
- ORDINARY COURSE OF BUSINESS EXCEPTION (OCBE): This exception states that
the prohibition does not apply if the employer's actions can be perceived
as "in the ordinary course of business." You might think that this is a
catch-all, but case law suggests it is not so. The question here is
whether the scope of an employer's surveillance realistically reflects the
danger to the employer's business. For instance, recording all calls made
to and from a McDonald's franchise without telling the employees would not
generally be legal, precedents suggest...but supposing that the franchise
were the one in NYC in which several employees were murdered last year
during an inside-job robbery, the courts would probably see it
differently. Again, if the CE does not apply, meaning that an employer has
effectively taken no action to alert employees to corporate surveillance,
the OCBE will NOT always fill in the gap.
- SYSTEM PROVIDER EXCEPTION (SPE): This one exempts "system providers" from
the prohibition, which has been variously interpreted as only including
commercial providers such as ISPs and as covering the whole range of public
and private infrastructure providers. This is a big one, but it really
hasn't been tested enough in court to warrant a clear
preceding interpretation. In one big case, a defendant specifically used
the lack of publicized corporate policy to win a first trial, then lost on
appeal due to SPE.
- CONTEMPORANEOUS REQUIREMENT EXCEPTION (CRE): This exception does not
appear in ECPA, but several courts have interpreted the ECPA to suggest a
fourth exception that is quite inflammatory and appears to give employers a
"back door," provided they conduct themselves from the outset with the CRE
in mind. Basically, the CRE says that e-mails no longer in transit (i.e.
on backups) are completely exempted from all surveillance
prohibitions. Interesting, eh? But remember that if the ECPA has been
violated as regards a given employee, it won't matter that the same company
LATER abided by the ECPA, using the CRE as their targeted exception. Once
an employer has violated the act, it is liable for that violation,
regardless of subsequent by-the-books activity, and most employers would
not want to be involved in a suit-and-countersuit matter.
With all the differing interpretations of the ECPA, you'd think that
Congress would've found a more up-to-date and clearer successor to it, but
an attempt in 1993 failed, as did several others, so the ECPA still
stands. One would also want to look into any employment contracts signed
by those whose messages he intercepted, as there's a possibility that these
detailed a corporate hierarchy (they are/were directors, he a sysadmin) in
which their communications were explicitly deemed confidential and thus to
be shielded from those lower on the totem pole...such provisos are
sometimes built into executive contracts to protect an executive team from,
for instance, the trickle-out of the truths behind "morale-boosting"
(mis)representations of a company's cash situation. If this contingency
existed in their contracts, the mere act of "peeking" done by anyone other
than the directors' managers could have been a contract violation; this is
a good reason to use an automated content checker which would forward
messages to the higher-ups without human intervention, as then management
is doing the hands-on work.
On another note (sorry to run on), Dan introduced the concept of "libel" in
one of his posts--I don't know what the exact text of the e-mail was, but
be aware that insults and epithets, like "Sandy's the most arrogant
sysadmin I've ever seen," that don't really have objective true/false
qualities, usually can't be libelous. If provable facts are
misrepresented, like "Sandy's late every day," there may be a case. Also,
as for the idea of Dan's neglecting to forward the inflammatory e-mail
being itself criminal, this is unlikely--failure-to-report cases
necessitate knowledge that a felony is being committed, and it should be
obvious that, given that he is a techie and not a lawyer, Dan could not
reasonably be expected to "know" this; IP infractions, though they may be
felonious, are much harder for the average person to pinpoint than, say,
child abuse or rape. On the other hand, speaking strictly in terms of
grounds for dismissal, COMPANY policy might punish the failure to report a
breach of security or usage policies.
Well, the upshot of all of this is, as many noted, "Get a lawyer." There
simply is not enough case law out there, especially not at the Supreme
Court level, to draw privacy-related conclusions based on the data that Dan
provided. I would welcome further discussion of such topics in this forum,
though some pure-techies might object, and I'd be happy to recite some
interesting case law.
Best,
Sandy
P.S. One would also wonder whether or why Dan used his real name on this
ML...I don't know if anyone's serving up archives anywhere...
At 01:13 AM 6/16/2001, you wrote:
>Dan you have Subject Matter Authority. you can speak as to when, where,
>how, but not why.
>
>leave that to line authority, it keeps your algorithmic problem solving
>wisdom pure.
>
>you're not a sellout if you go to mgmt. with it. go to the first line
>immediately above you.
>if God forbid you are somehow harmed in this, first realize, email admins
>are still not walking around with will work for food signs: a company that
>burns me for being honest just lost valuable talent, and a large piece of
>their own credibility in the business community, because i'm very frank
>about my long history of personal failure in an interview. in my experience,
>documentable failure pays better than undocumentable success.
>i have to assume that they'll check my references. my amateur advice? what
>would i do? bang on the piano a while then pray or meditate, get some peace
>first.
>
>get some legal advice, pay for it if you have to upfront, your good name is
>priceless. if they hear you, you've gained your adversary's heart and mind.
>if they don't, they weren't worth having at any rate of pay. this is my
>last raving lunacy on this thread, it's becoming like kicking a dead whale
>down the beach. cumbersome and tiring. help yourself man, get a lawyer.
>i hope i don't ever find out what you're going through. it sounds rough.
>help yourself quick, then others will join in and help you.
>----- Original Message -----
>From: "Dan Evans" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Sent: Thursday, June 14, 2001 07:14 PM
>Subject: Re: [IMail Forum] A tricky moral problem
>
>
>|
>| ----- Original Message -----
>| From: "Patrick Mathews" <[EMAIL PROTECTED]>
>| To: <[EMAIL PROTECTED]>
>| Sent: Thursday, June 14, 2001 2:38 PM
>| Subject: RE: [IMail Forum] A tricky moral problem
>|
>|
>| > pray, call a lawyer, because 'coming across an email' may also raise cause
>| > for concern. if the mail was posted to a public forum. no problem. if it
>| > was shown you by a recipient, no problem. an accidental viewing? problem.
>| > accidents happen, but when they do, someone is always left holding the
>| > bag...
>|
>| Which is what we have here, and I have the bag at the moment :0(
>|
>| Dan
>|
>|
>| Please visit http://www.ipswitch.com/support/mailing-lists.html
>| to be removed from this list.
>|
>| An Archive of this list is available at:
>| http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
>|