Two employees have a heated exchange.
One describes the altercation in an e-mail- expletives and all – and intends to send it to a co-worker down the hall. Then, the employee cools down and erases the message before hitting “send.”
No harm, no foul, right?
Not necessarily, according to Andover, Mass. employment attorney William E. Hannum III, who notes that in some cases it doesn’t matter whether the employee actually sends the message since the damage may already be done.
Hannum says in one case an employee who, through her company’s computer and e-mail system, drafted an e-mail blasting her boss. After taking out her frustrations on her keyboard, however, the employee took a couple of deep breaths, erased the nasty note, and instead sent a toned-down version to a friend.
But thanks to something called “keystroke” software, her boss was able to intercept and read the original lashing – even though it was never sent.
Meanwhile, though a recent 1st Circuit case charging a company executive with violating the federal Wiretap Act for intercepting e-mail initially caused a stir in terms of limiting workplace electronic surveillance, lawyers say workers’ expectation of privacy should remain low.
“[An employer] can watch as much as it wants so long as it gives fair notice,” says Hannum.
John G. Palfrey Jr., executive director and law lecturer at the Berkman Center for Internet & Society at Harvard Law School, agrees.
However, Palfrey, notes that looking into the proverbial legal crystal ball, particularly when it comes to the constantly shifting world of technology and the Internet, is a futile effort.
“It’s tricky to know how something that is a general opinion will apply to future fact patterns,” Palfrey remarks.
He adds that superimposing one set of laws on another makes it hard to know exactly what the outcome will be.
But are there lines an employer can cross that might prompt a jury to find that an employee should have some level of privacy in what they write and send over the Internet, even if it’s done with an employer’s hardware and software?
“[Workplace] privacy is a balancing test – balancing the expectation of an employee for privacy to the needs of an employer to run a business,” explains Chestnut Hill, Mass. attorney Jonathan D. Canter, who has written articles on the subject.
Canter adds that it’s up to a jury to decide what is reasonable.
But other attorneys say that the “balance” will always weigh in the employer’s favor -even in those limited situations where employers have yet to draft policies pertaining to the use of company computer equipment for private use or even where they have not put their employees on notice that they are “watching.”
“Employees have no reasonable expectation to privacy when there’s an explicit policy saying that employees should expect no rights and the system belongs to the employer,” says Boston attorney Sharen Litwin, who typically represents employees. “It also seems to me that where employers do not disseminate written policies, even those employees lose for invasion of privacy.”
The ‘Councilman’ Case
In the recent 1st Circuit case, U.S. v. Councilman (Docket No. 03-1383), the federal government prosecuted Bradford Councilman, vice president of an Internet company that ran an online out-of-print and rare book listing service.
The company, Interloc, also provided an e-mail address to its book-dealer customers and acted as the e-mail provider, managing the e-mail service and the dealer subscription list.
The government alleged that Councilman, in violation of the Wiretap Act, used a software program to intercept, copy and store e-mail messages sent from Amazon.com to his customers, and that he read those messages in an effort to gain a commercial advantage over his competition.
Councilman argued that the messages were in electronic storage and therefore exempt from the scope of the Wiretap Act because the 1968 definition of “wire communication” was amended by the Electronic Communications Privacy Act to include “electronic storage” – but the definition of “electronic communication” was not.
The 1st Circuit rejected that argument, writing that “the purpose of the broad definition of electronic storage was to enlarge privacy protections for stored data under the Wiretap Act, not to exclude e-mail messages stored during transmission from those strong protections. Moreover, Congress’s sole purpose in adding electronic storage to the definition of ‘wire communication’ was to protect voice mail, and not to affect e-mail at all.”
The holding subjects Councilman to criminal prosecution.
Clearing up Confusion
At first blush, the Councilman ruling, which represented a split in authority in the federal circuit courts, seemed to implicate employers who regularly “intercept” electronic messages flowing to and from their employees’ desktops.
In fact, soon after the decision was handed down, Boston attorney Andrew Good, who represented the defendant, said implications from the ruling, particularly for workplace surveillance of e-mail, were “staggering.”
Good said “electronic communications providers, including workplace providers, have been monitoring electronic mail for many years relying on the test of [the Wiretap Act] and prior precedents. But for now, only in the 1st Circuit, these providers are exposed to criminal and civil liability.”
But as the dust settles, experts question whether Councilman has any affect at all on workplace privacy.
Marc Rotenberg, a Massachusetts attorney who works for the Electronic Privacy Information Center (EPIC) in Washington, D.C., says employee privacy advocates will have to look elsewhere to find protections.
“The federal Wiretap Act makes clear through the business use exception that employers are permitted to access the communications of their employees,” he says.
Rotenberg adds that his own view, “which isn’t exactly what the law requires, is that if you maintain a communications network you always have the right to intercept communications for maintaining the integrity of the network. But the law does not allow you to look for purposes of obtaining some kind of commercial advantage,” he explains, referring to the Councilman holding.
Canter notes that the exemption in the Wiretap Act “is for activity done in the ordinary course of business, so generally it doesn’t implicate [workplace communications] unless there is something extraordinary about what the employer is trying to do.”
But, say attorneys, employers have plenty of legitimate reasons to retrieve and review electronic employee communications that have nothing to do with gaining a competitive edge.
Employers can and should have every right to know how much time their employees spend surfing the ‘web, shopping online or e-mailing friends, lawyers agree.
And for more obvious reasons, employers need to know whether workers are accessing unsavory online content that could potentially get the employer in trouble.
Perhaps that is why it’s not at all uncommon for employers to pay close attention to what their employees do online. According to the 2005 Electronic Monitoring & Surveillance Survey conducted by the American Management Association, 36 percent of employers track content, keystrokes and time spent at the keyboard.
Fifty percent of employers, according to the study, store and review employees’ computer files, while 55 percent retain and review e-mails specifically.
And so long as employers either have an explicit policy in place or put their workforce on notice that they will be watching and reading e-mail communications sent through their systems, there is no foul on their part.
Crossing the Line?
But can employees have some expectation of privacy when it comes to the content of messages sent through their employer’s computer via their private e-mail accounts?
The short answer is “no,” though intercepting messages sent through private accounts, although possible, is somewhat more challenging than simply reviewing those sent through an employer-provided account, according to Hannum.
And while employees sign away their privacy rights to electronic messages sent at work, the balancing test Canter speaks of could begin to tip in favor of the employee if a jury gets involved.
“That’s where it gets sticky – where the employer gets overly concerned with matters that don’t seem to implicate or affect the business whatsoever,” Canter says.
And what about that keystroke software that can track deleted e-mails that were never actually sent?
Litwin says that, too, may be getting “closer to the line.”
But the circumstances where employers take the time and effort to read their employees’ Hotmail messages sent to friends and family or to track their employees’ every key stroke are rare, attorneys agree.
But management-side attorneys say companies should review their policies in light of the Councilman ruling.
“[The case] heightens the need for employers to adopt appropriate policies and disclosures to their employees about the possibility that their e-mails and other electronic communications can be intercepted,” says Hannum.
He adds that it also may be worth having employees sign consent forms or have dialogue boxes that workers must click, agreeing to or referencing the terms of use of the company’s computer equipment.
Litwin suggests that employers, instead of taking a Draconian approach to their policies about private use of company electronic communications, should build in some leeway so that employees don’t feel they are in violation of company policy any time they send a private e-mail.
“I usually tell employers to say that employees can use the Internet and e-mail occasionally, but that they can’t disseminate offensive materials,” says Litwin.
Hannum agrees.
“E-mailing a buddy through a Hotmail account is unproductive time at work, but some employers should take a kindler, gentler approach and say that during work hours minimal personal use is [permissible],” he advises.
Questions or comments can be directed to the writer at [email protected].