FOR EDUCATIONAL USE ONLY
Emory Law Journal
*1439 ALL BARK, NO BYTE: EMPLOYEE E-MAIL PRIVACY RIGHTS IN THE PRIVATE
Alexander I. Rodriguez [FNa1]
Copyright © 1998 Emory University School of Law; Alexander I. Rodriguez
Under the secrecy of night, the owner of a large
communications company meets with his special private investigators at the back
entrance of the company building. The owner opens the door and the three
quickly make their way to an employee's cubicle. The investigators, also known
as forensic computer analysts, "bag" the employee's computer by
copying the entire hard drive onto a high-density disk. The team then logs onto
the company's e-mail server and downloads every message in the employee's
account. After a final search, the owner concludes that every pertinent file
has been copied and they exit the building. With any luck, the owner will find
what he was looking for: documentation revealing the employee's secret
correspondence with an on-line job search service. [FN1]
Investigations of employee e-mail, such as the one described above, increased an average of thirty percent each year from 1994 to 1996. [FN2] For the tens of millions of employees who are provided e-mail accounts by their employers, [FN3] these types of investigations may constitute illegal invasions of privacy. Such claims often turn on the nature of the employer, chiefly because the constitutional right to privacy provides protection only against public employers and not private employers. [FN4] For the most part, the activities *1440 of private employers are subject to state law guidelines, but as the percentage of privately-owned companies providing e-mail accounts to employees continues to grow, [FN5] state law is similarly failing to provide acceptable levels of e-mail privacy protection for such employees.
The effects of technological innovation have made the lack of adequate privacy protection for employee e-mail even more troublesome. [FN6] People across the world are using e-mail at increasing rates. [FN7] Moreover, the ongoing shift from the use of "stand-alone" computers to networked systems, integrating hundreds of terminals, is leaving personal information dangerously vulnerable to interested parties. [FN8] Independent surveys confirm that workplace monitoring is common practice among employers. A 1992 study by the National Institute for Occupational Safety and Health concluded that nearly sixty-six percent of all employees who have access to a computer are *1441 electronically monitored. [FN9] Recently, from a survey of companies employing a total of approximately one million workers, Macworld estimated that twenty million employees were subject to some type of electronic monitoring while on the job. [FN10] The pervasiveness of e-mail monitoring combined with the ease with which private network providers can infiltrate employee accounts is alarming. But should private employers be allowed to have indiscriminate access to e-mail accounts on networks financed, installed, and maintained by corporate funds? Conversely, should, or do, employees have a right to privacy shielding them from this form of corporate espionage?
At best, the law provides ambiguous answers to these interdependent questions. At worst, the law favors the interests of private employers who are also network providers. Private employers are given great latitude in monitoring their own e-mail systems, but under certain ill-defined circumstances, employees may invoke a right to privacy barring corporate access to their e-mail. As a general rule, to win an invasion of privacy suit against any type of employer, an employee must first be able to prove an expectation of privacy that outweighs the employer's reasons for monitoring. [FN11] But because employees are, by definition, agents of the employer, workplace monitoring is considered by many to be immune to reasonable privacy expectations. [FN12] On the other hand, opponents of employer monitoring assert that employees consider e-mail a form of private property [FN13] and that unregulated employer monitoring retards the benefits e-mail offers. [FN14] Those who wish to strengthen employee e-mail privacy rights point out that most courts rule in favor of employers when employees are merely given advance notice that monitoring will occur. [FN15] Conflicts between employers and employees arise largely from these opposing concepts regarding the nature and use of e-mail. [FN16]
*1442 Suggestions as to how employee e-mail privacy can be improved must not only protect the remarkable benefits of e-mail use in the workplace, [FN17] but must also consider a future where e-mail may become the primary means for worldwide communication. As such, Part I of this Comment analyzes the various sources of the right to privacy as applied in the workplace environment, including the United States Constitution, state constitutions, federal legislation, state legislation, and state common law. [FN18] Part II reviews several proposals offered by legislators and legal scholars to strengthen employees' right to privacy over e-mail. [FN19] Expanding on these existing suggestions, Part II also presents a statutory presumption, whereby an employee would be presumed to have reserved her right to e-mail privacy unless expressly waived, as a possible means for strengthening the right to e-mail privacy in the private sector workplace. [FN20] Finally, to help those urgently in need of e-mail privacy protection, Part III offers two self-help solutions now available to interested employees: anonymous remailers and encryption software. [FN21]
I. Sources of the Right to Privacy
A. United States Constitution
The right to privacy is not expressly mentioned in the text of the United States Constitution. However, in the landmark case of Griswold v. Connecticut, [FN22] the Supreme Court determined that "specific guarantees in the Bill of Rights have penumbras, formed by emanations from those guarantees that help give them life and substance. Various guarantees create zones of privacy." [FN23] Specific guarantees in the Bill of Rights do not explicitly provide for *1443 a right to privacy, but in the employment context, the right is usually derived from the Fourth Amendment, which states: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated." [FN24]
United States Supreme Court case law has shaped the substantive limits of the Fourth Amendment right to privacy. In the seminal case of Katz v. United States, [FN25] Justice Harlan effectively established the "reasonableness" test, a standard which still serves as the method of analysis for claims invoking the constitutional right to privacy. This balancing test weighs relevant govern-ment interests against the individual's expectation of privacy. [FN26]
The first case to consider the application of Fourth Amendment privacy protections in the workplace context was O'Connor v. Ortega. [FN27] In this *1444 decision, the Supreme Court determined that the "reasonableness" test, rather than the express Fourth Amendment requirement of a warrant supported by probable cause, would apply to searches and seizures conducted by public employers. [FN28] The facts of Ortega were as follows: Dr. Magno Ortega, Chief of Professional Education at Napa State Hospital ("Hospital"), claimed that employees of the Hospital conducted an illegal search of his office. At the time of the search, Dr. Ortega was the subject of a Hospital investigation stemming from various allegations of professional misbehavior. [FN29] In balancing Dr. Ortega's reasonable expectation of privacy [FN30] against the Hospital's need for "super-vision, control, and . . . efficient operation of the workplace," [FN31] the Court rejected the notion "that public employees can never have a reasonable expectation of privacy in their place of work." [FN32] Yet, the Court asserted:
The operational realities of the workplace . . . may make some employees' expectations of privacy unreasonable when an intrusion is by a supervisor rather than a law enforcement official. Public *1445 employees' expectations of privacy in their offices, desks, and file cabinets, like similar expectations of employees in the private sector, may be reduced by virtue of actual office practices and procedures, or by legitimate regulation. [FN33]
Due to the procedural posture of the case, the Court refused to decide whether the search of Ortega's office was reasonable. [FN34] Instead, the Court simply reversed the summary judgment in favor of Ortega, stating that "the record was inadequate for a determination on motion for summary judgment of the reasonableness of the search and seizure." [FN35] Nevertheless, by asserting that employer activity or regulations could affect an employee's reasonable expectation of privacy, the Court provided an avenue for public employers to significantly reduce or eliminate an employee's expectation of privacy in the workplace.
Because the Constitution limits only state actors, the Fourth Amendment right to privacy may seem irrelevant to a discussion of employee e-mail privacy rights in the private sector. [FN36] However, constitutional privacy jurisprudence has tremendously influenced judges confronted with invasion of privacy claims derived from other legal sources, such as state constitutions, state common law, and state statutory law. For example, the Katz "reasonableness" test is essentially the same approach used by state courts to analyze the common-law tort of invasion of privacy. [FN37] Thus, knowledge of the Fourth Amendment standard and how it has been applied to workplace privacy disputes is fundamental to an understanding of how courts examine claims based on other sources of a right to privacy. [FN38]
*1446 B. State Constitutional Law
Like the United States Constitution, most state constitutions do not expressly provide a right to privacy but do offer protections against unreasonable searches and seizures. [FN39] Similarly, judicial interpretations of these state constitutional provisions have, for the most part, limited the privacy right to protect only against government intrusions. [FN40] However, ten state constitutions do explicitly grant a right to privacy. [FN41] In general, courts of these states have created zones of privacy broader than the privacy protections granted by the Fourth Amendment, [FN42] but nine of these states still maintain that *1447 their constitutional right to privacy applies only against governmental agencies. [FN43]
California is the only state to have ruled that its constitutional right to privacy provides a cause of action against public and private entities. [FN44] Until recently, most California courts required private employers to show a "compelling interest" in order to justify employee monitoring. [FN45] However, in the 1994 case of Hill v. National Collegiate Athletic Ass'n, [FN46] the California Supreme Court rejected the "compelling interest" requirement in favor of a "balancing test" in which the privacy interest at stake must "be specifically identified and carefully compared with competing or countervailing privacy and nonprivacy interests." [FN47] In practice, the California "balancing test" closely resembles the Fourth Amendment "reasonableness" test, though in California, the plaintiff may rebut the employer's justifications for an intrusion by showing that other actions could have been taken by the employer which would have had a lesser impact on the employee's privacy interests. [FN48]
In spite of state reluctance to extend constitutional privacy rights to the private sector, some commentators contend that employees could prevail by arguing that constitutional privacy provisions support a state public policy favoring regulation of intrusions in the private workplace. [FN49] This type of argument could support a constitutionally-based tort claim [FN50] and has achieved *1448 some degree of success in Alaska. In Luedtke v. Nabors Alaska Drilling, Inc., [FN51] the Alaska Supreme Court interpreted the privacy provision of the state constitution to reflect a public policy restricting specific types of intrusions by private employers. Nevertheless, no state court has yet ruled that public policy prohibits private employers from monitoring employee e-mail.
C. Federal Legislation
Although the Constitution sets search and seizure limitations on federal and state employers, Congress has enacted statutes that limit the monitoring activities of private employers. In 1986, Congress attempted to address the issue of e-mail privacy in the private sector by passing the Electronic Communications Privacy Act ("ECPA"). [FN52] While the Electronic Communica- tions Privacy Act added electronic communications to an existing list of protected communications, it took away many protections by retaining or adding several statutory exceptions which leave employee e-mail exposed to private employers.
1. The Electronic Communications Privacy Act of 1986
Drafted to amend the technologically outdated Title III of the Omnibus Crime Control and Safe Streets Act of 1968 ("Title III"), [FN53] the ECPA's goal was to respond to unforeseen privacy issues emerging from new communication technologies. [FN54] Of the changes implemented by the ECPA, perhaps the most significant was the insertion of the term "electronic communication" wherever Title III previously only protected wire and oral communications. [FN55] Substantively, the ECPA extended the coverage of Title III by (1) prohibiting unauthorized interceptions by all carriers, not just common *1449 carriers, of electronic communications; [FN56] and (2) by prohibiting the interception of electronic messages in transmission [FN57] and in storage. [FN58] These two changes were intended to address "the growing problem of unauthorized persons deliberately gaining access to, and sometimes tampering with, electronic or wire communications that are not intended to be available to the public." [FN59] Under the ECPA, liability may be imposed against any individual who "intentionally intercepts, endeavors to intercept, or procures any person to intercept or endeavor to intercept, any wire, oral, or electronic communication." [FN60] Because e- mail transmission is virtually instantaneous and many network providers back-up e-mail messages on company servers, the provision regarding "electronic storage" was added. [FN61] This passage declares that anyone who "(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or (2) intentionally exceeds an authorization to access that facility . . . while it is in electronic storage" [FN62] may be subject to fines or imprisonment. [FN63] Although e-mail is not explicitly mentioned as a protected communication, subsequent judicial decisions have squarely placed e-mail within the protective zone created by the ECPA. [FN64]
*1450 2. Exceptions Within the ECPA
Difficult questions of law are implicated when courts attempt to apply the ECPA to cases involving e-mail intrusions by private network providers, [FN65] because the ECPA allows all network providers, under certain conditions, to monitor employee communications. [FN66] These statutory "loopholes" are (a) the provider exception; [FN67] (b) the business extension or ordinary course of business exception; [FN68] and (c) the consent exception. [FN69]
(a) The Provider Exception
Adding only the term "electronic communication" to
the list of protected communications, the ECPA adopted the original text of the
so-called "provider exception" from Title III. Section 2511(2)(a)(i)
It shall not be unlawful under this chapter for an operator of a switchboard, or an officer, employee, or agent of a provider of wire or electronic communication service, whose facilities are used in the transmission of a wire or electronic communication, to intercept, disclose, or use that communication in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service . . . .
*1451 In clearer terms, this exception allows network providers to intercept, disclose, or use employee e-mail if the privacy intrusion in question is made during the ordinary course of business and is either: (1) necessary to the rendition of service or (2) necessary to protect the rights or property of the company. Presumably, a private provider could always justify an intrusion into employee communications to protect against breaches of confidentiality, trade secret theft, or system maintenance. [FN70] In the case of stored communications, all providers are subject to similar justifications for accessing employee e-mail saved on a company server. [FN71]
A few cases, most of which were decided before the ECPA, have raised issues governed by the provider exception. [FN72] In Flanagan v. Epson America, [FN73] the court was confronted with the legality of an e-mail interception under the California wiretapping statute, but addressed the applicability of the ECPA to the dispute in a footnote, finding that the provider exception would have exempted the private network provider from liability. [FN74] The seemingly broad coverage of the provider exception has caused many commentators to caution private network providers against depending too heavily on its protection. [FN75] *1452 At a minimum, the provider exception should not be able to be utilized by employers who furnish networks through public providers. [FN76]
Some basic interpretive issues regarding the provider exception have yet to be determined. For example, when exactly does a company achieve "network provider" status? [FN77] Pre-ECPA cases do provide some support for the argument that employers can be "network providers" and therefore have a right to access employee e-mail for business-related reasons. [FN78] Certainly, these cases could also support the argument that employers who operate an internal e-mail system have the right to monitor use of the e-mail system for security reasons or to prevent excessive use of the system for personal or non- work related activities. [FN79] A second unresolved issue under the provider exception emerges when a private network provider allows a significant number of outsiders to utilize its system. In this situation, should the employer continue to exist as a private provider, potentially allowing the employer access to e-mail of non-employees? If not, should a court try to make a distinction between the e-mail privacy rights of employees vis-a-vis non- employees?
(b) The Business-Extension Exception
Rather than focusing on the entity providing the
communications system, the business-extension exception rests on the type of
equipment used to access a transmission. In order to maintain a claim under the
ECPA, a plaintiff must *1453 establish that the alleged violator
accessed a message with an "intercepting device"; [FN80] however, in defining such devices, 18 U.S.C. § 2510(5)(a)
(a) any telephone or telegraph instrument, equipment or facility, or any component thereof, (i) furnished to the subscriber or user by a provider of wire or electronic communication service in the ordinary course of its business and being used by the subscriber or user for connection to the facilities of such service and used in the ordinary course of its business; or (ii) being used by a provider of wire or electronic communication service in the ordinary course of its business, or by an investigation or law enforcement officer in the ordinary course of his duties.
In other words, this provision lawfully permits a network provider to access e-mail so long as (1) the intercepting device is part of the communications network and (2) the device is used in the ordinary course of business. To determine whether the intercepting device is used "within the ordinary course of business," courts have assessed whether an employer has a "legal interest" in monitoring communications. [FN81]
Although no court has directly applied this exception to e-mail communications, [FN82] related judicial decisions shed some light on how such a case may be determined. Courts faced with an argument incorporating the business-extension exception have either applied the "context approach," where the general circumstances surrounding the intrusion are scrutinized, or the more specific "content approach," where the court will first determine whether the communication at issue was "business" or "personal," and then use the result to decide whether the employer's business interest justifies the intrusion. [FN83]
(1) The Context Approach
The context approach relies more heavily upon the workplace
environment as opposed to the actual content of the electronic communication. Courts
consider factors such as whether employees were notified that the employer *1454
may intercept communications and whether the employer had a legitimate business
interest justifying the monitoring policy. [FN84] It is settled law that unlimited
monitoring is unlawful under the ECPA, that courts will explore the reasons for
employee monitoring, and that courts will limit the scope of monitoring if
necessary. [FN85] Under this type of scrutiny,
employers will usually escape liability if they satisfy a checklist of
objective notice requirements. [FN86] Some courts will require, at a
minimum, that employers give employees some notice of communications
monitoring. [FN87] However, because the context
approach makes no distinction among types of electronic messages, personal and
business e-mail are lumped together at an equal level of protection. [FN88]
One of the first cases to develop the context approach was United States v. Harpel. [FN89] An officer, convicted for unlawfully disclosing a taped telephone conversation between other police officers, [FN90] argued that because the recordings had been made through an extension telephone, the "business-extension" exemption cleared him of liability. [FN91] Affirming the conviction, the Tenth Circuit did not agree with this broad interpretation of the statutory exemption, stating that the officer failed to show that the recording was made in the ordinary course of business. [FN92] More importantly, the Tenth Circuit instituted a minimum standard for workplace monitoring, including proper employer authorization and adequate employee notice. [FN93]
*1455 Five years later, the Tenth Circuit applied the context approach in James v. Newspaper Agency Corp. [FN94] In this case, an employer attached a monitoring system to the phone lines of employees in the customer service department. After giving notice to its employees that such a system was going to be activated, and absent employee protest, the installation was completed. [FN95] An invasion of privacy lawsuit brought by an employee prompted the Tenth Circuit to look at the reasons why such a monitoring system was needed. The company extended two business justifications in support of the monitoring device: (1) to protect employees against abusive calls and (2) to enable supervisors to provide training and instruction to employees in the area of corporate public interaction. [FN96] Based on these justifications, the court validated the use of the monitoring system and distinguished it from Harpel by highlighting the advance notice given to employees and the asserted business justifications. [FN97]
Finally, the modern application of the context approach was articulated in Deal v. Spears. [FN98] In this case, the Eighth Circuit recast the context inquiry into a two-pronged approach, requiring (1) that the interception equipment be provided to the subscriber by the phone company or connected by the provider to the phone line, and (2) that the interception be in the ordinary course of business. [FN99] Deviating from other circuit court holdings, the court found that because the device used to monitor employee calls was purchased separately and not a part of the communications system, the interception was not covered by the exception. [FN100] In spite of such a finding, the court went on to investigate the second requirement as to whether the interception was in the ordinary course of business. [FN101] The employer reasoned that such monitoring was needed to catch store burglars and suppress theft in general. [FN102] The court agreed that this interest justified some monitoring, but not to the extent practiced by the employer. [FN103] Evidence revealed that the employer recorded twenty-two hours of calls by the plaintiff employee, most of which were *1456 personal and unrelated to any business interest. [FN104] Furthermore, not only were the business justifications clearly insufficient to substantiate such an intrusion, the court went on to cite notice and consent violations and concluded that the interception was clearly not in the "ordinary course of business." [FN105]
(2) The Content Approach
Unlike the context approach, the content approach focuses on
the subject matter of the intercepted conversation. Unequivocally, courts have
ruled that employers can lawfully intercept all "business"
communications, but have very limited rights to monitor "personal"
communications. [FN106] For instance, in Watkins v. L.M.
Berry & Co., [FN107] an employer exceeded its stated
monitoring policy by intercepting a personal call during which an employee
discussed a job interview with a prospective employer. [FN108] The court emphasized that the
phrase "in the ordinary course of business" should not be extended to
include communications about which the employer is merely curious. [FN109] Moreover, the court held that an
employer must show that the particular interception at issue was in the
ordinary course of business. [FN110] The court required a demonstrable
"business interest" in the subject matter of the intercepted call. [FN111] Personal calls are never "in
the ordinary course of business . . . except to the extent necessary to guard
against unauthorized use of the telephone or to determine whether a call is
personal or not." [FN112] The court added that, in practice,
a manager must stop listening to an intercepted call as soon as it is
determined that the call is personal. [FN113]
*1457 In contrast, two cases exist in which courts liberally construed the principles of the content approach. First, in Briggs v. American Air Filter Co., [FN114] the Fifth Circuit explicitly rejected the notion that a non-consensual interception is never allowed within the confines of the business-extension exception. [FN115] The court stressed that under circumstances such as those in Briggs, if an employer has suspicions that confidential business information is being disclosed to competitors by employees, "it is within the ordinary course of business to listen in on an extension phone for at least so long as the call involves the type of information [the employer] fears is being disclosed." [FN116] Had the employer in Briggs monitored any personal portion of the call or engaged in a general practice of unauthorized monitoring, the case might have been decided differently. [FN117] Similarly, in Epps v. St. Mary's Hospital of Athens, Inc., [FN118] the court ruled lawful an employer's recording of a telephone conversation between two employees in which one employee criticized company supervisors. [FN119] As the facts may have produced a defense for the employer under the content approach, the employees urged the court to use the context approach. [FN120] Rejecting the plaintiffs' argument, the court utilized the content approach and found the communication to be a "business" call protected by the business-extension exception because (1) it occurred during office hours and involved remarks about a fellow employee and (2) because the employer had a legal interest in potential contamination of the work environment. [FN121]
In regard to e-mail monitoring, the context and content approaches of the business-extension exception indicate two things: (1) an employer who notifies employees of monitoring is highly insulated from invasion of privacy claims, and (2) an employer can lawfully intercept an e-mail transmission to the extent needed to determine whether the message is business-related or personal. However, the context and content approaches become problematic in the realm of e-mail, because unlike voice communications, the intruder would likely have access to the entire message. How far into an e-mail message can a person read before the "business or private" distinction must be *1458 made? One sentence? One paragraph? Even if courts set a preordained limit on how far a monitor could read, what happens when business and personal matters are commingled in one message? As for disclosure of monitoring activity, one commentator points out that limitations integrated into a monitoring policy serve only as a form of "damage control." [FN122] He argues that "[a]n employer who publishes such a policy is thus only limited in that the scope of its intrusion must match the legitimate business interest justifying the invasion, and employers can expand the permissible scope simply by offering legitimate interests justifying broad monitoring policies." [FN123]
(c) The Consent Exception
The consent exception is applicable when one party to a
communication has given prior consent to an interception by a third party. [FN124] This provision represents the most
unambiguous of the ECPA exceptions, but has garnered a considerable amount of
attention in the courtroom. [FN125] Statutorily, the consent exception
will not apply if the communication is intercepted "for the purpose of
committing any criminal or tortious act in violation of the Constitution or
laws of the United States or any State." [FN126] Although the consent exception has
not yet been applied to stored communications, most courts have adopted a
narrow interpretation by holding that consent to intercept a live transmission
may not be implied. [FN127]
As the consent exception was originally included within the language of Title III, [FN128] judicial treatment of this exception can be traced back to Campiti v. Walonis. [FN129] In Campiti, the court found that the use of an extension telephone by the defendant police officer to intercept telephone conversations between plaintiffs while they were inmates at a state correctional facility was illegal *1459 under Title III. [FN130] Absent actual consent, the police officer argued that, under the circumstances, the inmates gave implied consent to monitoring. [FN131] The court rejected the officer's argument, explaining that "[t]o accept [the officer's] theory of implied consent here would completely distort the plain words of section 2511(2)(c), legalizing an interception where 'one of the parties . . . has given prior consent to such interception."' [FN132]
In another case involving implied consent, Watkins v. L.M. Berry & Co., [FN133] the employer had an established monitoring policy in which all business calls would be monitored and personal calls would be monitored only to the extent necessary to determine whether the call was business or personal. [FN134] An employee brought suit claiming that the employer had illegally intercepted one of her personal calls. The employee argued that the monitoring policy constituted consent for the monitoring of business calls only and did not allow for monitoring of the full content of personal calls. [FN135] On the other hand, the employer argued that consent to monitor all types of calls could be implied from the circumstances of employment. [FN136] Holding in favor of the employee, the court reasoned that the purpose of the ECPA would be defeated "if consent could be routinely implied from the circumstances." [FN137] Furthermore, the court drew a distinction between two similar situations in which implied consent may be arguably invoked. In the first scenario, exemplified by the facts in Watkins, knowledge of the capability of employer monitoring cannot alone serve to implicate consent by an employee. [FN138] However, in the second scenario, courts could imply consent when an employee knew or should have known of an employee monitoring policy or if the employee placed personal calls on lines reserved for business communications only and which the employee knew were regularly monitored. [FN139]
*1460 Accepting the reasoning of Watkins, the Eighth Circuit in Deal v. Spears [FN140] declined to enlarge the parameters of the consent exception. In this case, the employer argued that the employee's consent should be implied from the fact that the employer had advised all employees that monitoring might be necessary to curtail the increasing number of personal calls on business lines. [FN141] In flatly rejecting the employer's argument, the court asserted that an announced possibility of monitoring was insufficient to establish any form of consent. [FN142] In addition, the court explained that even though an extension to the business line had been connected in the employer's home, this did not establish consent because the clicking noise associated with someone picking up another extension was not triggered by the monitoring device. [FN143]
Cases implicating the consent exception indicate that although an employer is at risk for liability if it engages in unrestrained monitoring, courts will usually rule in favor of an employer who has announced a monitoring policy to its employees and adhered to its limits. [FN144] With respect to e-mail communications, the rulings of Campiti, Watkins, and Deal bespeak the idea that such electronic communications could be accessed under the authority of a published monitoring policy. Consequently, a private employer who issues a policy to its employees is presumably only limited by the terms of the policy itself.
D. State Statutory Law
States are free to enact legislation that is more protective than the ECPA and courts have held that the ECPA will only preempt state law if the state law is less protective. [FN145] Some states have enacted legislation giving broader protection to employees. [FN146] Other states have yet to even include electronic messages as protected communications. [FN147] In fact, in Nebraska, employers are *1461 specifically exempted from wiretapping restrictions. [FN148] A number of states have used the ECPA as a model for legislation, incorporating provisions such as the prior consent and business- extension exemptions. [FN149]
Several commentators hoped that the California Penal Code would serve as a model for other states interested in expanding statutory privacy protections to e-mail. [FN150] However, the Shoars v. Epson America [FN151] ruling by a California superior court indicated that California statutory law will not protect e-mail in the private-sector workplace. [FN152] As a result, a California plaintiff bringing an invasion of e-mail privacy lawsuit will either have to base such a claim on constitutional or common law theories.
The lack of uniformity in state e-mail privacy legislation is a mixed blessing. In states with more protective statutes, such as those where the consent of "all parties" is required, employers could face severe limitations in monitoring employee communications. ECPA-styled legislation has resulted in little progress in the area of online privacy rights, as state courts are now dealing with many of the same interpretive problems faced by federal courts. Presently, privacy rights differ greatly from state to state and no state has enacted legislation specifically targeted at employee e-mail privacy rights in the private sector workplace. Consequently, many plaintiffs have turned to state common law as a basis for "invasion of privacy" claims.
*1462 E. State Common Law
Samuel Warren and Louis Brandeis first recognized and introduced the right to privacy into the sphere of American legal ideology through an article published in the Harvard Law Review in 1890. [FN153] The Warren and Brandeis notion of a privacy right was based upon a combination of property law, tort law, copyright law, and damage principles. [FN154] As a result, the modern understanding of the right to privacy and its individual cause of action, known as "invasion of privacy," protects a variety of privacy interests. Traditionally, four activities give rise to liability for an "invasion of privacy" under common law: [FN155] (1) unreasonable intrusion upon the seclusion of another, [FN156] (2) misappropriation of another's name or likeness, [FN157] (3) unreasonable publicity given to another's private life, [FN158] and (4) publicity that unreasonably places another in a false light before the public. [FN159] Every state does not recognize all four claims, [FN160] yet some states offer even greater protections than those mentioned above. [FN161] The tort most relevant to the interception of electronic communications is "unreasonable intrusion upon the seclusion of another." [FN162] One is liable for invasion of privacy by reason of "intrusion upon seclusion" where he or she "intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his [or her] private affairs or concerns, if *1463 the intrusion would be highly offensive to a reasonable person." [FN163] The parameters of this tort include the right to be free from certain kinds of employer activity, such as communications monitoring. [FN164]
Similar to the standard applied to Fourth Amendment search and seizure cases, [FN165] the four elements of an "intrusion upon seclusion" claim are (1) whether the intrusion was intentional, [FN166] (2) whether the act in question is highly offensive to the reasonable person, [FN167] (3) whether the plaintiff's activity was subjectively and objectively private, [FN168] and (4) whether the intruder has a legitimate purpose justifying the invasion. [FN169]
In the context of e-mail monitoring, an employee bringing an "intrusion upon seclusion" claim should have little difficulty showing that the intrusion was intentional. [FN170] Likewise, employees should have little problem demon- strating a subjective expectation of privacy, especially if the e-mail account in question was password-protected. [FN171] However, an employee may face serious obstacles proving the remaining elements. For example, if an employer notified employees that e-mail monitoring could occur, a court may conclude that the employer's acts were not highly offensive and that an objective *1464 expectation of privacy was unreasonable at the time. [FN172] Furthermore, courts have held that business interests can justify even extremely invasive activities. [FN173] Several commentators agree that too much weight is given to "business interests" and that such treatment marginalizes workplace privacy interests. [FN174] In the end, though state tort law can directly serve to uphold employee privacy rights in the private sector workplace, the combination of requirements needed to win an "intrusion upon seclusion" claim does not favor the employee. [FN175]
II. Improving Employee E-Mail Privacy in the Private Sector Workplace
A. Existing Proposals
Both lawmakers and legal scholars have offered means of increasing employee e-mail privacy rights in the private sector. At the federal level, the Privacy for Consumers and Workers Act ("PCWA") was presented to both the Senate and the House of Representatives in 1993, but ultimately failed to gain congressional approval. [FN176] Essentially, the PCWA would have required employers to give advance notice to employees before electronic monitoring commenced. The type of the advance notice would vary, depending on the monitored employee's length of service. New employees would have been subject to random and periodic monitoring during the first sixty days of employment. Employees with more than sixty days but less than five years of service would have been subject to monitoring only if the employer supplied a twenty-four hour written notice and monitored for not more than twenty-four hours a week. Finally, employees with over five years of experience would have been shielded from employer monitoring unless the employer could *1465 show a "reasonable suspicion" that the employee was engaged in criminal behavior or behavior having a substantive adverse economic effect on the employer. [FN177] The PCWA did offer a greater degree of privacy protection to employees, but its specificity rendered many of the provisions unacceptable to many employers, especially those with experienced employees. More importantly, though the House bill included e-mail within the purview of its provisions, the bill introduced to the Senate excluded "the interception of wire, electronic, or oral communications as described in [the ECPA]," and thus e-mail, from its definition of electronic monitoring. [FN178]
The "tiered" advance notice scheme proposed by the PCWA was perhaps its most controversial aspect. One critic stated that "[t]he specific restrictions that limit[ed] monitoring to only new employees and to specified amounts of time or observations [we]re too inflexible and d[id] not take into account the type of business operation." [FN179] As a result, the needs of both employees and employers failed to be adequately addressed by the PCWA. For example, the PCWA unsatisfactorily balanced workplace interests by allowing unrestricted monitoring of new employees despite their special needs (or established privacy rights) and by creating an unreasonably strict standard for employers to justify the monitoring of experienced employees, regardless of the type of work with which an older worker may be involved. [FN180]
The defeat of the PCWA in Congress has prompted many observers to offer their own proposals for consideration. One commentator's proposal focuses on the inadequacy of the ECPA and the inflexibility of the PCWA. [FN181] Keeping in mind the need to balance employee privacy with employer management needs, Dr. Lee suggests adoption of a "flexible" federal policy "aimed at preventing unreasonable intrusions relative to varying types of business operations, organizational needs, and employee privacy needs." [FN182] *1466 Such a policy would demand that electronic monitoring be "reasonable," requiring employers to (1) have a "legitimate" business purpose for engaging in monitoring; (2) use the least intrusive means possible to satisfy the business purpose; (3) limit the access, use, and disclosure to information reasonably meeting that objective; and (4) provide reasonable notification of the monitoring and its use. [FN183] Of equal importance, federal policy requiring monitoring to be "reasonable" could successfully serve as the foundation for new legislation which "meet[s] the needs of employee privacy while preserving employer management needs." [FN184] New legislation should require employers to "publish and post a policy defining the intended business uses of e-mail and voice mail systems, and indicate that these systems may be accessed by the employer without notice to the employees," [FN185] ensuring that employees have some knowledge of monitoring activity. Additionally, provisions promoting "the education of employers and employees on the issue and mandat[ing] the development of company monitoring policies . . . could then provide the particular specificity that may be needed, within the federal guidelines o[f] reasonableness." [FN186] New provisions would also require disclosure of business purposes for adopting an electronic monitoring policy. [FN187] Ultimately, the "reasonableness" of an employer's e-mail monitoring would be analyzed by considering the specific work environment and the interests of both the employees and the employer.
A second commentator suggests new federal legislation explicitly requiring that a "compelling business interest" be shown by employers to justify e-mail monitoring. [FN188] Under "such explicit statutory language, employers will not be able to continue abusive privacy intrusions simply by minimizing employee privacy expectations to the point where courts might consider no privacy interest as having been invaded in the first place." [FN189] Moreover, in each *1467 instance of e-mail interception, the "compelling business interest" would have to be fulfilled. [FN190] No prior notification provisions would be required because "any legislation relying on employee notice to safeguard employee privacy is sorely deficient because notification alone ultimately serves to institutionalize a marginal view of privacy and legitimize practices that infringe upon human dignity." [FN191] In other words, judicial reliance on employee expectations would be eliminated and employers would be barred from manipulating employee expectations through notification. The implementation of a "compelling business interest" standard in this area would serve to tangibly reaffirm the "fundamental" nature of privacy during a period where privacy rights have dramatically eroded and "emphasi[ze] the importance of privacy." [FN192]
B. Negotiating Privacy
Individual rights should not disappear upon entering the private-sector workplace environment. Because the employer-employee relationship is fundamentally contract-based, [FN193] both parties should be treated as equals at the bargaining table and in the eye of the law. Proposals which attempt to place limits on employer monitoring by forcing the employer to disclose monitoring activity would alert employees to unexpected forms of monitoring, but would also serve as an announcement to all private employers that monitoring can be unilaterally instituted. Likewise, a new federal policy embracing the idea of "reasonableness" would be commendable, but without statutory mechanisms requiring more than notice, it would do nothing to stop employers from instituting monitoring policies at their own convenience and without considering employee privacy.
To be clear, employers should and do have a right to monitor their own communication networks. However, such a right should be evenly balanced with the privacy expectations of employees. Courts should recognize that employees deserve higher levels of privacy protection over e-mail because e-mail is used for a variety of purposes in the workplace, all of which are not *1468 work- related. Furthermore, e-mail is in many ways similar to traditional mail. Although e-mail is processed electronically, pressing the "send" button is much like handing an envelope to the postmaster. Many software interfaces even display a design resembling a postmark once an e-mail message has been sent. It is ironic that as more and more e-mail applications attempt to emulate the procedure of postal carriers, courts refuse to give e-mail the same type of privacy protection that is given to traditional mail.
In order to equalize employee e-mail privacy rights with employer monitoring rights, new legislation may offer the most promising avenue for strengthening employee privacy rights. The Constitution provides no protection against private employers, a concept supported by a long series of Supreme Court cases. Though the right to privacy in some state constitutions has been interpreted to limit actions of private employers, judicial trends indicate that these protections will not apply to e-mail. Likewise, state court's common-law offers employees several causes of action which could form the basis for a successful lawsuit, but the Supreme Court's ruling in Ortega supports the viewpoint that employee expectations of privacy in the private-sector workplace are minimal at best. Because common-law formulations essentially weigh employee privacy interests against employer business interests, the Ortega ruling would serve as strong precedent against any proposal attempting to increase employee expectations of privacy. As a result, a common-law proposal strengthening employee privacy rights would have to limit the scope of acceptable business interests, such as requiring employers to present a "compelling business interest" for monitoring.
Legislation, at the state or federal levels, provides a more flexible means for strengthening employee e-mail privacy in the private sector. Rather than drafting statutes requiring notice or allowing only specifically tailored monitoring activity, legislation could be enacted changing the procedure for an invasion of privacy claim. The statute itself would not provide a cause of action, but instead, would force courts to presume that employees retain their right to privacy over e-mail, unless expressly waived. Such legislation could cover all forms of electronic communications over private networks and would necessarily become an issue for negotiation at the pre-employment bargaining table. In other words, instead of employers publishing a generic company wide monitoring policy, a presumption of non-waiver would force employers to address privacy rights at an individual level. Moreover, a pre-sumption of non-waiver would cause the scope of the right to privacy to be negotiated by the employer and the employee at the beginning of the *1469 employment relationship rather than later by a court. Such a presumption would also provide both the employer and employee with a guideline for acceptable monitoring activities much earlier than a lawsuit. In the end, by making privacy an issue bargained for and included within the employment contract, privacy rights would become part of the traditional employer-employee relationship.
A statute incorporating such a presumption would have to include language which accommodates employer monitoring. Due to many factors, such as employee experience or access to sensitive information, employers have interests in monitoring certain employment positions. Of course, express waiver of all privacy rights by an employee would destroy the presumption. In this scenario, the employee would then carry the burden of proving how the alleged privacy intrusion violated the terms of the waiver agreement, if such a document was created. However, a more difficult situation could arise if an employee refused to accept an employer's monitoring proposal and consequently refused to waive the right to privacy. In this scenario, the statute could provide further language describing alternative methods in which the presumption could be defeated. For example, the employer could be allowed to override the presumption of non-waiver through demonstration of a "compelling business interest." The statute could further specify that the monitoring activities be specifically tailored to the "compelling business interest." These provisions would provide the employer with an argument to defeat the presumption in cases where an employee refused to waive any privacy rights to e-mail.
Because procedural presumptions are often based on public policy and fairness considerations, [FN194] a public policy favoring privacy regulation in the private-sector workplace could be endorsed to support a judicial presumption of non-waiver. Some states, such as Alaska, [FN195] have already considered such an approach and at least one commentator has advocated a public policy of "reasonableness" in support of new privacy legislation. [FN196] Though limited, the success public policy arguments have had in state courts suggests that a bill proposing a presumption of non-waiver may have a better chance of being made into law if first introduced to state legislatures. Ultimately, a public policy favoring regulation in the private workplace, paired with a heightened *1470 regard for the contractual nature of the employer-employee relationship, could serve to justify an adjustment of the burden of proof between the employer and employee in privacy disputes.
III. Self-Help Remedies To Protect Workplace Privacy Rights
In light of the difficulties prior statutory proposals have
encountered, it would be imprudent for an employee seeking to safeguard e-mail
communica-tions to rely on the passage of new legislation. However, two
self-help options are currently available to employees desiring privacy
protection, namely, anonymous remailers and encryption.
A. Anonymous Remailers
Perhaps the easiest way for e-mail users to protect communications is to send messages anonymously. In most situations, the identity of each party to a communication is as valuable as the content of the communication itself. [FN197] For example, an employer may desire the names of all employees responding to a message calling for a change in management or, of greater invasiveness, may desire the names of workers posting messages to an Alcoholics Anonymous online chatroom. [FN198]
According to the Supreme Court, the right to speak anonymously is protected by the First Amendment and serves many important functions, such as promoting literature and arts, protecting authors fearing economic or political retaliation, and protecting those concerned about social ostracism. [FN199] In cyberspace, an author may remain anonymous by using a variety of mechanisms, but some of the more popular methods include adopting a pseudonym or using what is known as an "anonymous remailer"--a service to which a message is initially sent that strips away all identifying information before forwarding the message to the intended recipient. Individuals using anonymous remailers should be aware that it can create online problems such as fraudulent electronic commerce, harassment, and defamation. [FN200] In light of these concerns, some commentators have proposed legislation which would eliminate liability for network providers if they are willing to disclose the *1471 identities of anonymous users who utilize the network to coordinate or conduct illegal activities. [FN201] Yet, despite these problems, user anonymity remains a viable option for individuals interested in preserving e-mail privacy.
For those desiring stronger electronic privacy protection, encryption programs have become very popular among sophisticated users. Encryption software allows users to transmit secure e-mail messages which only the intended recipient can decode by use of a "decryption key." The most common form of encryption is public-key cryptography. [FN202] In this procedure, both parties to a communication utilize a cryptography program to generate two strings of arbitrary characters as passwords, or "keys." One password is kept as the user's private key, while the other is used as a "public" key, distributed to anyone to whom the user wishes to send encrypted messages. Only the private key can decrypt messages encoded with the public key. To illustrate how public key cryptography would actually work, imagine a situation where X wishes to send a secure message to Z. X would encrypt, or password- protect, the message with Z's "public" key and upon receiving X's transmission, Z would decode the message with her own private key. Only Z would be able to view X's message because Z's public key can only be decrypted by her private key.
Public key cryptography can be viewed as a valuable scheme to privatize e- mail, but one major problem lurks at the foundation of this technique--senders must be sure that they have the public key of the person to whom they are sending the message. [FN203] At first glance, this may seem an inconsequential problem, but the amount of valuable information contained on private or corporate networks has drawn the attention of computer hackers who can send messages impersonating fellow employees. A fraudulent message of this type, indistinguishable from authentic messages, may prompt the recipient to encrypt subsequent messages with a public key which is in fact not the public key of the impersonated employee. As a result, messages intended for the *1472 impersonated employee could end up being sent to the hacker who has exclusive access to the message by holding the proper private key. [FN204]
As far as employer-providers are concerned, encryption poses several conflicting consequences. First, encryption obviously implies some degree of distrust in network security by the participating employees. One reaction by system administrators to this predicament is to allow employees to transmit unlimited amounts of encrypted messages or files over the company network. [FN205] Attaching liability to an employer for the criminal acts of its employees often requires "knowledge" on the part of the employer. Thus, allowing encrypted messages on a company network can actually serve to insulate the employer from liability. On the other hand, a certain amount of control is lost if the employer ignores and allows the transmission of encrypted messages over the network. This control issue is not one of superficial interest to most employers, especially because an entire network may be confiscated if law enforcement learns of encrypted criminal activity on a private network. [FN206]
During the First Conference on Computers, Freedom, and
Privacy in 1991, distinguished constitutional scholar Professor Lawrence Tribe proposed
a Twenty-Seventh Amendment to the United States Constitution protecting
individual privacy rights, especially in the area of computer technology. [FN207] Highlighting the desperate need for
privacy protection in cyberspace, it is regrettable that Tribe's proposition
fell on deaf ears. American courts now find themselves in the unenviable
position of having to adjudicate novel privacy complaints, brought by employees
against employers, without precise constitutional or statutory guidance.
Additionally, as is the case in most areas of law where technological
innovation has outpaced legislative reform, courts must realize that the ECPA
was never intended to be suitable as controlling law in cases involving e-mail
monitoring by private employers. Although the limited success of codifying
privacy protection provisions in state constitutions is laudable, federal
courts are forced to rely on precedent. Precedent reveals that the right to
privacy in the workplace is to be judged by a "reasonableness"
standard, which in practice, has failed to adequately *1473
safeguard employee privacy interests over e- mail. However, by reinforcing the
existing "reasonableness" test, which plots employee expectations
against employer business interests, with a statutory presumption of
non-waiver, employee privacy rights would be strengthened by procedural, as
opposed to substantive, modifications. In order to defeat the statutory presumption,
an employer would be required to show either employee waiver or, in certain
cases, a compelling business interest.
It would be expected that most employers would oppose a statutory presumption of non-waiver on the grounds that it would unduly burden monitoring needs and that it would create an impenetrable barrier for e-mail monitoring. It is true that a presumption of non-waiver would strengthen employee privacy rights, but existing law unjustifiably values employer business interests over employee privacy interests. Additionally, a pre-sumption of non-waiver would still allow private employers to implement an all-access monitoring policy, so long as employees explicitly agree to such a program or if the employer can provide a compelling business interest. Finally, by instituting a presumption of non- waiver, publication of a monitoring policy would become unnecessary as employees would have knowledge of the extent of employer monitoring activities through provisions in their employment contract.
Currently, there exists a significant misunderstanding of how employee privacy rights should relate to employer monitoring interests. Because of the rapid growth of e-mail use and the expected increase through workplace networking, it is imperative that employee privacy rights be strengthened before "private information" becomes a term of the past. As technology continues to move forward and the incredible potential of electronic communication is fully developed, lawmakers will be forced to take corrective measures ensuring the right to privacy. In the meantime, employees should be aware of the vulnerability of their communications, pay particular attention to their employer's monitoring policy, and consider alternative methods for ensuring communications privacy.
[FNa1]. J.D., Emory University School of
Law, Atlanta, Georgia (1999); B.A., University of Michigan, Ann Arbor, Michigan
(1996). I would like to thank Professor Marc L. Miller whose guidance was
invaluable to the completion of this Comment. My deepest gratitude to Leslie
Rubenstein, Richard Gardner, Shari Goldsmith, Demetria Hannah, and D. Forest
Wolfe for their outstanding efforts in the normally thankless tasks of editing
and spading. Above all, I would also like to thank my mother and father for
their unconditional love and support.
[FN1]. Adapted from Dana Hawkins, Who's Watching Now?, U.S. News & World Report, Sept. 5, 1997, at 56. Statistics show that more than one-third of the members of the American Management Association, the nation's largest organization of its kind, regularly review employee voice-mail, computer files, and e-mail transmissions. Id.
[FN2]. Id. at 58. Although base figures were not provided, such significant increases suggest that investigations of employee e-mail are fast becoming a part of employer monitoring tactics.
[FN3]. While the exact number of employees is constantly increasing, two years ago one study indicated that approximately twenty million employees were provided e-mail accounts by their employer. See Holland & Hart LLP, E-Mail and Voice Mail: Liability Waiting to Happen?, Idaho Employment L. Letter, July 1996, at 1. At the time, this figure represented nearly 20% of the total labor force in the United States. See Karen Brune Mathis, Eyes on Your E-Mail; Messages Sent on Company Computers Are Often Monitored, Florida Times-Union, July 15, 1996, at 10. By the year 2000, it is expected that approximately sixty million electronic mail users will be sending nearly sixty billion messages per year. See Scott Dean, E-Mail Forces Companies to Grapple With Privacy Issues, Corp. Legal Times, Sept. 1993, at 11.
[FN4]. See, e.g., O'Connor v. Ortega, 480 U.S. 709, 724-25 (1987); United States v. Jacobsen, 466 U.S. 109, 113-14 (1984); Jackson v. Metropolitan Edison Co., 419 U.S. 345, 349 (1974); see also Julie A. Flanagan, Note, Restricting Electronic Monitoring in the Private Workplace, 43 Duke L.J. 1256, 1264-65 (1994) ("[T]he protection of the Constitution extends only to public employees; private employer behavior towards employees is not restricted.").
[FN5]. Research shows that nearly 90% of companies with more than 1,000 employees utilize e-mail systems. See Mathis, supra note 3, at 10. E-mail use in private companies is also growing at an extraordinary rate--one study revealed that among Fortune 2000 firms, corporate e-mail use grew 83% between the years of 1991 and 1993. See John Thackery, Electronic-Mail Boxes a Dumping Ground for Meaningless Data, Ottawa Citizen, May 28, 1994, at B4 (citing projections by the Electronic Messaging Association).
[FN6]. Some commentators argue that the development of communications technology has consistently outpaced the evolution of privacy jurisprudence, leaving employees subject to unexpected types of monitoring by employers. See David F. Linowes & Ray C. Spencer, Privacy: The Workplace Issue of the 90's, 23 J. Marshall L. Rev. 591, 598 (1990) (citing David H. Flaherty, Protecting Privacy in Surveillance Societies 4 (1989)); Steven B. Winters, Do Not Fold, Spindle or Mutilate: An Examination of Workplace Privacy in Electronic Mail, 1 S. Cal. Interdisciplinary L.J. 85, 86-87 (1992). Another observer argues that existing technology gives the employer too much control over the workplace and upsets the desired balance of power between employees and employers. See Fred W. Weingarten, Communications Technology: New Challenges To Privacy, 21 J. Marshall L. Rev. 735, 746 (1988).
[FN7]. More than half of all e-mail users first went on-line between 1991- 93. See Mathis, supra note 3, at 10. Similar research predicts that e-mail use in the United States will increase from 15% to 50% of the total population by 2002. See Vanessa Houlder, Failing to Get the Message: E-Mail's Advantages Could Be Lost By Staff Misusing It, Financial Times (London), Mar. 17, 1997, at 14.
[FN8]. Through networks, activities and communications can be easily tracked by use of special software like SurfWatch Professional Edition, Web Sense, LittleBrother and Elron Internet Manager. One commentator states:
[These products] enable companies to follow virtually every mouse click a worker makes across the Internet. They can track access to specific Web sites and, with some programs, calculate the cost of Web-surfing slackers. Bosses can even retrieve the results of an employee's search through Internet directories such as Yahoo! and Excite.
Deborah Branscum, Bigbrother theoffice.com, Newsweek, Apr. 27, 1998, at 78.
[FN9]. See Robert B. Fitzpatrick, Privacy Issues in the Electronic Monitoring and Surveillance of Em-ployees, C742 A.L.I.-A.B.A. Course Study 1165, 1169 (1992) available in WESTLAW, ALI-ABA database (citing Office of Technology Assessment, Electronic Supervisor: New Technology, New Tensions 124- 25 (1987)).
[FN10]. See Charles Piller, Bosses With X-Rays, Macworld, July 1993, at 118, 120.
[FN11]. See, e.g., O'Connor v. Ortega, 480 U.S. 709, 714-26 (1987).
[FN12]. See Linowes & Spencer, supra note 6, at 598.
[FN13]. See Note, Addressing the New Hazards of the High Technology Workplace, 104 Harv. L. Rev. 1898, 1909-10 (1991).
[FN14]. See Jennifer J. Griffin, The Monitoring of Electronic Mail in the Private Sector Workplace: An Electronic Assault on Employee Privacy Rights, 4 Software L.J. 493, 500-01 (1991).
[FN15]. See Linowes & Spencer, supra note 6, at 592-93.
[FN16]. See Note, supra note 13, at 1909.
[FN17]. Improved employee efficiency and workplace flexibility have been cited as two major effects of e-mail use. See James J. Cappel, Closing the E- Mail Privacy Gap; Employer Monitoring of Employee E-Mail, J. Sys. Mgmt., Dec. 1993, at 6 (noting e-mail had circumvented problems of "telephone tag" and rising costs of paper and postage use); see also Griffin, supra note 14, at 498-99 (arguing that e-mail use had increased employee productivity by facilitating more concise communication among employees).
[FN18]. For a discussion of the sources to the right to privacy, see infra notes 22-175 and accompanying text.
[FN19]. For a discussion of congressional bills and relevant proposals, see infra notes 176-92 and accompanying text.
[FN20]. For a discussion regarding the procedural presumption and its implications, see infra notes 193-96 and accompanying text.
[FN21]. For a discussion of employee self-help remedies, see infra notes 197-206 and accompanying text.
[FN22]. 381 U.S. 479 (1965).
[FN23]. Id. at 484.
[FN24]. U.S. Const. amend. IV (emphasis added).
[FN25]. 389 U.S. 347 (1967) (holding unconstitutional a warrantless government recording of defendant's conversation in enclosed public phone booth).
[FN26]. Id. at 361 (Harlan, J., concurring). The most critical part of this test involves a determination of the individual's reasonable expectation of privacy. In performing this task, Justice Harlan suggested that the first inquiry should be whether the individual, by his or her conduct, "exhibited an actual (subjective) expectation of privacy." Id. Secondly, the court should ask whether the individual's subjective expectation of privacy is "one that society is prepared to recognize as 'reasonable."' Id. Most Fourth Amendment decisions turn on the court's assessment of the individual's expectation of privacy. See Anthony G. Amsterdam, Perspectives on the Fourth Amendment, 58 Minn. L. Rev. 349 (1974). For a recent case in which the "reasonableness" standard was used, see Bohach v. City of Reno, 932 F. Supp. 1232 (D. Nev. 1996) (holding that police officers had no subjective expectation of privacy over communications left over precinct messaging system).
In analyzing government interests, courts will consider criteria such as whether there was a legitimate or compelling government interest prompting the privacy intrusion; whether readily available alternatives were considered; whether property rights were at stake; and whether precautions against the privacy intrusion were taken. For an analysis of these criteria, see Laura Thomas Lee, Constitutional and Common Law Informational Privacy: Proposing a "Reasonable Needs" Approach to New Technologies, Paper Presented to the AEJMC Annual Convention, Kansas City (Aug. 1993) (unpublished manuscript on file with The John Marshall Law Review).
[FN27]. 480 U.S. 709 (1987). The Ortega holding has been applied in numerous cases and is controlling precedent in most workplace Fourth Amendment search and seizure cases. See, e.g., Leckelt v. Board of Comm'rs, 909 F.2d 820 (5th Cir. 1990) (holding that hospital's requirement for employees to be tested for infectious diseases was reasonable and did not constitute impermissible invasion of privacy); Shields v. Burge, 874 F.2d 1201 (7th Cir. 1989) (finding government search of desk, automobile, and briefcase of allegedly corrupt police officer permissible under Ortega analysis); Schowengerdt v. General Dynamics Corp., 823 F.2d 1328 (9th Cir. 1987) (holding unreasonable employer's search of employee's office because search was unrelated to business activities); American Fed'n of Gov't Employees, Local 1616 v. Thornburgh, 713 F. Supp. 359 (N.D. Cal. 1989) (holding that employer's mandatory urinalysis tests were unreasonable under Ortega analysis). For further information on Ortega, see Steven Winters, The New Privacy Interest: Electronic Mail in the Workplace, 8 High Tech. L.J. 197 (1993); Keith P. Larson, Comment, Government Intrusion into the Public Employee Workplace-- O'Connor v. Ortega, 21 Creighton L. Rev. 409, 419-420 (1987); Note, Fourth Amendment--Work-Related Searches By Government Employers Valid on "Reason-able" Grounds, 78 Crim. L. & Criminology 792 (1986).
[FN28]. Ortega, 480 U.S. at 722.
In our view, requiring an employer to obtain a warrant whenever the employer wished to enter an employee's office, desk, or file cabinets for a work- related purpose would seriously disrupt the routine of conduct of business and would be unduly burdensome. Imposing unwieldy warrant procedures in such cases upon supervisors, who would otherwise have no reason to be familiar with such procedures, is simply unreasonable.
Id. Dissenting, Justice Blackmun noted that the Court seemed to be suggesting that government employees have little, if any, privacy in the workplace so long as searches are reasonably work-related. See id. at 734-36 (Blackmun, J., dissenting). In respect to electronic communications, one commentator opined that the analytical shift represented by Ortega foretold the notion that "courts [should] fashion case law so as to provide public employers with unbridled discretion to monitor E-mail transmissions." Winters, supra note 27, at 209.
[FN29]. See Ortega, 480 U.S. at 713.
[FN30]. In addressing Dr. Ortega's expectation of privacy, the Court stated:
[His] expectation of privacy must be assessed in the context of the employment relation. An office is seldom a private enclave free from entry by supervisors, other employees, and business and personal invitees. In many cases, offices are continually entered by fellow employees and other visitors during the workday for conferences, consultations and other work-related visits. Simply put, it is the nature of government offices that others--such as fellow employees, supervisors, consensual visitors, and the general public--may have frequent access to an individual's office. ... [S]ome government offices may be so open to fellow employees or to the public that no expectation of privacy is reasonable.
Id. at 717-18.
[FN31]. Id. at 720.
[FN32]. Id. at 717.
[FN34]. See id. at 726 (holding that district court and court of appeals were in error for considering hospital policy in determining reasonableness because search was reasonable at its inception).
[FN35]. Id. at 727.
[FN36]. Under most circumstances, Fourth Amendment jurisprudence does not apply to monitoring conducted by private employers because such behavior does not constitute state action. See Simmons v. Southwestern Bell Tel. Co., 452 F. Supp. 392, 395 (W.D. Okla 1978), aff'd, 611 F.2d 342 (10th Cir. 1979). However, in some cases, courts have found Fourth Amendment privacy protections applicable to the private sector. For instance, "the Amendment protects against [private party] intrusions if the private party acted as an instrument or agent of the Government." Skinner v. Railway Labor Executives' Ass'n, 489 U.S. 602, 614 (1989). Additionally, if a private entity, such as an incorporated municipality, undertakes functions normally ascribed to the public trust, constitutional limitations may apply. See Marsh v. Alabama, 326 U.S. 501 (1946).
[FN37]. See Julia T. Baumhart, The Employer's Right to Read Employee E-Mail: Protecting Privacy or Personal Prying, 8 Lab. Law. 923, 937-38 (1992). For an analysis of "invasion of privacy" claims and their application in the context of e-mail monitoring, see infra notes 153-75 and accompanying text.
[FN38]. "Fourth Amendment law as decided by the Supreme Court heavily influences both state and federal court interpretations of non-public employee's privacy rights in the workplace." Winters, supra note 27, at 200- 01. "[A]lthough the Fourth Amendment does not protect private employees against privacy invasions by their employers, cases from the Fourth Amendment context are critical to discussing how the balancing would apply to private employers' interceptions of employee E-mail." Larry O. Natt Gantt, II, An Affront to Human Dignity: Electronic Mail Monitoring in the Private Sector Workplace, 8 Harv. J.L. & Tech. 345, 380 (1995) (footnote omitted).
[FN39]. See Flanagan, supra note 4, at 1265; see also Kenneth A. Jenero & Lynne D. Mapes-Riordan, Electronic Monitoring of Employees and the Elusive "Right to Privacy," 18 Employee Rel. L.J. 71, 80 (1992).
[FN40]. See, e.g., Bianco v. American Broad. Co., 470 F. Supp. 182, 186 (N.D. Ill. 1979) (holding that private employer's electronic monitoring of employees did not violate the employee's privacy rights because the Illinois constitutional provision prohibiting "unreasonable ... interceptions of communications by eaves-dropping devices" limits only government intrusions).
[FN41]. See Alaska Const. art. I, § 22 ("The right of the people to privacy is recognized and shall not be infringed."); Ariz. Const. art. II, § 8 ("No person shall be disturbed in his private affairs, or his home invaded, without authority of law."); Cal. Const. art. I, § 1 ("All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring ... safety, happiness, and privacy."); Fla. Const. art. I, § 23 ("Every natural person has the right to be ... free from governmental intrusion into his private life except as otherwise provided herein."); Haw. Const. art I, § 6 ("The right of the people to privacy is recognized and shall not be infringed without the showing of a compelling state interest. The legislature shall take affirmative steps to implement this right."); Ill. Const. art. I, § 6 ("The people shall have the right to be secure in their persons, houses, papers and other possessions against unreasonable searches, seizures, invasions of privacy or interceptions of communications eavesdropping devices or other means."); La. Const. art. I, § 5 ("Every person shall be secure in his person, property, communications, houses, papers, and effects against unreasonable searches, seizures, or invasions of privacy."); Mont. Const. art. II, § 10 ("The right of individual privacy is essential to the well-being of a free society and shall not be infringed without the showing of a compelling state interest."); S.C. Const. art. I, § 10 ("The right of the people to be secure in their persons, houses, papers, and effects against unreasonable searches and seizures and unreasonable invasions of privacy shall not be violated ...."); Wash. Const. art. I, § 7 ("No person shall be disturbed in his private affairs, or his home invaded, without authority of law.").
[FN42]. See, e.g., Immuno A.G. v. J. Moor-Jankowski, 567 N.E.2d 1270, 1278 (N.Y. 1991) (holding free speech and press provisions of state constitution are limited by greater privacy protections than those supplied by U.S. Constitution), cert. denied, 500 U.S. 954 (1991); Hope v. Perales, 571 N.Y.S.2d 972, 978 (Sup. Ct. 1991) (finding state due process clause provides greater privacy protection than federal due process clause), aff'd, 189 A.D.2d 287 (N.Y. App. Div. 1993); see also Hannibal F. Heredia, Comment, Is There Privacy in the Workplace?: Guaranteeing a Broader Privacy Right for Workers Under California Law, 22 Sw. U.L. Rev. 307, 313 (1992).
[FN43]. See Flanagan, supra note 4, at 1265; see also Laura Thomas Lee, Watch Your E-Mail! Employee E-Mail Monitoring and Privacy Law in the Age of the Electronic Sweatshop, 28 J. Marshall L. Rev. 139, 150 (1994).
[FN44]. See, e.g., Valley Bank of Nevada v. Superior Court, 542 P.2d 977 (Cal. 1975); Luck v. Southern Pac. Transp. Co., 267 Cal. Rptr. 618, 627-29 (Cal. Ct. App. 1990) (holding private employers bound by California constitutional privacy provision, but not defining scope of circumstances under which private action would violate constitution), cert. denied, 498 U.S. 939 (1990); Semore v. Pool, 266 Cal. Rptr. 280 (Cal. Ct. App. 1990) (holding unconstitutional private employer's random substance abuse testing of employees); Wilkinson v. Times Mirror Corp., 264 Cal. Rptr. 194, 198-200 (Cal. Ct. App. 1989); Porten v. University of San Francisco, 134 Cal. Rptr. 839 (Cal. Ct. App. 1976) (holding private university liable for improperly disclosing a student's grades from another university to State Scholarship and Loan Commission).
[FN45]. See, e.g., Soroka v. Dayton Hudson Corp., 1 Cal. Rptr. 2d 77, 86 (Cal. Ct. App. 1991); Luck, 267 Cal. Rptr. at 631-32; Porten, 134 Cal. Rptr. at 843.
[FN46]. 865 P.2d 633 (Cal. 1994).
[FN47]. Id. at 655. The California Supreme Court decided that the "compelling interest" standard would still be applicable against private employers if the privacy interest at issue was "fundamental to personal autonomy," such as the "freedom from involuntary sterilization or the freedom to pursue consensual familial relationships." Id. at 653.
[FN48]. Id. at 657.
[FN49]. See Baumhart, supra note 37, at 938; Heredia, supra note 42, at 329. For further analysis, see Gantt, supra note 38, at 392-94.
[FN50]. See Baumhart, supra note 37, at 943.
[FN51]. 768 P.2d 1123 (Alaska 1989). Accord Cordle v. General Hugh Mercer Corp., 325 S.E.2d 111 (W. Va. 1984) (finding private employer's requirement that employees submit to random polygraph tests in contravention of state public policy); but see Barr v. Kelso-Burnett Co., 478 N.E.2d 1354 (Ill. 1985) (rejecting notion that public policy supports constitutional right to privacy).
[FN52]. Electronic Communications Privacy Act of 1986, Pub. L. No. 99-508, 100 Stat. 1848 (codified as amended in scattered sections of 18 U.S.C.). Though applied to cases implicating employee e-mail privacy, the Electronic Communications Privacy Act does not explicitly mention e-mail as a protected communication. See Griffin, supra note 14, at 512-13.
[FN53]. See 18 U.S.C. §§ 2510-20 (1994); see also S. Rep. No. 99- 541 (1986), reprinted in 1986 U.S.C.C.A.N. 3555.
[FN54]. See S. Rep. No. 99-541, at 1-2 (1986), reprinted in 1986 U.S.C.C.A.N. 3555, 3555-56.
[FN55]. See 18 U.S.C. § 2511(1)(a) (adding "electronic" communications, in addition to "wire" and "oral," to base offense).
[FN56]. See 18 U.S.C. § 2511(2)(a)(i) (substituting "any communication common carrier" with "a provider of wire or electronic communication service"). Legislative history also reveals that Congress intended the ECPA to extend protections to private telephone networks, not just common carriers. See S. Rep. No. 99-541, at 3 (1986), reprinted in 1986 U.S.C.C.A.N. 3555, 3556-57 ("It does not make sense to say that a phone call transmitted via common carrier is protected by the current federal wiretap statute, while the same phone call transmitted via a private telephone network such as those used by many major U.S. corporations today, would not be covered by the statute.").
[FN57]. See 18 U.S.C. § 2511.
[FN58]. See id. § 2701. "Electronic storage" is defined as "any temporary, intermediate storage of a wire or electronic communication incidental to the electronic communication thereof; and ... any storage of such communication by an electronic communication service for purposes of backup protection of such communication." Id. § 2510(17)(A)-(B).
[FN59]. S. Rep. No. 99-541, at 35 (1986), reprinted in 1986 U.S.C.C.A.N. 3555, 3589.
[FN60]. 18 U.S.C. § 2511(1)(a) (emphasis added). The ECPA defines an "interception" as "the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device." 18 U.S.C. § 2510(4). An "electronic communication" is described as "any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectric, or photo-optical system that affects interstate ... commerce." 18 U.S.C. § 2510(12).
[FN61]. Id. § 2701.
[FN62]. Id. § 2701(a).
[FN63]. See id. § 2701(b).
[FN64]. See Steve Jackson Games, Inc. v. United States Secret Serv., 36 F.3d 457 (5th Cir. 1994); Wesley College v. Pitts, 974 F. Supp. 375 (D. Del. 1997).
[FN65]. See Russell S. Burnside, The Electronic Communications Privacy Act of 1986: The Challenge of Applying Ambiguous Statutory Language to Intricate Telecommunications Technologies, 13 Rutgers Com-puter & Tech. L.J. 451 (1987); see also Robert I. Webber, Note, The Privacy of Electronic Communication: A First Step in the Right Direction, 1 J.L. & Tech. 115 (1985). To be clear, network providers, or "carriers," can come in two forms: public (common) or private. Public providers, such as BellSouth, Mindspring, or America Online, offer network services as a product. On the other hand, many businesses have found such outsourcing unnecessarily expensive and have elected to construct their own networks for internal communications. These businesses are classified as private network providers.
[FN66]. "While the post-ECPA Title III does protect many forms of communication that previously lacked a legal shield, the ECPA retained or redefined many of the statutory provisions existing prior to the 1986 amendments, which provided employers with broad authority to monitor employee communications." Thomas R. Greenberg, E-Mail and Voice Mail: Employee Privacy and the Federal Wiretap Statute, 44 Am. U. L. Rev. 219, 234-35 (1994). Nevertheless, in analyzing the legislative history of the ECPA, congressional intent does not indicate that the Act should not be read to include private employer monitoring of employee e-mail transmissions. See Winters, supra note 6, at 119.
[FN67]. See 18 U.S.C. § 2511(2)(a)(i).
[FN68]. See id. § 2510(5)(a).
[FN69]. See id. § 2511(2)(d).
[FN70]. See Mark S. Dichter & Michael S. Burkhardt, Electronic Interaction in the Workplace: Monitoring, Retrieving and Storing Employee Communications in the Internet Age, (visited December 19, 1998) <http: // www.mlb.com/speech1.htm>. In fact, some commentators interpret this exception to mean that private network providers are excluded from liability for perusing and disclosing employee e-mail transmissions. See Michele C. Kane, Electronic Mail and Privacy, in 15th Annual Computer Law Institute, at 419, 430 (PLI Patents, Copyrights, Trademarks, and Literary Property Course Handbook Series No. 369, 1993); see also Baumhart, supra note 37, at 925; Ruel Torres Hernandez, ECPA and Online Computer Privacy, 41 Fed. Comm. L.J. 17, 39-40 (1988); Alice LaPlante, Is Big Brother Watching?, Infoworld, Jan. 14, 1991, at 68.
[FN71]. See 18 U.S.C. § 2701(c)(1). The ECPA authorizes a provider to disclose stored communications, inter alia, "to a person employed or authorized or whose facilities are used to forward such communication to its destination" or "as may be necessarily incident to the rendition of the service or to the protection of the rights or property of the provider of that service." 18 U.S.C. § 2702(b)(4)-(5).
[FN72]. See, e.g., Simmons v. Southwestern Bell Tel. Co., 452 F. Supp. 392 (W.D. Okla. 1978), aff'd, 611 F.2d 342 (10th Cir. 1979); United States v. Clegg, 509 F.2d 605 (5th Cir. 1975); United States v. Beckley, 259 F. Supp. 567 (N.D. Ga. 1965).
[FN73]. No. BC007036, slip op. (Cal. Super. Ct. Jan. 4, 1991).
[FN74]. Id. at 5-6 n.1. The court asserted that an employer-provider who intentionally examines everything on the system is not in violation of the ECPA. See id.
[FN75]. See Baumhart, supra note 37, at 925. One commentator argues that the provider exception should not apply to private network providers. This conclusion was reached through an analysis of the text of the exception, where the term "service" seems to indicate an external entity providing a network and "the term 'user' is defined as a 'person or entity ... who uses an electronic mail service."' Michael W. Droke, Private, Legislative, and Judicial Options for Clarification of Employee Rights to the Contents of Their Electronic Mail Systems, 32 Santa Clara L. Rev. 167, 182 (analyzing 18 U.S.C. §§ 2510(13), (15) (1988)). Another commentator has contested this interpretation by arguing that the ECPA does not strictly limit the term "provider" to public entities and because some companies may be considered public providers while others may properly be deemed users of networks provided by these public providers. See Gantt, supra note 38, at 360 n.101. Conversely, one commentator concludes that the expansive coverage of the provider exception is justified by the fact that communications on a company- owned network are property of the employer. See James Baird et al., Public Employee Privacy: A Legal and Practical Guide to Issues Affecting the Workplace 60 (1995).
[FN76]. See Baumhart, supra note 37, at 927.
[FN77]. When an employer contracts with an outside service, such as Prodigy, Compuserve, or MCI Mail, to provide e-mail services to its employees, the employer is not considered a "provider." Alternatively, if the employer has its own internal e-mail system, maintained by an in-house information technology department, the employer will probably be considered a provider. However, does the installation of one private telephone wire transform a company into a private network provider? Or, does an actual interconnected network need to exist before "provider" status can be achieved?
[FN78]. See United States v. Mullins, 992 F.2d 1472 (9th Cir. 1992) (holding American Airlines employee's search of computerized travel reservations system for reservation discrepancies and subsequent discovery of fraudulent reservations legal because employee was acting to protect the rights and property of airline within the meaning of provider exception), aff'd, 611 F.2d 342 (10th Cir. 1979); Simmons v. Southwestern Bell Tel. Co. 452 F. Supp. 392 (W.D. Okla. 1978) (holding that the company's interests in monitoring calls for service quality control checks and to prevent persistent use of telephone lines for personal use were valid and legitimate reasons to invoke the § 2511(2)(a)(i) exception).
[FN79]. See Dichter & Burkhardt, supra note 70.
[FN80]. See 18 U.S.C. § 2510(5)(a).
[FN81]. See Jenero & Mapes-Riordan, supra note 39, at 90.
[FN82]. See Gantt, supra note 38, at 365 (citing Steven B. Winters, Do Not Fold, Spindle or Mutilate: An Examination of Workplace Privacy in Electronic Mail, 1 S. Cal. Interdisciplinary L.J. 85, 118 (1992)).
[FN83]. See Gantt, supra note 38, at 365-69. Other commentators have substituted the "context" and "content" terminology with the terms "legitimate business purpose" and "subject of call," respectively. See Greenberg, supra note 66, at 239-46.
[FN84]. See Martha W. Barnett & Scott D. Makar, "In the Ordinary Course of Business": The Legal Limits of Workplace Wiretapping, 10 Hastings Comm. & Ent. L.J. 715, 727-28 (1988).
[FN85]. See Sanders v. Robert Bosch Corp., 38 F.3d 736 (4th Cir. 1994) (holding that employer's 24-hour recording of employee telephone conversations was unlawful even though proffered reason for conducting interceptions was investigation of bomb threat); see also Deal v. Spears, 980 F.2d 1153, 1158 (8th Cir. 1992) (holding that employer's interest in catching thief did not justify recording of 22 hours of primarily personal phone calls).
[FN86]. See Barnett & Makar, supra note 84, at 728.
[FN87]. See James v. Newspaper Agency Corp., 591 F.2d 579, 581 (10th Cir. 1979) (upholding interceptions based on facts that employer provided full notice and that interceptions were for legitimate business purposes of providing training, instruction, and protection against abusive calls); United States v. Harpel, 493 F.2d 346 (10th Cir. 1974) (holding unlawful employer's interception of telephone conversations, partially because employer did not provide any notice of monitoring).
[FN88]. See Gantt, supra note 38, at 370.
[FN89]. 493 F.2d 346 (10th Cir. 1974).
[FN90]. See id. at 348.
[FN91]. See id. at 350.
[FN92]. See id. at 351.
[FN93]. See id.; see also Barnett & Makar, supra note 84, at 728.
[FN94]. 591 F.2d 579, 581 (10th Cir. 1979).
[FN95]. See id. at 581.
[FN96]. See id.
[FN97]. See id. at 582.
[FN98]. 980 F.2d 1153 (8th Cir. 1992).
[FN99]. See id. at 1157. The two-pronged context approach was used by the Fourth Circuit in Sanders v. Robert Bosch Corp., 38 F.3d 736 (4th Cir. 1994).
[FN100]. Deal, 980 F.2d at 1158.
[FN101]. See id.
[FN102]. See id.
[FN103]. See id.
[FN104]. See id.
[FN105]. Id.; see also People v. Otto, 831 P.2d 1178, 1189-90 n.14 (Cal. 1992) (indicating that employer monitoring must be limited to particular purpose, time, and place to be shielded by business-extension exception, and that exception does not cover general practice of unauthorized eavesdropping).
[FN106]. See Briggs v. American Air Filter Co., 630 F.2d 414, 420 (5th Cir. 1980) (holding employer not liable for communications interception where employer limited time and scope necessary to intercept portion of call in which employee discussed his employer's business with competitor).
[FN107]. 704 F.2d 577 (11th Cir. 1983).
[FN108]. Id. at 581.
[FN109]. Id. at 582-83.
[FN110]. See id.
[FN112]. Id. at 583.
[FN113]. See id. at 584. The court cited one case where an interception of a personal call for 10 to 15 seconds was reasonable, but viewed the result of another case, in which an interception of 3 to 5 minutes occurred, as problematic. See id. at 584-85.
[FN114]. 630 F.2d 414 (5th Cir. 1980).
[FN115]. Id. at 419.
[FN116]. Id. at 420.
[FN118]. 802 F.2d 412 (11th Cir. 1986).
[FN119]. Id. at 417.
[FN120]. See id. at 416.
[FN121]. See id. at 416-17.
[FN122]. See Gantt, supra note 38, at 358.
[FN124]. See 18 U.S.C. § 2511(2)(d) (1988) (interception); 18 U.S.C. § 2702(b)(3) (access to stored communi-cations).
[FN125]. See infra notes 129-44 and accompanying text.
[FN126]. 18 U.S.C. § 2511(2)(d) (1988).
[FN127]. See Deal v. Spears, 980 F.2d 1153, 1157 (8th Cir. 1992); see also Griggs-Ryan v. Connelly, 904 F.2d 112, 116 (1st Cir. 1990); but see Jandak v. Village of Brookfield, 520 F. Supp. 815, 820 (N.D. Ill. 1981) (indicating that implied consent existed where police officer should have known that police department regularly monitored employee telephone calls).
[FN128]. See 18 U.S.C. § 2511(2)(d) (1982).
[FN129]. 611 F.2d 387 (1st Cir. 1979).
[FN130]. Id. at 394.
[FN131]. See id. at 393-94. The police officer argued that the circumstances implying consent were "that [the plaintiff] was in restricted custody, that the call was placed for him by a staff officer, that the common practice at Walpole was to monitor such calls, that the expectation of inmates was that calls would be monitored and that [the plaintiff] kept the call short and the conversation innocuous." Id. at 393.
[FN132]. Id. at 394.
[FN133]. 704 F.2d 577 (11th Cir. 1983).
[FN134]. Id. at 579.
[FN135]. See id. at 580.
[FN136]. See id. at 581.
[FN139]. See id. at 581-82.
[FN140]. 980 F.2d 1153 (8th Cir. 1992).
[FN141]. See id. at 1156-57.
[FN142]. See id. at 1157.
[FN143]. See id.
[FN144]. See Baumhart, supra note 37, at 935; see also Barnett & Makar, supra note 84, at 737; John P. Farfuro & Maury B. Josephson, Electronic Monitoring in the Workplace, N.Y.L.J., July 6, 1990, at 32.
[FN145]. See, e.g., United States v. McKinnon, 721 F.2d 19, 21 n.1 (1st Cir. 1983); Evans v. State, 314 S.E.2d 421, 425 (Ga. 1984), cert. denied, 469 U.S. 826 (1984).
[FN146]. For example, legislation in California, Delaware, Florida, Illinois, Louisiana, Maryland, Massachusetts, Michigan, Montana, Oregon, Pennsylvania, and Washington requires prior consent by all parties before a communication may be intercepted. Jenero & Mapes-Riordan, supra note 39, at 94 n.36.
[FN147]. See Robert Ellis Smith, Compilation of State & Federal Privacy Laws 60-63 (1992).
[FN148]. See Neb. Rev. Stat. § 86-702(2)(a) (1992).
[FN149]. See Ariz. Rev. Stat. Ann § 13-3012 (West 1989); Colo. Rev. Stat. § 18-9-305 (West 1990); Del. Code Ann. tit. 11, § 1336 (1995); Fla. Stat. ch. 934.03 (1996); Ga. Code Ann. § 16-11-66 (1996); Haw. Rev. Stat. § 803-42 (1993); Idaho Code §§ 18-6702; 18-6720 (1997); Iowa Code Ann. § 8082.B (1993); Kan. Stat. Ann. §§ 21-4001; 22-2514 (1995); La. Rev. Stat. Ann. § 15:1303 (West 1992); Md. Code Ann. Cts. & Jud. Proc. § 10-402 (1995); Minn. Stat. Ann. § 626A.02 (West 1998); Miss. Code Ann. § 41-29- 531 (1993); Mo. Ann. Stat. § 542.402 (West 1998); Neb. Rev. Stat. § 86- 702 (1994); Nev. Rev. Stat. Ann. § 200.620 (Michie 1997); N.H. Rev. Stat. Ann. §§ 570-B (1997); N.J. Rev. Stat. § 2A:156A-24 (1985); N.M. Stat. Ann. § 30-12-1 (Michie 1998); N.D. Cent. Code § 12.1-15-02 (1997); Ohio Rev. Code Ann. § 2933.52 (Anderson 1996); Okla. Stat. Ann. tit. 13, § 176.4 (West 1994); Or. Rev. Stat. § 165.543 (1991); 18 Pa. Cons. Stat. Ann. § 5704 (West 1983); R.I. Gen. Laws. § 11-35-21 (1994); Tex. Penal Code § 16.02 (West 1994); Utah Code Ann. § 77-23a-4 (1995); Va. Code Ann. § 19.2-62 (Michie 1995); W. Va. Code § 62-1D-3 (1997); Wis. Stat. § 968.31 (1985); Wyo. Stat. Ann. § 7-3-602 (Michie 1996). For further information on these statutes, see Lee, supra note 43, at 175-77.
[FN150]. See, e.g., Victoria Slind-Flor, What is E-Mail Exactly?, Nat'l. L.J., Nov. 25, 1991, at 22; Michael Traynor, Computer E-Mail Privacy Issues Unresolved, Nat'l. L.J., Jan. 31, 1994, at S3.
[FN151]. Ruling on Submitted Matter, Flanagan v. Epson Am., Inc., No. BC007036 (Cal. Super. Ct. Jan. 4, 1991).
[FN152]. See Frank C. Morris et al., Issues from the Electronic Workplace and E-Mail Communication: The Developing Employment Law Nightmare, SB07 A.L.I.- A.B.A. 335, 343 (noting courts desire to defer such matter to California legislature). For an excellent analysis of Flanagan v. Epson, see Winters, supra note 6, at 222-32.
[FN153]. See Samuel Warren & Louis Brandeis, The Right to Privacy, 4 Harv. L. Rev. 193 (1890).
[FN154]. See id.
[FN155]. See Restatement (Second) of Torts §§ 652B-652E (1965).
[FN156]. See, e.g., Dietemann v. Time, Inc., 449 F.2d 245 (9th Cir. 1971); Nader v. General Motors Corp., 255 N.E.2d 765, 770-771 (N.Y. 1970).
[FN157]. See, e.g., Douglass v. Hustler Magazine, Inc., 769 F.2d 1128, 1138-39 (7th Cir. 1985); Carson v. Here's Johnny Portable Toilets, Inc., 698 F.2d 831 (6th Cir. 1983).
[FN158]. See, e.g., Haynes v. Alfred A. Knopf, Inc., 8 F.3d 1222, 1229- 35 (7th Cir. 1993); Diaz v. Oakland Tribune, Inc., 139 Cal. App. 3d 118 (1st Dist. 1983).
[FN159]. See, e.g., Time, Inc. v. Hill, 385 U.S. 374, 391-94 (1967).
[FN160]. See Howell v. New York Post Co., 612 N.E.2d 699 (N.Y. 1993) (refusing to recognize common law tort invasion of privacy).
[FN161]. For example, private persons and celebrities are protected against misappropriation of name or likeness in California and New York. See Jonathan Rosenoer, Cyberlaw: the Law of the Internet 129 (1997).
[FN162]. Griffin, supra note 14, at 503-04. Another tort which could give rise to a cause of action in the context of e-mail monitoring is "intentional infliction of emotional distress." See Kevin J. Baum, E-Mail in the Workplace and the Right to Privacy, 42 Vill. L. Rev. 1011, 1020 (1997). Liability for "intentional infliction of emotional distress" arises when "[o]ne who by extreme and outrageous conduct intentionally or recklessly causes severe emotional distress to another." Restatement (Second) of Torts § 46 (1965). For a recent case in which an "intentional infliction of emotional distress" theory was used against an employer for accessing an employee's e-mail, see Restuccia v. Burk Technology, No. 95-2125, 1996 Mass. Super. LEXIS 367 (Mass. Super. Ct. August 12, 1996).
[FN163]. Restatement (Second) of Torts § 652B (1965). For a recent case in which an "intrusion upon seclusion" theory was used against an employer for accessing an employee's e-mail, see Smyth v. Pillsbury Co., 914 F. Supp. 97 (E.D. Pa. 1996).
[FN164]. E-mail is protected because the invasion may be non-physical. Restatement (Second) of Torts § 652B cmt. b (1965); see also 2 Privacy Law and Practice P 9.02 (George B. Trubow, ed., 1987).
[FN165]. See supra notes 22-38 and accompanying text. The Fourth Amendment standard balances the employee's subjective and objective expectations of privacy against the employer's justification for monitoring.
[FN166]. See Marks v. Bell Tel. Co., 331 A.2d 424 (Pa. 1975). Courts have considered electronic surveillance, such as telephone "tapping," sufficient to establish this element of the tort. See Dietemann v. Time, Inc., 449 F.2d 245 (9th Cir. 1971); Nader v. General Motors Corp., 255 N.E.2d 765 (N.Y. 1970); Billings v. Atkinson, 489 S.W.2d 858 (Tex. 1973).
[FN167]. See Restatement (Second) of Torts §652B cmt. d (1965).
[FN168]. See Michael W. Droke, Private, Legislative and Judicial Options for Clarification of Employee Rights to the Contents of Their Electronic Mail Systems, 32 Santa Clara L. Rev. 167, 184-86 (1992). In most cases, it is easier for a plaintiff to show a subjective expectation of privacy in regard to a certain activity. However, a plaintiff must also show that the expectation of privacy is objectively reasonable, a difficult burden to meet if the employer has published a monitoring policy. See Simmons v. Southwestern Bell Tel. Co., 452 F. Supp. 392 (W.D. Okla. 1978).
[FN169]. See Miller v. NBC, 232 Cal. Rptr. 668 (Cal. Ct. App. 1986); Horstman v. Newman, 291 S.W.2d 567 (Ky. Ct. App. 1956); Engman v. Southwestern Bell Tel. Co., 631 S.W.2d 98 (Mo. Ct. App. 1982).
[FN170]. It is safe to assume that e-mail monitoring constitutes an intentional act. Yet, an employer could attempt to show that the invasion was incidental to system maintenance and therefore unintentional. See Lee, supra note 43, at 163.
[FN171]. See Lois R. Witt, Terminally Nosy: Are Employers Free to Access Our Electronic Mail?, 96 Dick. L. Rev. 545, 555, 561 (1992).
[FN172]. "[E]mployee notification is important because, as under the ECPA analysis, courts may imply consent to E-mail monitoring when employers provide notice or when the employees are aware that monitoring can occur." Gantt, supra note 38, at 377. An employee may also have trouble proving that e-mail was actually read. See, e.g., Marks v. Bell Tel. Co., 331 A.2d 424 (Pa. 1975) (plaintiff failed to prove that certain telephone conversations were actually heard by third party).
[FN173]. See, e.g., Saldana v. Kelsey-Hayes Co., 443 N.W.2d 382 (Mich. Ct. App. 1989) (holding that business interests justified home monitoring of employee who claimed to have work-related injuries).
[FN174]. See Gantt, supra note 38, at 377; Griffin, supra note 14, at 509.
[FN175]. See Julie A. Flanagan, Note, Restricting Electronic Monitoring in the Private Workplace, 43 Duke L.J. 1256, 1267 (1994).
[FN176]. The PCWA was introduced in the House of Representatives by Rep. Pat Williams (D-Mont), H.R. 1900, 103rd Cong. (1993), and introduced in the Senate by Senator Paul Simon, S. 984, 103rd Cong. (1993).
[FN177]. See S. 984, 103rd Cong. § 5(B) (1993).
[FN178]. See Gantt, supra note 38, at 409 (referring to S. 984, 103d Cong. § 2(2)(c) (1993)). Furthermore, the PCWA's advance notice scheme did not limit the scope of monitoring nor the potential for abuse that often occurs. In effect, instead of restricting employer monitoring, the PCWA did the exact opposite by allowing monitoring during specified periods of time. See Gantt, supra note 38, at 409-10; see also Jeffrey S. Kingston & Gregory L. Lippetz, E- Mail Privacy Rights Can Be Tricky, So Firms Need To Study Up, Bus. J., Feb. 1, 1993, at 21.
[FN179]. See Lee, supra note 43, at 171.
[FN181]. See Lee, supra note 43, at 170-74. For similar proposals, see Kevin J. Baum, E-Mail in the Workplace and the Right to Privacy, 42 Vill. L. Rev. 1011, 1035-40 (1997); Greenberg, supra note 66, at 219.
[FN182]. Lee, supra note 43, at 172.
[FN185]. See Greenberg, supra note 66, at 249-50.
[FN186]. See Lee, supra note 43, at 172-73. "It is imperative that employers create a company policy that clearly spells out monitoring practices and employee privacy specific to that company's operation." Id.
[FN187]. See id. The author does provide a comprehensive list of possible objectives a monitoring policy could achieve, including: (1) to identify the reasons for surveillance and business purpose to be achieved; (2) to explain the monitoring procedures which may or may not be used; (3) to contain limitations on what is collected and the use of information obtained, restricting it to its stated purpose and ensuring confidentiality; and (4) to establish employee usage guidelines, such as whether, when, and to what extent the system may be used for non-business communications. See id. at 173.
[FN188]. See Gantt, supra note 38, at 416.
[FN191]. Id at 417.
[FN192]. Id. at 416-17. The European Union's Directive on the Protection of Individuals with Regard to the Personal Data and on the Free Movement of Such Data incorporates a similar standard--subjects have a right to object to the processing of personal data on the basis of "compelling and legitimate grounds." See Thomas J. Smedinghoff et al., Online Law: The SPA's Legal Guide to Doing Business On the Internet 276-77 (Thomas J. Smedinghoff ed., 1996).
[FN193]. See Mark A. Rothstein et al., Employment Law § 2.27 (West 1994).
[FN194]. See Irving Younger et al., Principles of Evidence 879 (3d ed. 1997).
[FN195]. See supra notes 49-51 and accompanying text.
[FN196]. See supra notes 181-87 and accompanying text.
[FN197]. See Rosenoer, supra note 161, at 139.
[FN198]. See supra note 1 and accompanying text for another example.
[FN199]. See McIntyre v. Ohio Elections Commission, 514 U.S. 334, 342-43 (1995).
[FN200]. See Smedinghoff, supra note 192, at 279.
[FN201]. See David R. Johnson & Kevin A. Marks, Mapping Electronic Data Communications Onto Existing Legal Metaphors: Should We Let Our Conscience (And Our Contracts) Be Our Guide?, 38 Vill. L. Rev. 487 (1993) (proposing Electronic Communications Forwarding Act).
[FN202]. For a detailed analysis of public-key cryptography, see Daniel J. Greenwood & Ray A. Campbell, Electronic Commerce Legislation: From Written on Paper and Signed in Ink to Electronic Records and Online Authentication, 53 Bus. Law. 307, 310-16 (1997); see also Lance Rose, NetLaw: Your Rights in the Online World 181 (1995).
[FN203]. See Greenwood & Campbell, supra note 202, at 315.
[FN204]. See id.
[FN205]. See Rose, supra note 202, at 182.
[FN206]. See Steve Jackson Games, Inc. v. United States Secret Serv., 36 F.3d 457 (5th Cir. 1994).
[FN207]. See Henry Weinstein, Amendment on Computer Privacy Urged, L.A. Times, Mar. 27, 1991, at A3.