University of Florida Journal of Law and Public Policy
PRIVACY AND THE INTERNET: WELCOME TO THE ORWELLIAN WORLD
Allegra Knopf [FNa1]
Copyright © 1999 University of Florida Journal of Law and Public Policy;
I. CONSTITUTIONAL PROTECTION .... 81
A. Traditional Analysis .... 81
B. Katz in Cyberspace ...... 83
C. Technological Analysis .. 86
A. Interception ............ 89
B. Stored Communications ... 91
C. Provider Exceptions ..... 93
III. RECOMMENDATIONS .............. 95
A. Encryption .............. 95
B. Passwords ............... 98
A recent Federal Trade Commission report found 87% to 97% of Internet Web sites collected personal information from those who accessed those sites, [FN1] but very few had any policy concerning disclosure of the information collected. [FN2] Intel's new Pentium III chip, which contains a Processor Serial Number capable of disclosing a browser's identification, will ease the ability of Internet providers to compile information regarding users and may enable tracking of a browser's activity. [FN3] Even users of closed networks are subject to scrutiny. The National Institute for Occupational Safety and Health found twenty-six million workers were subject to computer surveillance. [FN4] Not surprisingly, members of Congress and privacy groups have called for legislation to protect activity on a computer network from unwarranted monitoring. [FN5] Nevertheless, federal law lacks comprehensive protection. Courts have been left to rely on common law interpretation of the Fourth Amendment [FN6] and interpretation of Title III of the Omnibus Crime Control and Safe Streets Act of 1968, as amended by The Electronic Communications Privacy Act of 1986; collectively referred to as The Federal Wiretap Statute. [FN7]
The malleability of the Fourth Amendment and the limitations of the federal wiretap statute have led to inconsistent results regarding similar claims. The lack of comprehensive law also has resulted in technologically driven outcomes to legal disputes. Thus, as computer technology improves the ability to monitor other users' activity, the privacy that courts award those users diminishes. This decrease in privacy has favorable results when monitoring leads to locating and prosecuting criminal activity, but has potentially detrimental effects when monitoring leads to divulgence of an innocent user's private communications.
This Note explores the current state of federal law applicable to computer communication privacy. [FN8] Part I discusses the application of the Fourth Amendment to computer privacy concerns. Part II explores the federal wiretap statute and its limitations. Part III concludes with a discussion of how legislation may enhance computer privacy.
I. CONSTITUTIONAL PROTECTION
The Fourth Amendment protects individuals against unreasonable searches and seizures. [FN9] The extent of the Amendment's protection has changed as American society's values have evolved. Whether technology alters society's values and thereby alters Fourth Amendment protection is not clear. [FN10]
A. Traditional Analysis
In Katz v. United States, [FN11] the United States Supreme Court considered whether the government's eavesdropping and recording of a criminal defendant's conversations from a telephone booth violated any right to privacy the defendant possessed with regard to those conversations. [FN12] The Court found the defendant did have a right to private telephone conversations and the government violated his right. [FN13] According to the Court the wiretap was, in effect, a search and seizure subject to the restrictions of the Fourth Amendment. [FN14] The Court held the Fourth Amendment prohibition against unreasonable searches and seizures protected a person's privacy where that person had a reasonable expectation of privacy. [FN15] Justice Harlan's concurring opinion introduced the two-fold test later used to determine when a reasonable expectation of privacy existed: First, did the person have a subjective expectation of privacy; and, second, was that expectation objectively reasonable? [FN16]
Where a defendant had a reasonable expectation of privacy, government intrusion constituted a search and seizure under the Fourth Amendment. [FN17] A search and seizure triggered the Fourth Amendment requirement that the search be "reasonable." [FN18] (If the search was not reasonable, the evidence obtained from the search was excluded under the Fourth Amendment.) [FN19] Reasonableness, in turn, required probable cause as expressed in a warrant, or circumstances permitting an exception to the warrant, prior to a government search. [FN20] Katz held that a reasonable expectation of privacy did not attach to that which a person knew was susceptible to public exposure. [FN21] As a result, an examination of anything to which a defendant could not attach a reasonable expectation of privacy did not offend the Constitution because it did not constitute an unreasonable search under the Fourth Amendment. [FN22]
In O'Connor v. Ortega, [FN23] the United States Supreme Court applied Katz to determine the extent of privacy an employee reasonably could expect. [FN24] In that case, a state employer conducted a search of an employee's office as part of an investigation of alleged employee misconduct. [FN25] The Court distinguished those areas and materials to which many people had access from the employee's office, where only the employee's invitees may have had access, and where the employee retained materials that were unrelated to the employer's business. [FN26] The Court held that materials the employee retained in his office which he did not share with other employees or the employer were private. [FN27] As a result, the employer was not entitled to examine those materials and violated the Fourth Amendment when it did so. [FN28] The Court included the employee's personal correspondence in the materials to which the employee had a reasonable expectation of privacy. [FN29]
The Katz analysis worked well in those cases where society established agreed upon parameters. Such parameters distinguished, for example, an employee bulletin board which was not private, even if private material was posted on it, from an employee's handbag, the contents of which remained private. [FN30] Where society has not established agreed upon parameters, as in cyberspace, the Katz analysis lacks consistent application. [FN31]
B. Katz in Cyberspace
Cyberspace presents privacy problems because it is accessible by many. Since anyone can log onto the World Wide Web, an expectation of privacy on the Web is not reasonable. On the other hand, where a network is limited to specified users, or one is sending a message to a discrete address, an expectation of privacy may be reasonable.
In United States v. Simons, [FN32] a government employer discovered that an employee was using his computer at work to access the Internet and download pornography. [FN33] The employer made the discovery after the network manager (who claimed merely to be checking system capabilities at the time) checked logs of Internet connections and used the keyword "sex" to find inappropriate connections made to the Internet. [FN34] Using the Katz analysis as employed in O'Connor, the district court interpreted O'Connor to require reasonableness when an employer conducted a search rather than probable cause as required in a law enforcement search. [FN35] The court found that the employer's searches of the employee's hard drive, initially from a remote computer, were reasonable since the employer had reason to suspect the employee was engaging in misconduct. [FN36] The court found that the remoteness of the initial search indicated the search was reasonable in light of O'Connor "because there was no entry into Defendant's office." [FN37] Thus, under the Simons analysis, surveillance of employees by computer creates no Fourth Amendment violation.
The Simons court found the initial search of the employee's computer was valid under the O'Connor reasonableness standard. [FN38] As a result, the court held the evidence obtained thereby was admissible in a subsequent criminal proceeding against the employee. [FN39] The court rejected the employee's contention that evidence obtained from searches conducted without a warrant was inadmissible in the criminal case because: 1) the employer and its investigators conducted the search; 2) the employer had a policy of monitoring computer activity; and 3) the employee could not objectively expect privacy when engaging in activity over the Internet. [FN40]
Under different circumstances, courts have upheld employee privacy on the Internet. In McVeigh v. Cohen, [FN41] the district court granted an employee's motion for an injunction to remain in the United States Navy pending litigation of his privacy claim. [FN42] A Navy volunteer who subscribed to America Online (AOL) deciphered from an e-mail she received (from a user named "boysrch") and AOL's member profile directory that the sender was enlisted in the military and was homosexual. [FN43] The Navy then contacted AOL to obtain information linking the e-mail and profile to McVeigh, who was enlisted in the Navy. [FN44] The Navy began proceedings to discharge McVeigh for violating the "don't ask, don't tell" policy because his AOL profile referred to his homosexuality. [FN45]
The court concluded that the Navy violated McVeigh's privacy and engaged in illegal discovery when it obtained information from AOL without a warrant. [FN46] Rather than considering anything placed on the Internet to be public and therefore not subject to an objective expectation of privacy, the court held McVeigh's e-mail signed "boysrch" was private and anonymous. [FN47] The court railed against the Navy for conducting what it considered an unreasonable investigation into an enlisted man's private life. [FN48]
In another military case, United States v. Maxwell, [FN49] the United States Court of Appeals for the Armed Forces held that a reasonable expectation of privacy existed where Maxwell, an AOL subscriber, used different passwords and screen names to remain anonymous. [FN50] The Air Force court-martialed the defendant after the FBI learned he had transmitted indecent e-mail. [FN51] The court agreed with Maxwell that AOL violated his Fourth Amendment rights by divulging his Internet activity to the FBI. [FN52] The court concluded that the content of Maxwell's e-mail and the fact that it was transmitted by a privately owned network (AOL) indicated he had a reasonable expectation of privacy. [FN53]
Unlike Simons, McVeigh and Maxwell were off duty when they used their computers to engage in the communications at issue. [FN54] The different contexts in which the claims in Simons, McVeigh, and Maxwell arose indicate that employees' constitutional privacy to computer communications depends upon a variety of factors such as when and where employees access the Internet, what steps employees take to hide their identities, and the reasonableness of the actions their employers take to discover their identities. McVeigh and Maxwell are rare, however, in the broad protection they afforded the employee. More often, courts have held the nature of computer technology destroys privacy expectations.
Katz noted that the Fourth Amendment protects people, not places. [FN55] Nevertheless, courts have entertained a place-oriented approach in concluding that cyberspace is a place where no privacy exists. [FN56] Where bulletin boards are at issue, the privacy analysis involves a simple analogy of computer bulletin boards with traditional bulletin boards posted in public places. [FN57] As a result, courts have upheld searches against Fourth Amendment privacy claims where law enforcement searched computer bulletin boards for illegal activity. [FN58]
Courts also have treated chat rooms as public places which do not provide an objective expectation of privacy. [FN59] In United States v. Charbonneau, [FN60] the court upheld a search conducted after Florida Department of Law Enforcement officers monitored and recorded conversations that took place in an AOL chat room which indicated users were trading child pornography. [FN61] The officers traced the defendant (who was supplying the chat room users pornography) to Ohio where they conducted a search of his home. [FN62] The court summarily rejected the defendant's claim of privacy in the chat room. [FN63]
While it may seem obvious that bulletin boards and chat rooms are sufficiently public that a reasonable person could not entertain expectations of privacy, where the privacy of e-mail is at stake, the determination of what is public and what is private becomes difficult. In Charbonneau, for example, the court struggled with the Fourth Amendment analysis as applied to e-mail. [FN64] The defendant had sent the pornographic material at issue via e-mail. [FN65] The court allowed the place to determine the extent of privacy. [FN66]
Although the court noted that e-mail was the equivalent of posted mail, it held that mail sent by computer diminished the sender's Fourth Amendment rights "incrementally." [FN67] The court distinguished mail sent from mail received. [FN68] It held that once transmission of e-mail took place, all privacy attached to it vanished, and users of the Internet transmitted e-mail at the risk of law enforcement intercepting and using the e-mail against the sender. [FN69] The court's analysis hinged upon the defendant's use of a chat room to send mail. [FN70] To support its analysis, the court looked to Hoffa v. United States, [FN71] where the Court held statements overheard by an undercover agent were not private. [FN72] In other words, e-mail seen by government agents was akin to overhearing a conversation. [FN73]
E-mail seized incidental to computer seizure also lacks protection. The courts have allowed technology to form the analysis where e-mail is not a part of the crime but incidental to it. In Davis v. Gracey, [FN74] for example, law enforcement officers seized computer equipment used to transmit obscene CD-ROM images via a bulletin board. [FN75] Private subscribers used the bulletin board to communicate. [FN76] The officers seized a computer that contained 150,000 e-mail messages which subscribers had posted but which had not been read by the addressees. [FN77] The defendant alleged the e-mail was the private correspondence of the bulletin board users and not subject to the search. [FN78] The defendant also noted that there was no probable cause to justify a search of e-mail that was not connected to the crime alleged to have occurred. [FN79] Nevertheless, the United States Court of Appeals for the Tenth Circuit held that since the computer was an instrumentality of the crime, everything within it was subject to a search. [FN80] In discussing the legality of incidental seizure of e-mail, the court noted "the obvious difficulties attendant in separating the contents of electronic storage from the computer hardware during the course of a search." [FN81]
The foregoing indicates that traditional Fourth Amendment analysis provides little protection for communications in cyberspace. Although the Fourth Amendment's protection is limited, federal wiretap law protects against wrongful interception and access of computer messages. [FN82] As the discussion below indicates, the federal wiretap law is complicated and counsel often err in the portion of the wiretap law they invoke or the protection they believe the wiretap law provides. Therefore, it is critical for practitioners to study carefully the federal wiretap statute and cases interpreting it to determine what portion of the statute, if any, applies to their case.
II. STATUTORY PROTECTION
Following Katz, Congress enacted Title III of the Omnibus Crime Control and Safe Streets Act of 1968 (the federal wiretap statute). [FN83] The federal wiretap statute, in part, provided criminal and civil penalties for the intentional, unauthorized interception or disclosure of a private communication. [FN84] Congress intended the federal wiretap statute to codify the reasonable expectation of privacy principle which the Court had enunciated in Katz. [FN85]
When Congress enacted the federal wiretap statute, it was concerned with illegal wiretaps on telephones, the issue Katz had presented. [FN86] As a result, the federal wiretap statute only applied to "aural" interception and did not contemplate digital communication. [FN87] As electronic communication developed, Congress rectified the federal wiretap statute's limitation by enacting the Electronic Communications Privacy Act (ECPA) in 1986. [FN88] The ECPA added communication by electronic means to those communications the federal wiretap statute protected. [FN89] In addition, Congress enacted the "Stored Communications Act" [FN90] in 1986 to punish the unauthorized, intentional access of information stored following its electronic transmission.
Title I of the ECPA [FN91] addresses interception. An interception under the statute requires receiving or recording the communication while it is being transmitted. [FN92] As a result, retrieving communication already sent, such as voice mail or pages, is not an interception. [FN93]
Similarly, there is no interception if e-mail is retrieved after it reaches its destination. [FN94] In Steve Jackson Games, Inc. v. United States Secret Service, [FN95] the Secret Service seized a computer as part of an investigation of an unauthorized distribution of Bell Company text files. [FN96] The seized computer operated a bulletin board containing private subscriber e-mail that was unrelated to the offense originally investigated. [FN97] After the Secret Service read and deleted the private e-mail, the bulletin board provider alleged the Secret Service violated Title I of the ECPA prohibiting the unlawful interception of electronic communications. [FN98] Because the Secret Service did not access the e-mail contemporaneously with its transmission, but accessed it after it reached its destination, the United States Court of Appeals for the Fifth Circuit held the Secret Service did not violate Title I of the ECPA. [FN99]
The ECPA is not a strict liability statute. Liability under the statute does not exist unless the offender had intent (or knowledge if the violation was disclosure) [FN100] and the offender intruded upon a reasonable expectation of privacy. [FN101] As a result, inadvertent access to e-mail is not an offense under the statute. [FN102] In Wesley College v. Pitts, [FN103] for example, the court refused to find a systems operator guilty of interception when he read e-mail someone accidentally sent to his station for printing. [FN104] In another case, the court held no liability existed where there was insufficient evidence to prove the alleged offender acted "deliberately and purposefully." [FN105]
Whether a privacy interest existed when the interception occurred depends upon whether the sender had a reasonable expectation of privacy. [FN106] In Wesley v. WISN Division, [FN107] the court addressed interception of verbal communications and held the reasonableness of a privacy expectation depended upon the probability of interception. [FN108] Therefore, employees who shielded their conversations from being overheard by speaking in hushed tones could reasonably expect the conversations to remain private and would receive privacy protection. [FN109]
This reasoning, when applied to computer communications, allows technology to diminish privacy because it is reasonable to expect that communications on a network may be intercepted by the network provider and other network users in the absence of encryption or password protection. Where an employer has the ability to access employee terminals via a network, the employee does not have a reasonable expectation of privacy. [FN110] If, however, a court uses the reasoning of Charbonneau, that communication sent over a network is akin to a letter being mailed, then a reasonable expectation of privacy does attach to computer communications en route to their destination. [FN111] An interception also is not a violation if there was consent, which may be implied. [FN112] Those who work in places where recording communications is routine, such as a police station, are deemed to have consented to interception. [FN113]
B. Stored Communications
Title II of the ECPA [FN114] addresses stored communications. [FN115] Accessing stored communications is not an interception and, therefore, does not impose liability under Title I of the ECPA. [FN116] The protection Title II provides stored communications is different and narrower than the protection Title I affords communications in transit. [FN117] First, mere unauthorized access does not create liability. [FN118] Second, electronic communications service providers are excluded from liability under Title II unless a provider knowingly divulges the contents of a stored communication in a manner not permitted. [FN119]
Title II permits electronic communications service providers to divulge contents of a stored communication for a variety of reasons, including divulging the communication to law enforcement authorities if the service provider accidentally locates information which appears to pertain to criminal activity. [FN120] In addition, "contents" of an electronic communication, as used in Title II, has a narrow meaning. In Jessup-Morgan v. America Online, Inc., [FN121] the court held that "contents" consisted of the substance of a communication and not user identification. [FN122] At issue was AOL's disclosure, pursuant to a subpoena, of a user's identification and profile. [FN123] The court used an exception in Title II which allows a service provider to disclose subscriber information "to any person other than a governmental entity," and held that the disclosure did not violate Title II of the ECPA. [FN124]
Unauthorized access of an electronic communications service facility is a violation under Title II of the ECPA, but accessing an individual's private communication is not. [FN125] The narrow scope of Title II of the ECPA prohibits only an electronic communications service provider from disclosing contents of a communication. [FN126] It does not prohibit a private party from disclosing the stored communications of another. [FN127] This dichotomy has resulted in the leakage of information with potentially harmful results. [FN128]
In Anderson Consulting LLP v. UOP, [FN129] for example, adversary litigants published e-mail belonging to Anderson Consulting without its consent in the Wall Street Journal. [FN130] The court held that the parties who published the information, UOP and its lawyers, were not liable because they were not electronic communications service providers within the meaning of Title II of the ECPA and, therefore, were not barred from disclosing stored communications. [FN131] The disclosed e-mail had been stored on UOP's network while Anderson was working on UOP's system. [FN132] The court held that a company-wide network did not qualify as an electronic communications service provider because it did not provide communication services to the public at large. [FN133] As noted below, however, the electronic communications service provider requirement of Title II of the ECPA is open to interpretation.
C. Provider Exceptions
The ECPA does not define what an electronic communications service provider is. [FN134] Coverage under both titles of the ECPA depends upon whether the party who engaged in the proscribed action was an electronic communications service provider. [FN135] Title I of the ECPA excludes from its coverage prohibiting interception "an operator ... or an officer, employee, or agent of a provider of wire or electronic communication service ... while engaged in any activity which is a necessary incident to the rendition of his service." [FN136] Title II of the ECPA has a similar provision excluding electronic communications service providers from its prohibition against accessing stored communications, but allows anyone, except an electronic communications service provider, to divulge stored communications. [FN137]
The lack of a definition of electronic communications service provider and the importance of an offender's status as a service provider has resulted in inconsistent interpretations. [FN138] In Anderson Consulting, the court held that a company's network had to be available to the public at large in order for the company to be a service provider. [FN139] In Bohach v. City of Reno, [FN140] the court did not consider public access to a network necessary to qualify the network provider as an electronic communications service provider under the ECPA. [FN141] The variance in statutory interpretation, in turn, has led to inconsistent holdings. In Anderson, the court applied a definition of electronic communications service provider which enabled a network provider to leak information under Title II by defining provider so narrowly that the network provider did not come under the ECPA's prohibition against providers divulging contents of stored information. [FN142] In Bohach, however, the court defined electronic communications service provider so broadly (anyone who provides personnel with the ability to send or receive electronic communications) that a police department was held to be a provider and, as a result, was not liable for accessing the stored communications of its employees. [FN143]
The manipulation of definitions and statutory provisions can reduce privacy for employees. If a court deems an employer who supplies the means of electronic communication to be a provider, then that employer can access its employees' stored messages and use them in subsequent actions against an employee. [FN144] In United States v. Mullins, [FN145] the court held American Airlines was an electronic communications service provider and did not act unlawfully when it monitored activity over the SABRE network. [FN146] The court held this was the case even though American Airlines did not own SABRE, but simply provided its agents access to the SABRE system which other airlines also used. [FN147] The court's purpose in defining American Airlines as an electronic communications service provider was to uphold American's actions in locating and prosecuting illegal activity which the defendants had conducted by using SABRE. [FN148]
Together, Anderson, Bohach, and Mullins reveal the failure of federal law to provide consistent electronic privacy protection. Whether an entity is a provider within the meaning of the ECPA depends upon what definition of electronic communications service provider a court uses. Until the ECPA is amended to define electronic communications service provider, the outcome of cases will vary from court to court.
Statutory amendment is needed to clarify the meaning of an electronic communications service provider and to clarify when computer communications are subject to a reasonable expectation of privacy. Reliance on the ECPA, as currently enacted, leads to inconsistent results. Reliance on the Fourth Amendment lacks certainty. Although the Fourth Amendment has succeeded in permitting changes in privacy rights as those changes have been needed for social advancement, the Fourth Amendment runs the risk of becoming subordinate to technology if courts continue to hold no privacy exists where technology makes privacy difficult to maintain.
To avoid such an outcome and provide some stability, members of Congress have begun drafting legislation. [FN149] One proposed bill, the Security and Freedom through Encryption (SAFE) Act, seeks to amend Title 18 of the United States Code to permit encryption for lawful use. [FN150] Cryptography already has been successful in protecting confidential consumer transactions and government activity. [FN151] It promises to provide the same protection to individuals without sacrificing the government's ability to locate and punish those engaged in illegal computer activity.
In April 1999, the Senate incorporated SAFE into a larger proposed bill, known as the Electronic Rights for the 21st Century Act. [FN152] This bill, like SAFE, would permit the use, sale and purchase of encryption code. [FN153] In addition, it would tighten warrant requirements for computer wiretaps and require notification to the party whose communications would be monitored pursuant to a warrant. [FN154]
The push in Congress to formulate and pass amendments to Title 18 which would permit encryption reflects a growing consensus that technology should cure the privacy problems which technology created by use of cryptography. [FN155] The utility of encryption is that it 1) indicates that the person who knowingly communicates by encrypted code has a subjective expectation of privacy; and 2) renders that expectation of privacy reasonable since anyone who accesses the communication must decode it to understand it. [FN156] Despite its utility, however, the United States government has sought to control the extent to which encryption code may be used, particularly where it could be used to hide the secrets of foreign governments. [FN157]
In Bernstein v. United States Department of State [FN158] and Karn v. United States Department of State, [FN159] district courts considered challenges to executive branch controls on the export of encryption code. The Bernstein court held that encryption code is speech protected under the First Amendment. [FN160] As a result, the court held the government could not prohibit the commercial use of encryption code because such a prohibition would be a prior restraint on speech in violation of the First Amendment. [FN161] Conversely, the Karn court held regulation of encryption code was a constitutionally permissible method of protecting national security. [FN162] It held the regulations at issue were not based on the contentof the code, but security concerns, and therefore did not implicate the First Amendment. [FN163] The only appellate case addressing the issue to date is a decision from the United States Court of Appeals for the Ninth Circuit which affirmed Bernstein and stated in dicta that there may be a Fourth Amendment right to encrypt communications. [FN164] A few months after the Ninth Circuit issued its opinion, however, it withdrew the same opinion and ordered that the case be reheard. [FN165]
Legislation proposed by Congress pertaining to encryption does not prohibit executive branch control over the use of encryption technology involving foreigners. [FN166] It does not set boundaries on the government's ability to control use of encryption where the government claims national security may be at stake. The proposed legislation also fails to resolve ambiguities in current provisions of Title 18, like the electronic communications service provider exception. The most serious drawback of the proposed legislation is its failure to address warrantless searches. Congress has not attempted to define public and private boundaries of computer transmissions which could assist courts in determining whether a defendant has a reasonable expectation of privacy. Instead, Congress has proposed legislation that would increase the facilities which could disclose information, [FN167] and looked to the use of warrants and encryption to protect users against surveillance. [FN168] Congressional efforts to address warrantless searches have failed to produce any drafted legislation, [FN169] and legislation currently under consideration does not even create any presumption of privacy where encryption or passwords are used.
The executive branch, in turn, has requested Congress consider its version of a cyberspace bill entitled, The Cyberspace Electronic Security Act of 1999 (CESA). [FN170] CESA, while acknowledging the importance of encryption for privacy, is concerned primarily with decrypting communications related to criminal activity. [FN171] CESA would permit law enforcement officers to decrypt data or communications without a warrant, as long as the officers could obtain a warrant within forty-eight hours of decryption, thereby reducing privacy in cyberspace. [FN172] Because Congress has not agreed upon what rules should govern encryption, courts will have to decide whether encryption is a legally permissible manifestation of an expectation of privacy or a legitimate way to protect an existing right to privacy.
Password protection is another method by which technology can solve the privacy problems which technology created. An attempt to prevent access to computer records or communications by password protection may create a presumption that the user had a reasonable expectation of privacy, but courts have not been consistent in their treatment of attempts to protect privacy. [FN173] In Sega Enterprises, Ltd. v. MAPHIA, [FN174] the court rejected the contention that a bulletin board's password requirement protected it from unauthorized access. [FN175] In United States v. Maxwell, [FN176] however, the court found use of an alias indicated the user had a reasonable expectation of privacy. [FN177] A statute which recognizes an attempt to keep communications or data private (by the use of passwords, aliases or encryption) as a manifestation of an expectation of privacy; while punishing those who conceal illegal activity, would enable courts to punish intrusive surveillance without sacrificing law enforcement objectives.
Currently, neither Fourth Amendment principles nor federal statutes provide protection that is comprehensive or consistent. Comprehensiveness and consistency can be achieved through statutes that define computer users' rights, the limitations of those rights, and remedies for the wrongful access or use of computer communications. Given the increasing reliance upon computers and the increasing ability to access computers, it is imperative that a coherent set of rules regarding access to and use of private computer records and transmissions be developed. Without a coherent set of rules, unrestrained intrusion into private computer records or communications will continue to cause litigious and harmful results for unwary computer users. These unfortunate results could lead computer users to distrust the utility of computers to store or transmit private information.
[FNa1]. This note is dedicated to James Kodilla for teaching me the importance of constitutional protection and encouraging my study of law. This note received the Barbara W. Makar writing award for Fall 1999.
[FN1]. See FEDERAL TRADE COMM'N, PRIVACY ONLINE: A REPORT TO CONGRESS 23 (June, 1998) <http://www.ftc.gov/reports/privacy3/priv-23a.pdf>.
[FN2]. See id. at 27.
[FN3]. See Complaint and Req. for Inj., CENTER FOR DEMOCRACY & TECHNOLOGY, 1-2 (Feb. 26, 1999) <http://www.cdt.org/privacy/intelcomplaint.shtml>. The Pentium III chip is not the first to raise concerns about computer privacy. See Wyman P. Berryessa, Escrowed Encryption Systems: Current Public Policy May Destroy Valued Constitutional Protections, 23 U. DAYTON L. REV. 59, 68 (1997). The Clipper Chip, which the government designed to protect computer privacy by encrypting communications, was abandoned following a storm of protest. See id. at 67-68. The public rejected the Chip because it was designed to enable the government to monitor communications to and from a computer in which the Chip was installed by a mechanism called the Law Enforcement Access Field (LEAF). See id. at 67. Civil rights and privacy groups worried that the government would require all computers to be manufactured with a Clipper Chip, resulting in unprecedented government monitoring of personal communications. See id. at 67-68.
[FN4]. See 139 CONG. REC. S6122 (daily ed. May 19, 1993) (statement of Sen. Simon).
[FN5]. See id.; 139 CONG. REC. E1077-78 (daily ed. Apr. 29, 1993) (statement of Rep. Williams); Electronic Privacy Information Center, Protect Your PC's Privacy (visited Feb. 27, 1999) <http://www.bigbrotherinside.com>.
[FN8]. For information regarding state privacy law, see Kevin J. Baum, E- Mail in the Workplace and the Right of Privacy, 42 VILL. L. REV. 1011, 1018-21 (1997); see also Lyrissa Barnett Lidsky, Prying, Spying and Lying: Intrusive Newsgathering and What the Law Should Do About It, 73 TUL. L. REV. 173, 193- 216 (1998) (discussing common law privacy claims).
[FN10]. See Frederick Schauer, Internet Privacy and the Public-Private Distinction, 38 JURIMETRICS J. 555, 562-63 (1998) (arguing that notions of privacy change as technology changes because technology changes our expectations). The prospect of technology eradicating current notions of privacy as technology enables greater access to information has caused concern which some courts are beginning to discuss. See, e.g., United States v. Cusumano, 83 F.3d 1247, 1254 (10th Cir. 1996) (McKay, J., dissenting in part and concurring in part) (discussing the Fourth Amendment problems which the use of thermal imaging to conduct a search has raised):
[I]f we permit information obtained by thermal imaging to be considered waste, abandoned, or to be characterized as having some other non-protected legal status, then we not only permit unwarranted invasions by the police but analytically destroy civil remedies against privacy invaders such as the paparazzi and tabloid photographers. Our failure to draw the line at this first and primitive warrantless invasion would make it particularly difficult to protect against the use of "passive" devises of the future that would invade the privacy of our chambers or that would re-create the full range of the activities in our homes by way of computer-assisted images broadcast at the station house, at the newsroom of the local press or television station, or on the Internet. This modest parade of the horribles is not fanciful: Any user of the Internet or follower of the news media is aware of the fact that the Brave New World is at hand.
Id.; see also Wesley v. WISN Div., 806 F. Supp. 812, 814 (E.D. Wis. 1992) (rejecting the plaintiff's privacy claim, but noting, "we do not have to assume that as soon as we leave our homes we enter an Orwellian world of ubiquitous hidden microphones").
[FN16]. See id. at 361. Subsequent use of the reasonable expectation test occurred in: O'Connor v. Ortega, 480 U.S. 709, 718 (1987); California v. Ciraolo, 476 U.S. 207, 211 (1986); Oliver v. United States, 466 U.S. 170, 177 (1984); Smith v. Maryland, 442 U.S. 735, 740 (1979); United States v. White, 401 U.S. 745, 752 (1971).
[FN18]. See Michelle Skatoff-Gee, Changing Technologies and the Expectation of Privacy: A Modern Dilemma, 28 LOY. U. CHI. L.J. 189, 191 (1996).
[FN19]. See id.
[FN20]. See id. at 191 n.18.
[FN22]. See Skatoff-Gee, supra note 18, at 191.
[FN25]. See id. at 712-13. The Fourth Amendment applied to the employer because the employer was a state hospital and, therefore, a government entity subject to the limitations of the Fourth Amendment as applied to the states under the Fourteenth Amendment. See id. at 714. The Court noted, "The strictures of the Fourth Amendment, applied to the states through the Fourteenth Amendment, have been applied to the conduct of governmental officials in various civil activities." Id.
[FN26]. See id. at 718.
[FN27]. See id.
[FN28]. See id. at 719.
[FN29]. See id. at 718.
[FN30]. See id. at 716.
[FN31]. See Note, Keeping Secrets in Cyberspace: Establishing Fourth Amendment Protection for Internet Communication, 110 Harv. L. Rev. 1591, 1599 (1997). "Because the architecture of cyberspace is dissimilar to most conventional notions of place, analogizing cyberspace to a place for purposes of the Fourth Amendment has serious limitations." Id.
[FN32]. 29 F. Supp. 324 (E.D. Va. 1998).
[FN33]. See id. at 326.
[FN34]. See id. at 325-26.
[FN35]. See id. at 327.
[FN36]. See id. at 328.
[FN37]. See id.
[FN38]. See id.
[FN39]. See id. at 325, 328.
[FN40]. See id. at 327-28.
[FN44]. See id.
[FN45]. See id. The court's opinion was based upon its disagreement with the military's "don't ask, don't tell" policy. See id. at 221.
[FN47]. See id. at 219.
[FN48]. See id. The court noted that statements posted on the Internet often lack reliability since cyberspace "invites fantasy and affords anonymity ...." Id. When referring to the Navy's failure to comply with the warrant requirement of the ECPA, the court said in dicta, "In these days of 'big brother,' where through technology and otherwise the privacy interests of individuals from all walks of life are being ignored or marginalized, it is imperative that statutes explicitly protecting these rights be strictly observed." Id. at 220.
[T]he maker of a telephone call has a reasonable expectation that police officials will not intercept and listen to the conversation .... Drawing from these parallels, we can say that the transmitter of an e-mail message enjoys a reasonable expectation that police officials will not intercept the transmission without probable cause and a search warrant.
Id. at 418 (citations omitted). The Maxwell court also rejected the idea that e-mail files were subject to plain view because they had to be opened prior to seeing the contents. See id. at 422.
[FN55]. See Katz, 389 U.S. 351.
[FN57]. See, e.g., Sega, 948 F. Supp. at 927-30, 939 (holding a bulletin board operator was liable for copyright and trademark infringement after posting pirated Sega software for downloading). The Sega court noted that the bulletin board was open to the public and, therefore, the bulletin board operator could not claim information stored on it was private. See id. at 927, 930.
[FN58]. See Davis v. Gracey, 111 F.3d 1472, 1478-79 (10th Cir. 1997) (rejecting defendant's privacy claim to seized computer equipment because the defendant used the equipment to post pornographic material on a bulletin board).
[FN64]. See id.
[FN65]. See id. at 1179.
[FN66]. See id. at 1184.
[FN67]. See id.
[FN68]. See id.
[FN69]. See id. at 1184-85. The court noted that privacy to the e-mail one sent diminished when received because the recipient of the e-mail then could send it to others on the Internet. See id. at 1185.
[FN70]. See id. The defendant in Charbonneau also raised a First Amendment claim which the court rejected outright as meritless. See id. at 1184. In light of Reno v. ACLU, 521 U.S. 844, 117 S. Ct. 2329, 2345, 2351 (1997), material transmitted by Internet which is offensive but may not be obscene, is protected under the First Amendment.
[FN78]. See id.
[FN79]. See id. at 1480.
[FN80]. See id.
[FN81]. Id. The court compared the computer to a container used to store contraband. See id.
[FN85]. See Skatoff-Gee, supra note 18, at 197.
[FN86]. See Thomas R. Greenberg, E-Mail and Voice Mail: Employee Privacy and the Federal Wiretap Statute, 44 AM. U.L. REV. 219, 227 (1994); Skatoff-Gee, supra note 18, at 193-94.
[FN87]. See Greenberg, supra note 86, at 227.
[FN88]. See Baum, supra note 8, at 1021-22. The ECPA and its predecessor, Title III of the Omnibus Crime Control and Safe Streets Act of 1968, contained exceptions to liability for interception of communications. See Greenberg, supra note 86, at 235-36. Omnibus permitted monitoring another call by extension telephone if done in the ordinary course of business and the extension was provided by a communications carrier in the ordinary course of business. See id. at 235. How the "ordinary course of business" exception applied was disputed among the circuits. See id. at 235 n.88. The ECPA altered the language of the exception to permit an interception by a device which "'a provider of wire or electronic communication service"' furnished in the ordinary course of business "and used by [a] subscriber 'in the ordinary course of its business."' See id. at 236. Arguably, the language broadened the category of monitoring excluded from the statute because any private employer network may contain a device provided by a wire or electronic communications service provider in the ordinary course of business which the employer could use in the ordinary course of business to monitor employee activity and efficiency. See id. However, courts may distinguish using a communications device for business purposes and using it to spy. See George v. Carusone, 849 F. Supp. 159, 164 (D. Conn. 1994) (holding, "If a person surreptitiously records a telephone conversation, then the [ordinary course of business] exception does not obtain").
[FN98]. See id.
[FN99]. See id. at 461-62.
[FN101]. See Payne v. Norwest Corp., 911 F. Supp. 1299, 1304 (D. Mont. 1995); Skatoff-Gee, supra note 18 at 201-03.
[FN104]. See id. at 379, 389-90. The court in Pitts also differentiated between the computer screen, which it considered just a medium, and the wire by which a message is transmitted, to determine that an interception could not occur unless information was tapped while moving across the wire. See id. at 384. The court noted, "Simply put, Congress had in mind more surreptitious threats to privacy than simply looking over one's shoulder at a computer screen when it passed the ECPA." Id.
[FN105]. See Thompson v. Dulaney, 838 F. Supp. 1535, 1542 (D. Utah 1993) (following United States v. Townsend, 987 F.2d 927, 930 (2d Cir. 1989)). In Thompson, the court also refused to find guilt for disclosure of intercepted information where the plaintiff failed to prove the person who disclosed the information knew or should have known the information had been obtained by illegal wiretap. See id. at 1541.
[FN108]. See id. Following the reasoning of Katz, the court held that if a person knew their comments could be detected artificially with ease, then there is no reasonable expectation of privacy. See id. at 815. Some courts have rejected the theory that an expectation of privacy is based on the ability to protect privacy. See Dunlap v. County of Inyo, 121 F.3d 715, 717 (9th Cir. 1997) (unpublished disposition). In Dunlap, the Ninth Circuit held that even where a police department routinely recorded conversations over one of its telephone lines, the employee who used it could have a reasonable expectation of privacy while using it. See id. The court stated, "The capability of monitoring does not create implied consent to any monitoring that occurs. Cellular telephones and electronic mail are both technologies of questionable privacy, but we nonetheless reasonably expect privacy in our cell phone calls and e-mail messages." Id.
[FN112]. See Payne v. Norwest Corp., 911 F. Supp. 1299, 1303 (D. Mont. 1995); George v. Carusone, 849 F. Supp. 159, 164 (D. Conn. 1994); Thompson v. Dulaney, 838 F. Supp. 1535, 1543 (D. Utah 1993). 18 U.S.C. § 2511(2)(d) eliminates liability where there was consent if the interception was not used in furtherance of illegal activity. See 18 U.S.C. § 2511(2)(d) (1998).
[FN113]. See George, 849 F. Supp. at 164. But see Dunlap, 121 F.3d at 717 (holding that police department employee did not consent to monitoring even though the department routinely monitored communications over the telephone line the employee used).
[FN115]. See Steve Jackson Games, Inc. v. United States Secret Serv., 36 F.3d 457, 462 (5th Cir. 1994). In Steve Jackson, the district court held, and the Secret Service did not challenge, that the Secret Service violated Title II of the ECPA by reading and destroying the private e-mail the Secret Service seized. See id.
[FN116]. See id. at 460.
[FN117]. See, e.g., Greenberg, supra note 86, at 248-49 (discussing the irrationality in the difference between Title I and Title II of the ECPA).
[FN118]. See 18 U.S.C. § 2701 (1998) (imposing liability where someone intentionally gains unauthorized access of a "facility through which an electronic communication service is provided ... and thereby obtains, alters or prevents authorized access ....").
[FN124]. See id. at 1108; 18 U.S.C. § 2703(c) (1998). 18 U.S.C. § 2703 contains requirements for government access of electronic communications. See 18 U.S.C. § 2703 (1998). Generally, a warrant, court order, or grand jury or trial subpoena is required for government access. See id. However, a service provider can divulge contents of a communication to law enforcement if the provider notices illegal activity. See 18 U.S.C. § 2702(b). Also, the exceptions to the warrant requirement applicable in warrantless searches under the Fourth Amendment apply under the warrant requirement of 18 U.S.C. § 2703. See United States v. Reyes, 922 F. Supp. 818, 837 (S.D.N.Y. 1996).
[FN127]. See Wesley College v. Pitts, 974 F. Supp. 375, 389 (1997), noting "a person who does not provide an electronic communication service ... can disclose or use with impunity the contents of an electronic communication unlawfully obtained from electronic storage." Id.
[FN128]. See Anderson Consulting LLP v. UOP, 991 F. Supp. 1041, 1042 (N.D. Ill. 1998); Sega Enter. Ltd. v. MAPHIA, 948 F. Supp. 923, 930-31 (N.D. Cal. 1996) (holding that subsequent use of stored e-mail obtained without authorization was permissible because it was obtained from bulletin board that did not qualify as provider of electronic communications service to public).
[FN141]. See id. at 1236. The court held the computer network which the city provided its employees made the city a provider within the meaning of the statute because the "terminals, computer and software, and the pagers it issues to its personnel, are, after all, what provide those users with 'the ability to send or receive' electronic communications." Id.
[FN146]. See id. at 1478. A SABRE network is an airline's computerized reservation system. See id. at 1474. Airline agents log onto a SABRE network by password and identification codes and then can obtain flight information and make or alter reservations through the use of Passenger Name Records (PNRs). See id.
[FN147]. See id. at 1478.
[FN148]. See id. The defendants stole frequent flyer miles that were noted as available on SABRE in order to obtain free tickets which they then sold, reaping a profit of over $1 million. See id. at 1474-75.
[FN149]. See Security and Freedom through Encryption (SAFE) Act, H.R. 850, 106th Cong. (1999) reprinted in <http:// www.cdt.org/legislation/106th/encryption/safe.html> (visited Aug. 15, 1999); Staff Discussion Draft of the Online Privacy Protection Act of 1999 (visited Mar. 19, 1999) <http://www.senate.gov/burns/private.htm>; 139 CONG. REC. E2102 (daily ed. Sept. 8, 1993) and E1077 (daily ed. Apr. 29, 1993) (statements of Rep. Williams).
[FN150]. See H.R. 850.
[FN151]. See Berryessa, supra note 3, at 66.
[FN152]. See 145 CONG. REC. S4041-S4044 (daily ed. Apr. 21, 1999) (statement of Sen. Leahy).
[FN153]. See 145 CONG. REC. S4044-S4045 (daily ed. Apr. 21, 1999) (statement of Sen. Leahy). The proposed legislation would also permit forced decryption pursuant to a warrant during a criminal investigation. See id.
[FN154]. See 145 CONG. REC. S4043-S4045 (daily ed. Apr. 21, 1999) (statement of Sen. Leahy). The proposed legislation permitting encryption would allow decryption of communications pursuant to a warrant. See id. at S4044- S4045.
[FN155]. See Wayne Madsen et al., Cryptography and Liberty: An International Survey of Encryption Policy, 16 J. Marshal J. Computer & Info. L. 475, 479 (1998) (discussing the Global Internet Liberty Campaign to protect on- line rights by encrypting communication). A survey of seventy-six countries showed the majority of countries do not regulate cryptography. See id. at 482. In addition, the Organization for Economic Cooperation and Development and the European Union are relaxing controls of cryptography to enhance commercial encryption technology development. See id. at 482-83.
[FN156]. See Berryessa, supra note 3, at 63. Encryption disguises a message by using an algorithm to translate a computer's code into meaninglessness. See id. Depending upon whether the encryption system uses a "public key" or "private key," the encryption code may be deciphered by the public or just the users. See id. at 64 (providing a detailed explanation of encryption technology).
[FN160]. See Bernstein, 974 F. Supp. at 1306. Following the breadth of First Amendment protection the Supreme Court granted to Internet communications in Reno v. ACLU, 521 U.S. 844 (1997), the Bernstein court stated, "not only is the distinction between print and electronic media increasingly untenable, but ... the Internet is subject to the same exacting level of First Amendment scrutiny as print media." Id. at 1306-07.
[FN161]. See id. at 1306.
[FN162]. See Karn, 925 F. Supp. at 10; see also Junger v. Daley, 8 F.Supp.2d 708 (E.D. Ohio 1998) (holding encryption code, although sometimes expressive, does not deserve protection under the First Amendment).
[FN163]. See id. The regulations at issue in Karn and Bernstein included the Arms Export Control Act (22 U.S.C. § § 2751-2796d) and the International Traffic in Arms Regulations (22 C.F.R. § § 120-30). See Bernstein, 974 F. Supp. at 1291; Karn, 925 F. Supp. at 3.
[FN166]. See 145 CONG. REC. S4044 (daily ed. Apr. 21, 1999) (statement of Sen. Leahy). The proposed legislation permits "any person within the United States, and for any any United States person in a foreign country" to use encryption, but does not seek to prohibit control over the exportation of encryption code. Id.
[FN168]. See, e.g., 145 CONG. REC. S4043 (daily ed. Apr. 21, 1999) (statement of Sen. Leahy) (proposing government access to electronic communication by warrant or subpoena).
[FN169]. See, e.g., 144 CONG. REC. S8236 (daily ed. July 15, 1998) (statements of Sen. Lott, et al.); 139 CONG. REC. S6122 (daily ed. May 19, 1993) (statement of Sen. Simon); 139 CONG. REC. E1077 (daily ed. Apr. 29, 1993) (statement of Rep. Williams) (discussing the need to pass a "Privacy for Consumers and Workers Act" which would ban hidden monitoring).
[FN170]. See President's Message to the Congress Transmitting the Proposed "Cyberspace Electronic Security Act of 1999," 35 WEEKLY COMP. PRES. DOC. 1760 (Sept. 16, 1999).
[FN171]. See Cyberspace Electronic Security Act of 1999, reprinted in < http://www.cdt.org/crypto/CESA/CESArevised.shtml> (visited Sept. 24, 1999).
[FN172]. See Cyberspace Electronic Security Act of 1999, reprinted in < http://www.cdt.org/crypto/CESA/CESArevised.shtml> (visited Sept. 24, 1999).
END OF DOCUMENT