FOR EDUCATIONAL USE ONLY
Emory Law Journal
Fall 1998
Comment
*1439 ALL
BARK, NO BYTE: EMPLOYEE E-MAIL PRIVACY RIGHTS IN THE PRIVATE
SECTOR WORKPLACE
Alexander I. Rodriguez [FNa1]
Copyright © 1998 Emory University School of Law; Alexander I. Rodriguez
Introduction
Under the secrecy of night, the owner of a large
communications company meets with his special private investigators at the back
entrance of the company building. The owner opens the door and the three
quickly make their way to an employee's cubicle. The investigators, also known
as forensic computer analysts, "bag" the employee's computer by
copying the entire hard drive onto a high-density disk. The team then logs onto
the company's e-mail server and downloads every message in the employee's
account. After a final search, the owner concludes that every pertinent file
has been copied and they exit the building. With any luck, the owner will find
what he was looking for: documentation revealing the employee's secret
correspondence with an on-line job search service. [FN1]
Investigations of employee e-mail, such as the one described above, increased
an average of thirty percent each year from 1994 to 1996. [FN2] For the tens of millions of employees
who are provided e-mail accounts by their employers, [FN3] these types of investigations may
constitute illegal invasions of privacy. Such claims often turn on the nature
of the employer, chiefly because the constitutional right to privacy provides
protection only against public employers and not private employers. [FN4] For the most part, the activities *1440
of private employers are subject to state law guidelines, but as the percentage
of privately-owned companies providing e-mail accounts to employees continues
to grow, [FN5] state law is similarly failing to
provide acceptable levels of e-mail privacy protection for such employees.
The effects of technological innovation have made the lack of adequate privacy
protection for employee e-mail even more troublesome. [FN6] People across the world are using
e-mail at increasing rates. [FN7] Moreover, the ongoing shift from the
use of "stand-alone" computers to networked systems, integrating
hundreds of terminals, is leaving personal information dangerously vulnerable
to interested parties. [FN8] Independent surveys confirm that
workplace monitoring is common practice among employers. A 1992 study by the
National Institute for Occupational Safety and Health concluded that nearly
sixty-six percent of all employees who have access to a computer are *1441
electronically monitored. [FN9] Recently, from a survey of companies
employing a total of approximately one million workers, Macworld estimated that
twenty million employees were subject to some type of electronic monitoring
while on the job. [FN10] The pervasiveness of e-mail
monitoring combined with the ease with which private network providers can
infiltrate employee accounts is alarming. But should private employers be
allowed to have indiscriminate access to e-mail accounts on networks financed,
installed, and maintained by corporate funds? Conversely, should, or do,
employees have a right to privacy shielding them from this form of corporate
espionage?
At best, the law provides ambiguous answers to these interdependent questions.
At worst, the law favors the interests of private employers who are also
network providers. Private employers are given great latitude in monitoring
their own e-mail systems, but under certain ill-defined circumstances,
employees may invoke a right to privacy barring corporate access to their
e-mail. As a general rule, to win an invasion of privacy suit against any type
of employer, an employee must first be able to prove an expectation of privacy
that outweighs the employer's reasons for monitoring. [FN11] But because employees are, by
definition, agents of the employer, workplace monitoring is considered by many
to be immune to reasonable privacy expectations. [FN12] On the other hand, opponents of
employer monitoring assert that employees consider e-mail a form of private
property [FN13] and that unregulated employer
monitoring retards the benefits e-mail offers. [FN14] Those who wish to strengthen employee
e-mail privacy rights point out that most courts rule in favor of employers
when employees are merely given advance notice that monitoring will occur. [FN15] Conflicts between employers and
employees arise largely from these opposing concepts regarding the nature and
use of e-mail. [FN16]
*1442 Suggestions as to how employee e-mail privacy can be
improved must not only protect the remarkable benefits of e-mail use in the
workplace, [FN17] but must also consider a future
where e-mail may become the primary means for worldwide communication. As such,
Part I of this Comment analyzes the various sources of the right to privacy as
applied in the workplace environment, including the United States Constitution,
state constitutions, federal legislation, state legislation, and state common
law. [FN18] Part II reviews several proposals
offered by legislators and legal scholars to strengthen employees' right to
privacy over e-mail. [FN19] Expanding on these existing
suggestions, Part II also presents a statutory presumption, whereby an employee
would be presumed to have reserved her right to e-mail privacy unless expressly
waived, as a possible means for strengthening the right to e-mail privacy in
the private sector workplace. [FN20] Finally, to help those urgently in
need of e-mail privacy protection, Part III offers two self-help solutions now
available to interested employees: anonymous remailers and encryption software.
[FN21]
I. Sources of the Right to Privacy
A. United States Constitution
The right to privacy is not expressly mentioned in the text of the United
States Constitution. However, in the landmark case of Griswold v. Connecticut, [FN22] the Supreme Court determined that
"specific guarantees in the Bill of Rights have penumbras, formed by
emanations from those guarantees that help give them life and substance.
Various guarantees create zones of privacy." [FN23] Specific guarantees in the Bill of
Rights do not explicitly provide for *1443 a right to privacy,
but in the employment context, the right is usually derived from the Fourth
Amendment, which states: "The right of the people to be secure in their
persons, houses, papers, and effects, against unreasonable searches and
seizures, shall not be violated." [FN24]
United States Supreme Court case law has shaped the substantive limits of the
Fourth Amendment right to privacy. In the seminal case of Katz v. United
States, [FN25] Justice Harlan effectively
established the "reasonableness" test, a standard which still serves
as the method of analysis for claims invoking the constitutional right to
privacy. This balancing test weighs relevant govern-ment interests against the
individual's expectation of privacy. [FN26]
The first case to consider the application of Fourth Amendment privacy
protections in the workplace context was O'Connor v. Ortega. [FN27] In this *1444
decision, the Supreme Court determined that the "reasonableness"
test, rather than the express Fourth Amendment requirement of a warrant
supported by probable cause, would apply to searches and seizures conducted by
public employers. [FN28] The facts of Ortega were as follows:
Dr. Magno Ortega, Chief of Professional Education at Napa State Hospital
("Hospital"), claimed that employees of the Hospital conducted an
illegal search of his office. At the time of the search, Dr. Ortega was the
subject of a Hospital investigation stemming from various allegations of
professional misbehavior. [FN29] In balancing Dr. Ortega's reasonable
expectation of privacy [FN30] against the Hospital's need for
"super-vision, control, and . . . efficient operation of the
workplace," [FN31] the Court rejected the notion
"that public employees can never have a reasonable expectation of privacy
in their place of work." [FN32] Yet, the Court asserted:
The operational realities of the workplace . . . may make some employees'
expectations of privacy unreasonable when an intrusion is by a supervisor
rather than a law enforcement official. Public *1445 employees'
expectations of privacy in their offices, desks, and file cabinets, like
similar expectations of employees in the private sector, may be reduced by
virtue of actual office practices and procedures, or by legitimate regulation. [FN33]
Due to the procedural posture of the case, the Court refused to decide whether
the search of Ortega's office was reasonable. [FN34] Instead, the Court simply reversed
the summary judgment in favor of Ortega, stating that "the record was
inadequate for a determination on motion for summary judgment of the
reasonableness of the search and seizure." [FN35] Nevertheless, by asserting that
employer activity or regulations could affect an employee's reasonable
expectation of privacy, the Court provided an avenue for public employers to
significantly reduce or eliminate an employee's expectation of privacy in the
workplace.
Because the Constitution limits only state actors, the Fourth Amendment right
to privacy may seem irrelevant to a discussion of employee e-mail privacy
rights in the private sector. [FN36] However, constitutional privacy
jurisprudence has tremendously influenced judges confronted with invasion of
privacy claims derived from other legal sources, such as state constitutions,
state common law, and state statutory law. For example, the Katz
"reasonableness" test is essentially the same approach used by state
courts to analyze the common-law tort of invasion of privacy. [FN37] Thus, knowledge of the Fourth
Amendment standard and how it has been applied to workplace privacy disputes is
fundamental to an understanding of how courts examine claims based on other
sources of a right to privacy. [FN38]
*1446 B. State Constitutional Law
Like the United States Constitution, most state constitutions do not expressly
provide a right to privacy but do offer protections against unreasonable
searches and seizures. [FN39] Similarly, judicial interpretations
of these state constitutional provisions have, for the most part, limited the
privacy right to protect only against government intrusions. [FN40] However, ten state constitutions do
explicitly grant a right to privacy. [FN41] In general, courts of these states
have created zones of privacy broader than the privacy protections granted by
the Fourth Amendment, [FN42] but nine of these states still
maintain that *1447 their constitutional right to privacy applies
only against governmental agencies. [FN43]
California is the only state to have ruled that its constitutional right to
privacy provides a cause of action against public and private entities. [FN44] Until recently, most California
courts required private employers to show a "compelling interest" in
order to justify employee monitoring. [FN45] However, in the 1994 case of Hill v.
National Collegiate Athletic Ass'n, [FN46] the California Supreme Court
rejected the "compelling interest" requirement in favor of a "balancing
test" in which the privacy interest at stake must "be specifically
identified and carefully compared with competing or countervailing privacy and
nonprivacy interests." [FN47] In practice, the California
"balancing test" closely resembles the Fourth Amendment
"reasonableness" test, though in California, the plaintiff may rebut
the employer's justifications for an intrusion by showing that other actions
could have been taken by the employer which would have had a lesser impact on
the employee's privacy interests. [FN48]
In spite of state reluctance to extend constitutional privacy rights to the
private sector, some commentators contend that employees could prevail by
arguing that constitutional privacy provisions support a state public policy
favoring regulation of intrusions in the private workplace. [FN49] This type of argument could support
a constitutionally-based tort claim [FN50] and has achieved *1448
some degree of success in Alaska. In Luedtke v. Nabors Alaska Drilling, Inc., [FN51] the Alaska Supreme Court interpreted
the privacy provision of the state constitution to reflect a public policy
restricting specific types of intrusions by private employers. Nevertheless, no
state court has yet ruled that public policy prohibits private employers from
monitoring employee e-mail.
C. Federal Legislation
Although the Constitution sets search and seizure limitations on federal and
state employers, Congress has enacted statutes that limit the monitoring
activities of private employers. In 1986, Congress attempted to address the
issue of e-mail privacy in the private sector by passing the Electronic
Communications Privacy Act ("ECPA"). [FN52] While the Electronic Communica-
tions Privacy Act added electronic communications to an existing list of
protected communications, it took away many protections by retaining or adding
several statutory exceptions which leave employee e-mail exposed to private
employers.
1. The Electronic Communications Privacy Act of 1986
Drafted to amend the technologically outdated Title III of the Omnibus Crime Control and Safe Streets Act of 1968 ("Title III"), [FN53] the ECPA's goal was to respond to unforeseen privacy issues emerging from new communication technologies. [FN54] Of the changes implemented by the ECPA, perhaps the most significant was the insertion of the term "electronic communication" wherever Title III previously only protected wire and oral communications. [FN55] Substantively, the ECPA extended the coverage of Title III by (1) prohibiting unauthorized interceptions by all carriers, not just common *1449 carriers, of electronic communications; [FN56] and (2) by prohibiting the interception of electronic messages in transmission [FN57] and in storage. [FN58] These two changes were intended to address "the growing problem of unauthorized persons deliberately gaining access to, and sometimes tampering with, electronic or wire communications that are not intended to be available to the public." [FN59] Under the ECPA, liability may be imposed against any individual who "intentionally intercepts, endeavors to intercept, or procures any person to intercept or endeavor to intercept, any wire, oral, or electronic communication." [FN60] Because e- mail transmission is virtually instantaneous and many network providers back-up e-mail messages on company servers, the provision regarding "electronic storage" was added. [FN61] This passage declares that anyone who "(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or (2) intentionally exceeds an authorization to access that facility . . . while it is in electronic storage" [FN62] may be subject to fines or imprisonment. [FN63] Although e-mail is not explicitly mentioned as a protected communication, subsequent judicial decisions have squarely placed e-mail within the protective zone created by the ECPA. [FN64]
*1450 2. Exceptions Within the ECPA
Difficult questions of law are implicated when courts attempt to apply the ECPA to cases involving e-mail intrusions by private network providers, [FN65] because the ECPA allows all network providers, under certain conditions, to monitor employee communications. [FN66] These statutory "loopholes" are (a) the provider exception; [FN67] (b) the business extension or ordinary course of business exception; [FN68] and (c) the consent exception. [FN69]
(a) The Provider Exception
Adding only the term "electronic communication" to
the list of protected communications, the ECPA adopted the original text of the
so-called "provider exception" from Title III. Section 2511(2)(a)(i)
states:
It shall not be unlawful under this chapter for an operator of a switchboard,
or an officer, employee, or agent of a provider of wire or electronic
communication service, whose facilities are used in the transmission of a wire
or electronic communication, to intercept, disclose, or use that communication
in the normal course of his employment while engaged in any activity which is a
necessary incident to the rendition of his service or to the protection of the
rights or property of the provider of that service . . . .
*1451 In clearer terms, this exception allows network providers
to intercept, disclose, or use employee e-mail if the privacy intrusion in
question is made during the ordinary course of business and is either: (1)
necessary to the rendition of service or (2) necessary to protect the rights or
property of the company. Presumably, a private provider could always justify an
intrusion into employee communications to protect against breaches of
confidentiality, trade secret theft, or system maintenance. [FN70] In the case of stored
communications, all providers are subject to similar justifications for
accessing employee e-mail saved on a company server. [FN71]
A few cases, most of which were decided before the ECPA, have raised issues
governed by the provider exception. [FN72] In Flanagan v. Epson America, [FN73] the court was confronted with the
legality of an e-mail interception under the California wiretapping statute,
but addressed the applicability of the ECPA to the dispute in a footnote,
finding that the provider exception would have exempted the private network
provider from liability. [FN74] The seemingly broad coverage of the
provider exception has caused many commentators to caution private network
providers against depending too heavily on its protection. [FN75] *1452 At a minimum,
the provider exception should not be able to be utilized by employers who
furnish networks through public providers. [FN76]
Some basic interpretive issues regarding the provider exception have yet to be
determined. For example, when exactly does a company achieve "network
provider" status? [FN77] Pre-ECPA cases do provide some
support for the argument that employers can be "network providers"
and therefore have a right to access employee e-mail for business-related
reasons. [FN78] Certainly, these cases could also
support the argument that employers who operate an internal e-mail system have
the right to monitor use of the e-mail system for security reasons or to
prevent excessive use of the system for personal or non- work related
activities. [FN79] A second unresolved issue under the
provider exception emerges when a private network provider allows a significant
number of outsiders to utilize its system. In this situation, should the
employer continue to exist as a private provider, potentially allowing the
employer access to e-mail of non-employees? If not, should a court try to make
a distinction between the e-mail privacy rights of employees vis-a-vis non-
employees?
(b) The Business-Extension Exception
Rather than focusing on the entity providing the
communications system, the business-extension exception rests on the type of
equipment used to access a transmission. In order to maintain a claim under the
ECPA, a plaintiff must *1453 establish that the alleged violator
accessed a message with an "intercepting device"; [FN80] however, in defining such devices, 18 U.S.C. § 2510(5)(a)
ex-cludes:
(a) any telephone or telegraph instrument, equipment or facility, or any
component thereof, (i) furnished to the subscriber or user by a provider of
wire or electronic communication service in the ordinary course of its business
and being used by the subscriber or user for connection to the facilities of
such service and used in the ordinary course of its business; or (ii) being
used by a provider of wire or electronic communication service in the ordinary
course of its business, or by an investigation or law enforcement officer in
the ordinary course of his duties.
In other words, this provision lawfully permits a network provider to access
e-mail so long as (1) the intercepting device is part of the communications
network and (2) the device is used in the ordinary course of business. To
determine whether the intercepting device is used "within the ordinary
course of business," courts have assessed whether an employer has a
"legal interest" in monitoring communications. [FN81]
Although no court has directly applied this exception to e-mail communications,
[FN82] related judicial decisions shed some
light on how such a case may be determined. Courts faced with an argument
incorporating the business-extension exception have either applied the
"context approach," where the general circumstances surrounding the
intrusion are scrutinized, or the more specific "content approach,"
where the court will first determine whether the communication at issue was
"business" or "personal," and then use the result to decide
whether the employer's business interest justifies the intrusion. [FN83]
(1) The Context Approach
The context approach relies more heavily upon the workplace
environment as opposed to the actual content of the electronic communication. Courts
consider factors such as whether employees were notified that the employer *1454
may intercept communications and whether the employer had a legitimate business
interest justifying the monitoring policy. [FN84] It is settled law that unlimited
monitoring is unlawful under the ECPA, that courts will explore the reasons for
employee monitoring, and that courts will limit the scope of monitoring if
necessary. [FN85] Under this type of scrutiny,
employers will usually escape liability if they satisfy a checklist of
objective notice requirements. [FN86] Some courts will require, at a
minimum, that employers give employees some notice of communications
monitoring. [FN87] However, because the context
approach makes no distinction among types of electronic messages, personal and
business e-mail are lumped together at an equal level of protection. [FN88]
One of the first cases to develop the context approach was United States v.
Harpel. [FN89] An officer, convicted for unlawfully
disclosing a taped telephone conversation between other police officers, [FN90] argued that because the recordings
had been made through an extension telephone, the
"business-extension" exemption cleared him of liability. [FN91] Affirming the conviction, the Tenth
Circuit did not agree with this broad interpretation of the statutory
exemption, stating that the officer failed to show that the recording was made
in the ordinary course of business. [FN92] More importantly, the Tenth Circuit
instituted a minimum standard for workplace monitoring, including proper
employer authorization and adequate employee notice. [FN93]
*1455 Five years later, the Tenth Circuit applied the context
approach in James v. Newspaper Agency Corp. [FN94] In this case, an employer attached a
monitoring system to the phone lines of employees in the customer service
department. After giving notice to its employees that such a system was going
to be activated, and absent employee protest, the installation was completed. [FN95] An invasion of privacy lawsuit
brought by an employee prompted the Tenth Circuit to look at the reasons why
such a monitoring system was needed. The company extended two business
justifications in support of the monitoring device: (1) to protect employees
against abusive calls and (2) to enable supervisors to provide training and
instruction to employees in the area of corporate public interaction. [FN96] Based on these justifications, the
court validated the use of the monitoring system and distinguished it from
Harpel by highlighting the advance notice given to employees and the asserted
business justifications. [FN97]
Finally, the modern application of the context approach was articulated in Deal
v. Spears. [FN98] In this case, the Eighth Circuit
recast the context inquiry into a two-pronged approach, requiring (1) that the
interception equipment be provided to the subscriber by the phone company or
connected by the provider to the phone line, and (2) that the interception be
in the ordinary course of business. [FN99] Deviating from other circuit court
holdings, the court found that because the device used to monitor employee
calls was purchased separately and not a part of the communications system, the
interception was not covered by the exception. [FN100] In spite of such a finding, the
court went on to investigate the second requirement as to whether the
interception was in the ordinary course of business. [FN101] The employer reasoned that such monitoring
was needed to catch store burglars and suppress theft in general. [FN102] The court agreed that this interest
justified some monitoring, but not to the extent practiced by the employer. [FN103] Evidence revealed that the employer
recorded twenty-two hours of calls by the plaintiff employee, most of which
were *1456 personal and unrelated to any business interest. [FN104] Furthermore, not only were the
business justifications clearly insufficient to substantiate such an intrusion,
the court went on to cite notice and consent violations and concluded that the
interception was clearly not in the "ordinary course of business." [FN105]
(2) The Content Approach
Unlike the context approach, the content approach focuses on
the subject matter of the intercepted conversation. Unequivocally, courts have
ruled that employers can lawfully intercept all "business"
communications, but have very limited rights to monitor "personal"
communications. [FN106] For instance, in Watkins v. L.M.
Berry & Co., [FN107] an employer exceeded its stated
monitoring policy by intercepting a personal call during which an employee
discussed a job interview with a prospective employer. [FN108] The court emphasized that the
phrase "in the ordinary course of business" should not be extended to
include communications about which the employer is merely curious. [FN109] Moreover, the court held that an
employer must show that the particular interception at issue was in the
ordinary course of business. [FN110] The court required a demonstrable
"business interest" in the subject matter of the intercepted call. [FN111] Personal calls are never "in
the ordinary course of business . . . except to the extent necessary to guard
against unauthorized use of the telephone or to determine whether a call is
personal or not." [FN112] The court added that, in practice,
a manager must stop listening to an intercepted call as soon as it is
determined that the call is personal. [FN113]
*1457 In contrast, two cases exist in which courts liberally
construed the principles of the content approach. First, in Briggs v. American
Air Filter Co., [FN114] the Fifth Circuit explicitly
rejected the notion that a non-consensual interception is never allowed within
the confines of the business-extension exception. [FN115] The court stressed that under
circumstances such as those in Briggs, if an employer has suspicions that
confidential business information is being disclosed to competitors by
employees, "it is within the ordinary course of business to listen in on
an extension phone for at least so long as the call involves the type of
information [the employer] fears is being disclosed." [FN116] Had the employer in Briggs
monitored any personal portion of the call or engaged in a general practice of
unauthorized monitoring, the case might have been decided differently. [FN117] Similarly, in Epps v. St. Mary's
Hospital of Athens, Inc., [FN118] the court ruled lawful an
employer's recording of a telephone conversation between two employees in which
one employee criticized company supervisors. [FN119] As the facts may have produced a
defense for the employer under the content approach, the employees urged the
court to use the context approach. [FN120] Rejecting the plaintiffs' argument,
the court utilized the content approach and found the communication to be a
"business" call protected by the business-extension exception because
(1) it occurred during office hours and involved remarks about a fellow
employee and (2) because the employer had a legal interest in potential
contamination of the work environment. [FN121]
In regard to e-mail monitoring, the context and content approaches of the
business-extension exception indicate two things: (1) an employer who notifies
employees of monitoring is highly insulated from invasion of privacy claims,
and (2) an employer can lawfully intercept an e-mail transmission to the extent
needed to determine whether the message is business-related or personal.
However, the context and content approaches become problematic in the realm of
e-mail, because unlike voice communications, the intruder would likely have
access to the entire message. How far into an e-mail message can a person read
before the "business or private" distinction must be *1458
made? One sentence? One paragraph? Even if courts set a preordained limit on
how far a monitor could read, what happens when business and personal matters
are commingled in one message? As for disclosure of monitoring activity, one
commentator points out that limitations integrated into a monitoring policy
serve only as a form of "damage control." [FN122] He argues that "[a]n employer
who publishes such a policy is thus only limited in that the scope of its
intrusion must match the legitimate business interest justifying the invasion,
and employers can expand the permissible scope simply by offering legitimate
interests justifying broad monitoring policies." [FN123]
(c) The Consent Exception
The consent exception is applicable when one party to a
communication has given prior consent to an interception by a third party. [FN124] This provision represents the most
unambiguous of the ECPA exceptions, but has garnered a considerable amount of
attention in the courtroom. [FN125] Statutorily, the consent exception
will not apply if the communication is intercepted "for the purpose of
committing any criminal or tortious act in violation of the Constitution or
laws of the United States or any State." [FN126] Although the consent exception has
not yet been applied to stored communications, most courts have adopted a
narrow interpretation by holding that consent to intercept a live transmission
may not be implied. [FN127]
As the consent exception was originally included within the language of Title
III, [FN128] judicial treatment of this
exception can be traced back to Campiti v. Walonis. [FN129] In Campiti, the court found that the
use of an extension telephone by the defendant police officer to intercept
telephone conversations between plaintiffs while they were inmates at a state
correctional facility was illegal *1459 under Title III. [FN130] Absent actual consent, the police
officer argued that, under the circumstances, the inmates gave implied consent
to monitoring. [FN131] The court rejected the officer's
argument, explaining that "[t]o accept [the officer's] theory of implied
consent here would completely distort the plain words of section 2511(2)(c),
legalizing an interception where 'one of the parties . . . has given prior
consent to such interception."' [FN132]
In another case involving implied consent, Watkins v. L.M. Berry & Co., [FN133] the employer had an established
monitoring policy in which all business calls would be monitored and personal
calls would be monitored only to the extent necessary to determine whether the
call was business or personal. [FN134] An employee brought suit claiming
that the employer had illegally intercepted one of her personal calls. The
employee argued that the monitoring policy constituted consent for the
monitoring of business calls only and did not allow for monitoring of the full
content of personal calls. [FN135] On the other hand, the employer
argued that consent to monitor all types of calls could be implied from the
circumstances of employment. [FN136] Holding in favor of the employee,
the court reasoned that the purpose of the ECPA would be defeated "if
consent could be routinely implied from the circumstances." [FN137] Furthermore, the court drew a
distinction between two similar situations in which implied consent may be
arguably invoked. In the first scenario, exemplified by the facts in Watkins,
knowledge of the capability of employer monitoring cannot alone serve to
implicate consent by an employee. [FN138] However, in the second scenario,
courts could imply consent when an employee knew or should have known of an
employee monitoring policy or if the employee placed personal calls on lines
reserved for business communications only and which the employee knew were
regularly monitored. [FN139]
*1460 Accepting the reasoning of Watkins, the Eighth Circuit in
Deal v. Spears [FN140] declined to enlarge the parameters
of the consent exception. In this case, the employer argued that the employee's
consent should be implied from the fact that the employer had advised all
employees that monitoring might be necessary to curtail the increasing number
of personal calls on business lines. [FN141] In flatly rejecting the employer's
argument, the court asserted that an announced possibility of monitoring was
insufficient to establish any form of consent. [FN142] In addition, the court explained
that even though an extension to the business line had been connected in the
employer's home, this did not establish consent because the clicking noise
associated with someone picking up another extension was not triggered by the
monitoring device. [FN143]
Cases implicating the consent exception indicate that although an employer is
at risk for liability if it engages in unrestrained monitoring, courts will
usually rule in favor of an employer who has announced a monitoring policy to
its employees and adhered to its limits. [FN144] With respect to e-mail
communications, the rulings of Campiti, Watkins, and Deal bespeak the idea that
such electronic communications could be accessed under the authority of a
published monitoring policy. Consequently, a private employer who issues a
policy to its employees is presumably only limited by the terms of the policy
itself.
D. State Statutory Law
States are free to enact legislation that is more protective than the ECPA and
courts have held that the ECPA will only preempt state law if the state law is
less protective. [FN145] Some states have enacted
legislation giving broader protection to employees. [FN146] Other states have yet to even
include electronic messages as protected communications. [FN147] In fact, in Nebraska, employers are
*1461 specifically exempted from wiretapping restrictions. [FN148] A number of states have used the
ECPA as a model for legislation, incorporating provisions such as the prior
consent and business- extension exemptions. [FN149]
Several commentators hoped that the California Penal Code would serve as a
model for other states interested in expanding statutory privacy protections to
e-mail. [FN150] However, the Shoars v. Epson
America [FN151] ruling by a California superior
court indicated that California statutory law will not protect e-mail in the
private-sector workplace. [FN152] As a result, a California plaintiff
bringing an invasion of e-mail privacy lawsuit will either have to base such a
claim on constitutional or common law theories.
The lack of uniformity in state e-mail privacy legislation is a mixed blessing.
In states with more protective statutes, such as those where the consent of
"all parties" is required, employers could face severe limitations in
monitoring employee communications. ECPA-styled legislation has resulted in little
progress in the area of online privacy rights, as state courts are now dealing
with many of the same interpretive problems faced by federal courts. Presently,
privacy rights differ greatly from state to state and no state has enacted
legislation specifically targeted at employee e-mail privacy rights in the
private sector workplace. Consequently, many plaintiffs have turned to state
common law as a basis for "invasion of privacy" claims.
*1462 E. State Common Law
Samuel Warren and Louis Brandeis first recognized and introduced the right to
privacy into the sphere of American legal ideology through an article published
in the Harvard Law Review in 1890. [FN153] The Warren and Brandeis notion of a
privacy right was based upon a combination of property law, tort law, copyright
law, and damage principles. [FN154] As a result, the modern
understanding of the right to privacy and its individual cause of action, known
as "invasion of privacy," protects a variety of privacy interests.
Traditionally, four activities give rise to liability for an "invasion of
privacy" under common law: [FN155] (1) unreasonable intrusion upon the
seclusion of another, [FN156] (2) misappropriation of another's
name or likeness, [FN157] (3) unreasonable publicity given to
another's private life, [FN158] and (4) publicity that unreasonably
places another in a false light before the public. [FN159] Every state does not recognize all
four claims, [FN160] yet some states offer even greater
protections than those mentioned above. [FN161] The tort most relevant to the
interception of electronic communications is "unreasonable intrusion upon
the seclusion of another." [FN162] One is liable for invasion of
privacy by reason of "intrusion upon seclusion" where he or she
"intentionally intrudes, physically or otherwise, upon the solitude or
seclusion of another or his [or her] private affairs or concerns, if *1463
the intrusion would be highly offensive to a reasonable person." [FN163] The parameters of this tort include
the right to be free from certain kinds of employer activity, such as
communications monitoring. [FN164]
Similar to the standard applied to Fourth Amendment search and seizure cases, [FN165] the four elements of an
"intrusion upon seclusion" claim are (1) whether the intrusion was
intentional, [FN166] (2) whether the act in question is
highly offensive to the reasonable person, [FN167] (3) whether the plaintiff's
activity was subjectively and objectively private, [FN168] and (4) whether the intruder has a
legitimate purpose justifying the invasion. [FN169]
In the context of e-mail monitoring, an employee bringing an "intrusion
upon seclusion" claim should have little difficulty showing that the
intrusion was intentional. [FN170] Likewise, employees should have
little problem demon- strating a subjective expectation of privacy, especially
if the e-mail account in question was password-protected. [FN171] However, an employee may face
serious obstacles proving the remaining elements. For example, if an employer
notified employees that e-mail monitoring could occur, a court may conclude
that the employer's acts were not highly offensive and that an objective *1464
expectation of privacy was unreasonable at the time. [FN172] Furthermore, courts have held that business
interests can justify even extremely invasive activities. [FN173] Several commentators agree that too
much weight is given to "business interests" and that such treatment
marginalizes workplace privacy interests. [FN174] In the end, though state tort law
can directly serve to uphold employee privacy rights in the private sector
workplace, the combination of requirements needed to win an "intrusion
upon seclusion" claim does not favor the employee. [FN175]
II. Improving Employee E-Mail Privacy in the Private Sector Workplace
A. Existing Proposals
Both lawmakers and legal scholars have offered means of increasing employee
e-mail privacy rights in the private sector. At the federal level, the Privacy
for Consumers and Workers Act ("PCWA") was presented to both the
Senate and the House of Representatives in 1993, but ultimately failed to gain
congressional approval. [FN176] Essentially, the PCWA would have required
employers to give advance notice to employees before electronic monitoring
commenced. The type of the advance notice would vary, depending on the
monitored employee's length of service. New employees would have been subject
to random and periodic monitoring during the first sixty days of employment.
Employees with more than sixty days but less than five years of service would
have been subject to monitoring only if the employer supplied a twenty-four
hour written notice and monitored for not more than twenty-four hours a week.
Finally, employees with over five years of experience would have been shielded
from employer monitoring unless the employer could *1465 show a
"reasonable suspicion" that the employee was engaged in criminal
behavior or behavior having a substantive adverse economic effect on the
employer. [FN177] The PCWA did offer a greater degree
of privacy protection to employees, but its specificity rendered many of the
provisions unacceptable to many employers, especially those with experienced
employees. More importantly, though the House bill included e-mail within the
purview of its provisions, the bill introduced to the Senate excluded "the
interception of wire, electronic, or oral communications as described in [the
ECPA]," and thus e-mail, from its definition of electronic monitoring. [FN178]
The "tiered" advance notice scheme proposed by the PCWA was perhaps
its most controversial aspect. One critic stated that "[t]he specific
restrictions that limit[ed] monitoring to only new employees and to specified
amounts of time or observations [we]re too inflexible and d[id] not take into
account the type of business operation." [FN179] As a result, the needs of both
employees and employers failed to be adequately addressed by the PCWA. For
example, the PCWA unsatisfactorily balanced workplace interests by allowing
unrestricted monitoring of new employees despite their special needs (or
established privacy rights) and by creating an unreasonably strict standard for
employers to justify the monitoring of experienced employees, regardless of the
type of work with which an older worker may be involved. [FN180]
The defeat of the PCWA in Congress has prompted many observers to offer their
own proposals for consideration. One commentator's proposal focuses on the
inadequacy of the ECPA and the inflexibility of the PCWA. [FN181] Keeping in mind the need to balance
employee privacy with employer management needs, Dr. Lee suggests adoption of a
"flexible" federal policy "aimed at preventing unreasonable
intrusions relative to varying types of business operations, organizational
needs, and employee privacy needs." [FN182] *1466 Such a policy
would demand that electronic monitoring be "reasonable," requiring
employers to (1) have a "legitimate" business purpose for engaging in
monitoring; (2) use the least intrusive means possible to satisfy the business
purpose; (3) limit the access, use, and disclosure to information reasonably
meeting that objective; and (4) provide reasonable notification of the
monitoring and its use. [FN183] Of equal importance, federal policy
requiring monitoring to be "reasonable" could successfully serve as
the foundation for new legislation which "meet[s] the needs of employee
privacy while preserving employer management needs." [FN184] New legislation should require
employers to "publish and post a policy defining the intended business
uses of e-mail and voice mail systems, and indicate that these systems may be
accessed by the employer without notice to the employees," [FN185] ensuring that employees have some
knowledge of monitoring activity. Additionally, provisions promoting "the
education of employers and employees on the issue and mandat[ing] the
development of company monitoring policies . . . could then provide the
particular specificity that may be needed, within the federal guidelines o[f]
reasonableness." [FN186] New provisions would also require
disclosure of business purposes for adopting an electronic monitoring policy. [FN187] Ultimately, the
"reasonableness" of an employer's e-mail monitoring would be analyzed
by considering the specific work environment and the interests of both the
employees and the employer.
A second commentator suggests new federal legislation explicitly requiring that
a "compelling business interest" be shown by employers to justify
e-mail monitoring. [FN188] Under "such explicit statutory
language, employers will not be able to continue abusive privacy intrusions
simply by minimizing employee privacy expectations to the point where courts
might consider no privacy interest as having been invaded in the first
place." [FN189] Moreover, in each *1467
instance of e-mail interception, the "compelling business interest"
would have to be fulfilled. [FN190] No prior notification provisions
would be required because "any legislation relying on employee notice to
safeguard employee privacy is sorely deficient because notification alone
ultimately serves to institutionalize a marginal view of privacy and legitimize
practices that infringe upon human dignity." [FN191] In other words, judicial reliance
on employee expectations would be eliminated and employers would be barred from
manipulating employee expectations through notification. The implementation of
a "compelling business interest" standard in this area would serve to
tangibly reaffirm the "fundamental" nature of privacy during a period
where privacy rights have dramatically eroded and "emphasi[ze] the
importance of privacy." [FN192]
B. Negotiating Privacy
Individual rights should not disappear upon entering the private-sector
workplace environment. Because the employer-employee relationship is
fundamentally contract-based, [FN193] both parties should be treated as
equals at the bargaining table and in the eye of the law. Proposals which
attempt to place limits on employer monitoring by forcing the employer to
disclose monitoring activity would alert employees to unexpected forms of
monitoring, but would also serve as an announcement to all private employers
that monitoring can be unilaterally instituted. Likewise, a new federal policy
embracing the idea of "reasonableness" would be commendable, but
without statutory mechanisms requiring more than notice, it would do nothing to
stop employers from instituting monitoring policies at their own convenience
and without considering employee privacy.
To be clear, employers should and do have a right to monitor their own
communication networks. However, such a right should be evenly balanced with
the privacy expectations of employees. Courts should recognize that employees
deserve higher levels of privacy protection over e-mail because e-mail is used
for a variety of purposes in the workplace, all of which are not *1468
work- related. Furthermore, e-mail is in many ways similar to traditional mail.
Although e-mail is processed electronically, pressing the "send"
button is much like handing an envelope to the postmaster. Many software
interfaces even display a design resembling a postmark once an e-mail message
has been sent. It is ironic that as more and more e-mail applications attempt
to emulate the procedure of postal carriers, courts refuse to give e-mail the
same type of privacy protection that is given to traditional mail.
In order to equalize employee e-mail privacy rights with employer monitoring
rights, new legislation may offer the most promising avenue for strengthening
employee privacy rights. The Constitution provides no protection against
private employers, a concept supported by a long series of Supreme Court cases.
Though the right to privacy in some state constitutions has been interpreted to
limit actions of private employers, judicial trends indicate that these
protections will not apply to e-mail. Likewise, state court's common-law offers
employees several causes of action which could form the basis for a successful
lawsuit, but the Supreme Court's ruling in Ortega supports the viewpoint that
employee expectations of privacy in the private-sector workplace are minimal at
best. Because common-law formulations essentially weigh employee privacy
interests against employer business interests, the Ortega ruling would serve as
strong precedent against any proposal attempting to increase employee
expectations of privacy. As a result, a common-law proposal strengthening
employee privacy rights would have to limit the scope of acceptable business
interests, such as requiring employers to present a "compelling business
interest" for monitoring.
Legislation, at the state or federal levels, provides a more flexible means for
strengthening employee e-mail privacy in the private sector. Rather than
drafting statutes requiring notice or allowing only specifically tailored
monitoring activity, legislation could be enacted changing the procedure for an
invasion of privacy claim. The statute itself would not provide a cause of
action, but instead, would force courts to presume that employees retain their
right to privacy over e-mail, unless expressly waived. Such legislation could
cover all forms of electronic communications over private networks and would
necessarily become an issue for negotiation at the pre-employment bargaining
table. In other words, instead of employers publishing a generic company wide
monitoring policy, a presumption of non-waiver would force employers to address
privacy rights at an individual level. Moreover, a pre-sumption of non-waiver would
cause the scope of the right to privacy to be negotiated by the employer and
the employee at the beginning of the *1469 employment
relationship rather than later by a court. Such a presumption would also
provide both the employer and employee with a guideline for acceptable
monitoring activities much earlier than a lawsuit. In the end, by making
privacy an issue bargained for and included within the employment contract,
privacy rights would become part of the traditional employer-employee
relationship.
A statute incorporating such a presumption would have to include language which
accommodates employer monitoring. Due to many factors, such as employee
experience or access to sensitive information, employers have interests in
monitoring certain employment positions. Of course, express waiver of all
privacy rights by an employee would destroy the presumption. In this scenario,
the employee would then carry the burden of proving how the alleged privacy
intrusion violated the terms of the waiver agreement, if such a document was
created. However, a more difficult situation could arise if an employee refused
to accept an employer's monitoring proposal and consequently refused to waive
the right to privacy. In this scenario, the statute could provide further language
describing alternative methods in which the presumption could be defeated. For
example, the employer could be allowed to override the presumption of
non-waiver through demonstration of a "compelling business interest."
The statute could further specify that the monitoring activities be
specifically tailored to the "compelling business interest." These
provisions would provide the employer with an argument to defeat the
presumption in cases where an employee refused to waive any privacy rights to
e-mail.
Because procedural presumptions are often based on public policy and fairness
considerations, [FN194] a public policy favoring privacy
regulation in the private-sector workplace could be endorsed to support a
judicial presumption of non-waiver. Some states, such as Alaska, [FN195] have already considered such an
approach and at least one commentator has advocated a public policy of
"reasonableness" in support of new privacy legislation. [FN196] Though limited, the success public
policy arguments have had in state courts suggests that a bill proposing a
presumption of non-waiver may have a better chance of being made into law if
first introduced to state legislatures. Ultimately, a public policy favoring
regulation in the private workplace, paired with a heightened *1470
regard for the contractual nature of the employer-employee relationship, could
serve to justify an adjustment of the burden of proof between the employer and
employee in privacy disputes.
III. Self-Help Remedies To Protect Workplace Privacy Rights
In light of the difficulties prior statutory proposals have
encountered, it would be imprudent for an employee seeking to safeguard e-mail
communica-tions to rely on the passage of new legislation. However, two
self-help options are currently available to employees desiring privacy
protection, namely, anonymous remailers and encryption.
A. Anonymous Remailers
Perhaps the easiest way for e-mail users to protect communications is to send
messages anonymously. In most situations, the identity of each party to a
communication is as valuable as the content of the communication itself. [FN197] For example, an employer may desire
the names of all employees responding to a message calling for a change in
management or, of greater invasiveness, may desire the names of workers posting
messages to an Alcoholics Anonymous online chatroom. [FN198]
According to the Supreme Court, the right to speak anonymously is protected by
the First Amendment and serves many important functions, such as promoting
literature and arts, protecting authors fearing economic or political
retaliation, and protecting those concerned about social ostracism. [FN199] In cyberspace, an author may remain
anonymous by using a variety of mechanisms, but some of the more popular methods
include adopting a pseudonym or using what is known as an "anonymous
remailer"--a service to which a message is initially sent that strips away
all identifying information before forwarding the message to the intended
recipient. Individuals using anonymous remailers should be aware that it can
create online problems such as fraudulent electronic commerce, harassment, and
defamation. [FN200] In light of these concerns, some
commentators have proposed legislation which would eliminate liability for
network providers if they are willing to disclose the *1471
identities of anonymous users who utilize the network to coordinate or conduct
illegal activities. [FN201] Yet, despite these problems, user
anonymity remains a viable option for individuals interested in preserving
e-mail privacy.
B. Encryption
For those desiring stronger electronic privacy protection, encryption programs
have become very popular among sophisticated users. Encryption software allows
users to transmit secure e-mail messages which only the intended recipient can
decode by use of a "decryption key." The most common form of
encryption is public-key cryptography. [FN202] In this procedure, both parties to
a communication utilize a cryptography program to generate two strings of arbitrary
characters as passwords, or "keys." One password is kept as the
user's private key, while the other is used as a "public" key,
distributed to anyone to whom the user wishes to send encrypted messages. Only
the private key can decrypt messages encoded with the public key. To illustrate
how public key cryptography would actually work, imagine a situation where X
wishes to send a secure message to Z. X would encrypt, or password- protect,
the message with Z's "public" key and upon receiving X's transmission,
Z would decode the message with her own private key. Only Z would be able to
view X's message because Z's public key can only be decrypted by her private
key.
Public key cryptography can be viewed as a valuable scheme to privatize e-
mail, but one major problem lurks at the foundation of this technique--senders
must be sure that they have the public key of the person to whom they are
sending the message. [FN203] At first glance, this may seem an
inconsequential problem, but the amount of valuable information contained on
private or corporate networks has drawn the attention of computer hackers who
can send messages impersonating fellow employees. A fraudulent message of this
type, indistinguishable from authentic messages, may prompt the recipient to
encrypt subsequent messages with a public key which is in fact not the public
key of the impersonated employee. As a result, messages intended for the *1472
impersonated employee could end up being sent to the hacker who has exclusive
access to the message by holding the proper private key. [FN204]
As far as employer-providers are concerned, encryption poses several
conflicting consequences. First, encryption obviously implies some degree of
distrust in network security by the participating employees. One reaction by
system administrators to this predicament is to allow employees to transmit
unlimited amounts of encrypted messages or files over the company network. [FN205] Attaching liability to an employer
for the criminal acts of its employees often requires "knowledge" on
the part of the employer. Thus, allowing encrypted messages on a company
network can actually serve to insulate the employer from liability. On the
other hand, a certain amount of control is lost if the employer ignores and
allows the transmission of encrypted messages over the network. This control
issue is not one of superficial interest to most employers, especially because
an entire network may be confiscated if law enforcement learns of encrypted
criminal activity on a private network. [FN206]
Conclusion
During the First Conference on Computers, Freedom, and
Privacy in 1991, distinguished constitutional scholar Professor Lawrence Tribe proposed
a Twenty-Seventh Amendment to the United States Constitution protecting
individual privacy rights, especially in the area of computer technology. [FN207] Highlighting the desperate need for
privacy protection in cyberspace, it is regrettable that Tribe's proposition
fell on deaf ears. American courts now find themselves in the unenviable
position of having to adjudicate novel privacy complaints, brought by employees
against employers, without precise constitutional or statutory guidance.
Additionally, as is the case in most areas of law where technological
innovation has outpaced legislative reform, courts must realize that the ECPA
was never intended to be suitable as controlling law in cases involving e-mail
monitoring by private employers. Although the limited success of codifying
privacy protection provisions in state constitutions is laudable, federal
courts are forced to rely on precedent. Precedent reveals that the right to
privacy in the workplace is to be judged by a "reasonableness"
standard, which in practice, has failed to adequately *1473
safeguard employee privacy interests over e- mail. However, by reinforcing the
existing "reasonableness" test, which plots employee expectations
against employer business interests, with a statutory presumption of
non-waiver, employee privacy rights would be strengthened by procedural, as
opposed to substantive, modifications. In order to defeat the statutory presumption,
an employer would be required to show either employee waiver or, in certain
cases, a compelling business interest.
It would be expected that most employers would oppose a statutory presumption
of non-waiver on the grounds that it would unduly burden monitoring needs and
that it would create an impenetrable barrier for e-mail monitoring. It is true
that a presumption of non-waiver would strengthen employee privacy rights, but
existing law unjustifiably values employer business interests over employee privacy
interests. Additionally, a pre-sumption of non-waiver would still allow private
employers to implement an all-access monitoring policy, so long as employees
explicitly agree to such a program or if the employer can provide a compelling
business interest. Finally, by instituting a presumption of non- waiver,
publication of a monitoring policy would become unnecessary as employees would
have knowledge of the extent of employer monitoring activities through
provisions in their employment contract.
Currently, there exists a significant misunderstanding of how employee privacy
rights should relate to employer monitoring interests. Because of the rapid
growth of e-mail use and the expected increase through workplace networking, it
is imperative that employee privacy rights be strengthened before "private
information" becomes a term of the past. As technology continues to move
forward and the incredible potential of electronic communication is fully
developed, lawmakers will be forced to take corrective measures ensuring the
right to privacy. In the meantime, employees should be aware of the
vulnerability of their communications, pay particular attention to their
employer's monitoring policy, and consider alternative methods for ensuring
communications privacy.
[FNa1]. J.D., Emory University School of
Law, Atlanta, Georgia (1999); B.A., University of Michigan, Ann Arbor, Michigan
(1996). I would like to thank Professor Marc L. Miller whose guidance was
invaluable to the completion of this Comment. My deepest gratitude to Leslie
Rubenstein, Richard Gardner, Shari Goldsmith, Demetria Hannah, and D. Forest
Wolfe for their outstanding efforts in the normally thankless tasks of editing
and spading. Above all, I would also like to thank my mother and father for
their unconditional love and support.
[FN1]. Adapted from Dana Hawkins, Who's
Watching Now?, U.S. News & World Report, Sept. 5, 1997, at 56. Statistics
show that more than one-third of the members of the American Management
Association, the nation's largest organization of its kind, regularly review
employee voice-mail, computer files, and e-mail transmissions. Id.
[FN2]. Id. at 58. Although base figures
were not provided, such significant increases suggest that investigations of
employee e-mail are fast becoming a part of employer monitoring tactics.
[FN3]. While the exact number of employees
is constantly increasing, two years ago one study indicated that approximately
twenty million employees were provided e-mail accounts by their employer. See
Holland & Hart LLP, E-Mail and Voice Mail: Liability Waiting to Happen?,
Idaho Employment L. Letter, July 1996, at 1. At the time, this figure
represented nearly 20% of the total labor force in the United States. See Karen
Brune Mathis, Eyes on Your E-Mail; Messages Sent on Company Computers Are Often
Monitored, Florida Times-Union, July 15, 1996, at 10. By the year 2000, it is
expected that approximately sixty million electronic mail users will be sending
nearly sixty billion messages per year. See Scott Dean, E-Mail Forces Companies
to Grapple With Privacy Issues, Corp. Legal Times, Sept. 1993, at 11.
[FN4]. See, e.g., O'Connor v. Ortega, 480 U.S. 709,
724-25 (1987); United States v. Jacobsen, 466
U.S. 109, 113-14 (1984); Jackson v. Metropolitan Edison
Co., 419 U.S. 345, 349 (1974); see also Julie A. Flanagan, Note,
Restricting Electronic Monitoring in the Private Workplace, 43 Duke L.J. 1256,
1264-65 (1994) ("[T]he protection of the Constitution extends
only to public employees; private employer behavior towards employees is not
restricted.").
[FN5]. Research shows that nearly 90% of
companies with more than 1,000 employees utilize e-mail systems. See Mathis,
supra note 3, at 10. E-mail use in private companies is also growing at an
extraordinary rate--one study revealed that among Fortune 2000 firms, corporate
e-mail use grew 83% between the years of 1991 and 1993. See John Thackery,
Electronic-Mail Boxes a Dumping Ground for Meaningless Data, Ottawa Citizen,
May 28, 1994, at B4 (citing projections by the Electronic Messaging
Association).
[FN6]. Some commentators argue that the
development of communications technology has consistently outpaced the
evolution of privacy jurisprudence, leaving employees subject to unexpected
types of monitoring by employers. See David F. Linowes & Ray C.
Spencer, Privacy: The Workplace Issue of the 90's, 23 J. Marshall L. Rev. 591,
598 (1990) (citing David H. Flaherty, Protecting Privacy in
Surveillance Societies 4 (1989)); Steven B. Winters, Do Not Fold, Spindle or
Mutilate: An Examination of Workplace Privacy in Electronic Mail, 1 S. Cal. Interdisciplinary L.J.
85, 86-87 (1992). Another observer argues that existing technology
gives the employer too much control over the workplace and upsets the desired
balance of power between employees and employers. See Fred W. Weingarten, Communications
Technology: New Challenges To Privacy, 21 J. Marshall L. Rev. 735, 746 (1988).
[FN7]. More than half of all e-mail users
first went on-line between 1991- 93. See Mathis, supra note 3, at 10. Similar
research predicts that e-mail use in the United States will increase from 15%
to 50% of the total population by 2002. See Vanessa Houlder, Failing to Get the
Message: E-Mail's Advantages Could Be Lost By Staff Misusing It, Financial
Times (London), Mar. 17, 1997, at 14.
[FN8]. Through networks, activities and
communications can be easily tracked by use of special software like SurfWatch
Professional Edition, Web Sense, LittleBrother and Elron Internet Manager. One
commentator states:
[These products] enable companies to follow virtually every mouse click a
worker makes across the Internet. They can track access to specific Web sites
and, with some programs, calculate the cost of Web-surfing slackers. Bosses can
even retrieve the results of an employee's search through Internet directories
such as Yahoo! and Excite.
Deborah Branscum, Bigbrother theoffice.com, Newsweek, Apr. 27, 1998, at 78.
[FN9]. See Robert B. Fitzpatrick, Privacy Issues
in the Electronic Monitoring and Surveillance of Em-ployees, C742 A.L.I.-A.B.A.
Course Study 1165, 1169 (1992) available in WESTLAW, ALI-ABA database (citing
Office of Technology Assessment, Electronic Supervisor: New Technology, New
Tensions 124- 25 (1987)).
[FN10]. See Charles Piller, Bosses With
X-Rays, Macworld, July 1993, at 118, 120.
[FN11]. See, e.g., O'Connor v. Ortega, 480 U.S. 709,
714-26 (1987).
[FN12]. See Linowes & Spencer, supra
note 6, at 598.
[FN13]. See Note, Addressing the New Hazards
of the High Technology Workplace, 104 Harv. L. Rev. 1898, 1909-10 (1991).
[FN14]. See Jennifer J. Griffin, The
Monitoring of Electronic Mail in the Private Sector Workplace: An Electronic
Assault on Employee Privacy Rights, 4 Software L.J. 493, 500-01 (1991).
[FN15]. See Linowes & Spencer, supra
note 6, at 592-93.
[FN16]. See Note, supra note 13, at 1909.
[FN17]. Improved employee efficiency and
workplace flexibility have been cited as two major effects of e-mail use. See
James J. Cappel, Closing the E- Mail Privacy Gap; Employer Monitoring of
Employee E-Mail, J. Sys. Mgmt., Dec. 1993, at 6 (noting e-mail had circumvented
problems of "telephone tag" and rising costs of paper and postage
use); see also Griffin, supra note 14, at 498-99 (arguing that e-mail use had
increased employee productivity by facilitating more concise communication
among employees).
[FN18]. For a discussion of the sources to
the right to privacy, see infra notes 22-175 and accompanying text.
[FN19]. For a discussion of congressional
bills and relevant proposals, see infra notes 176-92 and accompanying text.
[FN20]. For a discussion regarding the
procedural presumption and its implications, see infra notes 193-96 and
accompanying text.
[FN21]. For a discussion of employee
self-help remedies, see infra notes 197-206 and accompanying text.
[FN22]. 381 U.S. 479 (1965).
[FN23]. Id. at 484.
[FN24]. U.S. Const. amend. IV
(emphasis added).
[FN25]. 389 U.S. 347 (1967)
(holding unconstitutional a warrantless government recording of defendant's
conversation in enclosed public phone booth).
[FN26]. Id. at 361 (Harlan, J.,
concurring). The most critical part of this test involves a determination of
the individual's reasonable expectation of privacy. In performing this task,
Justice Harlan suggested that the first inquiry should be whether the
individual, by his or her conduct, "exhibited an actual (subjective)
expectation of privacy." Id. Secondly, the court should ask whether the
individual's subjective expectation of privacy is "one that society is
prepared to recognize as 'reasonable."' Id. Most Fourth Amendment
decisions turn on the court's assessment of the individual's expectation of
privacy. See Anthony G. Amsterdam, Perspectives on the Fourth Amendment, 58
Minn. L. Rev. 349 (1974). For a recent case in which the
"reasonableness" standard was used, see Bohach v. City of Reno, 932 F.
Supp. 1232 (D. Nev. 1996) (holding that police officers had no
subjective expectation of privacy over communications left over precinct
messaging system).
In analyzing government interests, courts will consider criteria such as
whether there was a legitimate or compelling government interest prompting the
privacy intrusion; whether readily available alternatives were considered;
whether property rights were at stake; and whether precautions against the
privacy intrusion were taken. For an analysis of these criteria, see Laura
Thomas Lee, Constitutional and Common Law Informational Privacy: Proposing a
"Reasonable Needs" Approach to New Technologies, Paper Presented to
the AEJMC Annual Convention, Kansas City (Aug. 1993) (unpublished manuscript on
file with The John Marshall Law Review).
[FN27]. 480 U.S. 709 (1987).
The Ortega holding has been applied in numerous cases and is controlling
precedent in most workplace Fourth Amendment search and seizure cases. See,
e.g., Leckelt v. Board of Comm'rs, 909
F.2d 820 (5th Cir. 1990) (holding that hospital's requirement for
employees to be tested for infectious diseases was reasonable and did not
constitute impermissible invasion of privacy); Shields v. Burge, 874 F.2d 1201
(7th Cir. 1989) (finding government search of desk, automobile, and
briefcase of allegedly corrupt police officer permissible under Ortega
analysis); Schowengerdt v. General Dynamics
Corp., 823 F.2d 1328 (9th Cir. 1987) (holding unreasonable
employer's search of employee's office because search was unrelated to business
activities); American Fed'n of Gov't Employees,
Local 1616 v. Thornburgh, 713 F. Supp. 359 (N.D. Cal. 1989) (holding
that employer's mandatory urinalysis tests were unreasonable under Ortega
analysis). For further information on Ortega, see Steven Winters, The New
Privacy Interest: Electronic Mail in the Workplace, 8 High Tech. L.J. 197
(1993); Keith P. Larson, Comment, Government Intrusion into the Public Employee
Workplace-- O'Connor v. Ortega, 21 Creighton L. Rev. 409, 419-420 (1987); Note,
Fourth Amendment--Work-Related Searches By Government Employers Valid on
"Reason-able" Grounds, 78 Crim. L. & Criminology 792 (1986).
[FN28]. Ortega, 480 U.S. at 722.
In our view, requiring an employer to obtain a warrant whenever the employer
wished to enter an employee's office, desk, or file cabinets for a work-
related purpose would seriously disrupt the routine of conduct of business and
would be unduly burdensome. Imposing unwieldy warrant procedures in such cases
upon supervisors, who would otherwise have no reason to be familiar with such
procedures, is simply unreasonable.
Id. Dissenting, Justice Blackmun noted that the Court seemed to be suggesting
that government employees have little, if any, privacy in the workplace so long
as searches are reasonably work-related. See id. at 734-36 (Blackmun, J.,
dissenting). In respect to electronic communications, one commentator opined
that the analytical shift represented by Ortega foretold the notion that
"courts [should] fashion case law so as to provide public employers with
unbridled discretion to monitor E-mail transmissions." Winters, supra note
27, at 209.
[FN29]. See Ortega, 480 U.S. at 713.
[FN30]. In addressing Dr. Ortega's
expectation of privacy, the Court stated:
[His] expectation of privacy must be assessed in the context of the employment
relation. An office is seldom a private enclave free from entry by supervisors,
other employees, and business and personal invitees. In many cases, offices are
continually entered by fellow employees and other visitors during the workday for
conferences, consultations and other work-related visits. Simply put, it is the
nature of government offices that others--such as fellow employees,
supervisors, consensual visitors, and the general public--may have frequent
access to an individual's office. ... [S]ome government offices may be so open
to fellow employees or to the public that no expectation of privacy is
reasonable.
Id. at 717-18.
[FN31]. Id. at 720.
[FN32]. Id. at 717.
[FN33]. Id.
[FN34]. See id. at 726 (holding that
district court and court of appeals were in error for considering hospital
policy in determining reasonableness because search was reasonable at its
inception).
[FN35]. Id. at 727.
[FN36]. Under most circumstances, Fourth
Amendment jurisprudence does not apply to monitoring conducted by private
employers because such behavior does not constitute state action. See Simmons v. Southwestern Bell Tel.
Co., 452 F. Supp. 392, 395 (W.D. Okla 1978), aff'd, 611 F.2d 342 (10th Cir. 1979).
However, in some cases, courts have found Fourth Amendment privacy protections
applicable to the private sector. For instance, "the Amendment protects
against [private party] intrusions if the private party acted as an instrument
or agent of the Government." Skinner v. Railway Labor
Executives' Ass'n, 489 U.S. 602, 614 (1989). Additionally, if a
private entity, such as an incorporated municipality, undertakes functions
normally ascribed to the public trust, constitutional limitations may apply.
See Marsh v. Alabama, 326 U.S. 501
(1946).
[FN37]. See Julia T. Baumhart, The
Employer's Right to Read Employee E-Mail: Protecting Privacy or Personal
Prying, 8 Lab. Law. 923, 937-38
(1992). For an analysis of "invasion of privacy" claims and their
application in the context of e-mail monitoring, see infra notes 153-75 and
accompanying text.
[FN38]. "Fourth Amendment law as
decided by the Supreme Court heavily influences both state and federal court
interpretations of non-public employee's privacy rights in the workplace."
Winters, supra note 27, at 200- 01. "[A]lthough the Fourth Amendment does
not protect private employees against privacy invasions by their employers,
cases from the Fourth Amendment context are critical to discussing how the balancing
would apply to private employers' interceptions of employee E-mail." Larry
O. Natt Gantt, II, An Affront to Human Dignity: Electronic Mail Monitoring in
the Private Sector Workplace, 8 Harv. J.L. & Tech. 345, 380
(1995) (footnote omitted).
[FN39]. See Flanagan, supra note 4, at
1265; see also Kenneth A. Jenero & Lynne D. Mapes-Riordan, Electronic
Monitoring of Employees and the Elusive "Right to Privacy," 18
Employee Rel. L.J. 71, 80 (1992).
[FN40]. See, e.g., Bianco v. American
Broad. Co., 470 F. Supp. 182, 186 (N.D. Ill. 1979) (holding that private
employer's electronic monitoring of employees did not violate the employee's
privacy rights because the Illinois constitutional provision prohibiting
"unreasonable ... interceptions of communications by eaves-dropping
devices" limits only government intrusions).
[FN41]. See Alaska Const. art. I, § 22
("The right of the people to privacy is recognized and shall not be
infringed."); Ariz. Const. art. II, § 8
("No person shall be disturbed in his private affairs, or his home invaded,
without authority of law."); Cal. Const. art. I, § 1
("All people are by nature free and independent and have inalienable
rights. Among these are enjoying and defending life and liberty, acquiring ...
safety, happiness, and privacy."); Fla. Const. art. I, § 23
("Every natural person has the right to be ... free from governmental
intrusion into his private life except as otherwise provided herein."); Haw. Const. art I, § 6
("The right of the people to privacy is recognized and shall not be infringed
without the showing of a compelling state interest. The legislature shall take
affirmative steps to implement this right."); Ill. Const. art. I, § 6
("The people shall have the right to be secure in their persons, houses,
papers and other possessions against unreasonable searches, seizures, invasions
of privacy or interceptions of communications eavesdropping devices or other
means."); La. Const. art. I, § 5
("Every person shall be secure in his person, property, communications,
houses, papers, and effects against unreasonable searches, seizures, or
invasions of privacy."); Mont. Const. art. II, § 10
("The right of individual privacy is essential to the well-being of a free
society and shall not be infringed without the showing of a compelling state
interest."); S.C. Const. art. I, § 10
("The right of the people to be secure in their persons, houses, papers, and
effects against unreasonable searches and seizures and unreasonable invasions
of privacy shall not be violated ...."); Wash. Const. art. I, § 7
("No person shall be disturbed in his private affairs, or his home
invaded, without authority of law.").
[FN42]. See, e.g., Immuno A.G. v. J. Moor-Jankowski,
567 N.E.2d 1270, 1278 (N.Y. 1991) (holding free speech and press
provisions of state constitution are limited by greater privacy protections
than those supplied by U.S. Constitution), cert. denied, 500 U.S. 954 (1991); Hope v. Perales, 571 N.Y.S.2d 972,
978 (Sup. Ct. 1991) (finding state due process clause provides
greater privacy protection than federal due process clause), aff'd, 189 A.D.2d 287 (N.Y. App. Div.
1993); see also Hannibal F. Heredia, Comment, Is There Privacy in
the Workplace?: Guaranteeing a Broader Privacy Right for Workers Under
California Law, 22 Sw. U.L. Rev. 307, 313 (1992).
[FN43]. See Flanagan, supra note 4, at
1265; see also Laura Thomas Lee, Watch Your E-Mail! Employee E-Mail Monitoring
and Privacy Law in the Age of the Electronic Sweatshop, 28 J. Marshall L. Rev. 139, 150
(1994).
[FN44]. See, e.g., Valley Bank of Nevada v. Superior
Court, 542 P.2d 977 (Cal. 1975); Luck v. Southern Pac. Transp. Co.,
267 Cal. Rptr. 618, 627-29 (Cal. Ct. App. 1990) (holding private
employers bound by California constitutional privacy provision, but not
defining scope of circumstances under which private action would violate
constitution), cert. denied, 498 U.S. 939 (1990); Semore v. Pool, 266 Cal. Rptr. 280
(Cal. Ct. App. 1990) (holding unconstitutional private employer's
random substance abuse testing of employees); Wilkinson v. Times Mirror Corp.,
264 Cal. Rptr. 194, 198-200 (Cal. Ct. App. 1989); Porten v. University of San
Francisco, 134 Cal. Rptr. 839 (Cal. Ct. App. 1976) (holding private
university liable for improperly disclosing a student's grades from another
university to State Scholarship and Loan Commission).
[FN45]. See, e.g., Soroka v. Dayton Hudson Corp., 1 Cal.
Rptr. 2d 77, 86 (Cal. Ct. App. 1991); Luck, 267 Cal. Rptr. at 631-32;
Porten, 134 Cal. Rptr. at 843.
[FN46]. 865 P.2d 633 (Cal. 1994).
[FN47]. Id. at 655. The
California Supreme Court decided that the "compelling interest"
standard would still be applicable against private employers if the privacy
interest at issue was "fundamental to personal autonomy," such as the
"freedom from involuntary sterilization or the freedom to pursue
consensual familial relationships." Id. at 653.
[FN48]. Id. at 657.
[FN49]. See Baumhart, supra note 37, at
938; Heredia, supra note 42, at 329. For further analysis, see Gantt, supra
note 38, at 392-94.
[FN50]. See Baumhart, supra note 37, at
943.
[FN51]. 768 P.2d 1123 (Alaska 1989).
Accord Cordle v. General Hugh Mercer
Corp., 325 S.E.2d 111 (W. Va. 1984) (finding private employer's
requirement that employees submit to random polygraph tests in contravention of
state public policy); but see Barr v. Kelso-Burnett Co., 478
N.E.2d 1354 (Ill. 1985) (rejecting notion that public policy
supports constitutional right to privacy).
[FN52]. Electronic Communications Privacy
Act of 1986, Pub. L. No. 99-508, 100 Stat. 1848 (codified as amended in
scattered sections of 18 U.S.C.). Though applied to cases implicating employee
e-mail privacy, the Electronic Communications Privacy Act does not explicitly
mention e-mail as a protected communication. See Griffin, supra note 14, at
512-13.
[FN53]. See 18 U.S.C. §§ 2510-20 (1994); see also S.
Rep. No. 99- 541 (1986), reprinted in 1986 U.S.C.C.A.N. 3555.
[FN54]. See S. Rep. No. 99-541, at 1-2
(1986), reprinted in 1986 U.S.C.C.A.N. 3555, 3555-56.
[FN55]. See 18 U.S.C. § 2511(1)(a)
(adding "electronic" communications, in addition to "wire"
and "oral," to base offense).
[FN56]. See 18 U.S.C. § 2511(2)(a)(i)
(substituting "any communication common carrier" with "a
provider of wire or electronic communication service"). Legislative
history also reveals that Congress intended the ECPA to extend protections to
private telephone networks, not just common carriers. See S. Rep. No. 99-541,
at 3 (1986), reprinted in 1986 U.S.C.C.A.N. 3555, 3556-57 ("It does not
make sense to say that a phone call transmitted via common carrier is protected
by the current federal wiretap statute, while the same phone call transmitted
via a private telephone network such as those used by many major U.S.
corporations today, would not be covered by the statute.").
[FN57]. See 18 U.S.C. § 2511.
[FN58]. See id. § 2701. "Electronic
storage" is defined as "any temporary, intermediate storage of a wire
or electronic communication incidental to the electronic communication thereof;
and ... any storage of such communication by an electronic communication
service for purposes of backup protection of such communication." Id. § 2510(17)(A)-(B).
[FN59]. S. Rep. No. 99-541, at 35 (1986),
reprinted in 1986 U.S.C.C.A.N. 3555, 3589.
[FN60]. 18 U.S.C. § 2511(1)(a)
(emphasis added). The ECPA defines an "interception" as "the
aural or other acquisition of the contents of any wire, electronic, or oral
communication through the use of any electronic, mechanical, or other
device." 18 U.S.C. § 2510(4). An
"electronic communication" is described as "any transfer of
signs, signals, writing, images, sounds, data, or intelligence of any nature
transmitted in whole or in part by a wire, radio, electromagnetic,
photoelectric, or photo-optical system that affects interstate ...
commerce." 18 U.S.C. § 2510(12).
[FN61]. Id. § 2701.
[FN62]. Id. § 2701(a).
[FN63]. See id. § 2701(b).
[FN64]. See Steve Jackson Games, Inc. v.
United States Secret Serv., 36 F.3d 457 (5th Cir. 1994); Wesley College v. Pitts, 974 F.
Supp. 375 (D. Del. 1997).
[FN65]. See Russell S. Burnside, The
Electronic Communications Privacy Act of 1986: The Challenge of Applying
Ambiguous Statutory Language to Intricate Telecommunications Technologies, 13 Rutgers Com-puter & Tech.
L.J. 451 (1987); see also Robert I. Webber, Note, The
Privacy of Electronic Communication: A First Step in the Right Direction, 1
J.L. & Tech. 115 (1985). To be clear, network providers, or
"carriers," can come in two forms: public (common) or private. Public
providers, such as BellSouth, Mindspring, or America Online, offer network
services as a product. On the other hand, many businesses have found such
outsourcing unnecessarily expensive and have elected to construct their own
networks for internal communications. These businesses are classified as
private network providers.
[FN66]. "While the post-ECPA Title III
does protect many forms of communication that previously lacked a legal shield,
the ECPA retained or redefined many of the statutory provisions existing prior
to the 1986 amendments, which provided employers with broad authority to
monitor employee communications." Thomas R. Greenberg, E-Mail and Voice
Mail: Employee Privacy and the Federal Wiretap Statute, 44 Am. U. L. Rev. 219, 234-35
(1994). Nevertheless, in analyzing the legislative history of the
ECPA, congressional intent does not indicate that the Act should not be read to
include private employer monitoring of employee e-mail transmissions. See
Winters, supra note 6, at 119.
[FN67]. See 18 U.S.C. § 2511(2)(a)(i).
[FN68]. See id. § 2510(5)(a).
[FN69]. See id. § 2511(2)(d).
[FN70]. See Mark S. Dichter & Michael
S. Burkhardt, Electronic Interaction in the Workplace: Monitoring, Retrieving
and Storing Employee Communications in the Internet Age, (visited December 19,
1998) <http: // www.mlb.com/speech1.htm>. In fact, some commentators
interpret this exception to mean that private network providers are excluded
from liability for perusing and disclosing employee e-mail transmissions. See
Michele C. Kane, Electronic Mail and Privacy, in 15th Annual Computer Law
Institute, at 419, 430 (PLI Patents, Copyrights, Trademarks, and Literary
Property Course Handbook Series No. 369, 1993); see also Baumhart, supra note
37, at 925; Ruel Torres Hernandez, ECPA and Online Computer Privacy, 41 Fed.
Comm. L.J. 17, 39-40 (1988); Alice LaPlante, Is Big Brother Watching?,
Infoworld, Jan. 14, 1991, at 68.
[FN71]. See 18 U.S.C. § 2701(c)(1).
The ECPA authorizes a provider to disclose stored communications, inter alia,
"to a person employed or authorized or whose facilities are used to
forward such communication to its destination" or "as may be
necessarily incident to the rendition of the service or to the protection of
the rights or property of the provider of that service." 18 U.S.C. § 2702(b)(4)-(5).
[FN72]. See, e.g., Simmons v. Southwestern Bell Tel.
Co., 452 F. Supp. 392 (W.D. Okla. 1978),
aff'd, 611 F.2d 342 (10th Cir. 1979);
United States v. Clegg, 509 F.2d
605 (5th Cir. 1975); United States v. Beckley, 259 F.
Supp. 567 (N.D. Ga. 1965).
[FN73]. No. BC007036, slip op. (Cal. Super.
Ct. Jan. 4, 1991).
[FN74]. Id. at 5-6 n.1. The court asserted
that an employer-provider who intentionally examines everything on the system
is not in violation of the ECPA. See id.
[FN75]. See Baumhart, supra note 37, at
925. One commentator argues that the provider exception should not apply to
private network providers. This conclusion was reached through an analysis of
the text of the exception, where the term "service" seems to indicate
an external entity providing a network and "the term 'user' is defined as
a 'person or entity ... who uses an electronic mail service."' Michael W.
Droke, Private, Legislative, and Judicial Options for Clarification of Employee
Rights to the Contents of Their Electronic Mail Systems, 32 Santa Clara L. Rev. 167, 182
(analyzing 18 U.S.C. §§ 2510(13), (15) (1988)).
Another commentator has contested this interpretation by arguing that the ECPA
does not strictly limit the term "provider" to public entities and
because some companies may be considered public providers while others may
properly be deemed users of networks provided by these public providers. See
Gantt, supra note 38, at 360 n.101. Conversely, one commentator concludes that
the expansive coverage of the provider exception is justified by the fact that
communications on a company- owned network are property of the employer. See
James Baird et al., Public Employee Privacy: A Legal and Practical Guide to
Issues Affecting the Workplace 60 (1995).
[FN76]. See Baumhart, supra note 37, at
927.
[FN77]. When an employer contracts with an
outside service, such as Prodigy, Compuserve, or MCI Mail, to provide e-mail
services to its employees, the employer is not considered a "provider."
Alternatively, if the employer has its own internal e-mail system, maintained
by an in-house information technology department, the employer will probably be
considered a provider. However, does the installation of one private telephone
wire transform a company into a private network provider? Or, does an actual
interconnected network need to exist before "provider" status can be
achieved?
[FN78]. See United States v. Mullins, 992 F.2d
1472 (9th Cir. 1992) (holding American Airlines employee's search of
computerized travel reservations system for reservation discrepancies and
subsequent discovery of fraudulent reservations legal because employee was
acting to protect the rights and property of airline within the meaning of
provider exception), aff'd, 611 F.2d 342 (10th Cir. 1979);
Simmons v. Southwestern Bell Tel.
Co. 452 F. Supp. 392 (W.D. Okla. 1978) (holding that the company's
interests in monitoring calls for service quality control checks and to prevent
persistent use of telephone lines for personal use were valid and legitimate
reasons to invoke the § 2511(2)(a)(i)
exception).
[FN79]. See Dichter & Burkhardt, supra
note 70.
[FN80]. See 18 U.S.C. § 2510(5)(a).
[FN81]. See Jenero & Mapes-Riordan,
supra note 39, at 90.
[FN82]. See Gantt, supra note 38, at 365
(citing Steven B. Winters, Do Not Fold, Spindle or Mutilate: An Examination of
Workplace Privacy in Electronic Mail, 1 S. Cal. Interdisciplinary L.J.
85, 118 (1992)).
[FN83]. See Gantt, supra note 38, at 365-69.
Other commentators have substituted the "context" and
"content" terminology with the terms "legitimate business
purpose" and "subject of call," respectively. See Greenberg,
supra note 66, at 239-46.
[FN84]. See Martha W. Barnett & Scott
D. Makar, "In the Ordinary Course of Business": The Legal Limits of
Workplace Wiretapping, 10 Hastings Comm. & Ent. L.J. 715, 727-28 (1988).
[FN85]. See Sanders v. Robert Bosch Corp., 38
F.3d 736 (4th Cir. 1994) (holding that employer's 24-hour recording
of employee telephone conversations was unlawful even though proffered reason
for conducting interceptions was investigation of bomb threat); see also Deal v. Spears, 980 F.2d 1153,
1158 (8th Cir. 1992) (holding that employer's interest in catching
thief did not justify recording of 22 hours of primarily personal phone calls).
[FN86]. See Barnett & Makar, supra note
84, at 728.
[FN87]. See James v. Newspaper Agency Corp.,
591 F.2d 579, 581 (10th Cir. 1979) (upholding interceptions based on
facts that employer provided full notice and that interceptions were for
legitimate business purposes of providing training, instruction, and protection
against abusive calls); United States v. Harpel, 493 F.2d
346 (10th Cir. 1974) (holding unlawful employer's interception of
telephone conversations, partially because employer did not provide any notice
of monitoring).
[FN88]. See Gantt, supra note 38, at 370.
[FN89]. 493 F.2d 346 (10th Cir. 1974).
[FN90]. See id. at 348.
[FN91]. See id. at 350.
[FN92]. See id. at 351.
[FN93]. See id.; see also Barnett &
Makar, supra note 84, at 728.
[FN94]. 591 F.2d 579, 581 (10th Cir. 1979).
[FN95]. See id. at 581.
[FN96]. See id.
[FN97]. See id. at 582.
[FN98]. 980 F.2d 1153 (8th Cir. 1992).
[FN99]. See id. at 1157. The
two-pronged context approach was used by the Fourth Circuit in Sanders v. Robert Bosch Corp., 38
F.3d 736 (4th Cir. 1994).
[FN100]. Deal, 980 F.2d at 1158.
[FN101]. See id.
[FN102]. See id.
[FN103]. See id.
[FN104]. See id.
[FN105]. Id.; see also People v. Otto, 831 P.2d 1178,
1189-90 n.14 (Cal. 1992) (indicating that employer monitoring must
be limited to particular purpose, time, and place to be shielded by
business-extension exception, and that exception does not cover general
practice of unauthorized eavesdropping).
[FN106]. See Briggs v. American Air Filter Co.,
630 F.2d 414, 420 (5th Cir. 1980) (holding employer not liable for
communications interception where employer limited time and scope necessary to
intercept portion of call in which employee discussed his employer's business
with competitor).
[FN107]. 704 F.2d 577 (11th Cir. 1983).
[FN108]. Id. at 581.
[FN109]. Id. at 582-83.
[FN110]. See id.
[FN111]. Id.
[FN112]. Id. at 583.
[FN113]. See id. at 584. The court cited
one case where an interception of a personal call for 10 to 15 seconds was
reasonable, but viewed the result of another case, in which an interception of
3 to 5 minutes occurred, as problematic. See id. at 584-85.
[FN114]. 630 F.2d 414 (5th Cir. 1980).
[FN115]. Id. at 419.
[FN116]. Id. at 420.
[FN117]. Id.
[FN118]. 802 F.2d 412 (11th Cir. 1986).
[FN119]. Id. at 417.
[FN120]. See id. at 416.
[FN121]. See id. at 416-17.
[FN122]. See Gantt, supra note 38, at 358.
[FN123]. Id.
[FN124]. See 18 U.S.C. § 2511(2)(d) (1988)
(interception); 18 U.S.C. § 2702(b)(3)
(access to stored communi-cations).
[FN125]. See infra notes 129-44 and
accompanying text.
[FN126]. 18 U.S.C. § 2511(2)(d) (1988).
[FN127]. See Deal v. Spears, 980 F.2d 1153,
1157 (8th Cir. 1992); see also Griggs-Ryan v. Connelly, 904 F.2d
112, 116 (1st Cir. 1990); but see Jandak v. Village of Brookfield,
520 F. Supp. 815, 820 (N.D. Ill. 1981) (indicating that implied
consent existed where police officer should have known that police department
regularly monitored employee telephone calls).
[FN128]. See 18 U.S.C. § 2511(2)(d) (1982).
[FN129]. 611 F.2d 387 (1st Cir. 1979).
[FN130]. Id. at 394.
[FN131]. See id. at 393-94. The
police officer argued that the circumstances implying consent were "that
[the plaintiff] was in restricted custody, that the call was placed for him by
a staff officer, that the common practice at Walpole was to monitor such calls,
that the expectation of inmates was that calls would be monitored and that [the
plaintiff] kept the call short and the conversation innocuous." Id. at 393.
[FN132]. Id. at 394.
[FN133]. 704 F.2d 577 (11th Cir. 1983).
[FN134]. Id. at 579.
[FN135]. See id. at 580.
[FN136]. See id. at 581.
[FN137]. Id.
[FN138]. Id.
[FN139]. See id. at 581-82.
[FN140]. 980 F.2d 1153 (8th Cir. 1992).
[FN141]. See id. at 1156-57.
[FN142]. See id. at 1157.
[FN143]. See id.
[FN144]. See Baumhart, supra note 37, at
935; see also Barnett & Makar, supra note 84, at 737; John P. Farfuro &
Maury B. Josephson, Electronic Monitoring in the Workplace, N.Y.L.J., July 6,
1990, at 32.
[FN145]. See, e.g., United States v. McKinnon, 721
F.2d 19, 21 n.1 (1st Cir. 1983); Evans v. State, 314 S.E.2d 421,
425 (Ga. 1984), cert. denied, 469 U.S. 826 (1984).
[FN146]. For example, legislation in
California, Delaware, Florida, Illinois, Louisiana, Maryland, Massachusetts,
Michigan, Montana, Oregon, Pennsylvania, and Washington requires prior consent
by all parties before a communication may be intercepted. Jenero &
Mapes-Riordan, supra note 39, at 94 n.36.
[FN147]. See Robert Ellis Smith,
Compilation of State & Federal Privacy Laws 60-63 (1992).
[FN148]. See Neb. Rev. Stat. § 86-702(2)(a)
(1992).
[FN149]. See Ariz. Rev. Stat. Ann § 13-3012
(West 1989); Colo. Rev. Stat. § 18-9-305
(West 1990); Del. Code Ann. tit. 11, § 1336
(1995); Fla. Stat. ch. 934.03 (1996); Ga. Code Ann. § 16-11-66 (1996);
Haw. Rev. Stat. § 803-42 (1993);
Idaho Code §§ 18-6702;
18-6720 (1997); Iowa Code Ann. § 8082.B (1993); Kan. Stat. Ann. §§ 21-4001;
22-2514 (1995); La. Rev. Stat. Ann. § 15:1303
(West 1992); Md. Code Ann. Cts. & Jud.
Proc. § 10-402 (1995); Minn. Stat. Ann. § 626A.02
(West 1998); Miss. Code Ann. § 41-29- 531
(1993); Mo. Ann. Stat. § 542.402
(West 1998); Neb. Rev. Stat. § 86- 702 (1994);
Nev. Rev. Stat. Ann. § 200.620 (Michie 1997); N.H. Rev. Stat. Ann. §§ 570-B
(1997); N.J. Rev. Stat. § 2A:156A-24 (1985); N.M. Stat. Ann. § 30-12-1
(Michie 1998); N.D. Cent. Code § 12.1-15-02
(1997); Ohio Rev. Code Ann. § 2933.52
(Anderson 1996); Okla. Stat. Ann. tit. 13, § 176.4
(West 1994); Or. Rev. Stat. § 165.543 (1991);
18 Pa. Cons. Stat. Ann. § 5704
(West 1983); R.I. Gen. Laws. § 11-35-21 (1994);
Tex. Penal Code § 16.02
(West 1994); Utah Code Ann. § 77-23a-4 (1995);
Va. Code Ann. § 19.2-62
(Michie 1995); W. Va. Code § 62-1D-3 (1997);
Wis. Stat. § 968.31 (1985);
Wyo. Stat. Ann. § 7-3-602 (Michie 1996). For further information on these
statutes, see Lee, supra note 43, at 175-77.
[FN150]. See, e.g., Victoria Slind-Flor,
What is E-Mail Exactly?, Nat'l. L.J., Nov. 25, 1991, at 22; Michael Traynor,
Computer E-Mail Privacy Issues Unresolved, Nat'l. L.J., Jan. 31, 1994, at S3.
[FN151]. Ruling on Submitted Matter,
Flanagan v. Epson Am., Inc., No. BC007036 (Cal. Super. Ct. Jan. 4, 1991).
[FN152]. See Frank C. Morris et al., Issues
from the Electronic Workplace and E-Mail Communication: The Developing
Employment Law Nightmare, SB07 A.L.I.- A.B.A. 335, 343 (noting courts desire to
defer such matter to California legislature). For an excellent analysis of
Flanagan v. Epson, see Winters, supra note 6, at 222-32.
[FN153]. See Samuel Warren & Louis
Brandeis, The Right to Privacy, 4 Harv. L. Rev. 193 (1890).
[FN154]. See id.
[FN155]. See Restatement (Second) of Torts
§§ 652B-652E (1965).
[FN156]. See, e.g., Dietemann v. Time, Inc., 449 F.2d
245 (9th Cir. 1971); Nader v. General Motors Corp., 255
N.E.2d 765, 770-771 (N.Y. 1970).
[FN157]. See, e.g., Douglass v. Hustler Magazine,
Inc., 769 F.2d 1128, 1138-39 (7th Cir. 1985); Carson v. Here's Johnny Portable
Toilets, Inc., 698 F.2d 831 (6th Cir. 1983).
[FN158]. See, e.g., Haynes v. Alfred A. Knopf, Inc., 8
F.3d 1222, 1229- 35 (7th Cir. 1993); Diaz v. Oakland Tribune, Inc., 139
Cal. App. 3d 118 (1st Dist. 1983).
[FN159]. See, e.g., Time, Inc. v. Hill, 385 U.S. 374,
391-94 (1967).
[FN160]. See Howell v. New York Post Co., 612
N.E.2d 699 (N.Y. 1993) (refusing to recognize common law tort
invasion of privacy).
[FN161]. For example, private persons and
celebrities are protected against misappropriation of name or likeness in
California and New York. See Jonathan Rosenoer, Cyberlaw: the Law of the
Internet 129 (1997).
[FN162]. Griffin, supra note 14, at 503-04.
Another tort which could give rise to a cause of action in the context of
e-mail monitoring is "intentional infliction of emotional distress."
See Kevin J. Baum, E-Mail in the
Workplace and the Right to Privacy, 42 Vill. L. Rev. 1011, 1020 (1997).
Liability for "intentional infliction of emotional distress" arises
when "[o]ne who by extreme and outrageous conduct intentionally or
recklessly causes severe emotional distress to another." Restatement
(Second) of Torts § 46 (1965). For a recent case in which an "intentional
infliction of emotional distress" theory was used against an employer for
accessing an employee's e-mail, see Restuccia v. Burk Technology, No. 95-2125,
1996 Mass. Super. LEXIS 367 (Mass. Super. Ct. August 12, 1996).
[FN163]. Restatement (Second) of Torts §
652B (1965). For a recent case in which an "intrusion upon seclusion"
theory was used against an employer for accessing an employee's e-mail, see Smyth v. Pillsbury Co., 914 F.
Supp. 97 (E.D. Pa. 1996).
[FN164]. E-mail is protected because the
invasion may be non-physical. Restatement (Second) of Torts § 652B cmt. b
(1965); see also 2 Privacy Law and Practice P 9.02[3] (George B. Trubow, ed.,
1987).
[FN165]. See supra notes 22-38 and
accompanying text. The Fourth Amendment standard balances the employee's subjective
and objective expectations of privacy against the employer's justification for
monitoring.
[FN166]. See Marks v. Bell Tel. Co., 331 A.2d
424 (Pa. 1975). Courts have considered electronic surveillance, such
as telephone "tapping," sufficient to establish this element of the
tort. See Dietemann v. Time, Inc., 449 F.2d
245 (9th Cir. 1971); Nader v. General Motors Corp., 255
N.E.2d 765 (N.Y. 1970); Billings v. Atkinson, 489 S.W.2d
858 (Tex. 1973).
[FN167]. See Restatement (Second) of Torts
§652B cmt. d (1965).
[FN168]. See Michael W. Droke, Private,
Legislative and Judicial Options for Clarification of Employee Rights to the
Contents of Their Electronic Mail Systems, 32 Santa Clara L. Rev. 167, 184-86
(1992). In most cases, it is easier for a plaintiff to show a
subjective expectation of privacy in regard to a certain activity. However, a
plaintiff must also show that the expectation of privacy is objectively
reasonable, a difficult burden to meet if the employer has published a
monitoring policy. See Simmons v. Southwestern Bell Tel.
Co., 452 F. Supp. 392 (W.D. Okla. 1978).
[FN169]. See Miller v. NBC, 232 Cal. Rptr. 668
(Cal. Ct. App. 1986); Horstman v. Newman, 291 S.W.2d 567
(Ky. Ct. App. 1956); Engman v. Southwestern Bell Tel.
Co., 631 S.W.2d 98 (Mo. Ct. App. 1982).
[FN170]. It is safe to assume that e-mail
monitoring constitutes an intentional act. Yet, an employer could attempt to
show that the invasion was incidental to system maintenance and therefore
unintentional. See Lee, supra note 43, at 163.
[FN171]. See Lois R. Witt, Terminally Nosy:
Are Employers Free to Access Our Electronic Mail?, 96 Dick. L. Rev. 545, 555, 561
(1992).
[FN172]. "[E]mployee notification is
important because, as under the ECPA analysis, courts may imply consent to
E-mail monitoring when employers provide notice or when the employees are aware
that monitoring can occur." Gantt, supra note 38, at 377. An employee may
also have trouble proving that e-mail was actually read. See, e.g., Marks v. Bell Tel. Co., 331 A.2d
424 (Pa. 1975) (plaintiff failed
to prove that certain telephone conversations were actually heard by third
party).
[FN173]. See, e.g., Saldana v. Kelsey-Hayes Co., 443
N.W.2d 382 (Mich. Ct. App. 1989) (holding that business interests
justified home monitoring of employee who claimed to have work-related
injuries).
[FN174]. See Gantt, supra note 38, at 377;
Griffin, supra note 14, at 509.
[FN175]. See Julie A. Flanagan, Note,
Restricting Electronic Monitoring in the Private Workplace, 43 Duke L.J. 1256,
1267 (1994).
[FN176]. The PCWA was introduced in the
House of Representatives by Rep. Pat Williams (D-Mont), H.R. 1900, 103rd Cong.
(1993), and introduced in the Senate by Senator Paul Simon, S. 984, 103rd Cong.
(1993).
[FN177]. See S. 984, 103rd Cong. § 5(B) (1993).
[FN178]. See Gantt, supra note 38, at 409
(referring to S. 984, 103d Cong. § 2(2)(c) (1993)). Furthermore, the PCWA's
advance notice scheme did not limit the scope of monitoring nor the potential
for abuse that often occurs. In effect, instead of restricting employer monitoring,
the PCWA did the exact opposite by allowing monitoring during specified periods
of time. See Gantt, supra note 38, at 409-10; see also Jeffrey S. Kingston
& Gregory L. Lippetz, E- Mail Privacy Rights Can Be Tricky, So Firms Need
To Study Up, Bus. J., Feb. 1, 1993, at 21.
[FN179]. See Lee, supra note 43, at 171.
[FN180]. Id.
[FN181]. See Lee, supra note 43, at 170-74.
For similar proposals, see Kevin J. Baum, E-Mail in the
Workplace and the Right to Privacy, 42 Vill. L. Rev. 1011, 1035-40 (1997);
Greenberg, supra note 66, at 219.
[FN182]. Lee, supra note 43, at 172.
[FN183]. Id.
[FN184]. Id.
[FN185]. See Greenberg, supra note 66, at
249-50.
[FN186]. See Lee, supra note 43, at 172-73.
"It is imperative that employers create a company policy that clearly
spells out monitoring practices and employee privacy specific to that company's
operation." Id.
[FN187]. See id. The author does provide a
comprehensive list of possible objectives a monitoring policy could achieve,
including: (1) to identify the reasons for surveillance and business purpose to
be achieved; (2) to explain the monitoring procedures which may or may not be
used; (3) to contain limitations on what is collected and the use of
information obtained, restricting it to its stated purpose and ensuring
confidentiality; and (4) to establish employee usage guidelines, such as
whether, when, and to what extent the system may be used for non-business
communications. See id. at 173.
[FN188]. See Gantt, supra note 38, at 416.
[FN189]. Id.
[FN190]. Id.
[FN191]. Id at 417.
[FN192]. Id. at 416-17. The European
Union's Directive on the Protection of Individuals with Regard to the Personal
Data and on the Free Movement of Such Data incorporates a similar
standard--subjects have a right to object to the processing of personal data on
the basis of "compelling and legitimate grounds." See Thomas J.
Smedinghoff et al., Online Law: The SPA's Legal Guide to Doing Business On the
Internet 276-77 (Thomas J. Smedinghoff ed., 1996).
[FN193]. See Mark A. Rothstein et al.,
Employment Law § 2.27 (West 1994).
[FN194]. See Irving Younger et al.,
Principles of Evidence 879 (3d ed. 1997).
[FN195]. See supra notes 49-51 and
accompanying text.
[FN196]. See supra notes 181-87 and
accompanying text.
[FN197]. See Rosenoer, supra note 161, at
139.
[FN198]. See supra note 1 and accompanying
text for another example.
[FN199]. See McIntyre v. Ohio Elections
Commission, 514 U.S. 334, 342-43 (1995).
[FN200]. See Smedinghoff, supra note 192,
at 279.
[FN201]. See David R. Johnson & Kevin
A. Marks, Mapping Electronic Data Communications Onto Existing Legal Metaphors:
Should We Let Our Conscience (And Our Contracts) Be Our Guide?, 38 Vill. L. Rev. 487 (1993)
(proposing Electronic Communications Forwarding Act).
[FN202]. For a detailed analysis of
public-key cryptography, see Daniel J. Greenwood & Ray A.
Campbell, Electronic Commerce Legislation: From Written on Paper and Signed in
Ink to Electronic Records and Online Authentication, 53 Bus. Law. 307, 310-16
(1997); see also Lance Rose, NetLaw: Your Rights in the Online World
181 (1995).
[FN203]. See Greenwood & Campbell,
supra note 202, at 315.
[FN204]. See id.
[FN205]. See Rose, supra note 202, at 182.
[FN206]. See Steve Jackson Games, Inc. v.
United States Secret Serv., 36 F.3d 457 (5th Cir. 1994).
[FN207]. See Henry Weinstein, Amendment on
Computer Privacy Urged, L.A. Times, Mar. 27, 1991, at A3.