Return to Cyberspace Law & Policy Institute Home Page.
It is generally accepted by e-mail users that their messages are at least somewhat vulnerable at some level if they are stored by either the sender or the receiver. People understand that law enforcement personnel may seek legal access to files, and that offices can have stated policies regarding e-mail privacy.
But the vulnerability of e-mail messages goes far beyond access to stored files. Apart from potential problems with hackers or prying systems operators, some e-mail systems actually copy messages as they pass through the system. Other systems may automatically create back-up copies of new e-mail as it arrives on system "servers." Thus even erasing messages from in-boxes and out-boxes may not actually delete e-mail from system files. Local attorneys have been amazed to discover that they can actually obtain access to electronic communication by relying on such automatic "storage" devices.
From a legal perspective, too, e-mail users have substantially less protection in most jurisdictions today than those who converse on the telephone or send traditional mail through the U.S. Postal Service. And for most users of either the Internet or private electronic mail systems, determining the parameters of this protection is a complex inquiry that is likely to trigger an analysis of a wide-ranging and often contradictory body of law.
To begin with, some privacy protections are available under the U.S. Constitution. These protections are typically rooted in the Fourth Amendment's guarantee against unreasonable searches and seizures and in the Fourteenth Amendment's implied right of privacy in the areas of marriage, procreation, contraception, and abortion.
In California, Article I, Section 1 of the State Constitution provides an express right to privacy, which has been held to protect state residents in both the public and the private sector. The scope of this protection has arguably been limited to at least some degree by the California Supreme Court's recent decision in a Stanford drug testing case, Hill v. NCAA, 7 Cal. 4th 1 (1994). In Hill, the court analyzed the claim by student athletes that the NCAA's mandatory post-season and championship tournament drug testing program violated the California Constitution, and ruled that a compelling state interest need not be shown to justify a privacy-right infringement under Article I, Section 1.
Under federal statutory law, the Electronic Communications Privacy Act (ECPA), which originally served as an anti-wiretapping act, has now been expanded to include electronic communication. 18 U.S.C. Sections 2510-2710. But commentators have pointed out that this statute is filled with exceptions and provides a significantly lower level of protection for e-mail users than it does for others employing electronic transmission devices. See Larry O. Gantt, An Affront to Human Dignity: Electronic Mail Monitoring in the Private Sector, 8 Harvard Journal of Law & Technology 345 (1995). For example, if there is no agreement on privacy between a systems operator and an e-mail user, the operator can generally review all e-mail that is stored in the system...even messages that have not yet been retrieved by the user. And, as a general rule, the ECPA provides a significantly lower level of protection for e-mail users in the private sector.
Under common law tort doctrine, a plaintiff in this context might be able to rely on the protections against unreasonable intrusion that are deemed to be part of the right of privacy. See Prosser & Keeton, The Law of Torts Section 117 (5th ed. 1984). But this protection has only been deemed applicable if a plaintiff is entitled to privacy in the first place.
Given the sketchy and uneven protections outlined above, it is understandable that commentators continue to argue that new legislation is needed to provide e-mail with the same protection as other forms of personal communication.
Lawsuits regarding the nature and extent of e-mail privacy are beginning to make their way into the courts. Two recent California cases are particularly instructive in this regard. For example, in a class action lawsuit brought against Epson under California Penal Code Section 631 -- which provides a private cause of action for illegal interceptions of private wire communications -- seven hundred employees argued that the company was illegally intercepting and reading e-mail messages on the office system. The trial court ruled in favor of Epson, however, declaring (1) that it was not clear that these employees had a reasonable expectation of privacy in their e-mail messages, and (2) that even if plaintiffs had such an expectation, Section 631 did not apply to e-mail. Flanagan v. Epson America, Inc., No. BC007036 (Cal. Super. Ct. Jan. 4, 1991).
In a similar lawsuit filed under tort law by employees who argued that the Nissan Motor Company was tortiously intercepting many of their personal e-mail messages, the California Court of Appeal affirmed the trial court's decision that Nissan was well within its rights to do so. The court reasoned in an unpublished opinion that plaintiffs had no reasonable expectation of privacy because they had signed a waiver form which stated that "it is company policy that employees...restrict their use of company-owned computer hardware and software to company business." Bourke v. Nissan Motor Corp., No. B068705 (Cal. Ct. of Appeal July 26, 1993).
A very interesting and related hypothetical might be set at a California public university, where so many employees, students, and faculty members have dial-in capabilities and are able to use the university e-mail systems at home for a variety of personal reasons. Suppose, for example, that a local reporter seeks access to a professor's e-mail under the California Public Records Act, which provides that "any person may receive a copy of any identifiable public record." Cal. Government Code Section 6256. Public record is defined in the Act as including "...any writing containing information relating to the conduct of the public's business." Cal. Government Code Section 6252 (d).
Although the professor might challenge such a disclosure under both the California Constitution and the ECPA, her case would be a lot stronger if her e-mail had been student-related. If the e-mail had been sent to or from a student, or if it had addressed a student-related issue, it could then be construed as a student record. And student records are given extensive privacy protection under the Family Educational Rights and Privacy Act (FERPA) 20 U.S.C. Sections 1232g-1232i.
Finally, it should be noted that if the e-mail in question was in fact private communication with family and friends, it might not even constitute "public business" within the meaning of the Public Records Act.
E-mail privacy is a complex and multi-faceted area, and disputes that reach the courts will clearly require an exploration of the interplay between a wide variety of legal principles under both federal and state law. It will be some time before the rights and responsibilities in this area can be sorted out by the legislatures and the courts.
Return to Cyberspace Law & Policy Institute Home Page.