
THE LAWS PROTECTING YOUR PRIVACY: How effective are they?

Privacy in Cyberspace: by Ann Beeson Copyright 1996, The American Civil Liberties Union

I. Introduction

The age of information is a double-edged sword when it comes to civil liberties. On the one hand, the Internet is a true "marketplace of ideas," in which individuals around the globe come together to organize, debate, and share information unrestricted by geographic distances or national borders. It is perhaps the most democratizing medium yet created, as ordinary citizens -- not just large media conglomerates -- have an inexpensive platform for communicating with millions of persons at once with the simple click of a mouse. The Internet has contributed to the spread of democratic values, as online users become active producers of information rather than passive consumers, and netizens with common interests organize to influence public policy and increase oversight of government affairs. On the other hand, the same technology that promotes the First Amendment values of free speech, association, and access to information also poses a serious threat to another fundamental constitutional value -- the right to privacy.

Technology in the age of information has brought with it a whole new level of privacy concerns. Online communication is fluid, and much of the personal information we send into cyberspace in the form of e-mail messages and postings is easily tracked and stored by others -- including the government. An e-mail message addressed to one individual can be immediately forwarded to thousands. It is impossible to know who might be lurking on mailing lists and chat rooms. Do you have a reasonable expectation of privacy when communicating by private e-mail or through other private online fora? Against whom -- other users, the government, your Internet Service Provider, your boss? Are transmissions to and from mailing lists, Usenet newsgroups, chat rooms, and the web protected from unwanted intrusion? Can the police seize your entire computer system if they suspect you of transmitting illegal material? Do they need a warrant? Can they intercept and monitor your e-mail during transmission? Do you have any recourse if your service provider reveals your private messages to the world?

There has so far been little legal guidance regarding the right to privacy in the emerging world of online communication. With the exception of a panic-inspired rush to impose strict content regulations on the Internet, legislators have been slow to react to the information age. Courts are struggling to apply old privacy concepts to the new medium of cyberspace, and have not yet resolved many ambiguities in new electronic privacy laws. The following paper is an attempt to summarize the current status of privacy rights in the online world, and to offer a few suggestions for increasing online privacy protections.

II. A Brief History of Privacy Law

A. Courts

A brief review of the history of privacy rights in the United States will assist the discussion of the threat to privacy posed by the online world. Although the importance of privacy is deeply ingrained in our political heritage and social psyche, the right is not explicitly mentioned in the Constitution. But the Bill of Rights is a broad affirmation of personal privacy because it limits the government's power to interfere with individual liberty. For example, the First Amendment recognizes the right to personal autonomy ("the right to be left alone") by guaranteeing the privacy of personal beliefs and associations. The Fourth Amendment imposes limits on government interference with personal autonomy by protecting "persons, houses, papers, and effects" from unreasonable search and seizure. The Fifth Amendment's protection against self-incrimination also implicates privacy concerns, prohibiting the government from coercing an individual to reveal private matters. It is only in this century, though, that the courts began to recognize a constitutional right to privacy.

Samuel Warren and Louis Brandeis are credited as the forefathers of privacy law in the United States because of an influential article they wrote in the Harvard Law Review in 1890. They constructed the first legal concept of privacy out of property doctrine, tort law, copyright law, and damage principles. As one commentator noted, "Warren and Brandeis presented the idea of privacy as it should be understood: as deeply entrenched in culture, evolving over time, fundamental to the wholeness of the individual, and reflecting the social environment in which people exist."

Thus, a number of different principles comprise the modern understanding of the "right to privacy." Initially, the right to privacy was interpreted to include only "protection against tangible intrusions resulting in measurable injury." The common law torts of invasion of privacy, casting another in a bad public light, and physical intrusion into a person's home or solitude are examples of this approach to the right of privacy. Then, in a series of cases in the early part of this century, the Supreme Court began to formulate the constitutional right to privacy. In Meyer v. Nebraska, the Court invalidated a state law prohibiting the teaching of a language other than English because it interfered with personal autonomy. In Pierce v. Society of Sisters, the Court struck down a law requiring all children to attend public schools, recognizing that "the fundamental theory of liberty . . . excludes any general power of the state". Faced with what might be dubbed the first "cyberspace" privacy case, though, the Court was constrained by the property-based notion of privacy; in Olmstead v. United States, the Court held that phone wiretapping did not require a warrant because no physical intrusion was involved. Justice Brandeis wrote a strong dissent, recognizing that "the right to be left alone" was "the most comprehensive of rights and the right most valued by civilized men."

In NAACP v. Alabama, the Court recognized a First Amendment associational privacy right by refusing to allow a state to compel the disclosure of organization membership lists, articulating the "right of the members to pursue their lawful private interest privately and to associate freely with others" without "the deterrent effect . . . which disclosure of membership lists is likely to have." In Griswold v. Connecticut, the Court held that the Bill of Rights created "zones of privacy" within a "penumbra," striking down a Connecticut statute prohibiting married couples from using contraceptives because the law impermissibly intruded on the marital relationship. The "zone of privacy" surrounding the home led the Court in Stanley v. Georgia to hold that an individual could not be arrested for mere possession of obscene materials in his home. Justice Thurgood Marshall wrote, "If the First Amendment means anything, it means that a State cannot tell a man, sitting alone in his own house, what books he may read or what films he may watch." The "zone of privacy" reasoning was extended to include a woman's right to choose to have an abortion in Roe v. Wade.

In Katz v. United States, the Court reversed the Olmstead holding and declared that warrantless wiretapping was unconstitutional. In doing so, the Court articulated a new balancing test that would guide future considerations of the right to privacy. The test weighs the government's interest in a search against the individual's expectation of privacy. Important for discussions of privacy in the online world is Katz's recognition that the right to privacy included not only tangible property but also "an individual's communications, personality, politics, and thoughts."

Unfortunately, the Supreme Court then began a restrictive trend regarding the right to privacy. In Terry v. Ohio, the Court used its new sliding scale approach to privacy to uphold a police frisk in the absence of probable cause, reasoning that the level of suspicion required should be tailored to the intrusiveness of the search. The anti-privacy trend was also reflected in a series of cases regarding personal information stored on institutional computers. Acknowledging the reluctance of courts to extend privacy protections, privacy advocates turned to Congress.

B. Legislation

In the 1970s, Congress passed the Privacy Act, granting individuals the right to see, copy, and correct their federal agency records, and to restrict disclosures of the information without their consent. Congress also created the Privacy Protection Study Commission (PPSC), which concluded after two years that a range of new laws were required to provide legal safeguards for personal records. Unfortunately, very few of the PPSC recommendations have been enacted into law.

In 1980, Congress passed the Privacy Protection Act (PPA), which provides:

Notwithstanding any other law, it shall be unlawful for a government officer or employee, in connection with the investigation . . . of a criminal offense, to search for or seize any work product materials possessed by a person reasonably believed to have a purpose to disseminate to the public a newspaper, book, broadcast or other similar form of public communication.

The PPA prohibits law enforcement from searching or seizing "work product" and "documentary" materials from journalists and publishers unless they have "probable cause" to believe the person possessing the materials is involved in a crime, and the materials sought are evidence of the crime. Congress enacted the PPA to lessen the chilling effect of intrusive searches on those engaged in activities protected by the First Amendment.

In 1986, Congress revamped the Electronic Communications Privacy Act (ECPA), legislation originally enacted in 1968 to prevent telephone wiretapping. ECPA was amended to cover all forms of digital communications (including private e-mail), to prevent private entities in addition to the government from unauthorized access, and to prevent unauthorized access to stored messages as well as interception of messages. Unfortunately, the complexity of ECPA is not mirrored by the level of privacy it offers online users. Most significantly, ECPA provides only a set of default rules, all of which can be abrogated by contract between the provider and user or with the consent of the user.

III. User Privacy in the Online World

A. Public versus Private Online Fora

Several factors affect the level of privacy that online users can expect. First, privacy will vary depending on the forum in which the user is communicating. Generally, only private e-mail and private simultaneous chat is protected. While many online users may think of their postings on Usenet newsgroups and public message boards as "private" because the communications take place in the comfort and safety of their own living room, in fact these fora are the "town halls of cyberspace" -- they are by nature public and are thus entitled to no protection. Law enforcement can roam these public online spaces without a warrant, listening in on conversations and looking for criminal activity. Even mailing lists with limited subscribers (often referred to as "mail exploders" or "listservs") are only as private as the person on the list with the least degree of privacy protection. Thus, if one person or member of a mailing list has a contract with a service provider negating their privacy rights, none of the postings on the list will be considered "private."

B. Stored Messages versus Messages in Transmission

Second, the level of privacy protection will vary depending on whether the message is in the process of transmission or is being stored. For example, ECPA provides a much higher level of protection for messages during the process of transmission than for stored communications. Title I of ECPA imposes strong civil and criminal penalties against the government, providers and third parties who intercept electronic messages in live or real-time transmission between users; it also requires a "super-warrant" for law enforcement who wish to intercept electronic messages for the purposes of a criminal investigation. Title II of ECPA, which governs unauthorized access to stored messages, protects only against third party and government access and not against access by the service provider. Penalties for violations of Title II are lighter, and there is no "super-warrant" required before the government can gain access to stored messages during a criminal investigation. "Stored messages" may include messages in the addressee's mailbox waiting to be picked up by the addressee, and records of private online discussions between users.

C. The Identity of the Intruder

Third, online privacy rights vary tremendously depending on the identity of the potential intruder. The section below reviews online privacy rights in relation to employers, Internet Service Providers, third parties, and the government. Generally, users have the least privacy protection in relation to their employers (for communications over networks provided by the employer), and the most privacy protection in relation to the government's ability to intrude on non-criminal communications.

1. Employers

Many people are first exposed to online communications when their employer provides them with a personal e-mail account. Because electronic mail is a very economical way to communicate and share information and files with clients and business colleagues, especially across long distances, businesses are putting their employees online in increasing numbers. Many employees don't realize that the law recognizes little if any privacy protection in electronic mail sent or received by an employee on their work accounts -- even if the mail is personal and not work-related. While the "Omnibus Crime Control and Safe Streets Act of 1968" prohibits employers from eavesdropping on the private phone conversations of their employees at work, there is no similar protection of electronic mail communications. The law is still in its infancy, but "most lawyers agree that under current laws, workers do not have privacy rights on in-house company systems unless their employers give them those rights."

Courts have yet to rule on whether ECPA prevents employers from accessing employee e-mail, but employers are probably exempt from ECPA as applied to company e-mail systems under the "business extension rule" routinely applied to allow employers to monitor company voice mail systems. In addition, §2511(2)(a)(I) of ECPA provides that:

It shall not be unlawful . . . for . . . a provider of wire or electronic communication service, whose facilities are used in the transmission of a wire communication, to intercept, disclose, or use that communication in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service, except that a provider of wire communication service to the public shall not utilize service observing or random monitoring except for mechanical or service quality control checks. [emphasis added]

The exception could be interpreted to allow an employer to access employee e-mail if necessary for "the protection of the [employer's] rights or property." While ECPA may still pose some limitations to an employer's right to monitor or access employee e-mail, these limitations will have to be determined by the courts.

Electronic privacy rights in the workplace have been considered in a handful of cases, all of which concluded that an employee has no expectation of privacy in her e-mail. In Shoars v. Epson, an employee was fired for refusing to participate in her supervisors' monitoring of employee e-mail. She sued for wrongful termination, relying on a California state law that prohibits electronic surveillance. The court held that the statute's protections did not extend to e-mail. In another California case, Bourke v. Nissan Motors Corp, the company fired an employee for sending personal messages (some containing sexual content) through the company e-mail system. Bourke sued for wrongful termination, claiming invasion of privacy. That court denied the claim also. It reasoned that Bourke had no reasonable expectation of privacy in her e-mail because she had signed an agreement with the employer that restricted use of the system to company business and because she knew that the employer sometimes monitored electronic messages.

In Smyth v. The Pillsbury Co., a federal district court in Philadelphia recently dismissed another wrongful discharge claim from an employee who was fired after the company intercepted "inappropriate and unprofessional comments" that the employee had made to his supervisor over the company e-mail system. The Pillsbury Company had repeatedly assured its employees that all e-mail communications would remain confidential and privileged, and that it would not intercept e-mail or use it as grounds for termination. Smyth argued that his termination was "in violation of public policy which precludes an employer from terminating an employee in violation of the employee's right to privacy as embodied in Pennsylvania common law." Despite the employee's reliance on the company's assurances, the Court held that there was no "reasonable expectation of privacy in e-mail communications voluntarily made by an employee to his supervisor over the company e-mail system. . . . Once plaintiff communicated the alleged unprofessional comments to a second person (his supervisor) over an e-mail system which was apparently utilized by the entire company, any reasonable expectation of privacy was lost." The case sets a disturbing precedent regarding the enforceability of agreements that employers will not monitor employee e-mail.

2. Internet Service Providers

Users disturbed by the lack of privacy provided by their company e-mail may decide to purchase their own access to the Internet, either through one of the large commercial service providers like America Online or CompuServe or through a local Internet Service Provider. Almost all service providers have "online service agreements" that may restrict user privacy otherwise protected under ECPA. Unfortunately, most users do not realize they are signing away privacy rights when they go online through a service provider, because most service agreements are "take-it-or-leave-it" contracts.

In the absence of an agreement, ECPA provides a set of default rules that limit the extent to which service providers may intercept or access the private communications of their users. Title I of ECPA prohibits system operators from intercepting e-mail or private real-time chat messages during transmission. Title II of ECPA allows system operators to look through stored messages, but prevents them from disclosing the messages to third parties (including the government) unless an ECPA exception applies. But because many systems are configured to store all messages that pass through them, "the ability to review stored messages effectively gives the operator the ability to review all messages passing through the system."

ECPA provides civil remedies for users whose privacy has been violated by their service provider. However, providers who cooperate with law enforcement who present proper warrants or subpoenas are not subject to later action by users. ECPA provides a complex set of rules for the proper disclosure of information by the service provider to law enforcement. Service providers may not provide basic information about users to law enforcement without an administrative subpoena; that information includes user name, billing address, how long the user has used the service, and which features were used. Service providers may not disclose the content of messages less than 180 days old to law enforcement without a warrant. (Neither the government nor the provider is required to inform the subscriber.) Service providers may not disclose the content of messages more than 180 days old to law enforcement without a warrant, or government notice to the subscriber and an administrative subpoena or court order. Service providers may reveal any stored message to law enforcement if the provider accidentally comes across the message. (Law enforcement are required to obtain a warrant to intercept future messages or conduct further review on their own.)

Service providers are also forbidden from disclosing the transactional records of a user to law enforcement without a warrant, a court order, or the consent of the user. However, ECPA explicitly allows service providers to disclose the transactional records of users to "any person other than a governmental entity."

3. Third Parties and Hackers

Cyberculture is notorious for its hackers -- net savvy youth who like to show off their skills by cracking and invading computer systems. Although the damage from these intrusions is often minimal, the privacy violation is not. The law imposes criminal penalties on third parties who intercept private communications or stored messages without the user's consent. Title I of ECPA (intercepted messages) provides for fines and/or imprisonment up to five years. Title II of ECPA (stored messages) provides for a fine of up to $5000, or imprisonment for up to six months, or both. If the offense is committed "for purposes of commercial advantage, malicious destruction or damage, or private commercial gain," Title II provides for a fine of up to $250,000 or imprisonment up to two years, or both. Hackers can also be prosecuted under the federal wire fraud statute, theft of government property, and the Computer Fraud and Abuse Act. Users damaged by the activities of hackers may also seek civil damages under ECPA.

4. Government and Law Enforcement

a. The Fourth Amendment in Cyberspace

When dealing with the government, online users enjoy constitutional privacy protections in addition to statutory ones. The Fourth Amendment forbids unreasonable searches and seizures and requires that warrants issue only with probable cause. Under prevailing law, any interception or access to private electronic communications -- regardless of whether the police listen in on your e-mail conversations, ask your service provider for past messages, or knock down your door and seize your entire computer system -- constitutes a "seizure" under the Fourth Amendment. However, users must remember that the Fourth Amendment does not protect against police who "go undercover online" to gather evidence in public areas of online systems, because there is no expectation of privacy in such areas.

Law enforcement may attempt to seize computer systems if (1) the system itself is suspected of criminal activity; or (2) law enforcement believe that evidence of a crime committed by others is available through the system. Although the normal warrant rules apply, many questions regarding warrants for computer evidence have not yet been answered. For example, may law enforcement seize an entire computer system, including all the files on the hard drive, if it suspects that one illegal e-mail message has been transmitted on the computer? Or must law enforcement specify with particularity the illegal files they seek, and limit their search only to those files?

Users whose systems have been subjected to seizure in violation of the Fourth Amendment may seek redress under a Section 1983 action. If criminal charges are brought against the user based on an illegal seizure, the user may seek to exclude the tainted evidence. In addition, state constitutional claims may be asserted. So far, ten states have amended their Constitutions to include an explicit right to privacy: Alaska, Arizona, California, Florida, Hawaii, Illinois, Louisiana, Montana, South Carolina, and Washington.

b. Statutory Rights

i. ECPA

Under ECPA, law enforcement must meet much higher standards than required for an ordinary warrant in order to intercept private e-mail. Users may recover civil damages against law enforcement who violate ECPA. However, law enforcement may assert as a defense a "good faith reliance" on a warrant or court order. To search and seize stored messages from a user's personal computer, law enforcement need only meet the regular warrant requirements. ECPA provides lighter standards for law enforcement to obtain access to some stored messages from the user's service provider.

The distinction between a "stored message" and a "transmitted message" may affect an online user's privacy rights in relation to law enforcement. In Steve Jackson Games v. U.S., a federal court held that unread e-mail was a "stored communication" rather than a "transmission," which entitled it to lesser protections under ECPA. This interpretation provides a dangerous loophole that may allow law enforcement to bypass the strict warrant requirements for interception of e-mail messages. Rather than comply with the strict interception requirements, law enforcement can go to the suspect's service provider, sometimes with a mere administrative subpoena, and get access to stored e-mail communications. Hopefully, future courts will realize the abrogation of privacy rights inherent in an interpretation that unread e-mail qualifies only as a "stored message" under ECPA, and will hold instead that law enforcement must meet the interception warrant requirements whenever they seek access to unread e-mail.

ii. Privacy Protection Act

Online systems and their users are protected by the PPA "to the extent they act as publishers and maintain publishing-related materials on the system." Electronic newsletters, e-mail, web pages, and other electronic databases, if not available publicly, may all be protected under the PPA. PPA provides for civil damages against the government and individual agents. As a defense, agents may assert a "reasonable good faith belief" that their conduct was lawful. In Steve Jackson Games, the Court appeared to accept as a "good faith" defense an agent's assertion that he did not know that the PPA applied to online systems, a ruling that will hopefully not be replicated in other jurisdictions.

c. Steve Jackson Games

One of the most dramatic examples of an overbroad search and seizure of an online system is the case of Steve Jackson Games v. US. Steve Jackson Games was a small company that designed online role-playing games; it had a computer bulletin board for customer support. Federal agents were after a hacker group known as the "Legion of Doom," and one of the suspected members worked for Steve Jackson Games. The agents raided the company, seizing the online system computer, many extraneous computer parts, printers, and other equipment unrelated to the daily operation of any online system. They had only an unsigned photocopy of a warrant. They also seized a book under development called "GURPS Cyberpunk," a role-playing game that described various exotic ways to break into computer systems in an imaginary future world. The agents thought they had come upon a real hacker handbook, but computer experts say that anyone with even limited knowledge of online technology would have known immediately that the handbook was entirely fictional. Law enforcement failed to return any of the equipment for several months, resulting in much damage to the business. Neither Steve Jackson Games nor any other person was ever criminally charged as a result of the raid. Steve Jackson Games sued under ECPA and PPA, and won damages; individual users of the system were also awarded damages.

IV. Conclusion: Negotiating for Increased Privacy

The above review reveals the limitations of current privacy protections for online communications. Most significantly, statutory protections can be reduced or negated through private agreement. But private agreements can also be used to increase user privacy. Users may negotiate for stronger privacy protections with two of the four potential privacy intruders -- employers and service providers. In addition, such agreements, and the level of system security they require, may limit the ability of law enforcement and third parties to gain access to the user's communications.

Currently, the trend in service agreements, both with employers and service providers, has been for lessened privacy protection. Many system operators who fear liability for the illegal actions of their users require all users to sign contracts that authorize the system operator to snoop at will, completely negating the ECPA privacy rights. This is a bad business decision for two reasons. First, virtually all crimes contain a "knowledge" requirement. Providers who routinely review e-mail messages are more likely to be seen as "knowing" the contents of those messages, and thus to expose themselves to criminal liability, than providers who never review messages.

Second, the higher the level of privacy granted by the provider to its users, the higher the level of protection against government seizure of the entire online system. The privacy rights of the online system are based largely on the privacy rights of its users. A contract provision that allows providers to snoop in e-mail means that there are no private messages on the system. Thus, by definition, everyone has equal authority to look at the messages, including law enforcement. Law enforcement agents could seize and then roam through the entire system, reading random e-mail even of persons not directly associated with the initial investigation. Conversely, if the online system gives strong privacy rights to its users, law enforcement must tailor their warrant very narrowly to specific messages between those users suspected of criminal activity.

Online users can use these arguments to lobby for strong privacy protections for e-mail at work; the Electronic Mail Association has provided useful sample agreements. The same arguments can be used to persuade Internet Service Providers to change their online service agreements to provide for stronger privacy protections for their customers. Of course, citizens, privacy advocates, and civil rights lawyers should also work to increase online privacy protections through new legislation and case law. There remains much to be done to secure the fundamental right of privacy in the new sphere of cyberspace.
