CPSR Newsletter Fall 1995

The Legal Right to Privacy in Electronic Communications

by Timothy Stanley

CPSR News Volume 13, Number 3: Fall 1995

----------

What sort of privacy rights does a person have when sending communications through cyberspace? Can the government intercept our email messages as they pass through government computers on the way to their destination? Can on-line services, system operators, or employers read our email as they sit using "their" computer systems? Are unknown individuals free to intercept our email once we send it out, and do we somehow have to inform them that a message is private to protect it? From a legal standpoint, what privacy rights we have depend on our contractual relationships, primarily the relationship we have with our on-line service provider. The government provides default rules, but these rules can be, and most often are, superseded by more formal arrangements. It is the contract with your on-line service provider that will affect your rights, not only with that provider, but also with the government and others.

Briefly, my recommendations for those who need communications privacy are as follows: (1) use PGP or another strong encryption method, (2) do not use your employer's computer system for personal messages and messages you do not want your employer to read, and (3) choose a service provider who contractually gives on-line users strong privacy rights. For many messages, privacy is not a great concern; these three measures are for those situations in which privacy is needed. With these recommendations in mind, let's now examine the legal right to electronic privacy.

This article discusses the legal structure of individual privacy rights for on-line communications. It primarily concerns those federal laws that have been designed or held to protect these privacy rights. The most important of the laws form part of the Electronic Communications Privacy Act of 1986. I will also point out a few constitutional issues that might be relevant to on-line privacy, although there have been no related major decisions as of this writing.

Although much of what this article contains is relevant to companies and other commercial enterprises, its focus is on the individual and not on privacy-related issues such as trade secret rights.

The amount of privacy that one has in one's dealings depends to a large extent on who the other party is. The law tends to divide privacy rights into three categories that correspond to one's privacy rights with regard to the parties involved. These categories are (1) service providers, such as a commercial on-line service, system operator, or employer, (2) the government, and (3) other individuals who might come upon our electronic communication. The most important relationship is that with the service provider, since privacy rights with all others begin with that contractual relationship. In this article, I first give brief background on the Electronic Communications Privacy Act (ECPA) and other privacy laws. I then look specifically at the privacy rights one has in relation to one's service provider, the government, and other individuals.

An Overview of Privacy Legislation
In the 1950s and 1960s, as electronic technology became more advanced, electronic surveillance became a potential threat to the individual's privacy. In 1968, Congress passed the Omnibus Crime Control and Safe Streets Act, which set in place anti-telephone-wiretapping laws to curtail electronic surveillance. These laws focused primarily on voice communication. But, as other forms of electronic communication became more prevalent in society, Congress, with some prodding, moved to protect these other forms as well.

In 1986 Congress passed the Electronic Communications Privacy Act, or ECPA. The ECPA expanded privacy rights in two directions. One included coverage of all other forms of electronic communication in addition to voice communication. The other forbade eavesdropping by private (nongovernmental) individuals or entities.

These were big changes in the law, reflecting both changes in patterns of communications and the fact that the threat to privacy from other individuals seemed at least as great as that from the government.

These laws give on-line users some protection in the absence of any other agreement. In most cases, however, there are other agreements between an on-line user and his or her service provider. These agreements take precedence over the laws, and thus it is very important for individuals to make contractual decisions that protect their privacy. Failure to do so may lead to situations in which one believes one has a privacy right but really does not under the law.

Since much of the privacy we have with all individuals depends on the agreements we make with our on-line service provider, I will first focus on privacy rights relative to the provider and then show how they relate to privacy rights with the government and other individuals. Again, it is important to remember that the ECPA is really just a set of default rules or a starting point from which bargaining for privacy proceeds.

Service Providers
There are two primary types of service providers an on-line user is likely to encounter. The first is an independent on-line provider or a bulletin board system (BBS) operator. This group includes services such as America On Line or CompuServe and local BBS operators, as well as universities that provide access to students. The second type of on-line service provider is the employer. Users have fewer privacy default rights when on their employers' computer systems than on one they have contracted to use privately.

Almost all users have some type of on-line service agreement; I certainly do with my accounts on America On Line, Stanford, and other BBSs. Parties can always agree to fewer or more privacy rights than those specified in the default ECPA rules. The privacy agreement reached (often on a take-it-or-leave-it basis) with the on-line service provider will affect your privacy rights, even with those who are not parties to the agreement. Since rules governing commercial service providers and employers differ in some significant respects, they are discussed in separate sections.

Commercial Service Providers
In the absence of countervailing contractual arrangements, the ECPA specifies the following default rules for privacy with regard to system providers, including BBS operators (referred to here as system operators). The ECPA does not allow system operators to intercept messages in transmission. This prohibition includes email as well as real-time chats. It does, however, allow system operators to read stored messages. A stored message can be thought of as any message not in the process of transmission, including both messages waiting to be delivered and those held in the system after delivery. Of course all messages that pass through a system can be stored, and thus all messages potentially can be read.

Although system operators may look through stored messages, they may not show the messages to others. There are exceptions. The most important is that a system operator can show a message to law enforcement officials if the message has been accidentally obtained and if the system operator believes that legally questionable activities are taking place. The key phrase is "accidentally obtained," which refers to the intent of the system operator. If the system operator is actively searching a file, the finding of legally questionable material is not "accidental"; if the system operator comes across such material while performing normal duties, it is an "accidental" find. The system operator may read any and all stored messages, but may show to law enforcement agents only those that were accidentally obtained. The system operator may not go back and review messages with the intention of forwarding them to law enforcement officials. If, for instance, a message accidentally obtained is forwarded to the police and they want to see more messages, they must obtain a search warrant. If one's rights are violated by a system operator, the remedy is to sue that person and attempt to collect damages. Criminal penalties are also a possibility.

One can seek or negotiate any level of desired privacy with a systems operator. Some BBSs give users nearly total privacy, while others offer little or none. Most commercial contracts fall somewhere near the America-On-Line agreement not to invade an individual's privacy unless they believe there may be a problem, however broadly defined. For agreements with smaller BBSs, one might be able to negotiate on an individual basis for higher (or lower) privacy standards. With the larger commercial services, the take-it-or-leave-it attitude is likely to prevail. Of course one can still pick the on-line service that offers the most privacy as one of its features (an attribute to be considered along with price, interface, information content, and so on).

It is not necessarily in system operators' interest to offer no privacy, since in that case the government does not need a warrant to search the machine. It is only when users have privacy that the government is required to have a warrant. For BBS system operators who have an interest in setting up contracts, the appendix of NetLaw by Lance Rose* offers sample contracts for user agreements, system operator agreements, information provider agreements, and online space and services agreements. Of course on-line users should read carefully any existing or intended contracts with service providers. (Key information is often found under the title of Usage Policies.)

Employer-Employee Service
The ECPA default rules provide for fewer restrictions on employers than on other service providers. Under the default rules an employer can monitor communication transmissions taking place in real time as well as stored messages. The basic reasoning is that the equipment is the employer's, to be used for work, and that the employer can establish and enforce the restrictions on its use.

The employer may give individuals certain privacy rights, by either expressed or implied contract. Some employers do give employees privacy rights; many do not. Employers who wish to establish a privacy contract with employees can consult the Electronic Message Association (web site at http://www.ema.org/ema/ema-home.html).

Government
As mentioned above, even the government's ability to intrude on one's privacy depends to a large extent upon one's contractual relationship with the system operator (or employer). The default rules are that for private communication the government needs a warrant for any message being transmitted in real time or stored for fewer than 180 days. For messages stored for more than 180 days, the government needs an administrative subpoena, a mere formality to obtain (but, of course, an important formality).

Lawful recipients of a message, however, may forward the message to the government, since an intended recipient of a message may legally forward it to anyone. If the system operator and users have a contract that explicitly allows the system operator to monitor messages, then that person may also forward messages to the government. (In this case one can think of the system operator as an additional intended recipient.) If all messages on the BBS are public, or there is a statement in the contract that communications are not private (possibly in the user agreement), then the government may have direct access to messages, since users in this case have no expectation of privacy. An important situation involves mailing lists. In terms of later use as evidence, a message on a mailing list has only as much privacy as the individual on the mailing list with the least amount of privacy. If a message is sent to an individual who has no privacy, then that message is not private in any way. Anyone can repost it or forward it anywhere (even if it has been intercepted from someone else). A similar situation can arise with the forwarding of a message by one recipient to another. As in the mailing list example, the weakest link in the chain is the one that counts when determining whether the message is private or can be used as evidence.

The U.S. Constitution offers some protections from governmental intrusion. They include constitutional guarantees of peaceful assembly and privacy. (The privacy right has not been explicitly stated, but it has been held to exist by Supreme Court decisions. It could be taken away by future decisions.) To the extent that a constitutional right can be demonstrated, it supersedes any limitation established by statute. However, constitutional rights in the electronic world are largely undetermined.

General Population
Except as alluded to above, it is illegal for uninvolved individuals (i.e., those who are neither senders nor intended recipients) to intercept or disclose private email communications. This should not be of overwhelming comfort, though, as one is unlikely to know whether messages have been intercepted or who has been doing the intercepting. Again, situations such as the mailing list example indicate that, in many cases, messages assumed to be private may not be legally protected.

Exceptions
The foregoing is just a general summary of one's communication privacy rights. There are numerous exceptions, many of which are quite logical, to these rules. Intent is also important. For example, system operators can always forward messages to the intended party or to another party for the purpose of forwarding it to the intended party. If a system operator forwards a message to someone he or she thinks is the intended person, the operator cannot be held accountable if it goes to the wrong person. This is true even if your worst enemy has tricked the system operator into thinking that he or she is you. (Of course, your enemy may now be in trouble.) Also, the U.S. government can, and does, intercept and monitor messages leaving the United States. Sending a message to an overseas remailer is probably not going to provide anonymity, at least not relative to the U.S. government. If there is an emergency situation involving national security, immediate risk of death or physical harm, or activities likely to be related to organized crime, the U.S. government may be able to intercept messages now and get the warrant later. These are just some of the exceptions to the privacy guidelines I have outlined. You need to read the ECPA and the legislative history to really understand all the exceptions that exist or might be argued. But in most cases, common sense will give the correct answer. There are also state laws and contractual remedies that might apply. This, of course, depends on your state and the contracts you make.

A Final Word
I would point out two important considerations. First, it is very unlikely that the legal protections you have will be of much value if a private party or government agency really wants to invade your electronic privacy. To have the law enforced you would have to (1) detect that your privacy has been invaded, (2) determine who invaded your privacy, (3) file an action or complaint, and (4) make the invasion of privacy observable to a third-party decision-maker (such as a judge or government agency). Overcoming these barriers is improbable in many, if not most, situations. To truly protect privacy one must use independent, nonlegal means. These include using strong cryptography for protecting email and choosing on-line providers that tightly control physical and electronic access to their computer systems.

The second point I would like to make is that for most people it is unlikely that your privacy will be violated. You need to ask yourself, "Why would someone want to invade my privacy?" Realistically, there probably is not a conspiracy of young hackers or government agents trying to read your email. There are three primary exceptions to this assumption. One is the employer-employee situation; a second concerns the system operator. Both these exceptions involve parties with whom the individual has a relationship. The final exception involves trade secrets or other commercial information that may have value to competitors. Commercial espionage should not be discounted, since it is relatively cheap to steal information as compared to discovering it.

My guess is that in the future, as now, individuals and companies will rely on self-help. The law will be useful only in those peculiar cases where one is able to determine that his or her legally protected privacy has been violated and to prove who committed the violation. The practical message is clear: if you want privacy in electronic communication, provide your own protection.

Note
* An excellent and very readable book (regardless of one's knowledge of law) that contains much useful information as well as pointers to sources that could be used to further explore issues of interest.

References
Banisar, David, Ed., EPIC 1994 Cryptography and Privacy Sourcebook, The Electronic Privacy Information Center, 1994.

Cavazos, Edward A., and Morin, Gavino, Cyberspace and the Law: Your Rights and Duties in the On-Line World, MIT Press, 1994.

Rose, Lance, NetLaw: Your Rights in the Online World, Osborne McGraw-Hill, 1995.*

Rothfeder, Jeffrey, Privacy for Sale: How Computerization Has Made Everyone's Private Life an Open Secret, Simon & Schuster, 1992.

Electronic resources that the reader may find useful are:

L. Detweiler's FAQ on internet privacy issues at URL: http://cpsr.org:80/cpsr/privacy/communications/net-privacy-faq

The Electronic Communications Privacy Act at URL: http://cpsr.org:80/cpsr/privacy/communications/wiretap/electronic_commun_privacy_act.txt

Tim Stanley is a member of the CPSR/Palo Alto Civil Liberties Working Group. He is also a lawyer and is currently finishing a Ph.D. in Engineering-Economic Systems at Stanford University. He has a WWW page at http://www-leland.stanford.edu/~tstanley1 and can be reached at tstanley@leland.stanford.edu.

----------

© Computer Professionals for Social Responsibility
P.O. Box 717 Palo Alto, CA 94302-0717
Tel. (415) 322-3778 Fax (415) 322-3798 webmaster@cpsr.org