I was surprised by the reaction here a few weeks ago when I discussed the oral argument before the Supreme Court in City of Ontario v. Quon, which concerns the right to privacy possessed by a police officer and those with whom he corresponded in text messages sent and received from his government-issued pager. Y'all were pretty blasé about it, with most here expressing no expectation of privacy in anything done on a device you didn't own.
Maybe this one will strike you differently. Cue theme music.
NYC doctor's office. Doctor installs keystroke logging software on an office computer and doesn't tell anyone, and tells an employee to only use that computer. Doctor uses the results of the keystroke logging software to log into the employee's personal email account, review emails, print out some of them, and emails some around to others ... resulting in criminal charges under New York Penal Law 156.05, which states:
A person is guilty of unauthorized use of a computer when he or she knowingly uses, causes to be used, or accesses a computer, computer service, or computer network without authorization.
Doctor moves to dismiss the charges, arguing that the victim had no expectation of privacy with regard to email use at work since he owned the computer, not the employee.
And the Hon. Mark Whiten of the Criminal Court of the City of New York, New York County, agreed with him and dismissed the charges, writing:
In this day of wide dissemination of thoughts and messages through transmissions which are vulnerable to interception and readable by unintended parties, armed with software, spyware, viruses and cookies spreading capacity; the concept of internet privacy is a fallacy upon which no one should rely.
It is today's reality that a reasonable expectation of internet privacy is lost, upon your affirmative keystroke. Compound that reality with an employee's use of his or her employer's computer for the transmittal of non-business related messages, and the technological reality meets the legal roadway, which equals the exit of any reasonable expectation of, or right to, privacy in such communications.
Whereas, some may view emails as tantamount to a postal letter which is afforded some level of privacy, this court finds, in general, emails are more akin to a postcard, as they are less secure and can easily be viewed by a passerby. Moreover, emails are easily intercepted, since the technology of receiving an email message from the sender, requires travel through a network, firewall, and service provider before reaching its final destination, which may have its own network, service provider and firewall. An employee who sends an email, be it personal or work related, from a work computer sends an email that will travel through an employer's central computer, which is commonly stored on the employer's server even after it is received and read. Once stored on the server, an employer can easily scan or read all stored emails or data. The same holds true once the email reaches its destination, as it travels through the internet via an internet service provider. Accordingly, this process diminishes an individual's expectation of privacy in email communications....
Although, the allegations state the defendant installed keystroke-tracking software and was seen accessing an email account, they fail to sufficiently support the claim that defendant's access was without authorization, inasmuch as (1) defendant owned the computer and (2) the email ownership is unstated. Accordingly, this court finds the allegations, herein, fail to support that defendant's access was unauthorized or that defendant was on notice that access was unauthorized.
The whole problem with the "reasonable expectation of privacy" test which forms the basis of our protections is that gradual erosion of privacy makes each subsequent incursion seem more "reasonable"; there's no objective baseline.
So where can you expect privacy these days? New Jersey! On March 31, 2010, a unanimous New Jersey Supreme Court saw the issue of email privacy on work computers much differently. Marina Stengart had quit her job with the Loving Care Agency and and filed a discrimination and harassment lawsuit. Loving Care then, um ...
Stengart had been provided a laptop computer to conduct company business. From the laptop, she could send e-mails using her company e-mail account; she could also access the Internet through Loving Care's server. Unbeknownst to Stengart, browser software automatically saved a copy of each web page she viewed on the computer's hard drive in a "cache" folder of temporary Internet files. In December 2007, Stengart used her laptop to access a personal, password-protected e-mail account on Yahoo's website, through which she communicated with her attorney about her situation at work. She never saved her Yahoo ID or password on the company laptop. Not long after, Stengart left her employment with Loving Care and returned the laptop. In February 2008, she filed the pending complaint.
In anticipation of discovery, Loving Care hired experts to create a forensic image of the laptop's hard drive, including temporary Internet files. Those files contained the contents of seven or eight e-mails Stengart had exchanged with her lawyer via her Yahoo account. At the bottom of the e-mails sent by Stengart's lawyer, a legend warns readers that the information "is intended only for the personal and confidential use of the designated recipient" of the e-mail, which may be a "privileged and confidential" attorney-client communication.
Attorneys from the law firm (the "Firm") representing Loving Care reviewed the e-mails and used the information in discovery. Stengart's lawyer demanded that the e-mails be identified and returned. The Firm disclosed the e-mails but argued that Stengart had no reasonable expectation of privacy in files on a company-owned computer in light of the company's policy on electronic communications (Policy). The Policy states that Loving Care may review, access, and disclose "all matters on the company's media systems and services at any time." It also states that e-mails, Internet communications and computer files are the company's business records and "are not to be considered private or personal" to employees. It goes on to state that "occasional personal use is permitted." The Policy specifically prohibits "certain uses of the e-mail system," such as discriminatory or harassing messages.
Obviously, the attorney-client issues complicate this question beyond general email snooping by employers. Still, wrote the Court:
Stengart plainly took steps to protect the privacy of those e-mails and shield them from her employer. She used a personal, password-protected e-mail account instead of her company e-mail address and did not save the account's password on her computer. In other words, she had a subjective expectation of privacy in messages to and from her lawyer discussing the subject of a future lawsuit.
In light of the language of the Policy and the attorney-client nature of the communications, her expectation of privacy was also objectively reasonable. As noted earlier, the Policy does not address the use of personal, web-based e-mail accounts accessed through company equipment. It does not address personal accounts at all. Nor does it warn employees that the contents of e-mails sent via personal accounts can be forensically retrieved and read by the company. Indeed, in acknowledging that occasional personal use of e-mail is permitted, the Policy created doubt about whether those e-mails are company or private property....
Loving Care argued that the manner in which the e-mails were sent prevented the privilege from attaching. Specifically, Loving Care contends that Stengart effectively brought a third person into the conversation from the start -- watching over her shoulder -- and thereby forfeited any claim to confidentiality in her communications. We disagree.
Stengart has the right to prevent disclosures by third persons who learn of her communications "in a manner not reasonably to be anticipated." See N.J.R.E. 504(1)(c)(ii). That is what occurred here. The Policy did not give Stengart, or a reasonable person in her position, cause to anticipate that Loving Care would be peering over her shoulder as she opened e-mails from her lawyer on her personal, password-protected Yahoo account.... Stengart took reasonable steps to keep discussions with her attorney confidential: she elected not to use the company e-mail system and relied on a personal, password-protected, web-based account instead. She also did not save the password on her laptop or share it in some other way with Loving Care.
As to whether Stengart knowingly disclosed the e-mails, she certified that she is unsophisticated in the use of computers and did not know that Loving Care could read communications sent on her Yahoo account. Use of a company laptop alone does not establish that knowledge.
The NJ Supremes left it to the trial court to decide how to punish the offending law firm, whether by disqualifying it from the case, screening which attorneys could handle the representation, imposing costs or via other sanctions.
Bottom line, gang? Protecting privacy requires vigilance -- both in terms of demanding it as a cultural expectation, and in watching just what you use your work PCs for in the interim and otherwise employing the tools available in social networking to protect your content from the public at large. Your privacy shouldn't depend on which side of the Kill van Kull you're on.