Mark D. Rasch
Published: 01 Oct 2003
It's Friday afternoon, and Lois, who works for a large brokerage house, prepares for a weekend filled with work. At home, she connects her laptop to a wireless 802.11b network. She uses a VPN to connect to the office, but it is, after all, the weekend, and she does a bit of Web surfing -- paying bills online, making airline reservations, reading the news and listening to music.
When she returns to work on Monday, she is reprimanded, not for personal use of a company computer, but because of the content of her personal e-mails, or the type of Web pages visited.
As an employee, do you have any expectation of privacy in what you do online in the office or while telecommuting? Can your employer read your corporate e-mail or capture and record every keystroke you enter on your company laptop, even if you use it at home?
Expectation of Privacy
The starting point for any analysis of workplace privacy rights is determining whether the employee has any legitimate expectation of privacy. The question isn't as simple as it may appear. While the employer controls the workplace, this doesn't imply that all vestiges of privacy are lost. Employers can't generally eavesdrop on "water cooler" conversations; install video surveillance in lockers, restrooms, or other "intimate" places; and -- with some exceptions -- may not be able to examine the contents of your purse, wallet or briefcase while you are out to lunch. Similarly, the law places some limits on the rights of the employer to monitor electronic communications and telephone calls, whether these are personal or business related, unless -- and this is a big unless -- you agree to the monitoring.
Electronic Communications Privacy
For years, the only limits on the authority of the government or others to listen in on conversations were "invasion of privacy" or "intrusion into seclusion" lawsuits at the state level. These were difficult to win, particularly as they applied to the workplace, with its reduced expectation of privacy.
In the late 1960s, however, Congress passed a comprehensive federal wiretap law, essentially prohibiting the interception of communications in transmission or disclosing the results of such an interception. In the early 1980s, Congress extended these protections to e-mail and other electronic communications, passing the Electronic Communications Privacy Act (ECPA).
The general rule is that employees do have an expectation of privacy in telephone calls, e-mail and electronic communication -- whether at home or at work. However, there are some rather broad exceptions to the prohibition against interception, which tend to supersede this expectation of privacy.
The law permits the provider of telecommunications facilities -- for example, a telephone company, an ISP or an employer -- to intercept communications "to protect its rights or property" if the interception is done in the ordinary course of business. Some companies have relied on the so-called "provider" exception to listen in on employees' telephone calls and read their e-mail, but in many cases, the monitoring is done as part of a forensic investigation, and not as a routine part of conducting business.
More broadly, the federal law permits the interception of communications -- e-mail, Web browsing, keystroke logging -- if one of the parties to the communication has "consented" to the monitoring-explicitly or implicitly. Thus, a well-publicized (and well-written) policy that states that by using the employer's network the user consents to monitoring generally creates a consensual environment. But the policy must be explicit.
As the employer, do you intend to monitor employees' keystrokes and fire them if they aren't typing fast enough? Are you really going to monitor Web usage logs and take personnel action for nonwork-related computer use? If that's your intent, you'd better make sure you clearly inform employees.
ECPA wiretap provisions apply only to the interception of communications "in transmission." When an e-mail is received and stored, more liberal provisions of ECPA apply, which generally permit the viewing of such "stored communications" -- particularly by an employer. So, when is a business e-mail "received?" When the employee reads it, or when it hits the corporate mail server? What about personal Web mail? Some courts have read the "in transmission" requirement so narrowly as to permit employers to read almost any communication, under the theory that, once it hits the server, it's no longer in transmission.
Electronic Monitoring & Privacy Resources
Policy, Policy, Policy
Companies that monitor employee activities run a genuine risk of liability. Clear policies on use of company computers inside and outside the workplace are essential. Stock phrases such as "business use only," "no expectation of privacy" or "all e-mail is the property of the company" aren't particularly helpful, are generally unenforceable, and may give rise to charges of discriminatory enforcement.
Companies should also consider policies for inbound mail as well. A recent case in which a former Intel engineer sent thousands of e-mails to current employees couldn't be prosecuted as a trespass because Intel didn't generally restrict inbound e-mails, and therefore filtered the engineer's mail based solely on its content.
In all instances, a sound, flexible, enforceable and well-reasoned policy is the best defense.
About the author:
Mark D. Rasch is senior VP and chief security counsel of managed security services provider Solutionary, and a former prosecutor of cybercrimes at the Department of Justice.