Privacy Law and Policy Reporter
Employees’ email privacy and the challenge of advancing technology
Kathy Eivazi AUSTRALIAN NATIONAL UNIVERSITY
The state of current technology endangers employees’ privacy in ways never before imagined. Advances in information technology, in particular, have changed the nature of possible intrusion into the individual’s right to privacy.
Computer technology, with its capacity to collect, analyse and disseminate information on individuals, has revolutionised today’s workplaces and created new privacy issues, which have shifted the balance of control and performance monitoring in the workplace.
Employees are constantly subject to the watchful eyes of the monitoring software, often without their knowledge or consent. This constant practice of collecting and browsing, done in the name of performance monitoring, is on the rise and this is a growing concern for employees.
It is true that the development of information technology has enormously increased the quality of information available in digital form and has brought us many conveniences and commodities. This technology includes email and access to the internet. At the same time, as the use of the computer spreads throughout modern workplaces, it has created many disadvantages and inconveniences. As a powerful communication tool, it has created greater opportunities for employers to intrude into employees’ privacy by spying on their electronic communications.
In today’s electronic age, invasion of employees’ privacy is only a click away. It is like being connected by an umbilical cord to the computer, and there is no way out.
Current laws appear to generally favour employers’ business interests when it comes to email monitoring in the workplace, rather than employees’ privacy rights.
Privacy protection is frequently seen as a way of drawing the line limiting how far society can intrude into a person’s affairs, and indicating what value and importance society gives to privacy. If we acknowledge the value of privacy, how might we safeguard email privacy in today’s workplace?
Threats to privacy from information technology
The following strong comment was made in the Chicago Tribune on 5 March 2000:
Watching your every move, reading your every email message, tracking who you talk to and when, following your cursor around the internet. International espionage? Hardly. We’re talking about your employer. The workplace — where you spend more hours than anywhere but home — is where you have the least amount of privacy. Advanced software and computer-based technologies have made it easy for companies to monitor their employees’ activities with concealed cameras in elevators, hallways and work areas; software that records email messages, visited internet sites and telephone calls.
When human beings designed and implemented computer technologies, many focused on making a machine work — its reliability, efficiency and correctness. Rarely did they focus on human values such as autonomy, privacy and freedom of speech.
For many years paper has reigned as the supreme way of communication but, today, electronic messages have dethroned that monarch. The inherent limitations of the paper based system at least provided a certain level of privacy protection. Now, with the migration of records and files to IT systems, and as the use of the internet and computer at work is becoming the standard rather than an option, employees feel that the little privacy that they had has been threatened.
Warren and Brandeis said that:
Solitude and privacy have become more essential to the individual; but modern enterprise and invention have, through invasions upon his privacy, subjected him to mental pain and distress, far greater than could be inflicted by mere bodily injury.
Surveillance involves monitoring the movements or affairs of a person or persons. Computer surveillance can involve accessing or reading the storage mechanism of a suspect’s computer, or monitoring a person’s operation of a computer. As a working party on Information Security and Privacy appointed by the OECD points out:
Individuals who use the internet often leave behind ‘electronic footprints’, that is, digital records of where they have been, what they have spent time looking at, the thoughts they aired, the messages they sent, the goods and services they purchased. Furthermore, this data tends to be detailed, individualised and computer-processable.
Unlike visual monitoring performed in the past, employees being monitored electronically may not know they are being watched. The vast majority of employees are not even granted the common courtesy of prior notice of their employers’ electronic monitoring. It is only fair that they should be warned if they are being watched or monitored.
The rapid change in the technology has endangered employees’ rights to privacy in ways never before imagined. New developments in information technology offer several types of computer monitoring.
Employers can use computer software that enables them to see what is on the screen or stored in the employee’s computer terminals and hard disks.
People involved in intensive word processing and data entry jobs may be subject to keystroke monitoring. This system tells the manager how many keystrokes per hour each employee is performing. It also may inform employees if they are above or below the standard number of keystrokes expected.
Another computer monitoring technique allows employers to keep track of the amount of time an employee spends away from the computer or idle time at the terminal.
As Andrew Schulman states:
It is likely that about one out of four large companies systematically monitors the computer, internet, or email use of its employees.
A survey by the office of the Privacy Commissioner for Personal Data in Hong Kong found that 27 per cent of responding organisations monitor employee computer use, 23 per cent monitor web browsing, and 21 per cent monitor employee email.[7] There are more than 40 products available today which allow employers to see what their employees are doing at work on their ‘personal’ computers, in their email and on the internet.
The appearance of new software makes the monitoring of employees cheaper and easier than before. One of the best ways to understand the scope of workplace surveillance is to look at the market for employee monitoring products. Email surveillance is at the top of the list for popular monitoring techniques. The largest ‘employee monitoring’ (EM) company, Websense, recently reported its subscription based revenues for the first quarter of 2001 were US$6.7 million, representing more than 8.25 million worldwide customer ‘seats’ prepaid on a subscription basis. Almost every month, a new vendor seems to enter this market. There is no doubt that it is a growing business.
In some workplaces employers use the same surveillance techniques that are used for combating criminal activities. Some products scan all emails for certain keywords, much as the US FBI’s Carnivore was reported to do. As Andrew Schulman says:
... in a sense, we’re dealing here with the technical possibility of ‘Carnivore on the desktop’: ubiquitous, fine granular surveillance in the hands of every employer.
Reasonable expectations of privacy
There are many individuals who would feel that they have a reasonable expectation of privacy in their daily life. Everyone has the right to respect for his or her private life, property and correspondence. An employee is also entitled to the comfort and ordinary enjoyment of his or her private life without unreasonable interference by his or her employer.
The notion of privacy derives from the assumption that all information about a person is their own, for that person to communicate or retain as he or she sees fit. In the computerised workplace, considering that the most popular use of the internet is sending and receiving emails, many employees have legitimate expectations of privacy in relation to their email communications. Many employees wrongly view use of their employer’s email system as akin to making a telephone call, and thus feel the email messages they send on their company’s internal system should be free from intrusion.
Often employers will stress to their employees that when leaving their desks, they should not leave their computers turned on as that may allow others to access their files or emails. Such a comment may give them a wrong impression of some privacy or security over their email as there is with their lockers and desk drawers. They would feel they have a legitimate expectation of privacy in relation to their communications.
Even having passwords can give employees a false assurance of some privacy over their email, because many times they have been told to safeguard their passwords and not give them to anyone. Many employees would naively believe that by using their password, they would have control and they could prevent any unauthorised access to their online communications.
Permanency of email is another concern. Most employees wrongly think that if they delete their email it is gone forever. The fact is that emails are hard to destroy as most electronic documents are backed up and recoverable. The delete command does not make a message disappear; it can still be retrieved from back-up systems. Email messages can easily be intercepted and read by system managers, operators and employers.
Email is a very informal medium which often is compared to a postcard and not a letter, in that messages travelling over the internet from computer to computer are open and available in the same way as postcards travelling through the ordinary mail system.
Even if the email is marked private, it seems that choosing this option does not give any greater protection or expectation of privacy for employees, though some commentators have suggested it should. As Paul McGuinness argues:
... if the information was of a confidential nature surely encryption must be of relevance as it is evidence that the communication was imparted in circumstances importing an obligation of confidence. It is submitted that any form of reasonable encryption should be sufficient to impose upon the unauthorised recipient the duty not to disclose the information obtained by decoding the information.
Many employers argue that because they own the computer resources on which email messages are transmitted, they should have an unconditional right to control and monitor the contents of those messages. But there should be a balance between an employee’s reasonable expectation of privacy and an employer’s business justification for this intrusion. Sadly, as Jim Nolan states:
The use of an employer’s email system in the course of employment, so far as the law is concerned, is simply the use of just another piece of employer’s property.
In Smyth v Pillsbury Company,[14] the United States District Court for the Eastern District of Pennsylvania found that an employee has no reasonable expectation of privacy in their email. The Court held that a reasonable person would not consider an employer’s interception of email communications to be a substantial and highly offensive invasion of privacy. The Court found that the employer’s interest in preventing inappropriate communications over its email system outweighed any privacy interest by those employees who transmitted such communications.
In this case the plaintiff received certain emails from his supervisor over his computer at home in October 1994. He then exchanged some offensive and threatening messages such as ‘Kill the back-stabbing bastards’ concerning the company’s sales management. On 17 January 1995 the defendant notified him that his employment was terminated for transmitting what it deemed to be inappropriate and unprofessional comments over the defendant’s email system. The plaintiff claimed that his termination was in violation of public policy, which he argued precluded an employer from terminating an employee in violation of the employee’s right to privacy as embodied in Pennsylvania common law. In particular, the plaintiff relied upon the American tort of ‘intrusion upon seclusion’, which is defined in the Restatement (Second) of Torts.[15] He alleged that his employer had assured employees that emails would remain confidential and privileged.
In Bohach v Reno,[16] the Court denied the plaintiffs’ application for a preliminary injunction based on alleged violations of their Fourth Amendment rights by the Reno police department’s monitoring of alphanumeric pager messages, which the plaintiffs, who were police officers, sent to each other over the department’s messages system. The police officers had been told that all messages would be logged on the network and that the system should not be used for certain types of messages. The system was freely accessible with no password requirement. The Court held that the system was essentially electronic mail and that the officers did not have an objectively reasonable expectation of privacy in these communications and therefore they were not likely to prevail on their Fourth Amendment civil rights claim.
In May 1999, a Texas Court in McLaren v Microsoft Corp[18] considered whether an email password could support a reasonable expectation of privacy. In this case, the employee claimed that the fact that his email messages were stored under a private password with the employer’s consent gave rise to a legitimate expectation of privacy. The Court of Appeal, in upholding the District Court decision, found that the employee’s computer was provided to him by the employer so that he could perform the functions of his job; therefore, the messages contained on the computer were not his personal property but merely an inherent part of the office environment. The Court held that the employee, even by creating a personal password, did not manifest a reasonable expectation of privacy.
Although the current weight of authority finds no objectively reasonable expectation of privacy in email, at least two courts have rejected that conclusion. As an example, in Restuccia v Burk Tech,[20] the employer discharged employees after reading email files that contained derogatory references to the company’s president. Employees sued the employer for invading their privacy by reading emails without advance warning. The Court concluded that:
... there remain genuine issues of material fact on the issue of whether plaintiffs had a reasonable expectation of privacy in their email messages and whether the employer’s reading of their email messages constituted an unreasonable, substantial, or serious interference with plaintiff’s privacy.
The Court noted further that the ability to create passwords and delete emails supported expectations that employees’ messages would remain private.
In Dunlap v County of Inyo,[22] the Court noted in dictum that:
Cellular telephones and electronic mail are both technologies of questionable privacy, but we nonetheless reasonably expect privacy in our cell phone calls and email messages.
In Australia, the case of Australian Municipal, Administrative, Clerical & Services Union v Ansett Australia Ltd raised an issue of an employee’s use of the employer’s email system and allegations of the victimisation of a union member. In this case, the Court had to consider whether a union delegate’s use of Ansett’s email system was unauthorised and, as such, constituted an act of misconduct which justified her dismissal. The judge found that the use of the email system was impliedly authorised as Ansett’s email guidelines permitted ‘authorised business users’.
Merkel J held that the dismissal of an employee who was also a union member contravened the freedom of association provisions in the Workplace Relations Act 1996 (Cth). Ansett had failed to discharge the onus of proving that the dismissal was not for a prohibited reason. The importance of employees being clearly informed about a company’s IT policy and the company following the policy consistently is highlighted by the decision of Merkel J in this case. Since there was an arrangement between the union and Ansett regarding the communication of agreement negotiations, it was held that this communication fell within the category of authorised business uses. If this arrangement had not been in place, in the face of an employer policy against the use of the email system, the employee could have been disciplined. Therefore, it is important for employers to have a clear written policy regarding the appropriate use of electronic communications, web browsing and privacy in the workplace.
In general, courts have tended to find that an employer’s needs or business interests outweigh the employee’s privacy interest. And if there is a publicised policy in place, this can reduce the employee’s expectation of privacy. It is possible, however, that if the employee’s email messages are encrypted or coded, a further expectation of privacy may be created. It is apparent that the particular employment setting will determine whether an employee has a reasonable expectation of privacy.
Employees do not have rights of privacy in email communications they send and receive on their employer’s system unless the employer acts in a manner giving rise to a reasonable expectation of privacy. An employer can possibly create this expectation of privacy if it allows the system to be used for personal communications and its employee is aware of the use of the email system for that purpose. Under these circumstances, an implied agreement is arguably created granting employees the right to expect that their private communications will not be monitored or accessed.
There is continuing debate in New South Wales about whether employees’ expectation of privacy in email communications should be recognised in law.
The former Minister for Industrial Relations and Attorney-General, Jeff Shaw, requested the NSW Privacy Commissioner develop email privacy guidelines while the NSW Law Reform Commission was given a reference on surveillance by the NSW Government. The Office of Information Technology has subsequently issued an Information Management Guideline, developed in collaboration with Privacy NSW. The Law Reform Commission report, published in early 2002, contained recommendations for email privacy in the workplace based on the regime in the existing Workplace Video Surveillance Act 1998 (NSW). Although the then Attorney-General had in July 2001 foreshadowed legislation based on these recommendations, nothing has happened to date.
While surveillance is as old as work itself, new technology presents an alarming threat to the privacy and autonomy of employees. As Michael Levy points out:
Electronic surveillance invades workers’ privacy, erodes their sense of dignity and frustrates their efforts to do high quality work by a single-minded emphasis on speed and other purely quantitative measurements.
Faced with a revolutionised communication industry and dated legislation on monitoring, employers have been quick to put the new technology to their own use. Advances in information technology have changed the structure and nature of our workplaces. They have led to more invasive and often covert monitoring practices. They have also pushed the boundaries of what personal details and information an employer can acquire from an employee.
This revolution is one of the imperatives for changing the law. If privacy is to keep its meaning, each individual, including employees, should have the right to be treated as an autonomous human being and not just as another piece of the employer’s property.
As in all privacy interests, there should be a balance between the interest in the protection of the employee’s private and personal communications and an equally legitimate interest in the protection of the employer’s lawful interest and property. To ensure openness and accountability employees should be informed in advance of any electronic monitoring. The law must be revised if we are to preserve the meaning of ‘being let alone’; otherwise there is a chance that we will end up in a society where privacy does not exist.
Kathy Eivazi, lawyer, PhD scholar, Australian National University.
An earlier version of this article appeared in the Commonwealth Law Journal, vol 11 No 3, December 2002.
1. Jim Nolan ‘Employee privacy in the electronic workplace, Pt 1: surveillance, records and emails’ (2000) 7(6) PLPR 105.
2. Samuel Warren and Louis D Brandeis, ‘The Right to Privacy’ (1890) 4 Harvard LR 193.
3. As above.
4. Organisation for Economic Co-operation and Development, Working Party on Information Security and Privacy, Inventory of Instruments and Mechanisms Contributing to the Implementation and Enforcement of the OECD Privacy Guidelines on Global Networks, May 1999, at 7, accessible at <www.olis.oecd.org/olis/1998doc.nsf/linkti/dsti-iccp-reg(98)12-final>.
5. See <www.privacyrights.org/fs/fs7-work.htm>.
6. Andrew Schulman ‘Computer and internet surveillance in the workplace’ (2001) 8(3) PLPR 49.
7. <www.pco.org.hk/info/newsletter/prithoughts4.html>.
8. As above.
9. Above note 6 at 50.
10. At <dir.yahoo.com/Computers_and_Internet/Internet/Issues/Privacy/Carnivore>. The system forces internet service providers to attach a black box to their networks — essentially a powerful computer running specialised software — through which all of their subscribers’ communications flow.
11. Above note 6 at 55.
12. Paul McGuinness ‘The internet and privacy — some issues facing the private sector’ Computers & Law (June 1996) at 26.
13. Above note 1 at 108.
14. Smyth v Pillsbury Company, 914 F Supp 97 (ED Pa, 1996) at <www.Loundy.com/CASES/Smyth_vPilsbury.html>.
15. Kent Davey ‘Privacy protection for internet email in Australia — Part 1’ (June 1997) Computers & Law No 33, 3.
16. Bohach v Reno, 932 F Supp 1232 (D Nev 1996).
17. I Ballon ‘The Emerging Law of the Internet’ 507 PLI/Pat 1163 (February 1998). The Fourth Amendment provides right to protection from unreasonable search and seizures by state actions.
18. McLaren v Microsoft Corp 1999 WL 339015 (Tex App-Dallas).
19. At 6.
20. Restuccia v Burk Tech, LW No 12-384-96 (Mass Sup Ct 1996).
21. Mary E Pivec and Susan Brinkerhof ‘Individual Rights and Responsibilities’ accessible at <www.abanet.org/irr/hr/winter99_pivec.html>.
22. Dunlap v County of Inyo, 1997 WL 414380 (9th Cir 23 Jul 1997).
23. At 3.
24. FCA 441; (2000) 175 ALR 173.
25. (2000) FCA 441 (7 Apr 2000), -.
26. Above note 1 at 110.
27. Workers On Line weekly (email newspaper) Labour Council of New South Wales, Issue 53, 2000, at 12.
28. Michael Levy ‘Electronic monitoring in the workplace: Power through the panopticon’ accessible at <http://is.gseis.ucla.edu/impact/s94/students/mike/mike_paper.html>.