10/10/12: Peering into email accounts

This op-ed appeared in The Virginian-Pilot on the date shown.

IS THERE SUCH a thing as email privacy in the workplace? I’ll bet former state Del. Phil Hamilton wishes there were.

Hamilton is serving a 9½- year sentence after being convicted of bribery and extortion. The evidence against him included personal emails sent to his wife using his work email address and computer. A friend-of-the-court brief filed in Hamilton’s appeal by The Electronic Privacy Information Center argues that those personal emails should not have been allowed.

Employers have increasingly implemented policies regarding email and computer use. They often include a notice that such information will be monitored and stored for later retrieval. Newport News Public Schools, Hamilton’s employer, notified him of the policy, and on two occasions he acknowledged it.

Communications between spouses is generally considered to be private, as are communications between attorneys and their clients. But neither of those privileges is ironclad, and the U.S. Supreme Court has held that if you have “knowingly exposed” something to another person or to the public, you do not have a reasonable expectation of privacy.

Drug dealers were put on notice last August, when the U.S. Court of Appeals for the Sixth Circuit ruled that GPS data emitted from a cell phone could be used to track them.

Last May, the Sacramento Third Appellate District ruled that emails between a client and attorney were not privileged if the client used a work email account to write the messages.

In both cases, after information was “knowingly exposed,” there was no reasonable expectation of privacy.

The Electronics Communication Privacy Act, last updated by Congress in 1986, covers all forms of digital communication, including email.

The ECPA generally prohibits unauthorized and intentional interception of communications in transit and unauthorized access of electronically stored communications. Employers are exempt from ECPA under one of two exceptions, the most common one being consent. Hamilton’s acknowledgment of the policy change gave his employer the right to monitor his computer usage, including emails. Thus, the argument goes, he had no expectation of privacy.

An interesting argument in the EPIC brief deals with the retroactive application of NNPS’ policy. The emails in question were sent in 2006, while the policy was not adopted until 2007. How was Hamilton to go back and review the archived emails and to delete them? Unless one is extremely computer savvy, that poses a tremendous challenge. From this layperson’s point of view, this is probably the strongest part of the brief.

One of the lessons in the Hamilton saga is to resist the temptation to use an employer’s equipment or email address to conduct personal business. Just don’t do it.