by John W. Bagby[1]
Network management is performed in both the private
and public sector for security, confidentiality and data integrity purposes.
Network managers must control, plan, allocate, deploy, coordinate, and monitor
the resources of information and communications technologies (ICT) networks.
Managers of various ICT networks balance network security duties against their
compliance with boundary conditions imposed by private contracts and laws
protecting privacy and constraining electronic surveillance. Discharging this
duty increasingly requires deployment of network security enhancing methods
that can diminish privacy rights or violate various constitutional, statutory,
and industry standards.
The prevailing legal focus on electronic
surveillance has centered on law enforcement’s interception of message traffic
in traditional telephony and the role of the telecommunications industry to
facilitate that access. Under revisions to the Communications Assistance for
Law Enforcement Act (CALEA) and FCC rules broadening the application of CALEA
to voice over Internet protocol (VoIP) telephony, there is an increasing
recognition of the cross-migration of considerable telephony traffic and
Internet communications traffic. All this suggests overlap and a general
blurring of traditional network management techniques given the convergence of
voice and data communications in communicating through architectures roughly
categorized as e-mail, instant messaging (IM), text-messaging, website
interaction, transmission of file attachments (including text, audio and video
content), various forms of electronic transactions processing, web services,
and difficulties looming with the hosting and operation of large scale, grid
computing interconnections.
This paper reports the preliminary findings of a
funded project that examines how law enforcement’s electronic surveillance
duties compare with network management. The interception authority and
techniques used in network management is compared with the techniques
authorized for law enforcement agencies. The broadening view of this area
recognizes similarities and differences among access to stored communications
as well as to the retrieval of content and examination of communication logs by
government law enforcement, national security agencies, other regulatory
agencies, self-regulatory organizations (SROs), research institutes operated by
non-governmental organizations (NGO), and private sector entities. Also
analyzed are network administrators sometimes conflicting duties to protect the
privacy of employees and clients/customers/third parties, assure
confidentiality of organizational secrets and maintain the integrity of data
stored and data in transit.
This comparative examines the application and
extension of existing electronic surveillance laws such as the Electronic
Communications Privacy Act (ECPA), the Stored Communications provisions of
ECPA, the facilitation of wiretap authority under CALEA as modified by the USA
Patriot Act, variations in state law and the authority granted in contracts
with employees as well as contracts with various service providers that enable
network managers’ electronic surveillance. Implications are also discussed of
recent controversies involving social network analysis (SNA) using network traffic
data-mining techniques, programs arguably skirting the spirit of the Foreign
Intelligence Surveillance Act (FISA). Finally, this paper compares limitations
on the allowable range of uses for evidence derived from electronic intercepts
in law enforcement against those uses of evidence derived from private network
management.
The extent of privacy law that is applicable to
surveillance generally, and to electronic surveillance as a special class of
surveillance, emanates from dozens of laws imposed at various levels: state,
federal and international.[2]
Electronic surveillance privacy laws have been imposed through almost all the traditional
law-making mechanisms: privacy rights are defined in regulations, rights emanate
from common law precedents, rights are created in statutes, and privacy is
protected by constitutional provisions. These privacy rights have been made
part of several major fields of law: criminal law and procedure, civil litigation
procedure, tort law, property rights and privacy rights are modified by contracts.
To add further complexity, the contours of privacy rights are also derived from
outside traditional governmental venues, they emanate from norms, standards and
professional practices that inform the evolving public expectation of privacy
and therefore impact the definition of privacy and the attendant security
duties to safeguard private information.[3]
The federal law of electronic surveillance is
broad-based. It is derived from fundamental and conceptual privacy rights, made
specific to particular economic and governmental sectors and is often highly
detailed in areas with recurring problems. Electronic privacy law continually tests
the trade-offs inherent in privacy rights. Indeed, the
The supremacy of these federal constitutional
privacy rights over contrary state law[5]
or contrary federal law has three major impacts. First, federal statutes or regulations
cannot abridge these constitutional rights without constitutional
reinterpretation.[6]
Second, the U.S. Constitution’s rights for individuals is a floor, essentially
creating minimum standards for individual privacy above which the states are
generally free to implement stronger privacy protections, but not to weaken
them. Third, the redundancy among various provisions of both state and federal constitutional
privacy protections conspire to a robust, structural privacy system that
resists wholesale or piecemeal weakening.
Consider the privacy
protections and generally reinforcing interrelationships that exist among the Bill
of Rights and other amendments. Of particular note are the 1st, 3rd,
4th, 5th, 6th, 9th, 10th,
and 14th Amendments. Justice Blackman recognized the privacy
protecting character of the Bill of Rights in this famous quote from Roe v. Wade:
The Constitution does not explicitly mention any
right of privacy. In a line of decisions, however, going back perhaps [to 1891][7]
the Court has recognized that a right of personal privacy, or a guarantee of
certain areas or zones of privacy, does exist under the Constitution. In
varying contexts, the Court or individual Justices have, indeed, found at least
the roots of that right in the First Amendment,[8]
in the Fourth and Fifth Amendments,[9]
in the penumbras of the Bill of Rights,[10]
in the Ninth Amendment,[11]
or in the concept of liberty guaranteed by the first section of the Fourteenth
Amendment.[12]
These decisions make it clear that only personal rights that can be deemed
“fundamental” or “implicit in the concept of ordered liberty,”[13]
are included in this guarantee of personal privacy.[14]
The 1st Amendment[15]
guarantees freedoms of speech, religion, press, assembly and petitions thereby
protecting the privacy of literature, entertainment, ideas, absorbed political
and religious beliefs, worship practices and group membership.[16]
However, the 1st Amendment is a double-edged sword for privacy
protection. The 1st Amendment’s purposes purpose in freeing the press,
freeing speech and assuring assembly also permits certain passive intrusions
including the right to observe and to learn knowledge acquired about others’
private activities. Indeed, the 1st Amendment’s arguably creates a
marketplace of ideas permitting observers to learn and use that knowledge in
their political and commercial decision-making.[17]
The 3rd Amendment[18]
prohibits the quartering of soldiers (except in time of war) which shows a
privacy inspired respect for the sanctity of the home by protecting it from the
physical intrusion of the military along with the attendant military surveillance
inside the home.
The 4th Amendment,[19]
a crucial right discussed throughout this report, prohibits unlawful search and
seizure by requiring that law enforcement obtain a warrant or court order
before there is search of persons, homes, papers and effects. Furthermore, law
enforcement or regulatory investigators must justify the grant of a warrant
with a showing of probable cause. The 4th Amendment creates a significant
zone of secrecy around the communications and correspondence of interest in
this report.
The 5th Amendment[20]
protects several privacy interests[21]
by prohibiting double jeopardy and self-incrimination, requiring due process
for the accused at the federal and state levels[22]
and prohibiting uncompensated takings of private property. Privacy interests
thus include some protection from repeated legal process, forced revelation of
information and a generally enhanced individual autonomy, all privacy interests
under the broad conceptualization of privacy. Consider that the 5th
Amendment self-incrimination privilege limits how government can capture
incriminating information, such as in police interrogation or tax returns.[23]
Another delicate balance is implicated: mental thoughts broadly benefit from 5th
Amendment protection but physical manifestations do not always receive such
protections. Indeed, the courts increasingly find that physical examinations
and samples are not protected by the 5th Amendment.[24]
Also, the 5th Amendment can also be understood to limit privacy
because government is empowered to condemn private property and take ownership
when fair valuation procedures are followed and fair compensation is paid. Like
the 1st Amendment, the 5th Amendment is a complex
collection of individual rights and societal rights and these amendments draw a
balance among these often conflicting rights.
The 6th Amendment[25]
limits privacy by requiring that most trials be recorded in the public record,
that the privacy of adverse witnesses be generally limited by the opposing
party’s right to confrontation, usually through cross-examination. The 6th
Amendment also generally prevents the secrecy of trials.[26]
Intrusion is thereby enhanced as the inquiry delves into witnesses’ solitude by
requiring testimony and exposing witnesses to cross-examination that opens up to
scrutiny their related activities, past conduct and other knowledge. The 9th
Amendment[27]
assures the people that there are most surely other rights not enumerated in
the Bill of Rights or in the Constitution. These rights can form an independent
basis to infer privacy rights even when not expressly stated in Constitution.[28]
The 10th Amendment[29]
reserves the power of government to the states or to the people thereby making
a more enduring basis for dual federalism.[30]
The 10th Amendment opens the door to various state powers, including
the police power, to protect the health, safety, welfare and morals of its
citizens.[31]
Many forms of state privacy law are arguably justified as implementations of
the state police power or otherwise couched as part of some other reserved
powers conferred by the 10th Amendment on the states.
Finally, the 14th
Amendment,[32]
passed as part of the post-Civil War reconstruction effort, supplies a second
due process clause into the U.S. Constitution that more clearly applies (absorbs,
incorporates)[33] most
of the Bill of Rights, including their various privacy protections, to the
states. The 14th Amendment includes the privileges and immunities clause as well as the equal protection clause; these deny the
states powers to discriminate against citizens of other states, including
discrimination against out-of-state residents based on state privacy law. The
14th Amendment forms a basis to withhold or limit access to
information and it upholds freedom of personal choice by individuals. As
private information becomes more generally recognized as a form of property
right,[34]
the 14th Amendment may also become useful to extend the 5th
Amendment’s takings clause to the states. The 5th Amendment property
rights argument for private information may cut both ways. First, it reinforces
each individual’s privacy interests as intangible property rights. However, the
5th Amendment arguably limits such individual rights of subject
individuals when others are observers who lawfully collect and use the private
information they perceive of the subject individuals. It would arguably constitute
a taking if state action were to be invoked to prevent observers from taking
ownership of their observations and the resulting knowledge acquired about
subject individual’s private activities unless the intrusion was itself
unlawful or other rights declare privacy as the property right of the subject
individual.[35]
Despite the many roots of privacy
found in the Amendments and mainly in the Bill of Rights, one provision stands
out as a predominant constitutional privacy protection: the 4th
Amendment’s prohibition against unreasonable search and seizure. While other
The American colonists sought many freedoms in the
That the house of everyone is to him as his castle
and fortress, as well for his defence against injury and violence, as for his
repose…
The colonists’ adverse experience with the English Crown’s
privacy intrusions, both preceding and during the Revolutionary War, was
pronounced. A predominant English practice in the colonies, the search and
seizure of private residences under general
warrants generally known in Colonial times as a writ of assistance, inspired
the framers to enshrine this privacy interest into the 4th Amendment.
Writs of assistance were used to
discover seditious libels, a wrong that included almost any political criticism
threatening respect for the English Crown, for its designated colonial
government, for its laws, or for its public officials.[37] The result was the 4th Amendment:
The right of the people to
be secure in their persons, houses, papers, and effects, against unreasonable
searches and seizures, shall not be violated, and no Warrants shall issue, but
upon probable cause, supported by Oath or affirmation, and particularly
describing the place to be searched, and the persons or things to be seized.[38]
The contours of the 4th
Amendment are complex and evolving, largely depending on the target of search
as new technologies develop and on an elusive equilibrium in the balance
between societal security and individual privacy. Of course, these are the very
same fundamental challenges confronting modern electronic surveillance
practices.
There are several major limitations
on the 4th Amendment’s protections involving: (1) the identity of the
individual subjected to search, (2) the warrant acquisition procedure including
the constitutional requirement of demonstrating probable cause, (3) the
exclusionary rule’s protection against the “fruit of the poisonous tree,” (4) the
reasonable expectation of privacy, (5) the party conducting the search, and (6)
the purpose of the search. First, the right plainly protects human individual
persons but has been interpreted to extend to certain aspects of artificial
persons, thereby protecting some corporate records.[39]
Second, the right generally requires government to follow procedures to obtain
a warrant from a federal magistrate. In such a proceeding the government must satisfy
a standard of reasonable suspicion and potential relevance of the evidence expected
to be seized in the search by demonstrating probable cause.[40]
Third, the exclusionary rule is a primary 4th Amendment enforcement
mechanism that prevents the introduction of illegally obtained evidence, such
as that obtained in an illegal search and seizure.[41]
Fourth, the 4th Amendment applies where the search target has a
reasonable expectation of privacy.[42]
Fifth, the 4th Amendment constrains only government from conducting unreasonable
searches and seizures, it does not prohibit searches by private parties.[43]
Finally, the President may have special privileges to skirt the 4th
Amendment in situations of national security.[44]
It is generally recognized
that the electronic surveillance history implicating 4th Amendment
constraints is rooted in the 1928 case, Olmstead
v.
In affirming the convictions,
Chief Justice Taft cited a history of alleged 4th Amendment violations
to justify confining 4th Amendment protections to physical trespass
at a protected premises[48]
while holding that the wiretaps were not violative of the conspirators’ 4th
Amendment rights against unlawful search and seizure because electronic
telephone communications wiretapping involved no physical trespass on the
target’s premises:
The amendment does not forbid what was done here.
There was no searching. There was no seizure. The evidence was secured by the
use of the sense of hearing and that only. There was no entry of the houses or
offices of the defendants…The language of the amendment cannot be extended and
expanded to include telephone wires, reaching to the whole world from the
defendant’s house or office. The intervening wires are not part of his house or
office, any more than are the highways along which they are stretched.[49]
Thus, Olmstead
validated various forms of electronic surveillance, some already in routine use
for decades.
Nevertheless, Justice Louis Brandeis’ famous dissent
became a rallying point for wiretap prohibitions. Much of this dissent seems
prophetic, even today, about privacy diminished by intrusion techniques enabled
with technological change:
The progress of science in
furnishing the government with means of espionage is not likely to stop with
wire tapping. Ways may some day be developed by which the government, without
removing papers from secret drawers, can reproduce them in court, and by which
it will be enabled to expose to a jury the most intimate occurrences of the
home. Advances in the psychic and related sciences may bring means of exploring
unexpressed beliefs, thoughts and emotions.[50]
Brandeis highlighted the dire intrusion of
wiretapping too closely reminiscent of the precise impetus for the 4th
Amendment from Colonial times:
The evil incident to
invasion of the privacy of the telephone is far greater than that involved in
tampering with the mails. Whenever a telephone line is tapped, the privacy of
the persons at both ends of the line is invaded, and all conversations between
them upon any subject, and although proper, confidential, and privileged, may
be overheard. Moreover, the tapping of one man's telephone line involves the
tapping of the telephone of every other person whom he may call, or who may
call him. As a means of espionage, writs of assistance and general warrants are
but puny instruments of tyranny and oppression when compared with wire tapping.[51]
Justice Brandeis dissent sought to broaden 4th
Amendment beyond the physical space of premises or the physical embodiment of
communication in paper documents to cover intangible privacy interests like
those at issue today:
The makers of our
Constitution undertook to secure conditions favorable to the pursuit of happiness.
They recognized the significance of man's spiritual nature, of his feelings and
of his intellect. They knew that only a part of the pain, pleasure and
satisfactions of life are to be found in material things. They sought to
protect Americans in their beliefs, their thoughts, their emotions and their
sensations. They conferred, as against the government, the right to be let
alone-the most comprehensive of rights and the right most valued by civilized
men.[52]
The wiretap prohibitions were passed six years later
in the Federal Communications Act.[53]
Katz v. United States[54] is perhaps the most
important
In 1967, Katz overruled Olmstead contributing to a 1960s pendulum swing[61]
towards strengthening privacy from law enforcement’s attempt to expand search
and seizure and methods of surveillance, including electronic methods.[62]
Although Katz conviction for transmitting wagering information[63]
was upheld by the 9th Circuit which had narrowed 4th
Amendment protections to physical premises, the Supreme Court reversed, broadening
protections beyond physical premises, traditionally framed as “constitutionally
protected areas.”[64]
Arguably federal agents had sufficient probable cause to target Katz for electronic
surveillance; furthermore, they narrowed their scope of intrusion consistent
with prevailing warrant standards.[65]
Nevertheless, the FBI chose not to obtain a search warrant, instead they attached
listening devices to the outside of a glass-encased public telephone booth and
made six three-minute recordings quite damaging to Katz’ defense.
The 4th Amendment
“protects people and not places.”[66]
Katz thereby broadened privacy beyond
the so-called premises rule - that limited protection absent a “physical
penetration” or trespass by law enforcement into a “constitutionally protected
area.”[67]
Instead, protection “cannot turn upon the presence or absence of a physical
intrusion into any given enclosure.”[68]
Citations to Katz make clear how well
accepted Justice Harlan’s concurrence has become the key in establishing the
“reasonable expectations” standard.[69]
Reasonable expectations necessarily follows from the majority’s holding that
the scope of protection is not defined by physical premises and must therefore be
inferred from the subjective intent of the protected individual. Harlan’s celebrated
formulation requires that the protected individual’s subjective expectation be
accepted by society in that such a class of expectation is generally recognized
as reasonable:
My understanding
of the rule that has emerged from prior decisions is that there is a twofold
requirement, first that a person have exhibited an actual (subjective)
expectation of privacy and, second, that the expectation be one that society is
prepared to recognize as “reasonable.”[70]
The year following the Katz decision, Congress expanded electronic surveillance protections with passage of the Omnibus Crime Control and Safe Streets Act of 1968.[71] Title III of that law was traditionally given the common name, the Wiretap Act. The Wiretap Act was originally targeted against law enforcement to prohibit illegal electronic or wire surveillance of communications. It enabled wiretapping for “law enforcement investigations of serious crimes.”[72] Law enforcement was required to obtain a warrant before “interception” of telephonic communications. Title III prohibits anyone other than law enforcement agents from intercepting oral communications. The standard for a court order to authorize a government official to conduct a wiretap search was probable cause. The wiretap protections were expressly extended to state law enforcement, thus Title III prohibited wiretaps by private parties unless falling within an exception, such as consent by the party monitored. Dissatisfaction with the limitations of Title III eventually led to the subsisting, major revision of the 1968 Act and is the main federal focus in electronic surveillance.
The current federal wiretap
statute is the Electronic Communications Privacy Act of 1986
(ECPA),[73]
as amended.[74] The
ECPA is composed of three main components: Title I prohibits certain
interceptions of communications in
transit;[75] Title
II is the Stored Communications Act (SCA) that protects the electronic storage
of communications, such as on computers and servers;[76] and
Title III contains revisions addressing pen register and trap and trace devices
that log telephony dialing information including, addressing, routing and
signaling information.[77]
During the time that had passed since the 1968 Wiretap
Act, various new technologies came into use that necessitated extension of the
prior law. The
ECPA amendments extend the scope of
wiretapping to include wire, oral, or electronic communications (hereinafter,
protected signals),[78]
such as the electronic transmissions of data using computers and
telecommunications networks. Technological advances made the ECPA amendment
necessary to address emerging forms of electronic surveillance. The 1968
Wiretap Act applied to “common communications carriers,” and did not clearly
adapt to extend to monitoring by operators of private communications networks.
The ECPA made technical changes to accommodate these private networks, and to
protect the privacy of individuals using these systems. Today, large numbers of
persons employed in both the private and public sectors utilize private
networks.
Title I of the ECPA protects only communications in
transit. ECPA draws a balance between individual privacy and the need for
certain types of electronic surveillance. The actions regulated under the ECPA
include: (a) the “interception” of protected signals,[79]
(b) the use of “any electronic, mechanical, or other device to intercept”
protected signals,[80]
(c) intentional attempts to disclose or actual “disclosure” of the contents of
intercepted protected signals knowing of their interception,[81]
(d) intentional attempts to use or intentional use of the contents of
intercepted protected signals knowing of their interception,[82]
and (e) various forms of obstruction in the intentional use of the contents of
intercepted protected signals.[83] The
ECPA provides for criminal sanctions,[84]
injunctive relief[85]
and civil liability.[86]
Furthermore, the admission of evidence is prohibited if derived from an illegal
interception of a protected signal, thus impacting law enforcement, regulatory
agencies and private parties.[87]
The
ECPA is notable in that a considerable portion of its provisions are
exemptions. Despite the protection the ECPA gives to individuals from
government surveillance conducted without a court order, from unauthorized
third parties and from communications service providers for interception and
use of protected signals, the numerous exceptions leave open very numerous
opportunities for electronic surveillance. For example, the ECPA reuires few
privacy rights for employees particularly when their communications are
conducted on their employer’s networks and employees agree or are notified that
privacy expectations are limited.
Title
II of the ECPA contains the Stored Communications Act (SCA) which addresses the
accessibility of communications in an “electronic
communications system,”[88] that is during storage, rather than their interception
during transit. Electronic communications service[89]
providers are generally prohibited from disclosing contents[90]
of an “electronic communication”[91]
other than to the intended recipient. Thus, the privacy of users’ content is
protected while in the custody of an Internet service provider (ISP) or online
service provider (OSP).[92]
The SCA has three major mechanisms to implement user privacy while balancing
government access: (1) a general prohibition against the ISP/OSP divulging
stored user content,[93]
(2) requirements for government law enforcement access to stored user content
through ISP/OSP[94] either
with a warrant[95] or with
delayed notice,[96] and (3)
provisions for national security letters.[97]
The
SCA is not limited to common carriers, so private employers and government
entities that provide computer networks are electronic communications services.
For example, corporations and public entities that provide their members,
employees or clients with Internet access on an electronic communications system
are governed under the SCA.[98]
However, mere maintenance of an Internet commerce website is not an electronic
communications service sufficient to trigger SCA duties.[99]
The protected content may also be held in remote storage, such as when
outsourced to a traditional ISP which are generally designated as a “remote
computing service.”[100]
However, the limited nature of “electronic storage”[101]
as envisioned in 1986 as a form of temporary cache, may severely limit the
protections of the SCA because they are in temporary storage for such short
times. Indeed, the term likely causes confusion, particularly when the user is
an employee and as it is more common today that the employer provides
electronic communication services. Due to the considerable latitude enjoyed by
employers under the ECPA exceptions discussed below, such communications can be
exposed to the employer if notice or an agreement effectively destroy any
expectation of privacy. For example, many cookies are persistent, so while some
are possibly protected when in temporary storage (e.g., “session cookies”),
most are nevertheless stored permanently.[102]
The
nature of information is classified in three, sometimes overlapping categories,
under the ECPA and SCA. First, there is basic subscriber information[103]
which must be divulged to the government without notice under an administrative
subpoena or otherwise using a warrant, court order or with the subscriber’s
consent.[104]
Second, there is a broader definition of records, including the basic
subscriber information above, but not content. This category includes “other
information pertaining to a subscriber to or customer of such service” which
must be divulged under court order or warrant procedures.[105] Third, “content” is another category.[106]
Eviscerating
Any/All Reasonable Expectations of Privacy under the ECPA Exceptions
While
it would appear on initial examination that electronic surveillance by private-sector
employers and ISPs is generally prohibited by ECPA, these constraints are
relaxed significantly under three important ECPA exceptions: (1) consent from
the party surveilled, (2) service providers to ensure service adequacy and (3)
electronic communications service provider in the “ordinary course of
business.” These three exceptions define the considerable distinction between
the more constrained electronic surveillance privileges of government and the
broader degrees of freedom permitted the private sector.
The first ECPA exception permits electronic
surveillance by a party to the communication or when one of the parties to the
communication has given prior consent to the interception.[107] The
consent exception is explicated in Watkins v. L.M. Berry & Co.[108] in which employees were informed that
company policy permitted their landline telephone calls would be monitored. The
a company policy was arguably business-related because it did not extend to
monitoring employees’ personal phone calls.
The employer’s mere disclosure of the policy constituted sufficient
assent such that it constituted consent to monitor under the ECPA. However, the
consent extended only to business calls and dnot to personal calls.[109] This
notice-triggered consent is actually a form of implied consent, that was
limited only to business-related calls. No consent can be implied from mere
notice to employees about monitoring personal calls because this would
constitute overreaching.[110]
Knowledge of the capability of monitoring
alone cannot be considered implied consent.[111]
Furthermore,
the employer’s conundrum is exacerbated because monitoring is not permitted to
determine which calls might be business related.[112]
In Deal v.
Spears,[113]
the employer claimed implied consent from previous announcements that the
employer might need to start a monitoring program in order to deter employees’
personal calls. The employer had installed an extension of the business
phone in the employer’s home to facilitate monitoring. The employer claimed that
the employees knowledge of this fact should constitute an implied consent.[114] Nevertheless, the 8th Circuit
refused to imply consent because the monitoring was hypothetical when announced
to employees.[115]
The consent cases illustrate that consent is implied
if the monitoring policy implemented, not simply threatened hypothetically, and
the employer has a legitimate business reason for monitoring. Electronic communication beyond landline
telephony, such as through the employer’s e-mail system, used extensively today
and primarily for work related activities, will increasingly expose employees
to monitoring. Indeed, courts may find business purposes a higher priority than
employee privacy given the difficulties of harassment, trade secret theft and
other potential employee misbehaviors.
Interceptions are permissible under the second ECPA
exception for communication system
providers, their officers, agents or employees and for switchboard operators.[116]
The interception and use of electronic communications is permissible in the
normal course of business while engaged in an activity which is “incident to
the rendition of the service or for the protection of the rights or property of
the provider.”[117] The
exemption is extended for stored communications to “the person or entity
providing a wire or electronic communications service.”[118]
Additionally, disclosure is permissible, inter
alia:
to a person employed or authorized or whose
facilities are used to forward such communication to its destination…as may be
necessarily incident to the rendition of the service or to the protection of
the rights of property of the provider of that service.”[119]
There may persist uncertainties in defining “providers.”
In Andersen Consulting LLP v. UOP[120] the employer
maintaining an internal e-mail system is not a “provider” if the employer’s
e-mail system is separate from the Internet and the employer does not otherwise
provide Internet services. An employer operating an internal e-mail system has a
right to monitor e-mail system usage to prevent personal or non-work related
activities.
Employers providing the means for communications,
like transmission through an employer’s internal system, can make the employer a
provider. In Flanagan v. Epson America, Inc.,[121] the court stated that:
there simply is no ECPA violation if ‘the person or
entity providing a wire or electronic communications service’ intentionally
examines everything on the system.[122]
The
exception may also be available for employers monitoring of e-mail transmitted
through a public service e-mail provider if the employer uses the service only
for internal communication.[123] The
use of internal systems or common carriers is a factor for consideration in
determining provider status.
The provider exception is also justified when monitoring
is needed to maintain adequate service.[124] In Simmons v. Southwestern Bell Telephone
Co.[125]
the telephone company monitoring of employees calls on telephones reserved for
customer calls was held “incidental to the rendition of its services.”[126] However,
such monitoring of phones reserved for employee personal calls would have been
outside the ECPA exemption.[127] An
employer providing the service does not have an unlimited exemption, the
monitoring must be related to business purposes.
The employer exempt as a provider, puts other employers
using outside service providers at a disadvantage.[128] The
provider exception’s purpose is further revealed by the ECPA’s definition of
electronic storage: “for the purpose of
back-up protection.”[129] A
provider needs access to back-up messages for system restoration following a
system failure. The provider exception should protect employers only when they
perform functions similar to a service provider and not for employment
monitoring or personal reasons. The emphasis on business purposes as
justification leave employees with the least privacy protection when they communicate
over an employer-provided system.
The business-extension exception excludes from ECPA liability
certain outsourced services from a service provider:
(a) any telephone or telegraph instrument, equipment
or facility, or component thereof,
(i) furnished to the subscriber or user in the
ordinary course of business and being used by the subscriber or user in the
ordinary course of its business or furnished by such subscriber or user for
connection to the facilities of such services and used in the ordinary course
of its business.”[130]
The
business extension exception would appear on first blush to focus primarily on the
workplace environment (context) rather than on the content. Factors to consider
include notification by the employer and legitimate business interest
justifying the monitoring policy.[131] Unlimited
monitoring is likely unreasonable.[132] The
employer’s proffered reasons in making any decision on necessity are examined. Satisfying
the notice requirement will likely assist the employer in escaping liability.[133] The
content will be important because business communications are afforded less
privacy protection than are personal communications.[134]
Two methods assist in classifying an interception as
within the business extension exception. First, the context approach uses
factors such as the employer’s legitimate business interest justifying the
interception and the sufficiency of notice to employees of the employer’s
interception.[135]
Second, the content approach examines the communication nature as personal or
business.[136]
In United States v.
Harpel[137] the employer failed to
satisfy the business extension exception because legitimate business
justifications and adequate notice to the employees were both absent. However,
in James v. Newspaper Agency Corp.,[138]
the exception was satisfied where the employer’s monitoring device was
installed on telephones for interaction with customers and the public. The monitoring
was justified to protect employees from abusive calls and for instructing
employees.
The Eighth Circuit has a two part business extension
test developed in Deal v. Spears.[139]
Interception equipment provided to the subscriber by the phone company is distinguished
from that deployed by the subscriber. Permissible interception must be in the
ordinary course of business.[140]
The intercepting device was purchased at a store so the exception did not cover
the device.[141] The employer went beyond its business
interests by monitoring a majority of personal calls, even though some were
business related.[142]
Another case rejecting a legitimate business interest is Sanders v. Robert
Bosch Corp.,[143]
where the employer installed a voice logger, which secretly recorded all
phone conversations. The employer argued its fear of bomb threats justified the
interception. However, the bomb threat probability was too remote to justify
the interception and in failing to notify employees, the employer exceeded the
exception.[144]
The content approach requires a distinction between business
and personal communication. Watkins held that the employer must
demonstrate a “legal interest” in the subject matter of the intercepted call so
employer monitoring of personal employee calls is never “in the ordinary course
of business except to the extent necessary to guard against the unauthorized
use of the telephone or determine whether a call is personal or not.”[145] Monitoring
becomes unacceptable after a call is determined to be personal for the
employee. In Watkins, the
conversation monitored concerned an employee’s interview for another job so it
was unacceptable monitoring. Of course, employer’s have a business
interest in departing employees. Nevertheless, this is not the type of legal
interest envisioned under the ECPA because it was not detrimental to the legal
interest of the employer.[146] By
contrast, Briggs v. American Air Filter Co.,[147] allowed an interception without
consent under the business extension exception because the employer had a
legitimate concern about its legal interests and because only the business
portion of the call was monitored.[148]
New technologies may fall under either the content
or context approach. When the context approach is used, factors such as
notification and work environment will be examined. When the content analysis is
used, the subject matter of the electronic communications will be targeted. Employers
may intercept communication until the point that a determination is made that
the conversation is personal and not business related. There is also
interpretive flexibility as to what constitutes business-related vs. personal
matters and some matters impacting the employer may not be within the allowable
business purpose as further restrict as only legitimate legal interests.[149]
New technologies may complicate application of the
content approach. Consider that monitoring phone calls is different from
monitoring an e-mail or examining stored computer content. Some of the time the
purpose of e-mail is apparent when the subject line content is accurate. Of
course, employees may game the system with regular and intentionally mislabeled
e-mails. As with pager subjects, pre-arranged coded messages may actually be
the content even when they appear in subject lines.
Consider another advantage of exhaustive electronic
communication interception: key word search can distinguish vulnerable messages
from protected messages before closer examination. The presence of specific key
words or phrases may distinguish personal from business-related messages. The
device surveilled must be one used in the ordinary course of business. Limiting
surveillance to the employer’s e-mail system or search of stored messages on a
company owned computer strengthens the employer’s qualification for the exception.
Great difficulties can be expected as employees migrate to their own personal
cell phones, ISP e-mail systems bypassing the employer’s system and many other
personal devices (e.g., PDAs). How would an employer rightfully access such
communications? While keystroke capture programs and server logs might provide
technical access to email and website use using the employer’s system, it is
hard to imagine how wireless device interception can be justified.
Nevertheless, in the financial services industry prohibitions on such personal
devices may be taking hold. New laws, regulatory enforcement (e.g., SEC),
caselaw interpretations expanding the three ECPA exceptions, changes in
industry standards (e.g., NASD, NYSE) and/or employee consent could eventually
result in the employee’s use of personal communications devices migrate to
become equivalent to employer provided equipment and systems. Nevertheless, the
employee’s reasonable expectation of privacy is likely to be compared to the employer’s
business justification and the legitimate business needs.
ECPA Exceptions under the Fourth Amendment
The 4th Amendment does not apply to constrain
electronic surveillance by private sector actors unless the activities are
under the color of law or become intimately connected to government action such
that they constitute state action. State action is typically required for
protected individuals to invoke many protections under the bill of rights.[150] Simmons held that:
It is clear that, whatever the source of the right, the protection is
only as against government intrusions into a person’s privacy. The defendant
herein is certainly not an arm of the government and is not “responsible under
the Fourth Amendment as (a) government bod(y).”[151]
Generally, the
state action trigger is commencement of litigation by or against the private
entity in its defense of activities that are wholly private, require no state
action and therefore are beyond the reach of constitutional rights that only
constrain government action. Occasionally, the state action question arises in
law enforcement involvement or regulatory review by a government agency and also
protects private action that is required by valid state regulation.[152]
Fourth Amendment rights apply to private sector employees under only
limited circumstances. For example, there is sufficient state action for
protected parties to invoke fundamental rights when the private employer acts
under color of federal or state law as a result of the direction of government
regulations or law enforcement officials.[153] Constitutional provisions may also apply to
private employers when acting as government bodies or substantially undertaking
governmental functions. Outside these
limited circumstances, an employer may not be engaging in state action so the 4th
Amendment’s protections may be inapplicable relieving the private sector entity
of exposure to suit for violation of the 4th Amendment. While in most
situations, government searches and seizures require a warrant supported by
probable cause, by contrast, an employer’s electronic search and seizure may
not require a warrant nor probable cause if exempted from wiretap laws.[154]
However, in O’Connor v. Ortega[155] a reasonable expectation of
privacy required, a factor in 4th
Amendment protections. Ortega was training in a hospital’s psychiatric
residency program but was suspected of improprieties and placed on
administrative leave pending investigation. During Ortega’s absence, hospital
officials searched his office and seized personal items from his desk and file
cabinets. Ortega had a reasonable expectation of privacy in his office. The
hospital’s search was not subject to the 4th Amendment because the work
environment has “special needs” beyond the need for law enforcement.
Searches and seizures of employee’s effects by government employers or
by supervisors of a private employers’ property are generally subject to 4th Amendment
restraints. In certain workplace environments and considering the “operational
realities of the workplace,”[156] it is sometimes unreasonable
for public employees to have an expectation of privacy, such as when the
intrusion is made by a supervisor rather than a law enforcement official.[157] Therefore, the reasonableness of employee
expectations of privacy in the workplace is determined ad hoc, on a
case-by-case basis.[158] Some work-related reasons may
reduce expectations of privacy. Nevertheless, Ortega “had a reasonable
expectation of privacy at least in his desk and file cabinets.[159]
The Ortega standard loosens
the probable cause and warrant requirement so that it depends on the context
within which the search takes place, and requires balancing the public
employees’ legitimate expectation of privacy against the government’s need for
supervision, control, and the efficient operation of public employees in the
public-sector workplace.[160] The 4th Amendment standard is not applicable
when “the burden of obtaining a warrant is likely to frustrate the governmental
purpose behind the search.”[161] Requiring a public-sector
employer to obtain a warrant and requiring probable cause for searches of
work-related matters often would impose burdens on public employers. Therefore,
the individual government employee’s privacy interests in the context of
non-investigatory, work-related purposes, as well as for investigations of
work-related misconduct, are judged by the standard of “reasonableness under all
the circumstances.”[162] Under the reasonable expectation of privacy test, the government, when
acting in its employer role rather than in a law enforcement role, is exempt
from the 4th Amendment.
Several factors may be relevant in determining whether a government
employee has a reasonable expectation of privacy in the thing or area searched.
For example, the courts have examined such predictable factors as the
employee’s rights to an “exclusive use” of his/her work area, the degree to
which the employee’s work area is open to the public, and, significantly,
whether or not the employee was “on notice” that her/his office, desk, or
locker was subject to employer searches.[163] In Schowengerdt v. General Dynamics Corp.,[164] a civil service engineer
employed by the U.S. Navy:
Would enjoy a reasonable expectation of privacy in areas given over to
his exclusive use, unless he was on notice from his employer that searches of
the type to which he was subjected might occur from time to time for
work-related purposes.[165]
The conclusion
in Ortega has driven lower courts to adopt
different standards for law enforcement as compared with employment settings
even in the public sector. In police searches, a search is presumed to be
unreasonable unless the officer has both probable cause and a warrant. By
contrast, searches conducted in the employment context, like Ortega, conclud that probable cause and
a warrant would frustrate legitimate governmental aims.
The work-related search by a public employer of its employees’ offices,
desks, or file cabinets, have no 4th Amendment protection. Neither a warrant
nor a probable cause requirement applies to employer searches “for
non-investigatory, work-related purposes, as well as for investigations of
work-related misconduct,”[166] a case-by-case inquiry is
required and such searches “do not violate the 4th Amendment.”[167]
Fourth Amendment rights may be waived by the search subject’s consent
to a search even when the law enforcement officer has not followed the standard
procedures.[168] The consent exception has
two factors: first, the burden to prove voluntary consent is on the searching
entity and second, the person consenting must know they have an option to
refuse. Consent is not voluntary when
the officer asserts his official status and thus makes the individual feel
forced to consent. Similar to the consent exception of the ECPA, a consent is
valid when the search target signs an employer’s monitoring policy, because
this provides sufficient notice of search practices.[169]
Receipt by third parties of the communication in question may limit the
target’s reasonable expectation of privacy as illustrated in United States
v. Charboneau.[170] The FBI monitored the e-mail messages sent by
the defendant to a child pornography “chat room.” Generally e-mails have a
reasonable expectation of privacy barring interception by police without a
warrant supported by probable cause. However, once that message is received,
like a written postal letter, the sender loses a reasonable expectation of
privacy.[171] Similarly, an e-mail message sent to the
public at large in a “chat room” loses privacy protection.[172]
The probable cause requirement is not defined in the
4th Amendment but rather, a historical development is relevant:
in determining what is probable cause . . . [w]e are
concerned only with the question whether the affiant had reasonable grounds at
the time of his affidavit . . . for the belief that the law was being violated
on the premises to be searched; and if the apparent facts set out in the
affidavit are such that a reasonably discreet and prudent man would be led to
believe that there was a commission of the offense charged, there is probable
cause justifying the issuance of a warrant.”[173]
Probable
cause is determined according to “the factual and practical considerations of
everyday life on which reasonable and prudent men, not legal technicians, act.”[174]
Law enforcement, police, and administrative
enforcement personnel conduct searches for the primary purpose of obtaining
evidence for use in criminal or
other enforcement proceedings. By contrast, employers most frequently enter
employees’ private spaces for legitimate work-related reasons initially and
arguably unrelated to illegal conduct. The investigation in Ortega was conducted to determine
employee misbehavior, analogous to the investigation of a private employee who
allegedly sent harassing e-mails or visited inappropriate websites.
Ortega distinguishes misbehavior
violating civil law or workplace rules from criminal law enforcement matters,
only the latter requires a warrant. If an employer’s search of an employee’s
office, desk, phone lines, or computers for a work-related purpose, required a
warrant, this would
seriously disrupt the routine conduct of business
and would be unduly burdensome…[T]he common-sense realization [is] that
government offices could not function if every employment decision became a
constitutional matter.[175]
The probable cause standard breaks down in the
employment setting. Because of the “administrative search” exception, the
appropriate standard for such searches is a showing that reasonable legislative
or administrative standards for conducting an inspection are satisfied.[176] Both
public and private employers need to ensure that they operate effectively and
efficiently. Public employers are not criminal law enforcers. Public employers
have a direct and overriding interest in ensuring their agency’s work is
conducted properly and efficiently. Therefore, a probable cause requirement for
searches would impose too high of a burden on public employers.
Ortega’s public employment rule also affects privacy law for
private employees. An employee’s
expectation of privacy can virtually be eliminated by office regulations and
practices. No privacy right is created without such an expectation. For
instance, in Schowengerdt v. General Dynamics Corp., the court found
that a Navy civilian engineer’s expectation of privacy in his office or desk
was not objectively reasonable given the tight security measures, constant
searches, and surveillance of employees in his workplace.[177]
In Shields v. Burge, the Seventh Circuit analyzed the Ortega
reasonableness standard and established a continuum of work-related
justifications that legitimize workplace searches of varying degrees of
intrusiveness.[178]
Increasing workplace privacy arguably improves
employee productivity.[179] One clear conceptual link is that when
employees not knowingly burdened by constant mistrustful surveillance can
devote time and energy worrying about identifying and separating business
matters from personal matters to more productive matters.[180] Overuse of electronic surveillance by
employers may discourage employees from using the telecommunication or Internet
services provided by the employer. Over-monitored employees may opt for working
at home, using their own communications property (e.g., laptops, home-ISPs,
cellphones) increasing the employer’s barriers to effective monitoring.
Employees may choose alternative forms of communication that receive more
significant legal protection from employer interception and forego the benefits
of using employer supplied e-mail or Internet. This trend is clear nowadays
with the proliferation of private cell-phones, Blackberry and other personal
digital assistants (PDAs), text messaging, use of web-based instant messaging
(IM) or web-based e-mail clients, etc. Because employers can easily undermine
worker privacy, an increase in worker privacy under Federal Law would arguably benefit
both employers and employees by capturing the efficiency and productivity benefits
when workers feel secure in their privacy rights.
The standards for analysis in the employment context
under the private sector, under the 4th Amendment and for the public sector are
seemingly confusing and disparate. Nevertheless, they can be seen as having
similar if not identical elements. The “reasonable expectation of privacy” may
not protect employee privacy from employers surveillance because the employer
can unilaterally determine employees expectations. Such matters are seldom
negotiable except for key employees at the highest rank or who are the most
valuable. This problem negatively impacts both the public and private
employment settings.
Ignoring the 4th Amendment is justified
as too difficult for employers to apply in practice because they are uneducated
“in the niceties of probable cause.”[181]
However, this argument insults employer competency. Clearly, employers are
willing to tolerate this affront because the justification expands their
degrees of freedom. A warrant requirement might not be completely unworkable in
the workplace. There are normal exceptions to the warrant requirement, such as “exigent
circumstances” under which an employer, like law enforcement, might forgo a
warrant under these special circumstances.[182] Rather than eliminating it completely from
the workplace context, it should be considered on a case-by-case basis. Some
emergency situations involving public safety could justify searches, including
drug testing at the workplace, without probable cause or individualized suspicion.[183]
The 4th Amendment remains
influential as guidance in privacy cases, even in cases interpreting private
sector action. For example, the analysis for new and advanced technologies can be based on 4th
Amendment principles, particularly the reasonable expectation of privacy.
Consider The Sixth Circuit in, Warshak v.
A government seizure of e-mails from an ISP, without
either a warrant supported by probable cause, notice to the account holder to
render the intrusion the functional equivalent of a subpoena, or a showing that
the user maintained no expectation of privacy in the e-mail, amounts to [a 4th Amendment violation.][185]
This
case was brought under the SCA. Federal agents obtained an order directing
Warshak’s ISP to produce account information and e-mail contents.[186]
The SCA requires reasonable grounds for suspicion of criminal activity to
examine the contents of the e-mails, and therefore the order the agents
obtained was sufficient.[187]
The SCA requires only reasonable suspicion, however, and not full probable
cause. Thus, Warshak claimed that his 4th Amendment privacy rights were violated, even
though the federal law was followed. The Sixth Circuit concluded that
people “maintain a reasonable expectation of privacy in e-mails that are stored
with, or sent or received through, a commercial ISP.”[188]
The crux of the issue in Warshak appears to
be that the government need not use 4th Amendment probable cause standards when
a weaker standard is all that is required to compel the production of content
from ISP’s. However, the Sixth Circuit found that the reasonable expectation of
privacy covers e-mail message content. If the content’s substance was not
invaded fundamentally, such as where there was simply a scan for viruses or key
word search for particular subjects or inappropriate material, then there would
be no invasion of an individual’s “content-based” privacy interest.[189]
Thus the test for e-mail privacy is twofold. First, is the targeted data the
type routinely disclosed to 3rd parties? In which case, there was no
“reasonable expectation of privacy” and a subpoena was sufficient
authorization. Second, in the alternative, are the contents of communications
fully protected by the 4th Amendment? An effective answer to this query would
most clearly require the government to obtain a warrant supported by probable
cause. Arguably, if the workplace standard should be the same as under the 4th Amendment’s
right to privacy, then the federal law should be amended to require probable
cause. Individuals should not lose a reasonable expectation of privacy when
they give up their information to a third party common carrier, the same way
that they do not lose a reasonable expectation of privacy when giving mail to
the post office.
Shortly after Warshak, another case,
Towards
a Uniform Search & Seizure Standard
Fourth Amendment rights should apply to all forms of
electronic surveillance, consider that contents of electronic surveillance are
not equally protected. This exacerbates
problems, such as productivity losses and technophobia deterring the deployment
and reaping the benefits of advanced technologies. Electronic surveillance laws
have their origin in the 4th Amendment.
Surveillance law must be sufficiently flexible to
permit adequate response to emerging technologies. For most uses of electronic
surveillance, warrants supported by probable cause should be required. For administrative, school, and employment
searches, the Court has held that the 4th Amendment merely requires that a search be
“reasonable.” However, since the reasonableness standard has proven
weak in practice, it will not afford sufficient protection against the
potentially much more invasive use of electronic surveillance.
The future of electronic surveillance will create
hurdles as new technologies are developed and deployed. Employee privacy is at risk with technology
advancing at a faster pace than the law, so privacy interests are exposed to excessive
scrutiny at least initially. How will the balance of power between employees
and employers be maintained to safeguard employee privacy? Will privacy endure
by keeping the law as protective of employees as it is currently?[194] New technologies appear to expand employers’
monitoring capabilities more rapidly than the reasonable expectation test of
privacy has evolved to protect employee’s privacy.[195]
New technology bestows employers with numerous
benefits, efficiency and effectiveness advancements from e-mail, cell phones,
and other forms of communication. The fact that these technologies require
substantial investments and employers continue making these investments
provides powerful evidence that employers view technology as increasing
employee productivity and producing cost savings when compared with traditional
communications.[196]
Postal mail is given the highest protection against
unauthorized opening.[197] If employees consider their e-mail messages
to be private and use e-mail to send private messages to co-workers, their
intent is frustrated when employers claim electronic communications are solely intended
for business activities.
To adjust the current balance, it is suggested that
employers establish corporate policies and notify their employee of them.[198]
However, creating such policies is largely left to the employer’s discretion
unless a collective bargaining agreement is negotiated to specify workplace
privacy. This means that employer interests are more likely to be anticipated,
articulated and imposed than any protections of employee’s privacy. The problem
of secrecy may be eliminated, but the extent of the business justification or
the policy created is determined by the employer.[199]
Monitoring of new technology communication devices
may also discourage employees from using the services provided to them. In the
absence of privacy protection, employees may choose alternative forms of
communication if they realize these alternative devices are afforded higher protections from intrusion.[200] Employers
risk efficiency gains with employee aversion to technology.
Case law and statutes balance employees’ privacy
expectations against the employers’ business justifications. This may endow employers
with extensive power when they choose to create policies that narrow privacy
expectations by changing work environments. Hence, a standard must be created
to keep employers within boundaries and protect the privacy interests of
employees.
Concluding
Observations
Without explicit constitutional or statutory
guidance, courts are burdened with employee privacy claims. The ECPA has been
outpaced by electronic monitoring in the workplace, since the original intent
was to prevent law enforcement from overreaching. Case law seems to re-enforce
a reasonableness standard, but without more precise guidance the balance
between privacy and business interests remains unclear. Because of the rapid
growth of electronic communications employee privacy rights are in decline.
State law and Federal law provide protection based
on balancing the employee’s privacy expectation against the employer’s business
justifications for intruding upon the employee's privacy. This is an inadequate
approach to protect employee privacy because employers have the upper hand to change employee expectations
and thus conduct invasive monitoring practices.
The 4th Amendment right to privacy should extend to
the private sector, with exceptions, such as those already in place, that
ensure a heightened level of privacy security in the workplace. Both
interpretations of federal statutes and constitutional law use analogous
balancing approaches, it is asymmetrical for privacy to disappear in the
private sector.
[1] Professor of Information
Sciences and Technology,
[2] See generally Solove, Daniel J., A Brief History of Information Privacy Law, ch.1 in Proskauer on Privacy, Christopher Wolf,
editor (Practising Law Institute, 2006).
[3] See generally Bagby, John W., The
Public Policy Environment of the Privacy-Security Conundrum/Complement, Ch.
XII, pp.195-213 appearing in Strategies And Policies In Digital Convergence,
editor:
[4] Justice Blackman famously
stated in Roe v. Wade “The
Constitution does not explicitly mention any right of privacy,” 410
All people are by nature free and independent and
have inalienable rights. Among these are
enjoying and defending life and liberty, acquiring, possessing, and protecting
property, and pursuing and obtaining safety, happiness, and privacy.
Cal.Const.
Art.I, §1. The second balances open government, as required in the activities
of
(3) Nothing in this subdivision supersedes or
modifies the right of privacy guaranteed by Section 1 or affects the
construction of any statute, court rule, or other authority to the extent that
it protects that right to privacy, including any statutory procedures governing
discovery or disclosure of information concerning the official performance or
professional qualifications of a peace officer.
Cal.Const.
Art.I, §3, §§(3). The third creates various individual rights similar to the
federal bill of rights, including the right against unreasonable search and
seizure and the right of privacy. However,
(24) In criminal cases the rights of a defendant to
equal protection of the laws, to due process of law, to the assistance of
counsel, to be personally present with counsel, to a speedy and public trial,
to compel the attendance of witnesses, to confront the witnesses against him or
her, to be free from unreasonable searches and seizures, to privacy, to not be compelled to be a
witness against himself or herself, to not be placed twice in jeopardy for the
same offense, and to not suffer the imposition of cruel or unusual punishment,
shall be construed by the courts of this State in a manner consistent with the
Constitution of the United States.
Cal.Const.
Art.I, §24.
At least nine other state constitutions specifically
mention privacy rights generally, e.g.,
[5]
This Constitution, and the
Laws of the United States which shall be made in Pursuance thereof; and all
Treaties made, or which shall be made, under the Authority of the United
States, shall be the supreme Law of the Land; and the Judges in every State
shall be bound thereby, any Thing in the Constitution or Laws of any State to
the contrary notwithstanding.
[6] See e.g., Marbury v. Madison, 5 U.S. 137 (1803) and see generally Goebel, Jr., Julius, Antecedents and Beginnings to 1801, History of
the
[7] Union Pacific R. Co. v. Botsford, 141
[8] Stanley v.
[9] Terry v. Ohio, 392
[10] Griswold v.
[11]
[12] Meyer v.
[13] Palko v.
[14] Roe v. Wade, 410
[15]
[16] These are components of the
broad and complex concept of privacy, perhaps usefully designated here as
“privacy interests.” See generally
Bagby, John W., The Public Policy
Environment of the Privacy-Security Conundrum/Complement, Ch. XII,
pp.195-213 appearing in Strategies And Policies In Digital Convergence,
editor:
[17] See e.g., Abrams v. United
States, 250 U.S. 616 (1919) (J. Homes dissent).
[18]
[19]
[20]
[21] The term “privacy interests”
is used to attempt a conceptual breakdown of the more complex and multi-faceted
term, “privacy.” For example, Webster defines privacy as “withdrawn from
company or public view, secrecy, one’s private life or personal affairs.”
Indeed, some commentators show concern that it may not be useful to employ the
term “privacy” because it is “so complex, so entangled in competing and
contradictory dimensions, [and] so engorged with various and distinct
meanings…” Post, Robert C., Three
Concepts of Privacy, 89 Geo.L.J. 2087 (2001). The privacy interests
discussed in this report may be best defined by reference to the interests
explicitly protected by the statutes, as explained in the legislative history,
holdings of key court interpretations, privacy regulations and interpretive
administrative decisions that are cited and examined in depth in this report.
[22] Under the absorption
doctrine, the 14th Amendment applies the 5th Amendment
protections to state action. See e.g.,
Fairman, C., Does the Fourteenth Amendment Incorporate the Bill of Rights?
2 Stan. L. Rev. 5 (1949), see also, Williams v.
[23] CITE The right of
self-incrimination does not protect the contents of papers or many other
documentary records because recordkeeping is not a compelled act of
self-incrimination. See infra
discussion of self-incrimination aspects of electronic communications.
[24] CITES-cases articles For
example, the criminally accused have no 5th Amendment protections
when required to submit to the taking of various biometric samples (e.g.,
fingerprints, voiceprints, tissue for DNA testing, blood, urine, hair
follicles). CITES!
[25]
[26] Limitations have grown in
domestic relations and family law cases such as the valid exception to
confrontation in cases involving vulnerable victims (e.g., child abuse), the
secrecy of divorce records, and sealing the public records in classes of cases
where there is public policy justification for secrecy (e.g., national
security, trade secrets), but see infra
discussion of the Foreign Intelligence Surveillance Act (FISA) proceedings.
[27]
[28] Griswold v.
[29]
[30] See e.g., James Madison, “Federalist #45” (Jan. 26, 1788) and James
Madison, “Federalist #46” (Jan. 29, 1788) in The Federalist Papers, accessible at http://thomas.loc.gov/home/fedpapers/fed_45.html
and http://thomas.loc.gov/home/fedpapers/fed_46.html
[31] See e.g., Mass. v. Alger, 61
[32]
[33] See e.g., Felix Frankfurter, Memorandum on 'Incorporation' of
the Bill of Rights Into the Due Process Clause of the Fourteenth Amendment,
78 Harv. L. Rev. 746 (1965).
[34] Carpenter v.United States,
484 U.S. 19 (1987); Ruckelshaus v.
Monsanto Co., 467
[35] Arguably
the EU Data Protection Directive and the national laws passed thereunder create
privacy rights that resemble property rights of the subject individual. See e.g., Directive 95/46/EC of the
European Parliament and of the Council of October 24, 1995, The Protection
of Individuals with Regard to the Processing of Personal Data and on the Free
Movement of such Data, available at http://ec.europa.eu/justice_home/fsj/privacy/law/index_en.htm.
[36] Semayne's Case, 77
[37] See, e.g., United States v. Chadwick, 433
[38] U.S. Const. amend. IV.
[39] General Motors Leasing Corp. v. United States, 429
[40] United States v. Hoyos, 892 F.2d 1387, 1392 (9th Cir. 1989), cert.
denied, 489 U.S. 825 (1990),
Some key interpretation of probable cause include:
(1) consent to the search given by the targeted individual, Chapman v. United States, 365 U.S.
610 (1961) (landlord’s consent
insufficient to authorize unwarranted search of tenant’s premises), Stoner v. California, 376 U.S. 483
(1964) (hotel clerk’s consent insufficient to authorize unwarranted search of
guestroom), Camara v. Municipal Court,
387 U.S. 523 (1967), Frazier v. Culp,
394 U.S. 731, 740 (1969) (authority to consent to search), Marshall V.
Barlow's, Inc., 436 U.S. 307 (1978) (); (2) exigent circumstances, United
States v. McConney, 728 F.2d 1195, 1199 (9th Cir.), cert. denied, 469 U.S. 824 (1984) (“Those circumstances that would
cause a reasonable person to believe that entry (or other relevant prompt
action) was necessary to prevent physical harm to the officers or other
persons, the destruction of relevant evidence, the escape of a suspect, or some
other consequence improperly frustrating legitimate law enforcement efforts”), United
States v. Reed, 935 F. 2d 641 (4th Cir.), cert. denied, 502 U.S. 960 (1991) (exigency determined by urgency,
time needed to obtain warrant, risk evidence will be removed or destroyed,
physical risks at the location, suspect’s knowledge that law enforcement is in
pursuit, and/or ease of evidence destruction); (3) good faith; and (4) searches
incident to a lawful arrest, Chimel v.
California, 395 U.S. 752 (1969) (warrantless search permissible if
attendant to lawful arrest and limited to “lunge area” immediately surrounding
suspect).
[41] Weeks v. United States, 232 U.S. 383 (1914) (effective application
of 4th Amendment requires exclusion of tainted evidence); Mapp v. Ohio, 367 U.S. 643 (1961)
(applying exclusionary rule to the states). Some later cases have weakened the
exclusionary rule, see e.g., Nix v. Williams, 467 U.S. 431 (1984)
(inevitable discovery doctrine); United
States v. Leon, 468 U.S. 897 (1984) (the exclusionary rule generates
“substantial social costs”).
[42] Katz v.
[43] See infra discussion of statutory limitations on electronic
surveillance in particular and on searches and seizures in general by private
sector parties in section ___ and text accompanying notes __ to __.
[44] See Swire, Peter P., The
System of Foreign Intelligence Surveillance Law, 72
[45] Olmstead v.
[46] Prohibition was required by
the 18th Amendment,
[47] Rough adjustment for
inflation of the $2 million in 1928 to 2007, using an online calculator
resulted in a 12 fold increase to $24,321,520.47, see United States Department of Labor, Bureau of Labor Statistics,
Inflation calculator, accessible at http://data.bls.gov/cgi-bin/cpicalc.pl
[48] E.g., Weeks v.
[49] Olmstead v.
[50] Olmstead v.
[51] Olmstead v. United States, 277
U.S. at 476, finding support from Boyd v.
United States, 116 U.S. 616 (1886) and Ex
parte Jackson, 96 U.S. 727 (1877) to insulate information in document form
or sealed letters and packages in the mail as protected under the 4th
Amendment.
[52] Olmstead v.
[53] Pub. L. No. 416, (June 19,
1934) 48 Stat. 1064, 73rd Cong. Codified
as 7 U.S.C. § 605.
[54] Katz v.
[55] See e.g.,
[56] Various financial privacy
laws impose substantive privacy rights, empower several federal agencies and
every state insurance regulatory agency to regulate financial privacy, require
custodial duties for personally identifiable information (PII) and limit the
use of PII. For example, the Federal Trade Commission’s (FTC) privacy oversight
is enabled by various laws, most notably: (1) the Fair Credit Reporting Act,
Pub. L. 91–508, title VI, § 601, Oct. 26, 1970, 84 Stat. 1128, 15 U.S.C. §1681
et. seq. (2005), (2) the Fair and Accurate Credit Transactions Act, Pub. L. 108-159,
Dec. 4, 2003, 117 Stat. 1952, 15 U.S.C. §1681 et seq (2005) and (3) the privacy
provisions of the Financial Modernization Act, popularly known as the
Gramm-Leach-Bliley Act (GLB), Pub. L. 106-102, Nov. 12, 1999, 113 Stat. 1443.
15 USC §§6801-6809 (2005).
Although the leading GLB privacy
regulator is the FTC, various other Federal Functional Regulators (FFR) are
also empowered to regulate privacy in all sectors of financial services,
including the Securities and Exchange Commission (SEC), Commodity Futures
Trading Commission (CFTC), Federal Reserve Board (Fed.), Comptroller of the
Currency, Federal Deposit Insurance Corporation (FDIC), Office of Thrift
Supervision (OTS), and the National Credit Union Administration (NCUA). The FTC
enforcement case law is developing privacy rights and PII custodial duties
precedents more clearly than any of the other FRRs. See generally Bagby, John W., Common
Law Development of the Duty of Information Security in Financial Privacy Rights,
working paper presented at the Fourth
Annual Forum on Financial Information Systems and Cybersecurity: A Public
Policy Perspective, Smith School of Business, Univ. Maryland, May 23,
2007 accessible at http://faculty.ist.psu.edu/bagby/Pubs/CommonLawEfficiency-CustodyDutyInfoSecurity1.pdf
(arguing FTC is predominant privacy regulator in U.S.).
[57] Health Insurance Portability
and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936 (“HIPAA”),
42 U.S.C. § 1320d-6 (2005). HIPAA authorizes the Department of Health and Human
Services (HHS) to regulate healthcare privacy, extensive and detailed
regulations were issued in early 2000, 45 C.F.R. §§5(b), 164 (2006).
[58] Traditional telecommunications
carriers and their sub-contractors are generally required to maintain customer
privacy under various statutes and regulations of the Federal Communications
Commission (FCC). Indeed, the first federal wiretap law was an integral
component of the initial comprehensive regulatory scheme that created the FCC
and subjected telecommunications carriers to pervasive economic and technical
regulation. Federal Communications Act of 1934, 47 U.S.C. §§151 et.sec.
[59] See supra note 49, Bagby, John W., Common Law Development … (discussing common law development of
custodial duty to secure PII under: (1) §5 of FTC Act as an unfair or deceptive
trade practice, (2) under Gramm/Leach/Bliley in which PII “safeguards” are
required and (3) as limits imposed by regulations requiring management of data
retention under the FTC’s “disposal rule”)
[60] The Children's Online
Privacy Protection Act of 1998, 15 U.S.C. 6501-6508 (2005) authorizes FTC
rulemaking that contributes to the definition of PII custodial duties, 16
C.F.R. §312 (2005).
[61] For example, Mapp v. Ohio, 367 U.S. 643, 659 (1961)
(evidence obtained in searches and seizures violating 4th Amendment
is inadmissible in state court criminal trials, 4th Amendment’s
right to privacy enforceable against the States); Griswold v. Connecticut, 381 U.S. 479 (1965) (Connecticut
contraceptive prohibition violates specific constitutional guarantees from the
Bill of Rights from which penumbras emanate that help give them life and
substance and various guarantees that create zones of privacy); Omnibus Crime
and Control and Safe Streets Act of 1968, Pub.L. 90-351; 82 Stat. 197 codified as 18 U.S.C. §§ 2510–22
(expanding existing wiretapping protections).
[62] Search and seizure statutes
and caselaw strengthened through and until the 1960s and 1970s. However, by the
late 1970s and throughout the 1980s, the pendulum began to swing back,
restoring some advantages to law enforcement. This movement is generally
recognized as weakening the 4th Amendment in various search and
seizure contexts; Warden v. Hayden,
387 U.S. 294 (1967) (overturned “mere evidence” rule of Gouled v. United
States, 255 U.S. 298 (1921)); Smith
v. Maryland, 442 U.S. 735 (1979) (no 4th Amendment protection
from pen register archive of dialed phone numbers); Zurcher v. Stanford Daily, 436 U.S. 547 (1978) (no 4th
Amendment violation if law enforcement has probable cause to believe criminal
evidence likely from search of third party); California v. Greenwood, 486 U.S. 35 (1988) (no 4th
Amendment violation of search and seizure of trash left in the open at the
curb); Florida v. Riley, 488 U.S. 445
(1989) (no reasonable expectation of privacy in law enforcement observation of
greenhouse contents during overflight). See
generally Solove, Daniel J., A Brief
History of Information Privacy Law, §1:4.3 in Proskauer on Privacy, Christopher Wolf, editor (Practising
Law Institute, 2006) (discussing erosion of 5th Amendment
prohibition against production of target’s documents held by various third
parties).
[63] 18 U.S.C. §1084(a) (2005)
provides:
(a) Whoever
being engaged in the business of betting or wagering knowingly uses a wire
communication facility for the transmission in interstate or foreign commerce
of bets or wagers or information assisting in the placing of bets or wagers on
any sporting event or contest, or for the transmission of a wire communication
which entitles the recipient to receive money or credit as a result of bets or
wagers, or for information assisting in the placing of bets or wagers, shall be
fined under this title or imprisoned not more than two years, or both.
The statute requires “notice and disconnection” of
such lines by FCC-regulated common carriers when informed by law enforcement.
Furthermore, carriers are exempt from civil liability for such disconnections.
(d) When any
common carrier, subject to the jurisdiction of the Federal Communications
Commission, is notified in writing by a Federal, State, or local law
enforcement agency, acting within its jurisdiction, that any facility furnished
by it is being used or will be used for the purpose of transmitting or
receiving gambling information in interstate or foreign commerce in violation
of Federal, State or local law, it shall discontinue or refuse, the leasing,
furnishing, or maintaining of such facility, after reasonable notice to the
subscriber, but no damages, penalty or forfeiture, civil or criminal, shall be
found against any common carrier for any act done in compliance with any notice
received from a law enforcement agency…
[64] Boyd v.
[65] The FBI agents in Katz
generally followed warrant standards, Katz
v. United States, 389
Based upon their previous visual observations of the
petitioner, the agents correctly predicted that he would use the telephone
booth for several minutes at approximately the same time each morning. The
petitioner was subjected to electronic surveillance only during this
predetermined period. Six recordings, averaging some three minutes each, were
obtained and admitted in evidence. They preserved the petitioner's end of
conversations concerning the placing of bets and the receipt of wagering
information.
Katz v. United States, 389
On the single occasion when the statements of
another person were inadvertently intercepted, the agents refrained from
listening to them.
Katz v. United States, 389
Decisions interpreting the 4th Amendment
make search and seizure unreasonable per
se when conducted outside the judicial process and without prior judicial
approval. Jones v.
Nevertheless, skirting mandatory judicial oversight
(checks and balances) and retroactive approval of a previously conducted
warrantless search has been condoned for national security purposes under FISA
and its revisions, see e.g., Foreign
Intelligence Surveillance Act (FISA) Act, Pub.L. 95-511, codified as 50 U.S.C. § 1801 et seq., as amended by various
statutes including, inter. Alia., Protect America Act of 2007, S.1927, 110th
Cong. 1st Sess. (validating warrantless electronic surveillance for
national security without approval by FISA courts).
[66] Katz v.
[67] Katz v. United States, 389
[68]
[69] Katz v.
[70]
[71] Omnibus Crime Control and
Safe Streets Act of 1968, (Title III) June 19, 1968, Pub.L. 90-351, 82 Stat.
197, codified as 18 U.S.C. §§2510 –
22.
[72] See generally Susan
Freiwald, Online Surveillance:
Remembering the Lessons of the Wiretap Act, 56
[73] Electronic Communications
Privacy Act of 1986, Pub. L. 99-508, Oct. 21, 1986, 100 Stat. 1848, codified as 18 U.S.C. §2510, et.seq.
(2005).
[74] Various revisions, notably the USA Patriot Act, have addressed
technical advances as well as changes in national priorities, see e.g., Pub. L. 99–508, title II, §
201[(a)], Oct. 21, 1986, 100 Stat. 1861; amended Pub. L. 100–690, title VII, §§
7038, 7039, Nov. 18, 1988, 102 Stat. 4399; Pub. L. 103–322, title XXXIII, §
330003(b), Sept. 13, 1994, 108 Stat. 2140; Pub. L. 103–414, title II, § 207(a),
Oct. 25, 1994, 108 Stat. 4292; Pub. L. 104–132, title VIII, § 804, Apr. 24,
1996, 110 Stat. 1305; Pub. L. 104–293, title VI, § 601(b), Oct. 11, 1996, 110
Stat. 3469; Pub. L. 104–294, title VI, § 605(f), Oct. 11, 1996, 110 Stat. 3510;
Pub. L. 105–184, § 8, June 23, 1998, 112 Stat. 522; Pub. L. 107–56, title II,
§§ 209(2), 210, 212 (b)(1), 220 (a)(1), (b), Oct. 26, 2001, 115 Stat. 283, 285,
291, 292; Pub. L. 107–273, div. B, title IV, § 4005(a)(2), div. C, title I, §
11010, Nov. 2, 2002, 116 Stat. 1812, 1822; Pub. L. 107–296, title II, §
225(h)(1), Nov. 25, 2002, 116 Stat. 2158.
[75] 18 U.S.C. §§2510-22 (2005).
[76] 18 U.S.C. §§2701-12 (2005).
[77] 18 U.S.C. §§3121-27 (2005).
[78] 18 U.S.C. §2511 (2005).
[79] 18 U.S.C. §2511 (1)(a) (2005).
[80] 18 U.S.C. §2511 (1)(b) (2005).
[81] 18 U.S.C. §2511 (1)(c) (2005).
[82] 18 U.S.C. §2511 (1)(d) (2005).
[83] 18 U.S.C. §2511 (1)(e) (2005).
[84] 18 U.S.C. §2511 (5) (2005).
[85] 18 U.S.C. §2511 (5)(b) (2005).
[86] 18 U.S.C. §2520 (2005).
[87] 18 U.S.C. §2515 (2005).
[88] 18 U.S.C. § 2701(14) (2005)
defines “electronic communications system,” as “any wire,
radio, electromagnetic, photooptical or photoelectronic facilities for the
transmission of wire or electronic communications, and any computer facilities
or related electronic equipment for the electronic storage of such
communications.”
[89] 18 U.S.C. § 2701(15) (2005)
defines “electronic communications service” as “any
service which provides to users thereof the ability to send or receive wire or
electronic communications.”
[90] 18 U.S.C. § 2510(8) (2005)
content includes “any information concerning the substance,
purport, or meaning of that communication;.”
[91] 18 U.S.C. § 2701(12) (2005)
defines electronic communications as “any transfer of signs, signals, writing,
images, sounds, data, or intelligence of any nature transmitted in whole or in
part by a wire, radio, electromagnetic, photoelectronic or photooptical system
that affects interstate or foreign commerce, but does not include-
(A) any wire or oral
communication;
(B) any communication made
through a tone-only paging device;
(C) any communication from a
tracking device; or
(D) electronic funds transfer
information stored by a financial institution in a communications system used
for the electronic storage and transfer of funds.
[92] See e.g., Theofel v. Farey-Jones, 341 F.3d 978, 982 (9th
Cir. 2003).
[93] 18 U.S.C. §2702(a)(1)
(2005).
[94] 18 U.S.C. §2703 (2005).
[95] 18 U.S.C. §2703(b)(1)(A)
(2005).
[96] Notice may be delayed with
an administrative subpoena or under court order, 18 U.S.C. §2703(b)(1)(B)(i
& ii) (2005).
[97] 18 U.S.C. §2709 (2005).
[98] Andersen Consulting LLP
v. UOP, 991 F.Supp. 1041, 1042 (N.D. Ill. 1998) (internal eMail system
triggers duties under SCA).
[99] In re JetBlue Airways
Corp. Privacy Litig., 379 F. Supp. 2d 299, 307 (E.D.N.Y. 2005) (holding
that maintaining website for transmission of electronic communications with
customers does not cause the operator to constitute an electronic communications
service provider).
[100] 18 U.S.C. §2711(2) (2005) defines the term “remote
computing service” as “the provision to the public of computer storage or
processing services by means of an electronic communications system.”
[101] 18 U.S.C. §2510(17) (2005)
the term “electronic storage” is limited to two situations: (A) cache and (B)
backup:
“electronic storage” means-
(A) any temporary,
intermediate storage of a wire or electronic communication incidental to the
electronic transmission thereof; and
(B) any storage of such
communication by an electronic communication service for purposes of backup
protection of such communication.
[102] In re Doubleclick Inc. Privacy Litigation, 154 F. Supp. 2d 497,
511-12 (S.D.N.Y. 2001) (cookies persistent when stored on hard drives, not
within “electronic storage” definition, thus outside SCA’s protection).
[103] 18 U.S.C. §2703(c)(2)
(2005), this includes the subscribers “name; address; local and long distance
telephone connection records, or records of session times and durations; length
of service (including start date) and types of service utilized; telephone or
instrument number or other subscriber number or identity, including any
temporarily assigned network address; and means and source of payment for such
service (including any credit card or bank account number).”
[104] 18 U.S.C. §2703(c)(1)
(2005).
[105]
[106] 18 U.S.C. §2510(8) (2005).
[107] 18 U.S.C. §2511(2)(d) (2005).
[108] Watkins v. L.M.
Berry & Co., 704 F.2d 577 (11th Cir. 1983).
[109]
[110]
[111] Id. But see, Simmons v. Southwestern Bell Tel. Co., 452 F. Supp. 392, 396 (W.D.
Okla. 1978) (implying consent by employee’s personal call on phone lines
reserved for business use from previous warning and the availability of other
phone lines for employees’ personal use).
[112]
[113] 980 F.2d 1153 (8th Cir. 1992).
[114]
[115]
[116] 18 U.S.C. § 2511(2)(a)(i)(2005) provides:
It shall not be unlawful under this chapter for an operator of a switchboard, or an officer, employee, or agent of a provider of wire or electronic communication service, whose facilities are used in the transmission of a wire or electronic communication, to intercept, disclose, or use that communication in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service, except that a provider of wire communication service to the public shall not utilize service observing or random monitoring except for mechanical or service quality control checks.
[117]
[118] 18 U.S.C. § 2701(c)(1) (1988).
[119] 18 U.S.C. § 2702(b)(4) & (5) (2005).
[120] Andersen
Consulting LLP v. UOP, 991 F. Supp. 1041 (N.D.Ill. 1998).
[121] No. BC007036, slip op. at 5-6 n.1 (Cal. Super.
[122]
[123] Michele C. Kane, Electronic Mail and Privacy,
Prac. L. Inst. Pats. Copyrights Trademarks Literary Prop. Course Handbook
Series,S, Oct.-Nov. 1993, at 419, 438.
[124] Gnatt, supra
note 7 at 354.
[125] 611 F.2d 342 (10th Cir. 1979).
[126]
[127]
[128] Gnatt, supra
note 7 at 356 (citing Julia T. Baumhart, The Employer's Right to Read
Employee E-mail: Protecting Property or Personal Prying, 8 Lab. Law. 923,
932, 937 (1992).)
[129] 18 U.S.C. §2510(17)(B) (1988).
[130] 18 U.S.C. § 2510(5)(a) (1988).
[131] See generally
Martha W. Barnett & Scott D. Makar, In
the Ordinary Course of Business": The Legal Limits of Workplace
Wiretapping, 10
[132] See Deal v. Spears, 980 F.2d 1153, 1158 (8th. Cir.
1992) (employer's interest in catching thief did not justify recording
of 22 hours of primarily personal phone calls).
[133] See, James v.
Newspaper Agency Corp., 591 F.2d 579, 581 (10th Cir. 1979) (upholding
interceptions based on facts that employer provided full notice and that
interceptions were for legitimate business purposes of providing training,
instruction, and protection against abusive calls); Harpel, 493 F.2d 346 (holding unlawful employer's interception of
telephone conversations, partially because employer did not provide any notice
of monitoring).
[134] See Briggs v.
American Air Filter Co, 630 F.2d 414, 420 (5th Cir. 1980) (employer not
liable for interception where time and scope limited as necessary to intercept only
the portion of call employee discussed business with a competitor).
[135] See Gnatt,
at 385; also see Dichtner and
Burkhardt, at 32.
[136]
[137] 493 F.2d 346 (10th Cir. 1974).
[138] 591 F.2d 579, 581 (10th Cir. 1979).
[139] 980 F.2d 1153, 1157 (8th. Cir. 1992).
[140]
[141]
[142]
[143] 38 F.3d 736 (4th Cir. 1994).
[144]
[145] 704 F.2d at 582-83.
[146]
[147] 630 F.2d 414, 419 (5th Cir. 1980).
[148]
[149] 704 F.2d at 582-83.
[150] Simmons,
452 F. Supp. 392 at 394-95.
[151]
[152] Consider the state action exemption under antitrust in
which the normally prohibited private collusive action is actually protected
where the state law requires the collusive action, price fixing or other
non-competitive market structure, see
e.g., Parker v. Brown, 317 U.S.
34 (1943); California Liquor Dealers v.
Midcal Aluminum, 445 U.S. 97 (1980).
[153] See Skinner v. Railway Labor Executives’ Ass’n, 489
[154] O’Connor
v. Ortega, 480 U.S. 709, 720-722 (1987) (dicta that requiring employers to
obtain a search warrant before conducting a search would be unworkable, stating
that “because work-related searches promote efficiency, employers should have
greater latitude to conduct such searches.”).
[155]
[156]
[157]
[158]
[159]
[160] 480
[161] Camara v. Municipal Court, 387
[163] Id. at 717-18; United States v. Taketa, 923 F.2d 665,
672-73 (9th Cir.1991) (no 4th amendment violation in a warrantless search of the
office of an officer of the Nevada Bureau of Investigations).
[164] Schowengerdt
v. General Dynamics Corp., 823 F.2d 1328 (9th Cir.1987).
[165]
[166] 480
[167] 480
[168] Amos
v.
[169] Watkins,
704 F.2d 577.
[170]
[171] 979 F. Supp at 1184.
[172]
[173] Dumbra
v.
[174] Brinegar
v.
[175] 480
[176] See
[177] Schowengerdt
v.
[178] Shields v. Burge , 874 F.2d 1201,
1208-09 (7th Cir. 1989).
[179] Louis Harris & Associates, Inc. &
Dr. Alan F. Westin, The Dimensions of Privacy:
A National Opinion Research Survey of Attitudes Toward Privacy at 32-41
(1981) (reasoning that employers should recognize that employee productivity is
linked to workplace privacy).
[180] See Robert B. Fitzpatrick, Privacy
Issues in Surveillance, Search, and Monitoring of Employees, C669
A.L.I.-A.B.A. Course Study 23, 36 (1991) (noting that monitoring induced and
stress-related symptoms among employees have been estimated to cost U.S.
businesses $50 to $75 billion annually).
[182] Vale v. Louisiana, 399 U.S. 30, 34
(1970) (stating that “[t]he burden rests on the State to show the
existence of such an exceptional situation”).
[183]
[184] Warshak
v.
[185]
[186]
[187] Id
at 3 stating “Therefore the standard
necessary to obtain an order under the SCA — that the government introduce
“specific and articulable facts showing that there are reasonable grounds to
believe that the contents” of the e-mail to be seized “are relevant and
material to an ongoing criminal investigation” — is permissible as the
functional equivalent of a subpoena given the subject’s ability to contest the
order in court. Because this standard is lower than the probable cause standard
necessary to obtain a search warrant, it is sufficient to justify a warrantless
search only in instances where notice is provided to the account holder.”
[188]
[189]
[190] United States v. Forrester, No.
05-50410 (9th Cir. filed July 7, 2007).
[191] Smith v.
[192]
[193]
e-mail and
Internet users, like the telephone users in Smith, rely on third-party
equipment in order to engage in communication…e-mail to/from addresses and IP
addresses constitute addressing information and reveal no more about the
underlying contents of communication than do phone numbers.
Note that the court does not extend this analysis to more
intrusive surveillance methods, stating that
surveillance
techniques that enable the government to determine not only the IP addresses
that a person accesses but also the uniform resource locators (“URL”) of the
pages visited might be more constitutionally problematic. A URL, unlike an IP
address, identifies the particular document within a website that a person
views and thus reveals much more information about the person's Internet
activity.
[194] Communications Technology: New
Challenges to Privacy, 21 J.
[195] Gnatt, supra
note 7, at 417 (citing David H. Flaherty, Protecting
Privacy in Surveillance Societies 4 (1989)).
[196] Michael F. Rosenblum, The Expanding
Scope of Workplace Security and Employee Privacy Issues, 3 DePaul Bus. L.J.
77, 96 (1990).
[197]
[198] Michele C. Kane, Electronic Mail and
Privacy, Prac. L. Inst. Pats. Copyrights Trademarks Literary Prop. Course
Handbook Series,S, Oct.-Nov. 1993, 438 (stating clear policies minimizes
unfortunate surprises and potentially avoids negative publicity that might
result from an employee's invasion of privacy action).
[199] Glenn Rifkin, The Ethics Gap: Despite
Growing Attention, Many IS Managers Say, “It's not my job,” Computerworld,
Oct. 14, 1991, at 83.
[200] Id.;
See United States v. Van Leeuwenm, 397