The Privacy of E-Mail

Since the widespread adoption of the Internet by the general public, electronic correspondence has grown to staggering levels: The research firm The Gartner Group estimated that in 2001, more than 5.5 trillion e-mails were sent worldwide, or roughly 15 billion messages per day. The research analyst group International Data Corporation predicts that by 2006, the daily e-mail count will quadruple, to something in the range of 60 billion messages. By contrast, the U.S. Postal Service handled roughly 200 billion pieces of mail for all of 2001. ^[10]

E-mail is rapidly becoming the predominant form of business communication. The advantages are self-evident: speed, convenience, low cost, ease of use, the elimination of phone tag, and so forth. But e-mail is, to put it mildly, a double-edged sword: Indiscreet workplace e-mail writers are, to borrow a clich , the road kill of the information superhighway. Hardly a week goes by without new stories of employees who have been fired as a result of management disapproval of their workplace correspondence. According to the American Management's Association's most recent annual workplace survey, roughly one-half of all employers in this country periodically review their employees' e-mails, and one-third of all businesses have fired someone for inappropriate use of company e-mail or improper Web surfing.

To understand the role that e-mail is playing in employment and the ease with which it can be monitored, it's useful to take a closer look at this incredibly popular form of communication.

Searching Electronic Mail

Much of the misconception regarding e-mail privacy stems from the way it mirrors the characteristics of other types of communication: It's a written communication, which implies the privacy of first-class mail, and it's person-to-person and virtually instantaneous, which suggests the privacy of a telephone conversation. Unfortunately, e-mail lacks the privacy protection given to either form of communication.

To begin with, the mere fact that an e-mail is a written communication from one person to another person (or a group of people) accords it no particular protection. Only letters that are sealed, stamped, and deposited in a U.S. Postal Service mailbox are entitled to the privacy protection offered by federal law. Since e-mail doesn't remotely conform to postal regulations, it has roughly the same privacy protection enjoyed by postcards, and no one would rationally consider a postcard sent through the mails to be a private document. But when it is mailed in a sealed envelope, even the raunchiest "You're Turning Forty" birthday card has more legal protection than the most sensitive or profound e-mail.

Telephone calls also offer employees greater privacy protection than e-mails. The Electronic Communications Privacy Act (ECPA), which Congress adopted in 1986, divides electronic communications into two categories: stored communications and communications in transit. Electronic communications that are in transit are entitled to roughly the same protection accorded voice communication—that is, an employer cannot intercept them or record them (subject to certain exceptions). But unlike voice communication, which is almost always live, e-mail is almost always stored in one fashion or another. ^[11] As long as an employer is searching a stored collection of e-mail, it can poke and pry at will.

The potential storage sites for your e-mails are myriad. Every e-mail program contains an option to copy the messages you send to a "sent" folder on your computer, and most computer users either purposely choose to have their messages saved or are oblivious to the fact that the program is doing so automatically. As we've seen, assuming that you've been given notice of the possibility of searching, your company can search the files on your computer at its discretion, and that includes the contents of your "sent" folder, your inbox, your "draft" folder, and anything else that it thinks might be interesting.

Even if you don't save copies of your e-mail on your computer, the normal operation of a corporate network creates other storage opportunities. When you click "send" on your office network computer, for instance, your e-mail program typically forwards your e-mail to the network mail server, which breaks the message into packets and sends them over the Internet toward their destination. For the purposes of the Electronic Communications Privacy Act, the e-mail's arrival at the network mail server is the equivalent of an airport layover. Even if the retransmission of your e-mail is virtually instantaneous, its brief stop in the network mail server constitutes "storage" for the purposes of employer investigation and review.

In some workplaces, incoming and outgoing employee e-mail is stored on a mail server, which the company copies each evening onto another hard drive or backup tape. Tape archives are typically kept for a finite period of time (usually thirty days or so), but it's not uncommon for e-mails that are months or even years old to be retrieved from archives. How long a particular company maintains its electronic archives depends on its own retention policy; companies need to balance a number of competing concerns including data integrity and protection, the ability to review the electronic behavior of their employees, and the legal exposure they risk by having months and months of electronic materials on file. ^[12]

E-Mail Firings and Other Tales of Electronic Woe

Undoubtedly, Michael Smyth never intended to carve himself out a permanent place in the battle over workplace privacy rights. Nonetheless, his name is inextricably linked with one of the first federal court decisions regarding the privacy of e-mail. In October 1994, Smyth, a regional operations manager for the Pillsbury Company in Philadelphia, received some e-mails from his supervisor on his home computer. The e-mails originated on an internal e-mail system set up and maintained by Pillsbury, and Smyth's responses traveled across the same system on their way back to his supervisor.

During this e-mail exchange, Smyth ridiculed Pillsbury's sales management, threatened to "kill the back-stabbing bastards," and referred to a holiday party at Pillsbury as a "Jim Jones Kool-Aid affair." A company executive who reportedly saw a copy of that message in an office printer undertook a thorough review of all of Smyth's e-mails, and on February 1, 1995, Smyth was fired by Pillsbury "for transmitting what it deemed to be inappropriate and unprofessional comments over defendant's e-mail system." Smyth sued to regain his job, arguing that Pillsbury had explicitly promised that all e-mails would remain privileged and confidential. In fact, the District Court found that Pillsbury had also promised that e-mails "could not be intercepted and used by defendant against its employees as grounds for termination or reprimand."

The court agreed that Pillsbury had broken its promise to Smyth, but held that he had no claim against the company nonetheless. ^[13] Its language starkly underscores the limited privacy rights that employees have in their e-mail messages:

... unlike urinalysis and personal property searches, we do not find a reasonable expectation of privacy in e-mail communications voluntarily made by an employee to his supervisor over the company e-mail system notwithstanding any assurances that such communications would not be intercepted by management. Once plaintiff communicated the alleged unprofessional comments to a second person (his supervisor) over an e-mail system which was apparently utilized by the entire company, any reasonable expectation of privacy was lost ... even if we found that an employee had a reasonable expectation of privacy in the contents of his e-mail communications ... we do not find that a reasonable person would consider the defendant's interception of these communications to be a substantial and highly offensive invasion of his privacy ... by intercepting such communications, the company is not ... requiring the employee to disclose any personal information about himself or invading the employee's person or personal effects. Moreover, the company's interest in preventing inappropriate and unprofessional comments or even illegal activity over its e-mail system outweighs any privacy interest the employee may have in those comments.

Far more than the telephone, e-mail underscores the tension between an employee's work and his personal life. While most employees would agree that it would not be appropriate to spend large amounts of time making personal phone calls in the office, it's more difficult to see the harm in dashing off a few quick e-mails to family and friends. From the employer's perspective, however, personal e-mails are more problematic than personal telephone calls: The time required to send even a "quick" e-mail adds up over the course of the day, and even more distressingly, an inappropriate e-mail can later play a starring role in litigation against the company.

It was precisely those types of concerns that have led hundreds, if not thousands, of companies to fire employees for improper use of e-mail. Here are just a few examples, drawn from mid-1999 to late 2000:

• In Michigan, Dow Chemical fired twenty-nine employees and suspended forty-two others for sending pornographic or "violent" images over the company e-mail system.

• After a review of its employee e-mail archives, The New York Times fired twenty-three workers for distributing pornography and dirty jokes by e-mail.

• Xerox fired twenty-two people from its Virginia office for sending offensive e-mails.

• The St. Louis brokerage Edward Jones & Co. fired eighteen employees and warned forty-one others about sending pornography across the company e-mail system.

By now, employers can rely with confidence on the long line of court decisions that have resolved the tension between the company's property and employee privacy interests in favor of businesses. Whatever common law interests in privacy you may think you have in your electronic communications are superseded by the fact that your employer owns and operates the system over which the e-mail travels.

^[10]Kendra Mayfield, "Neither Rain nor Hail nor E-Mail," Wired.com (June 7, 2001). The postal service claims that e-mail is not a threat, because many of the messages sent by e-mail (jokes, chain letters, multilevel marketing schemes, and so on), would not have been sent by regular mail anyway. Nonetheless, current predictions are that first-class mail levels will fall an average of 2.5 percent per year from 2003 to 2008. Id. Clearly worried about the impact that e-mail is having on first-class mail, the postal service has floated various plans to charge for the delivery of secure e-mail. None of these plans has borne fruit, however, as the evolution of e-mail technology has vastly outstripped the postal service's ability to design and implement a viable system.

^[11]Voice mail raises some interesting questions, but is generally considered to fall under the definition of "wire communications," which makes it subject to antiwire-tapping laws.

^[12]While it is obviously illegal to destroy evidence of possible wrongdoing during litigation, companies are generally not penalized if potentially relevant evidence was destroyed during routine archive maintenance.

^[13]Ironically, Smyth and Pillsbury agreed to a settlement of Smyth's lawsuit against the company on the same day that the District Court dismissed the suit. The court's order, however, was entered before notice of the settlement was filed with the court.