Computer Ethics, Summer 2010

Week 3, Thursday (class 9)
Corboy Law Room 323

Midterm: to be released Sunday June 13, due Tuesday June 15 by ~midnight.

legal cases
surveillance
data companies
online legal data
theories of privacy
workplace email
ECPA
RFID
price discrimination




Workplace privacy of email

One fairly basic principle the courts have used is whether or not one has a "reasonable expectation of privacy". However, this doesn't always mean quite what it seems.

Smyth v Pillsbury, 1996

Summary: Michael Smyth worked for Pillsbury, which had a privacy policy governing emails that said Pillsbury would NOT use emails against employees, and that emails "would remain confidential and privileged". Specifically, Pillsbury promised that e-mail communications could not be used against its employees as grounds for termination or reprimand.

Judge: Charles Weiner

How would the case have been different if:

Discussion of Smyth v Pillsbury:

Contract v Tort: Judge held that corporate eavesdropping is not offensive. Duh. (Could it be offensive because the company had promised not to??)

Judge says Smyth lost because email was "utilized by entire company" and Smyth's emails were "voluntary".

Were they? What does this have to do with anything? The use of the word "voluntary" is in contrast to mandatory urinalysis cases.

From the decision:

we do not find a reasonable expectation of privacy in e-mail communications voluntarily made by an employee to his supervisor over the company e-mail system notwithstanding any assurances that such communications would not be intercepted by management.

...
even if we found that an employee had a reasonable expectation of privacy in the contents of his e-mail communications over the company e-mail system, we do not find that a reasonable person would consider the defendant's interception of these communications to be a substantial and highly offensive invasion of his privacy.

"Reasonable expectation of privacy" does not mean the search is "offensive". Only searches that are "offensive" would allow legal action regarding firing of an "at-will" employee.

Judge: Pillsbury's actions did not "tortiously" (that is, in violation of some tort, or general non-contractual duty) invade privacy.

unstated by judge: prevention of sexual harassment as justification. This provides a legitimate "motive" for corporations to read all employee email. The judge did state

Moreover, the company's interest in preventing inappropriate and unprofessional comments or even illegal activity over its e-mail system outweighs any privacy interest the employee may have in those comments.

Arguably, though, the Smyth kind of talk between "buddies", with the self-image projected to fit that context, is EXACTLY what some interpretations of privacy are about. Not all context is "professional".

What if Pillsbury recorded spoken water-cooler or bathroom conversation?

What the heck is a "reasonable expectation of privacy"??? "In the absence of a reasonable expectation of privacy, there can be no violation of the right to privacy."

Could Smyth have sued for DAMAGES, instead of reinstatement? Could Smyth have sued for contractual obligations?

Footnote to judge's ruling: ["estoppel" is eh-STOP-uhl]

FN2. Although plaintiff does not affirmatively allege so in his Complaint ... the allegations in the Complaint might suggest that plaintiff is alleging an exception to the at-will employment rule based on estoppel, i.e. that defendant repeatedly assured plaintiff and others that it would not intercept e-mail communications and reprimand or terminate based on the contents thereof and plaintiff relied on these assurances to his detriment when he made the "inappropriate and unprofessional" e-mail communications in October 1994. The law of Pennsylvania is clear, however, that an employer may not be estopped from firing an employee based upon a promise, even when reliance is demonstrated. [emphasis by pld] Paul v. Lankenau Hospital, 524 Pa. 90, 569 A.2d 346 (1990).

Jurisdiction problems: what if one party to an email lives in a state that grants statutory privacy protections? This problem comes up all the time with phone calls:

Worldcom case: Plaintiffs were Kelly Kearney and Mark Levy; they worked for a company acquired by Worldcom. Their calls were recorded in Georgia, but plaintiffs were calling from California, which forbids recording without notification of ALL parties.

Massachusetts case: jurisdiction depends on where wiretapping physically took place, not where the speakers were. How does telephony relate to email? What is our expectation of privacy? 

What about use of, say, a personal gmail account while at work? If employer monitors transactions with gmail.com? If employer obtains email from google directly?

Loyola policy: luc.edu/its/policy_email_general.shtml (discussed below)

Persistence: email sticks around, although people USE it as if it were like the phone.



Paul v Lankenau Hospital

    524 Pa. 90, 93, 569 A.2d 346, 348 (1990)
    (Pennsylvania court; Atlantic Reporter, 2nd Series, vol. 569, case begins on page 346, the cited passage is on page 348)

Dr Parle Paul, MD, would take home discarded hospital equipment. He would sell it or send it to clinics in Yugoslavia, his homeland. He got permission to take five discarded refrigerators. Unfortunately, he apparently did not have the RIGHT permission.

Oops.

He was fired, and filed suit in state court for reinstatement and for defamation.

A jury trial resulted in a verdict in Paul's favor, both for damages and reinstatement. Superior court affirmed. The appellate court reversed the reinstatement order.

From the appellate decision:

Equitable estoppel is not an exception to employment at-will. The law does not prohibit firing of an employee for relying on an employer's promise.

Exceptions to the [at-will firing] rule have been recognized in only the most limited circumstances, where discharges of at-will employees would threaten clear mandates of public policy. [some such: racial/ethnic discrimination, whistleblowing, refusal to commit illegal acts, unionizing, ...]

Look at this another way. Smyth and his lawyers knew that he could be fired for any reason, regardless of Pillsbury's promises to the contrary.

Smyth was asking for the TORT of invasion of privacy to be applied. A "tort" is essentially a common-law right that has been breached, as opposed to a contractual right. Tortious invasion of privacy exists, but the standards are high and the expectation of privacy must be a reasonable one.

In court cases, you can't add 30% of an argument for equitable estoppel and 70% of an argument for tortious invasion of privacy to get 100% of a case. ONE argument must be 100% sound.



Who decides when we have a "reasonable expectation of privacy"? If most people think email privacy is easy to breach, does it lose protection? Is this case about the judge not "getting it" that email privacy is not about "whoever owns the equipment can do what they want"? Is email any easier to spy on than the phone?


Review of Smyth v Pillsbury:

Bottom line, there is "no reasonable expectation of privacy for work email" and they can read it even if they promise not to.

That last part fits in with longstanding law regarding employment-at-will.

The main issue is really the "no reasonable expectation" part, since that blocks civil tort suits. Even if "reasonable expectation" is highly subjective.




Loyola's policy on email

Privacy on University electronic mail systems [1997-1998] http://www.luc.edu/its/policy_email_general.shtml

In the section subtitled "Privacy on University electronic mail systems", seven reasons are given why someone else might read your email:

The University community must recognize that electronic communications are hardly secure and the University cannot guarantee privacy. The University will not monitor electronic mail messages as a routine matter. But the University reserves the right to inspect, access, view, read and/or disclose an individual's computer files and e-mail that may be stored or archived on University computing networks or systems, for purposes it deems appropriate. There may arise situations in which an individual's computer files and e-mail may be inspected, accessed, viewed, read and/or the contents may be revealed or disclosed. These situations include but are not limited to:

  1. During ordinary management and maintenance of computing and networking services,
  2. During an investigation of indications of illegal activity or misuse, system and network administrators may view an individual's computer files including electronic mail,
  3. During the course of carrying out the University's work, to locate substantive information required for University business, e.g., supervisors may need to view an employee's computer files including electronic mail,
  4. If an individual is suspected of violations of the responsibilities as stated in this document or other University policies,
  5. To protect and maintain the University computing network's integrity and the rights of others authorized to access the University network.
  6. The University may review and disclose contents of electronic mail messages in its discretion in cooperating with investigations by outside parties, or in response to legal process, e.g., subpoenas,
  7. Should the security of a computer or network system be threatened

Some possible protections (not actually implemented):

Protection against items 5,7: If your email is examined because we believe your account has been compromised, any contents implicating you on other matters and associated with your legitimate use of your account will NOT be held against you (except in cases of ????)

Protection against 1: If your email is examined accidentally or as part of routine system maintenance, any contents implicating you on any matters will not be held against you (exceptions???)

While these would not be enforceable for staff, as at-will employees, they would be for

Legit: 2, 3 [maybe], 4 [but what grounds for suspicion?] Item 6 could be clearer that outside investigations must be part of law enforcement;


Electronic Communications Privacy Act, 1986

The ECPA was intended to extend the existing restrictions on government wiretaps to other electronic communication, in particular email. However, it also applies to private organizations. It has three exceptions that serve to limit its applicability to employer monitoring (§2511(2)(a)):
  1. The provider exception (except that a provider .. shall not utilize service-observing or random monitoring except for ... quality control checks)
  2. The ordinary course of business exception
  3. The consent exception. (c)

Generally, most employer monitoring falls under one of these. Note that the "provider" exception is a specific feature of ECPA; ownership of the hardware does not create a general right of access and in particular ownership of a telephone system does not create a right to eavesdrop.

Phone surveillance in the workplace
Keystroke monitoring
Location monitoring

Do computers empower workers, or shackle them?

While we're on the topic of ECPA, there is:
    Title I, covering electronic communications in transit (USC Title 18 Chapter 119)
    Title II, the Stored Communications Act (USC Title 18 Chapter 121)
The latter has much less stringent restrictions. Debate continues as to the appropriate category for email messages.

ECPA amended the Wiretap Act of 1968.

US v Councilman

Bradford Councilman ran a website that listed rare books; he also gave email accounts (actually aliases) to booksellers within the domain "interloc.com" (this might be comparable to amazon.com giving email aliases to their associated private sellers, or even ebay). However, Councilman examined these dealer emails in order to develop a competitive strategy (these emails would show what rare books were in demand, for example; apparently the real target was amazon.com).

In the case US v Councilman, the government prosecuted Councilman for interception of email in violation of the ECPA/Wiretap Act. Councilman argued that he only examined the email as it was stored on servers temporarily while being routed to its final destination, and that accessing stored documents did not constitute "interception" for the purposes of the Wiretap Act. The District Court and a 3-judge panel of the Appellate Court agreed with Councilman's theory. In 2005, however, the First Circuit court ruled en banc that, yes, ECPA in-transit rules did apply to data stored temporarily on disks (filesystems) as well.

Note that the issue here is not government access to electronic communications.

Note also that the status of email as it sits in storage remains contentious.

Email differs technically from voice in that as email is forwarded to its destination the full message sits briefly on various intermediate servers. Phone servers store at most a few bits of a voice stream at a time. The First Circuit ruled very definitively that, despite the appearance that email was being stored, the practical understanding was that it was in transit, and as such was protected. This is a good example of the courts rejecting a "technical" argument for the "big picture"; note, however, that the first two courts to hear the case agreed with the technical argument.

The full First Circuit decision is at http://www.ca1.uscourts.gov/pdf.opinions/03-1383EB-01A.pdf



United States v Warshak, 6th circuit decided June 2007, redecided July 2008

This was a case involving government compliance with ECPA. Warshak was a spammer promoting "Enzyte" for "natural male enhancement." He was a suspect in a (different) fraud case. The government got an order from a US Magistrate asking for his email records. The emails were turned over in response to the order.

Eventually Warshak found out about this:
    Warshak: get a search warrant!
    US: all we need is subpoena (much weaker)

Are subpoena rules for email overly broad?
US argument: users of ISPs don't have a reasonable expectation of privacy.

This is clear for employer-provided email, though there's no reason to suppose loss of privacy extends to the government.

But what about commercial email? Here's an imaginary Yahoo Terms-of-service by Mark Rasch, from securityfocus.com/columnists/456/3 :

Because a customer acknowledges that Yahoo! has unlimited access to her e-mail, and because she consents to Yahoo! disclosing her e-mail in response to legal process, compelled disclosure of e-mail from a Yahoo! account does not violate the Fourth Amendment.

The point here is that because Yahoo has access to your email, the gov't thinks that all your email should be treated just like any other commercial records. You have no "expectation of privacy".

The government argued that this case was like the 1976 US v Miller case, where bank records were found NOT to be protected. However, bank records are pretty clearly different from email. For one thing, under the "transaction" theory of privacy, bank records belong to the bank, as well as to you. Email does not belong, in any sense, to your ISP.

Stored Communications Act, part of ECPA
    email stored 180 days or less: gov't needs a warrant
    more than 180 days: warrant, subpoena, or court order
See http://www.usdoj.gov/criminal/cybercrime/ECPA2701_2712.htm
§2703 (a): less than 180 days (b): more than 180 days

Warshak was arguing that the government should need a warrant for ANY of his email.

District court: Warshak won. (Quote from full 6th circuit decision)

The court reasoned that Warshak likely would succeed on his Fourth Amendment claim because internet users have a reasonable expectation of privacy in e-mails, and because the orders authorized warrantless searches on less than probable cause.

3-judge panel of 6th circuit appellate court: Warshak won, June 2007. The decision was far-reaching, not specific to the facts at hand. From the ruling:

[W]e have little difficulty agreeing with the district court that individuals maintain a reasonable expectation of privacy in e-mails that are stored with, or sent or received through, a commercial ISP. The content of e-mail is something that the user "seeks to preserve as private," and therefore "may be constitutionally protected."

October 2007: 6th circuit agrees to en banc review (whole court)

July 2008: full court ruled that the case was not "ripe": broad question was not ready to be addressed.

The ripeness doctrine serves to "avoid[] . . . premature adjudication" of legal questions and to prevent courts from "entangling themselves in abstract" debates that may turn out differently in different settings.

Conventional wisdom as to why the supreme court is not likely to hear the case: they would have to find that the case was "ripe", and they are much more likely to wait for a case where "ripeness" is more evident. (See Eugene Volokh, volokh.com/posts/1176832897.shtml) Traditionally, the courts consider 4th-amendment cases "after the fact".


gmail

All gmail is read at google. Just not necessarily by people. Does this matter?

What if Councilman had had automated software read the email, and this software then updated Councilman's book-pricing lists? Is this different from what gmail does, or the same?

What if google searched gmail for inside stock tips, and then invested?

What could google do with the information it learns about you?

What could the government do, if they had access to any of it?

Once Upon A Time, some people laced their emails with words like "bomb" and "terrorist", intended as a troll for the NSA. If you're doing that today you're most likely trolling gmail instead of the NSA. Try lacing your google email with words related to a single hobby with substantial commercial presence (eg tennis equipment), and see what ads you get. (Perhaps the most interesting test would be to choose a socially stigmatized hobby.)



What if your ISP examined your email? Would it make a difference if the reason was:


Suppose google/gmail gets together with commercial entities with information about your shopping. What would it really mean? If the information's use was restricted to more advertising, would any amount of information really matter? Or are there advertising approaches that, by "knowing what strings to pull for you", are fundamentally unacceptable?

And is there a special concern if this kind of information became available directly? For example, if employers could look up your magazine subscriptions?



RFID

Original reading: Simson Garfinkel, Adopting Fair Information Practices to Low Cost RFID Systems.

Overall survey of active v passive rfid tags. Why they might remain attached to purchased items. RFID tags in identification cards

Differences between RFID and bar codes. In one sense, both types work by being "illuminated" by a source of electromagnetic radiation. In practice, most ordinary materials are not opaque to RFID frequencies, and more information can be stored.

creeping incursions: when do we take notice? Is there a feeling that this "only applies to stores"? Are there any immediate social consequences? Is there a technological solution?

How do we respond to real threats to our privacy? People care about SSNs now; why is that?

Are RFID tags a huge invasion of privacy, touching on our "real personal space", or are they the next PC/cellphone/voip/calculator that will revolutionize daily life for the better by allowing computers to interact with our physical world?

Imagine if all your clothing displays where you bought it: "Hello. My underwear comes from Wal*Mart"
(Well, actually, no; RFID tags don't take well to laundering.)

RFID tags on expensive goods, signaling that I have them: iPods, cameras, electronics

Loyola RFID cards

RFID v barcodes: unique id for each item, not each type; readable remotely without your consent

"Kill" function

Active and passive tags

Are there ways to make us feel better about RFID??

Garfinkel's proposed RFID Bill of Rights:

Users of RFID systems and purchasers of products containing RFID tags have:

  1. The right to know if a product contains an RFID tag.
  2. The right to have embedded RFID tags removed, deactivated, or destroyed when a product is purchased.
  3. The right to first class RFID alternatives: consumers should not lose other rights (e.g. the right to return a product or to travel on a particular road) if they decide to opt-out of RFID or exercise an RFID tag’s “kill” feature.
  4. The right to know what information is stored inside their RFID tags. If this information is incorrect, there must be a means to correct or amend it.
  5. The right to know when, where and why an RFID tag is being read.

What about #3 and I-Pass?

Serious applications:

Technological elite: those with access to simple RFID readers? Sort of like those with technical understanding of how networks work?

2003 boycott against Benetton over RFID-tagged clothing: see boycottbenetton.com: "I'd rather go naked" (who, btw, do you think is maintaining their site? This page is getting old!)

Some specific reasons for Benetton's actions:

Is the real issue a perception of control? See Guenther & Spiekermann Sept 2005 CACM article, p 73 [not assigned as reading]. The authors developed two models for control of RFID information on tagged consumer goods:

Bottom line: Guenther & Spiekermann found that changing the privacy model for RFID did not really change user concerns.

Is there a "killer app" for RFID? Smart refrigerators don't seem to be it.

I-Pass is maybe a candidate, despite privacy issues (police-related). Speedpass (wave-and-go credit card) is another example. And cell phones do allow us to be tracked and do function as RFID devices. But these are all "high-power" RFID, not passive tags.

What about existing anti-theft tags? They are subject to some of the same misuses.

Papers: Bruce Eckfeldt: focuses on benefits RFID can bring. Airplane luggage, security [?], casinos, museum visitors

Does RFID really matter? When would rfid matter?

RFID:

tracking people within a fixed zone, eg tracking within a store:

entry/exit tracking

profiling people
cell-phone tracking: when can this be done?

inducements to waive privacy? having to take products to a "kill" counter, or losing warranty/return privileges

RFID shopping carts in stores: scan your card and you get targeted ads as you shop. From nocards.org:

"The other way it's useful is that if I have your shopping habits and I know in a category, for instance, that you're a loyal customer of Coca Cola, let's say, then basically, when I advertise Coca Cola to you the discount's going to be different than if I know that you're a ... somebody that's price sensitive." Fujitsu representative Vernon Slack explaining how his company's "smart cart" operates.

RFID MTA hack? We'll come to this later, under "hacking". But see http://cs.luc.edu/pld/ethics/charlie_defcon.pdf (especially pages 41, 49, and 51) and (more mundane) http://cs.luc.edu/pld/ethics/mifare-classic.pdf.

Passports

See also http://getyouhome.gov

US passports have had RFID chips embedded for some years now. In the article at http://news.cnet.com/New-RFID-travel-cards-could-pose-privacy-threat/2100-1028_3-6062574.html, it is stated that

Homeland Security has said, in a government procurement notice posted in September [2005?], that "read ranges shall extend to a minimum of 25 feet" in RFID-equipped identification cards used for border crossings. For people crossing on a bus, the proposal says, "the solution must sense up to 55 tokens."

The notice, unearthed by an anti-RFID advocacy group, also specifies: "The government requires that IDs be read under circumstances that include the device being carried in a pocket, purse, wallet, in traveler's clothes or elsewhere on the person of the traveler....The traveler should not have to do anything to prepare the device to be read, or to present the device for reading--i.e., passive and automatic use."

The article also talks, though, about how passports (as opposed to the PASS cards usable for returning from Canada or Mexico) now have RFID-resistant "antiskimming material" in the front (and back?) cover, making the chip difficult to read when the passport is closed.

Currently, passport covers do provide moderately effective shielding. Furthermore, the data stream is encrypted, and cannot be read without the possession of appropriate keys. An article in the December 2009 Communications of the ACM by Ramos et al suggested that the most effective attack would be to:

The actual information on the passport consists of your name, sex, date of birth, place of birth, and photograph. Note that to be in the vicinity of the customs counter, you generally have to have a paid international airplane ticket (though eavesdropping at highway crossings might also be possible), and forged blank passport books are also relatively expensive. In other words, this is not an easy scam to pull off. Risks to US citizens abroad seem pretty minimal.




Tracking: Printer tracking dots; word .doc format

SSN

see http://cpsr.org/issues/privacy/ssn-faq/

Privacy Act of 1974: govt entities can't require its use unless:

SSN and:

There had been a trend against using the SSN for student records; some students complained that no federal law authorized its collection for student records and therefore state schools could not require it. Alas, while this idea was gaining traction Congress introduced the Hope education tax credits and now it is required that students give their SSN to colleges. Even if they don't intend to claim the credit.

What exactly is identity theft?

National Identity Card: What are the real issues? tracking? matching between databases? Identity "theft"?

Starting on page 85, there's a good section in Baase on stolen data; see especially the table of incidents on page 87. What should be done about this? Should we focus on:

You have to give your SSN when applying for a marriage license, professional license, "recreational" license, and some others. Why should this be? For the answer, see http://www4.law.cornell.edu/uscode/42/usc_sec_42_00000666----000-.html. This is a pretty good example of a tradeoff between privacy and some other societal goal, with the latter winning out.


Old-fashioned examples of government privacy issues, now kind of quaint:

Matching: Should the government be able to do data mining on their databases? In particular, should they be able to compare DBs for:

Should the following kinds of data be available to the government for large-scale matching?

Government data collection: what does this really have to do with computing? The government has resources to keep records on "suspects" even with pencil and paper.

Government and e-privacy:

What if FACIAL RECOGNITION were to really take off? What would be the consequences? There are all those cameras already.

Most arguments today against facial recognition are based on the idea that there are too many false positives. What if that stopped being the case?

What about camera evidence of running lights or speeding?


Commercial privacy:

E-bay privacy - Ebay has (or used to have) a policy of automatically opening up their records on any buyer/seller to any police department, without subpoena or warrant.

This one is quite remarkable. What do you think? Is this ethical?


Medical Privacy- the elephant in the room?

HIPAA (Health Insurance Portability & Accountability Act) has had a decidedly privacy-positive effect here.




Odlyzko and price discrimination

Andrew Odlyzko's 2003 survey paper is at http://cs.luc.edu/pld/ethics/odlyzko.pdf.

What's the real goal behind all this commercial info? Especially grocery-store discount/club/surveillance cards. There are many possible goals, but here's one that you might not have thought about, in which your privacy can be "violated" even if you are anonymous!