Final Project for Information Systems 296
taught by Howard Besser


Electronic Mail: Privacy Issues in Cyberspace


by Jorge Enrique Barreto, 11/14/96

jorge@bishop.berkeley.edu



Introduction
E-mail disadvantages
Is E-mail privacy possible at the work place?
Company's point of view
Downside of monitoring E-mail at the work place
Options to keep information private
Conclusions
References


Introduction

There is an increase in awareness regarding the individual privacy of people using electronic mail in terms of expected exclusive access and account usage. This awareness stems from the fact that privacy protection of e-mail is currently less well defined than that of other forms of communication. Also, there exists an illusion of privacy created by having a password to access one's e-mail account. The fact, though, is that very few people have a good understanding of how computers and computer networks actually work, or of the options available to safeguard their electronic information. Some of the typical personal problems people should be aware of when using e-mail arise from the technology itself as well as the current legal framework. For example, if you send an e-mail message to an individual and for some reason it bounces back, the mail can be seen by system administrators and operators who can read messages in spool files at local sites. Also, if the "FINGER" command is available on the system, anyone can access the following about you: e-mail address, name, location logged in, whether you are currently on the computer and if so for how long, and so on [5]. But what is most important for people to realize is that many companies consider an individual's e-mail at work to be corporate property, and are entitled to do so under the 1986 Electronic Communications Privacy Act (ECPA) [5].

Unfortunately, most people learn just how vulnerable their e-mail is only when their employer catches them sending sensitive information or potentially embarrassing notes to someone else. People using and communicating via e-mail need to learn just how susceptible their information is to snooping by those who want to get hold of it. Communicating through cyberspace without taking the proper measures is insecure. In 1994, for example, a Pillsbury employee, believing that his e-mail communications were confidential, sent an e-mail message to a co-worker referring to his employers as "back-stabbing bastards" [2]. His manager read this information and the company fired him. The employee, claiming wrongful discharge, sued the company, but apparently to no avail because, as he found out, most of these cases are decided in favor of the employers.

E-mail disadvantages

The privacy inherent in ordinary e-mail is almost nonexistent. As such, it is often compared to the privacy inherent in postcards, unlocked file cabinets, faxes, etc. E-mail is the most significant mechanism of communication transfer over the network for the on-line community. E-mail is by default encoded in ASCII (American Standard Code for Information Interchange), the lowest common denominator of computer codes [7]. Thus, ordinary e-mail does not provide inherent privacy, since virtually every computer in the world is capable of reading ASCII code. It makes very little difference whether you use a secret password to access your e-mail account or send your e-mail directly to a friend or individual at a particular e-mail address. Ordinary unencrypted e-mail is fair game to anyone with the desire, the access, and the computer knowledge to access it and read it.

For instance, people usually would not think of sending their credit card number or ATM PIN on a postcard. The same reasoning should apply to proprietary business information, personal or potentially embarrassing information, important correspondence, or anything else you would not want floating around in the public domain. Yet that is exactly what most people manage to do every day when they include this type of information in their e-mail messages. It is only when something goes terribly wrong that people begin to pay close attention to the importance of e-mail security. Ordinary e-mail users are usually surprised to learn how vulnerable their "private" communications are to interception and compromise [3].

Nobody understands the vulnerability of e-mail privacy better than former Marine Colonel Oliver North. In 1986, during the Iran-Contra conflict, one would have expected a security-conscious high-ranking officer with access to the Director of Central Intelligence and the President to really understand a simple fact of computer security: that back-up tapes of all information on his system were made every day by computer system administrators. North thought that hitting the "Delete" key on his computer terminal would get rid of any electronically stored messages or files that might have been evidence of his crimes [3]. But he missed this minor detail completely, and the documents stored on those back-up tapes helped the government convict him on criminal charges. Even though late, Oliver North learned an invaluable lesson in the privacy of electronic communications that we all need to learn.

Is E-mail privacy possible at the work place?

People's awareness of the privacy issues of computer electronic mail has increased in recent years due, in part, to the fact that the privacy protection of e-mail today is less well defined than that of other forms of communication, i.e. postal or telephone. Also, people are learning that having a password to access your e-mail account creates nothing more than an illusion of privacy, even though there are laws that protect our e-mail messages from civilian interception. The Electronic Communications Privacy Act (ECPA) of 1986 protects e-mails from being monitored as long as they are sent over a public domain. However, this privacy Act does not ensure that your e-mail messages will not be stolen; it merely allows the government to make it a federal offense so that people are held responsible for their wrong-doing. There are penalties for those who break the law by reading someone's e-mail without his/her consent. For instance, people can be fined and spend up to two years in prison if they are caught trying to make money off information they have obtained illegally. This applies to everyone, including people in the government, with three major exceptions: 1) a computer system administrator maintaining an e-mail system, 2) a government agent with the proper court order and a reasonable suspicion of wrong-doing, and 3) your employer whenever they want to [3].

What this really means is that anyone using electronic mail is vulnerable to snooping. Although one may think that the biggest threat to us is those computer hackers with the knowledge to invade your privacy by intercepting your e-mail, it turns out that the biggest snoopers are private businesses that maintain in-house electronic communications networks. The law that restricts government e-mail snooping without a valid court order and prohibits civilians from intercepting e-mails transmitted over public networks specifically excludes employers, who can legally read their employees' e-mail whenever they consider it appropriate. Today, many computer security experts believe that international companies are monitoring employees' e-mail just to keep their right to do so, while others monitor employees' e-mail just out of conflicting interests.

Company's point of view

Does a company have the right to snoop on your "private" e-mail, whether it is sent over the company-owned computer system or over a public computer network? Some companies think so and argue that they have the right to monitor employees' e-mail because they own the equipment. In fact, in 1993, when e-mail was not as popular as it is today, a survey of more than 300 private businesses revealed that 22% of them were eavesdropping on employees' computer files, voice mail, e-mail, or other networking communications [3]. In larger companies (1000 employees or more), the amount of electronic eavesdropping on employees increased to 30%. The survey was conducted by Macworld magazine, which estimated based on these numbers that 20 million Americans or more may be electronically monitored on the job. Unfortunately, most of these people learn just how vulnerable their e-mail is only when their boss catches them sending an embarrassing note to a co-worker.

Other reasons why companies might choose to monitor your e-mail are to: 1) prevent employee harassment, 2) gauge employee productivity, 3) investigate thefts or espionage, 4) review employees' performance, 5) look for missing data or illegal software, and last but not least, 6) prevent use of the e-mail system for personal purposes [2]. Regardless of the reasons for which employers monitor your e-mail activities, if they catch you sending electronic messages that they find detrimental to the company, you will be fired. Most private businesses argue that because they own the equipment (i.e. computer network, PC, etc.), they also have the right to own the messages sent over the network or stored in the computer at work. However, Zimmermann, the creator of Pretty Good Privacy (PGP), disagrees while posing the following question: "If I use a company pen to write a love letter to your wife, does that mean they can read it?" [2]

While my answer to Zimmermann's question would be an enormous "NO," the fact of the matter is that courts have up to now decided in favor of most of the employers in cases dealing with the wrongful firing of an employee because his/her employer read e-mail messages that were deemed damaging to the company. One of the cases is still in litigation and is perhaps the most interesting, not only because it involves an employer finding evidence that an employee had sent sensitive information about the company to another employee at another company via e-mail over the public computer network.

Eugene Wang was vice president of computer languages at Borland in late 1992, when he abruptly resigned to take a job with the company's Silicon Valley competitor, Symantec. Borland officials searched Wang's e-mail files stored in the company-owned computer and found e-mail "messages to Symantec CEO Gordon Eubanks allegedly containing top-secret Borland data, such as marketing plans, product release dates, and most potentially damaging of all, details of Borland's game plan against Symantec. Wang and Eubanks were indicted on criminal felony charges involving theft of trade secrets." [3] However, Wang and Eubanks answered the charges by accusing Borland of violating their privacy under the ECPA of 1986, since they claim that their e-mail messages were transmitted over the MCI Public Network. The problem for Borland is that without the e-mail evidence, their case against Wang and Eubanks disintegrates.

What this case really shows is that employees should not assume they have some sort of privacy when they use a public network to communicate via e-mail. People in general should refrain from sending messages that could potentially cause them embarrassment, cost them their job, and/or get them arrested.

Perhaps one of the most compelling arguments posed by many companies today is what EFF cofounder Mitch Kapor wrote in Forbes shortly after the Borland-Symantec case came into the spotlight. "Whatever they do," he wrote, "they have to confront the reality of the enormous power of digital media. In an age when a company's most valuable property may be intangible -- the source code for a software package, for example -- an e-mail account may amount to an unlocked door on a warehouse." [3]

Downside of monitoring E-mail at the work place

While most companies agree that there should be some sort of monitoring to make sure employees do what they are supposed to do at work, they have not yet come to a common standard, nor have they designed guidelines for proper monitoring at the work place. Nonetheless, companies eager to gain control over electronic communications systems are adopting policies (i.e. written policies) to inform employees that e-mail is for company use only. That is, they should expect to be monitored at all times. Intel Corporation, for example, monitors employees' e-mail to make sure it is being used for Intel business only. Apple, on the other hand, has adopted an explicit policy of not monitoring employees' electronic mail [3].

While most privacy supporters recognize that employers should keep some sort of monitoring over their employees' electronic mail, some limits are essential, not only because it is a privacy issue but also because it is good for business in general [9]. Some analysts argue that a downside to monitoring employees' private information is that it creates the perception that you are not to be trusted at work. Aside from creating low morale among employees, monitoring employees' activities at work "creates feelings of surveillance and stress," according to Columbia University professor Alan F. Westin, a leading privacy expert and industry consultant on privacy issues. What all of this amounts to is the creation of an unhealthy work environment [8].

The question then is, what can employers do to strike a balance between their legitimate monitoring needs and the legitimate privacy needs of employees? As I mentioned earlier, one solution is to adopt company policies that clearly state just how the company intends to monitor the employees' e-mail system, that is, exactly what the company's privacy policy regarding electronic mail is. Most companies, however, are probably like Borland, which did not have any privacy policy at the time the Wang incident occurred and still has no policy today.

While some limits seem essential, some companies do not seem to want to compromise on this issue. They either monitor their employees' electronic mail activities completely or they choose not to do it at all.

Options to keep information private

Encryption technology is perhaps the best way to secure your electronic information. When you encrypt an e-mail using public-key technology such as PGP (Pretty Good Privacy), Mailsafe, and Tech-Mail, no one but the person intended to receive the message can read it [4]. As a full-featured privacy program, PGP is as strong as or stronger than any other encryption program available to the general public. Users probably cannot do better than PGP in terms of security, but they can do better in terms of ease of use because PGP is a no-frills program. It's not just another pretty interface. PGP uses public-key cryptography that "empowers people to take their privacy into their own hands," says Zimmermann, creator of this freeware program. PGP is not only freeware, but its public-key technology is becoming a crucial technology in the protection of privacy in our increasingly connected society. That is, with encryption people can communicate securely over an insecure network such as the Internet [6].
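
As an added illustration (not part of the original essay), the following Python example shows what someone with read access to a mail spool file sees for a plain ASCII message versus one whose body is PGP-armored. The spool contents, addresses and armor payload are constructed placeholders; note that headers such as To and Subject remain readable in both cases, because PGP protects only the message body.

```python
import email
from email import policy

PGP_BEGIN = "-----BEGIN PGP MESSAGE-----"

# Constructed mbox-style spool: one plain ASCII message, one PGP-armored.
# Addresses and the armor payload are placeholders, not real data.
SPOOL = """\
From alice@example.org Thu Nov 14 10:00:00 1996
From: alice@example.org
To: bob@example.org
Subject: status

The release date moved to March.

From alice@example.org Thu Nov 14 10:05:00 1996
From: alice@example.org
To: bob@example.org
Subject: status (encrypted)

-----BEGIN PGP MESSAGE-----

(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----
"""

def split_mbox(text):
    """Split spool text on 'From ' separator lines that follow a blank line."""
    messages, current, prev_blank = [], None, True
    for line in text.splitlines(keepends=True):
        if line.startswith("From ") and prev_blank:
            current = []
            messages.append(current)
        elif current is not None:
            current.append(line)
        prev_blank = line.strip() == ""
    return ["".join(m) for m in messages]

def audit_spool(text):
    """Report, per message, what a reader of the spool file can see."""
    report = []
    for raw in split_mbox(text):
        msg = email.message_from_string(raw, policy=policy.default)
        body = msg.get_content()
        encrypted = PGP_BEGIN in body
        report.append({
            "to": str(msg["To"]),            # headers are not encrypted by PGP
            "subject": str(msg["Subject"]),
            "encrypted": encrypted,
            "readable_body": None if encrypted else body.strip(),
        })
    return report
```
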

This technology will almost certainly keep your messages from being read by the wrong people, but be aware that companies can legally prohibit encryption technologies from being used in their e-mail systems. Some of the arguments for this policy are that it prevents people from divulging valuable information easily and that it allows company officials to access important information in case of an emergency. For example, says an employer, "what happens if an employee encrypts important company documents, and then dies? How will the company get the vital information?" [2]

Conclusions

Companies need to adopt more policies to inform employees about their privacy rights regarding e-mail usage. Perhaps during orientation people can be advised and educated on the privacy issues surrounding e-mail usage at work. They can be properly educated to fully understand the advantages and disadvantages of using this medium of communication. Usually, people who use e-mail have options to safeguard their electronic information, but are not aware of those options. However, the present effort devoted by companies to educating employees on this issue is minimal, thus truly undermining the concept that "knowledge is power." And... if you do not believe it, just ask Oliver North!

References

[1] Electronic Privacy on the Internet, The Electronic Frontier Foundation, 1996.

[2] Samuels, P. D.; Who's Reading your E-mail? Maybe the Boss, New York Times, May 12, 1996.

[3] Tools For Privacy, Smart Publications, 1995.

[4] The Encryption Solution, Smart Publications, 1995.

[5] White, V. A.; Ethical Implications of Privacy in Electronic Mail, Proceedings of Technical Conference in Telecommunications R&D in Massachusetts, University of Massachusetts Lowell, October 25, 1994.

[6] Meeks, B. N.; Jacking in from the Narco-Terrorist Encryption Port, CyberWire Dispatch, 1995.

[7] Angell, D. and Heslop, B.; The Elements of E-mail Style, Addison Wesley, Reading, MA, 1994.

[8] Halberstam, J.; Everyday Ethics, Penguin Books, New York, NY, 1993.

[9] Rotenberg, M.; Protecting Privacy, CompuServe Cethics, August 1994.