www.giac.org




Electronic Privacy in the Private Sector Workplace
Category: Law, Investigations, and Ethics
Author: Bruce Cantrell
Date Added: February 6th, 2007
View as PDF | Download Paper

Introduction

Is there an expectation of privacy in electronic communications? What are the laws and rules that govern this process? This article seeks to answer these questions. The purpose of this article is to provide the CISSP candidate with definitive information on navigating the uncertain and dynamic issues of electronic privacy in the workplace. To do this, we explore the fourth amendment and the Electronic Communications Protection Act, which form the basis of the electronic workplace expectation of privacy. Much of the information used for this paper is extracted from the United States Department of Justice's Computer Crime and Intellectual Property Section (CCIPS) Criminal Division Manual: "Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations" July 2002.

The CCIPS manual is a plethora of rules and regulations to obtain evidence, and many sections are devoted to electronic search and seizure written for law enforcement officials. These concepts are essential for you to understand, so that you know what you can and cannot do legally in the workplace and how you can cooperate with law enforcement officials.

The following areas covered in the CCIPS:

Fourth Amendment Law and the ECPA

The Fourth Amendment protects citizens from unreasonable searches and seizures by the government, stating: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

The following four issues extracted from the CCIPS manual provide specific information that affects a computer security professional:

1. Reasonable expectation of privacy in computers as storage devices

To determine whether an individual has a reasonable expectation of privacy in information stored in a computer, it helps to treat the computer like a closed container, such as a briefcase or file cabinet. The Fourth Amendment generally prohibits law enforcement from accessing and viewing information stored in a computer without a warrant. This is because they are also prohibited from opening a closed container and examining its contents in the same situation. The courts have held that "Individuals may lose Fourth Amendment protection in their computer files if they lose control of the files." (1)

An important line of Supreme Court cases states that individuals generally cannot reasonably expect to retain control over mere information revealed to third parties, even if the senders have a subjective expectation that the third parties will keep the information confidential. Because computer data is "information," individuals who send data over communications networks can lose Fourth Amendment protection in the data after it reaches the intended recipient. (1)

2. Private searches

The Fourth Amendment does not apply to searches conducted by private parties who are not acting as agents of the government.

The Fourth Amendment "is wholly inapplicable to a search or seizure, even an unreasonable one, affected by a private individual not acting as an agent of the Government or with the participation or knowledge of any governmental official." As a result, no violation of the Fourth Amendment occurs when a private individual acting on his own accord conducts a search and makes the results available to law enforcement. For example, in United States v. Hall, 142 F.3d 988 (7th Cir. 1998), the defendant took his computer to a private computer specialist for repairs. In the course of evaluating the defendant's computer, the repairman observed that many files stored on the computer had filenames characteristic of child pornography. The repairman accessed the files, saw that they did in fact contain child pornography, and then contacted the state police. The tip led to a warrant, the defendant's arrest, and his conviction for child pornography offenses. On appeal, the Seventh Circuit rejected the defendant's claim that the repairman's warrantless search through the computer violated the Fourth Amendment. Because the repairman's search was conducted on his own, the court held, the Fourth Amendment did not apply to the search or his later description of the evidence to the state police (1).

Importantly, the fact that the person conducting a search is not a government employee does not always mean that the search is "private" for Fourth Amendment purposes. A search by a private party will be considered a Fourth Amendment government search "if the private party act[s] as an instrument or agent of the Government" (1)

3. Exceptions to the warrant requirement in cases involving computers

Warrantless searches that violate a reasonable expectation of privacy comply with the Fourth Amendment if they fall within an established exception to the warrant requirement. Cases that involve computers raise questions relating to how these "established" exceptions apply to new technologies. (1) Though there are several areas of consent, one of specific importance to the computer security profession is the right to consent of system administrators.

Every computer network has a system administrator or system operator to manage it. Their job is to keep the network running smoothly, monitor security, and repair the network when problems arise. System operators have root level access to the systems they administer, which effectively grants them master keys to open any account and read any file on their systems. When investigators suspect that a network account contains relevant evidence, they may feel inclined to seek the system administrator's consent to search the contents of that account. (1)

As a practical matter, the primary barrier to searching a network account pursuant to a system administrator's consent is statutory, not constitutional. System administrators typically serve as agents of "provider[s] of electronic communication service" under the Electronic Communications Privacy Act (ECPA). Note that the ECPA is discussed in detail below. The ECPA regulates law enforcement efforts to obtain the consent of a system administrator to search an individual's account. Accordingly, any attempt to obtain a system administrator's consent to search an account must comply with ECPA. (1)

To the extent that ECPA authorizes system administrators to consent to searches, the resulting consent searches typically comply with the Fourth Amendment. Most fundamentally, individuals retain no reasonable expectation of privacy in the remotely stored files and records that their network accounts contain. (1)

The company might grant the system administrator of the company network full rights to access employee accounts for any work-related reason, and the employees might (or might not) know that the system administrator has such access. In circumstances such as this, the system administrator likely has sufficient common authority over the accounts to be able to consent to a search. (1)

4. Private sector workplace searches

The rules for conducting warrantless searches and seizures in private-sector workplaces generally mirror the rules for conducting warrantless searches in homes and other personal residences. Private company employees generally retain a reasonable expectation of privacy in their workplaces. As a result, searches by law enforcement of a private workplace usually requires a warrant, unless the agents can obtain the consent of an employer or a co-worker with common authority. (1)

Although most non-government workplaces support a reasonable expectation of privacy from a law enforcement search, agents can defeat this expectation by obtaining the consent of a party who exercises common authority over the area searched. In practice, this means that agents can often overcome the warrant requirement if they obtain the consent of the target's employer or supervisor. Depending on the facts, a co-worker's consent might suffice as well. (1)

Private-sector employers and supervisors generally enjoy a broad authority to consent to searches in the workplace.

ECPA--THE ELECTRONIC COMMUNICATIONS PRIVACY ACT of 1986

The stored communication portion of the ECPA, 18 U.S.C. §§ 2701-2712, creates statutory privacy rights for customers and subscribers of computer network service providers. It regulates how the government can obtain stored account information from network service providers, such as ISPs. It was enacted to respond to the lack of protection that the United States provides; it prohibits the intentional or willful interception, accession, disclosure, or use of one's electronic communication. The ECPA defines electronic communication as "any transfer of signs, signals, writing, images, sound, data, or intelligence of any nature transmitted in whole or in part by wire, radio, electromagnetic, photoelectric, or photocell system that affects interstate commerce." However, the ECPA has three major exceptions: consent, liability, and ordinary course of business.

The Patriot Act

Though not specifically discussed here, the Act modified 12 laws, including the ECPA, and gave law enforcement greater powers to track and intercept communications. Though it has been incorporated in into the CCIPS manual, it did not make major changes to the expectation of privacy in the workplace.

What Does this All Mean?

Now that we have looked at the law, let's look at the business reasons for monitoring, and the importance of company policy on monitoring.

Business Reasons

Employers have obvious reasons for wanting to monitor their employees. Guarding trade secrets is an essential element of many businesses. Another reason is to avoid liability for certain wrongs, such as harassment and discrimination cases, where employers are typically held liable for acts that their supervisory employees committed, regardless of whether or not the employer was aware of the harassment.

In a web posting by the 'Lectric Law Library, it stated that "Courts will weigh the reasonableness of the employee's expectation of privacy against the business interest of the employer in monitoring the communication. The courts have held that legitimate business interests permit employers to intercept communications." (2)

'Lectric Law Library also states: "Monitoring has limits. Employers cannot monitor employee telephone conversions. In addition, mail carried through the U.S. postal service is protected". (2)

The Importance of Company Policy

Based on the above information, your company policy is critical. The courts have supported that employer monitoring of employee activities on a company owned computer network is legal. However, there are essential actions a company must take to remove as much of the uncertainty as possible. First, you must have a clearly written policy on the rules for use of your computer network and effectively communicate the policy to your employees. It must include a clear statement on monitoring of employee activities and the conditions of monitoring. You must display log on banners on your work stations, servers, and networking infrastructure devices, such as routers, switches, and firewalls. Your policies should address the circumstances under which private searches can be conducted. Define who has the right to grant access to employee files.

The CCIPS manual indicates that systems administrators, supervisors, and employers and in some cases co-workers have the right to consent. Depending on your company's workplace culture, you might want to clearly delineate who has the right to consent in the workplace environment. Appropriate procedures that the legal department has approved are useful to support the process. Executive management should review and approve your policies to ensure that your policy reflects your company's work culture. This is an important step and these individuals are most likely corporate officers that have legal responsibilities for due care and due diligence. Make sure your legal department reviews and approves the policy. The members of this department must face the courts if there are issues.

Do What You Say, and Say What You Do!

Mark Rasch, in his Security Focus article, "Employee Privacy, Employer Policy," (3) reviewed two legal cases that look at court decisions that limited employers right to monitor because of the disconnect "between what companies say and what they do."

"First, the disconnect between what we say our policy is, and what we actually do. Second, the equally vast disconnect between what employees say is their expectation of privacy, and how they act. While empirically we may know that the employer could monitor us, we would likely be offended if our cubicle were wired, our keystrokes logged and captured, and our cell-phone conversations recorded, the court held that the actual policy of not monitoring content created, in the users, an expectation of privacy, which the court found to be reasonable.

"In other cases, courts have held that, despite a "business use only" policy, employees might be known to keep personal files on a business computer (just as they might keep personal records in an office desk, or a personal purse on a company provided desk drawer.) Thus, people may have reasonable expectations of privacy in the contents of files on a desktop, in emails or other electronic communications."

A Question of Balance

Mr. Rasch advocates the following:

The better approach is to give yourself the right to monitor, have employees consent to monitor, and state that your failure to monitor in particular situations is not a waiver of your right to monitor. Further, you should periodically review your policies, and rewrite them in light of changed circumstances, and continue to educate employees and users about the policies and their rights. Something along the lines of 'we don't ordinarily monitor what people do, and assume that they will act as responsible adults, but when we learn you are doing something bad, or if we are doing routine examination, we might find something that warrants further investigation. (3)

This position is supported in an article posted by the 'Lectric Law Library. "Where privacy is an issue, employees and employers can create a more productive work environment if they work together to jointly develop a Policy Statement that balances the legitimate interests of both the employer and the employees." (2)

Summary

In general, we can conclude that employees and employers have a reasonable expectation of privacy in the workplace from the government given the protection of the Fourth Amendment. However, these Fourth Amendment rights do not apply to the relationship between the employer and the employee. The courts have generally held in favor of the employer to monitor employee computer network activities with in the limits stated in the ECPA. The proper use and application of company policy can add significant weight to the employer's ability to monitor--to the point of extinguishing all employee rights to privacy. However, as Mr. Rasch asked in his article, "But do we want to, or need to extinguish all privacy rights?" I believe there is a balance that should be achieved between the employers need to protect themselves from loss of proprietary information and liability and privacy, which most Americans value. Employers should protect themselves, but they should also be vigilant to reflect the company's work relationships and culture in their policies.

Disclaimer: This article should not be construed as legal advice. It is provided for information only.

References

1. United States Department of Justice, Computer Crime and Intellectual Property Section (CCIPS) Criminal Division Manual "Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations." July 2002. http://www.cybercrime.gov/s&smanual2002.htm#_IA_

2. 'Lectric Law Library. http://www.lectlaw.com.

3. Employee Privacy, Employer Policy Mark Rasch, 2006-10-31

Security Focus columnist Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as a lawyer specializing in computer crime, computer security, and privacy matters in Bethesda, Maryland.

Additional Reading

http://cyber.law.harvard.edu/privacy/Module3_Intronew.html

CCIPS APPENDIX A: Sample Network Banner Language Appendix A.

The wiretap statute, 18 U.S.C. §§ 2510-2522, first passed as Title III of the Omnibus Crime Control and Safe Streets Act of 1968 (and generally known as "Title III").

^ Top
Number of certified professionals: 29,895
SANS Security West 2010