Dispelling the Myths of Email Privacy, Security
Heavily cited throughout the breathtaking federal indictment against former Chicago Public Schools chief Barbara Byrd-Bennett are emails outlining the alleged kickback scheme tied to the controversial $20.5 million no-bid contract awarded to SUPES Academy.
“I think those emails reflect greed,” U.S. Attorney Zachary Fardon told reporters Thursday as he announced the indictment. “I think they reflect a public official who compromised her integrity and the integrity of her professional responsibility by looking to line her own pockets.”
But some attorneys say the emails also reflect a general naivety about the privacy of email and just about everything we do online, whether it’s an “off the record” Gchat conversation or a simple Internet search. And even if Byrd-Bennett had deleted the emails—which she allegedly discussed doing after news broke of the federal probe—they don’t exactly disappear into oblivion.
Tonight we’ll talk about the misconceptions and myths of email with Jeffrey Cramer, a former federal prosecutor who now heads the Chicago office of security firm Kroll.
What are some of the top myths or misconceptions you hear about email use?
Once you send an email, it’s no longer in your possession. The recipient of the email is free to do what he or she chooses to do with it, and there are usually several copies of that particular message in numerous places between the person who sends it and the person who receives it.
The myth is email is private. There’s not a whole lot of email privacy unless you take steps to ensure privacy, [like] sending an encrypted message.
Another thing is the idea that the government is able to look at your email. There’s a very old law on the books, the federal Stored Communications Act, and that has built into it the idea that the government cannot, without special permission (a warrant or court order), get email stored on a server (say an Internet service provider’s server). The government can’t get that without a warrant. After six months pass, it assumes that if those messages are still on that server, the government is free to get at those emails without a warrant. The 1980s-era law has not kept up with the modern realities of people using cloud services and Gmail accounts as storage mechanisms.
Not a lot of people know about that 180-day magical window. Once those 180 days pass and those messages are still on the server, there’s a lot less privacy protection on those messages than a newer message.
What do you think about that disconnect between myths and realities?
I think it’s broader than email for one. The way the law protects electronic communications doesn’t just specify email as subject to protection. The legal framework applies to Facebook messages or more modern messages sent by Snapchat or Kik or other modern social media platforms where people communicate electronically.
As for the disconnect, I think a lot of people take for granted when they send something that it’s not going to make it any further than the intended recipient; most of the time that’s the case. It’s only when there’s a reason—a data breach or some other reason—for it to be made public that it becomes apparent. Just in late 2014, for example, there was the big data breach involving Sony. We saw in that situation where you have these thoughts and communications, and you know the sender intended them to be private and never communicated publicly, yet these messages were nefariously acquired and all of the information was made available for the public to see. Where we see the huge disconnect between expectations and reality is the actual potential for reality. A lot of people don’t think those things through.
Can an employer legally monitor an employee’s email, both work related and private email accounts?
Definitely their work-related email. That is pretty clear, and it’s good practice for employers to make it part of the onboarding process to communicate to an employee that with any work-related email he or she should not have any expectation of privacy in the content he or she distributes using a work email system. All of that information belongs to employers.
It’s much more difficult of a situation if an employee uses a work computer to access their Gmail or Yahoo accounts. In that situation, it’s not as clear if the employer has authorization because the employee has the expectation of privacy, and they do not expect the employer to log on to another server somewhere else. There were some cases across the country in which employers were told they did violate the law by accessing an employee’s email if it’s personal even if it’s accessed using a work computer. It’s hard to draw a bright line.
There are several cases along these lines; the typical fact pattern is an employee uses his or her work email to engage in certain privileged or personal communications that don’t involve the employer. For example, let’s say I use my work email to communicate with my doctor or use work email to communicate with my real estate attorney—confidential communications—it has nothing to do with my work. One trap that employees fall into is using work-related email accounts for those purposes.
The essential trap people should be aware of is sending emails that don’t involve their line of work for private conversations. The risk isn’t a data breach. The risk is they lose their privileged nature, and you run the risk of losing the privileged status of a communication with your therapist, doctor, lawyer, priest—the different relationships the law recognizes as privileged if you use your work email.
What about email disclaimers? You know the ones that say the “email is private or confidential” and advise unintended recipients to delete them. Is there any legal weight to those statements?
I’ve never seen a case that turns on the legitimacy or validity of that language. My sense is you see it in communications today, particularly with many professionals like lawyers and accountants. The reason they’re there is people are afraid to defect from the norm of expecting to see that on email communications coming from certain professions.
That’s not going to create a legal mechanism that protects the sender if [an email] inadvertently gets sent and falls into the wrong hands of someone who you don’t want to have it … The general rule is if I inadvertently send something to my archrival and my email has that disclaimer, it’s not going to undo the fact that I disclosed that information. I think [disclaimers] are much more a fixture, or phenomenon of cultural norms than they are anything that have true legal significance or hold up and protect someone.
What are some tips or things you’d like people to take away from this interview?
I’d like to underscore the idea that email is just one part of this. Compared to 5 to 10 years ago, there are so many ways to communicate digitally, and these rules apply broader than your Gmail account or your AOL account or whatever email you use. These concerns apply to Twitter messages, Facebook messages, Snapchat. These rules and concerns apply across the board rather than just email.
To critically preserve the privacy or confidentiality of critically important information, one can convey that information in [another] way other than email. For example, my wife was going to start a new gig and needed to transmit a W-9 to the law firm she’s doing work for and that [form] has her Social Security number. A lot of people wouldn’t think twice about sending a PDF copy of their W-9, which has their Social Security number on it. Now there’s a copy of the PDF in your sent messages, a copy of it somewhere on the server and in the other party’s email box … Consider other ways to deliver sensitive information other than email.
Interview has been condensed and edited.