6 October 1999. Thanks to Anonymous.
For Air Force electronic publications: http://afpubs.hq.af.mil/pubs/majcom.asp?org=AF
Lieutenant Colonel LeEllen Coacher
Lieutenant Colonel Coacher (B.S., Northern State College; J.D., University of South Dakota School of Law) is the Chief, Special Law Branch, General Law Division, Office of the Judge Advocate General. She is a member of the South Dakota Bar.
... Most workplaces rely on computers for some aspect of their mission and many organizations depend upon electronic mail (e-mail) for a majority of their daily communication. ... However, while it may not violate a user's reasonable expectation of privacy for a systems administrator to search stored communications, additional invasions by law enforcement agents, "must be tested by the degree to which they exceed the scope of the private search." ... Using the three-tiered Ortega analysis, it is clear that systems protection monitoring is a legitimate workplace search. ... If, however, the systems administrator uses a tool to monitor unopened e-mail stored as electronic files on a computer server, the legal issues must be evaluated under Title II of the ECPA. ... Such monitoring is a legitimate and reasonable intrusion into the electronic communication and any inadvertently discovered evidence may be disclosed to law enforcement authorities. ... However, the systems administrator would be able to intercept an electronic communication and to access the content of stored communications for systems protection purposes. ... The operational realities of the Air Force workplace lead to the conclusion that there is no expectation of privacy for the purposes of systems protection monitoring, though there may be an expectation the content of communications will otherwise be protected. ...
[Contents added by Cryptome.]
SUMMARY
Computers have become an integral part of today's Air Force. Most workplaces rely on computers for some aspect of their mission and many organizations depend upon electronic mail (e-mail) for a majority of their daily communication. Internet sites, whether accessible to the public, to military users only, or that are in some other way protected through access controls, also are used frequently to communicate and gather information. As Air Force dependence on computers and electronic communication grows, there is a corresponding need to guard the communications systems against attack or misuse, making asset protection a crucial part of the Air Force mission.
Because of the increasing importance of computer resources as a method of communication, it is important to define the legal issues surrounding the use of these government-provided resources. We must consider what steps are necessary to protect the information contained on our computers from unlawful intrusion and review. We must also look at the legal parameters surrounding the legitimate use of government resources. The need to ensure governmental systems are being used only for authorized purposes must be balanced against the need to recognize the protected nature of certain types of communications. The Government has an interest in ensuring government-provided resources are not abused or used for any illegal or improper purpose.
A way of ensuring that government computer systems are protected and that the resource is being used properly is through monitoring. While it is important to remember that "monitoring" means different things, in this context the term describes both the interception of transmitted messages and the act of accessing information stored on a computer or server. The reasons for accessing information or communications can also have an impact on the meaning of the term.
One example of monitoring is when the Air Force monitors to ensure operational security (OPSEC). The Telecommunications Monitoring and Assessment Program (TMAP) was established to conduct OPSEC monitoring [*156] under very specific requirements designed to protect an individual's privacy while ensuring operational security is not compromised. n1 Under this program, elements of the Air Intelligence Agency monitor communications to determine if sensitive or classified information, transmitted over an unsecured system, could have an adverse impact on United States or allied operations. n2 For those involved with TMAP, the term monitoring encompasses intercepting, recording, and analyzing the content of specific conversations or electronic communications.
____________________
n1 Air Force Instruction 33-219, Telecommunications Monitoring and Assessment Program (TMAP) (1 June 1998) [hereinafter AFI 33-219].n2 Id. P2.
Another instance of monitoring communications occurs for law enforcement purposes. When conducting this type of monitoring, which can include wiretapping or electronic surveillance, n3 a law enforcement agency or organization intercepts and records the content of a communication in order to determine if the communication constitutes evidence of a crime. Such monitoring must be based on consent of one party to the communication or authorized by court order, valid warrant, or search authorization supported by probable cause. Within the Air Force, nonconsensual surveillance for law enforcement also requires processing a request for a court order or warrant through the General Counsel of the Air Force. n4 Consensual interceptions, on the other hand, require approval of the Commander of the Air Force Office of Special Investigations (AFOSI). n5
____________________
n3 See Omnibus Crime Control and Safe Streets Act, 18 U.S.C. §§ 2510-2520 (1988)n4 Air Force Instruction 71-101, Criminal Investigations, vol. 1, P3.3.1 (1 August 1977) [hereinafter AFI 71-101].
n5 Id. vol. 1, P3.3.3. There are, however, some limitations on the authority of the commander of the Air Force Office of Special Investigations (AFOSI/CC) to approve consensual interceptions. For example, the AFOSI/CC must obtain Air Force General Counsel's approval before authorizing any surveillance involving a General Officer or a member of the Senior Executive Service, their family members, and Air Force Academy cadets, staff, and faculty. General Counsel approval is also required when there is an allegation of a violation of a national security law, procurement fraud in excess of $ 1,000,000, an investigation of sexual activity between consenting adults, and when the investigation involves any "significant" matter likely to receive extensive media coverage. See id. at ch. 3.
While OPSEC and law enforcement deal with the content of the communication, a third type of monitoring ensures that the operating system is functioning properly, that only authorized users are accessing the system, and that the resource is not being misused or abused. This is known as systems protection monitoring. The importance of systems protection monitoring cannot be overstated. Performed by system administrators, this is the Air Force's first line of defense against system malfunction and, more importantly, unlawful intrusions into our communications networks. Dr. John J. Hamre, the Deputy Secretary of Defense, has emphasized the importance of ensuring our [*157] information systems are protected. In a commentary by Lieutenant General William Donahue, the Air Force Director of Communications and Information, Dr. Hamre is quoted as saying,
"We are entering a period when one individual, or small groups of individuals, are able to wage war on our entire country. The cyber attacks of last year highlight the threat we face and to be brutally candid, I view hackers and crackers as the enemy and the insider hacker as a traitor in information warfare." n6
Lieutenant General Donahue also recognized the need for systems protection by trained professionals.
As the Air Force faces the growing danger of cyber attacks, our greatest countermeasures are vigilance, awareness, education and professional network management. We have professionalized our networks through the deployment of detection, management and protection tools. The key to their effectiveness is well-informed, well-trained network professionals and users. n7
____________________
n6 Lieutenant General William Donahue, Special Month Focuses on Cyber Responsibilities (23 January 1999) <http://www.af.mil/news/Jan1999/n19990126_990123.html> (quoting Dr. John J. Hamre, Deputy Secretary of Defense).n7 Id.
System protection monitoring may take several forms: reading the full text of every file on a computer or server, using a computer program to retrieve the content of files meeting certain parameters or containing certain keywords, listing files or messages by file name or header information, and tracking the number of files or messages passing through a certain point. Whatever the method used, the procedure is invasive and, as a result, privacy concerns become an issue.
This article will begin with a discussion of the Fourth Amendment's application to systems protection monitoring. To do so, we must consider whether the law recognizes an expectation of privacy in the data created or maintained on governmental computer systems. As one commentator has said, whether in the private sector or the governmental sector, "a person's right to privacy is violated only when the person has a reasonable expectation of privacy." n8 In addition to the Constitutional issues, there are other considerations that must be addressed when examining the legal and policy aspects of systems protection monitoring. For example, the Electronic Communications Privacy Act (ECPA) n9 extended the federal wiretap laws to include interception and accession of electronic forms of communication. This [*158] article will address whether the ECPA's protections apply to a systems administrator's monitoring of computer-based communications. Finally, this article will explore whether there is a need to extend certain protections to specific types of privileged communications or information, to what extent the information discovered during monitoring may be used, and whether current policy is sufficient to handle the new technology of electronic communication.
____________________
n8 Larry O. Natt Gantt, II, An Affront to Human Dignity: Electronic Mail Monitoring in the Private Sector Workplace, 8 HARV. J.L. & TECH. 345, 403 (1995).n9 Electronic Communications Privacy Act of 1986, Pub. L. No. 99-508, Title I, § 101, 100 Stat. 1848 (1986) (codified at 18 U.S.C. §§ 2510-2521 (1988)).
When a systems administrator accesses information stored on a government server or computer, that act is, to some degree, invasive. The initial question is whether such an action constitutes a search. Whether this is a search depends upon whether there is an expectation of privacy in the communication n10 and upon the purpose of the invasion. n11 As the Supreme Court said in United States v. Montoya de Hernandez, n12
The Fourth Amendment commands that searches and seizures be reasonable. What is reasonable depends upon all of the circumstances surrounding the search or seizure and the nature of the search or seizure itself. . . . The permissibility of a particular law enforcement practice is judged by "balancing its intrusion on the individual's Fourth Amendment interests against its promotion of legitimate governmental interests." n13
____________________
n10 O'Connor v. Ortega, 480 U.S. 709, 715 (1987) (acknowledging that a physician employed by government hospital had a reasonable expectation of privacy in his office).n11 United States v. Monroe, 50 M.J. 550 (A.F.C.C.A. 1999).
n12 473 U.S. 531 (1985).
n13 Id. at 537 (citing New Jersey v. T.L.O., 469 U.S. 325, 337-42 (1985); quoting United States v. Villamonte-Marquez, 462 U.S. 579, 588 (1983); Delaware v. Prouse, 440 U.S. 648, 654 (1979); Camara v. Municipal Court, 387 U.S. 523 (1967)).
The Fourth Amendment to the Constitution guarantees persons will be protected against unreasonable searches and seizures. n14 An individual's Fourth Amendment rights are violated only if governmental officials "infringed on 'an expectation of privacy that society is prepared to consider reasonable.'" n15 In other words, not all privacy interests are constitutionally protected. n16 When looking at whether an Air Force member or employee has a constitutionally protected interest in their electronic communications, the important questions are whether there is an expectation of privacy protected by the Fourth Amendment and whether that expectation is "one that society recognizes as [*159] reasonable." n17 If either prong of this test is not met, there can be no reasonable expectation of privacy. n18
____________________
n14 Ortega, 480 U.S. at 715.n15 Id. (quoting United States v. Jacobson, 466 U.S. 109, 113 (1984)).
n16 United States v. Roberts, 747 F.2d 537 (9th Cir. 1984) (residents of a house on a shared, unobstructed private road had no expectation of privacy in the road, despite posting signs indicating that the road was private).
n17 Jacobson, 466 U.S. at 113; see also United States v. Neal, 41 M.J. 855, 860 (A.F.C.C.A. 1994) (citing Smith v. Maryland, 422 U.S. 735, 740-41 (1979)); California v. Ciraolo, 476 U.S. 207, 211 (1986). The United States Court of Appeals for the Armed Forces specifically addressed whether the originator of an e-mail message has a reasonable expectation of privacy in United States v. Maxwell, 45 M.J. 406 (1996). The court found that the originator of an e-mail message transmitted on a nongovernment, proprietary communications system had a reasonable expectation of privacy that police officials will not intercept the message without a warrant based on probable cause. Id. at 417. The court also realized that the reasonableness of an originator's expectation of privacy will "depend in large part on the type of e-mail involved and the intended recipient." Id. at 419.
n18 United States v. Curry, 46 M.J. 733 (N.M.C.C.A. 1997); see also United States v. Horowitz, 806 F.2d 1222, 1225 (4th Cir. 1986).
In 1987, the Supreme Court addressed workplace searches and seizures in O'Connor v. Ortega and concluded that the Fourth Amendment applies when government employers or supervisors search for or seize an employee's private property. n19 This is true even if the private property is located in a government-provided office. n20 The Court recognized that "government offices are provided to employees for the sole purpose of facilitating the work of an agency. The employee may avoid exposing personal belongings at work by simply leaving them home." n21
____________________
n19 Ortega, 480 U.S. at 715.n20 Id. at 717.
n21 Id. at 725.
Although the Court found that the Fourth Amendment applies when the government is also an employer, the Court acknowledged that what is considered a reasonable expectation of privacy differs according to the context of the case, especially when the search is done within the workplace. n22 The Court defined "workplace" as those areas and items related to work and generally within the employer's control, though "not everything that passes through the confines of the business address can be considered part of the workplace . . . ." n23 Items that are purely personal and have no connection to the employment relationship are not subject to standards for a workplace search. Hallways, offices, desks, and file cabinets are part of the workplace and remain so even though an employee may have placed personal items in or on them. n24
____________________
n22 Id. at 725-26.n23 Id.
n24 Id. at 716. In the context of the typical Air Force workplace, the distinction between government property and personal property is quite clear. A government-provided computer is still, generally, within the employer's control. The employee may not take the computer when transferred or reassigned. Many data files are maintained on a local area network server. Hard copies of the data files are often filed in the employer's official files. Finally, there are statutory requirements for a governmental employer to maintain electronic records. See 44 U.S.C. § 2902 (1988). Thus, government-provided computer resources, such as computer equipment and e-mail services, would fall within the definition of workplace.
[*160] Besides making a distinction between workplace and personal items, the Court also made a distinction between intrusions by law enforcement and intrusions by supervisors. While employees may have a reasonable expectation of privacy against workplace intrusions by law enforcement personnel, when supervisory personnel are responsible for the intrusion "operational realities of the workplace . . . may make some employees' expectations of privacy unreasonable. . . ." n25 The Court stressed that, "the employee's expectation of privacy must be assessed in the context of the employment relation." n26 Whether or not an employee believes his work area is private, that belief must be objectively assessed based on actual workplace practices and procedures. For example, the existence of a legitimate regulation, such as a systems protection regulation, which reduces an employee's expectation of privacy by allowing monitoring, would reduce the employee's expectation of privacy. The same could be said of a policy against unauthorized personal use of computer resources, n27 or as the Court said, "some government offices may be so open to fellow employees or the public so that no expectation of privacy is reasonable." n28
____________________
n25 Ortega, 480 U.S. at 717.n26 Id.
n27 Id.
n28 Id. at 718.
In Ortega, the Court found that, given the operational realities of Dr. Ortega's workplace, Dr. Ortega had a reasonable expectation of privacy in items contained in his desk and file cabinets. This finding was based on evidence that Dr. Ortega did not share his desk or file cabinets with other employees, he had occupied the office for seventeen years, he kept personal correspondence in the office, including correspondence from patients unconnected to his employer hospital, and that items related to his employment were kept outside the office. Especially telling for the Court was that everything seized from the office was returned to Dr. Ortega. Finally, the Court relied on the absence of a regulation or policy discouraging employees from storing personal papers and effects in their desks or filing cabinets. n29
____________________
n29 Id. at 719.
Although the Court found that Dr. Ortega had a reasonable expectation of privacy in his workplace, the analysis did not end there. The Court also found it necessary to "determine the appropriate standard of reasonableness applicable to the search." n30 In order to make this determination, the Court balanced "the nature and quality of the intrusion on the individual's Fourth Amendment interests against the importance of the governmental interests alleged to justify the intrusion." n31 The Court held that "in the case of searches [*161] conducted by a public employer, we must balance the invasion of the employees' legitimate expectations of privacy against the government's need for supervision, control, and the efficient operation of the workplace." n32
____________________
n30 Id.n31 Id. (citing United States v. Place, 462 U.S. 696, 703 (1983)).
n32 Id. at 719-20.
After conducting this balancing test, the Court found that a supervisor's "work-related" noninvestigatory search of an employee's office, desk, or filing cabinets is reasonable under the Fourth Amendment. n33 This is because a supervisor's intrusion is "focused primarily on the need to complete the government agency's work in a prompt and efficient manner." n34 A requirement for a warrant to intrude into an office, desk, or file cabinet for a work-related purpose is unduly burdensome when the intrusion is incident to the business of the governmental agency. n35 Additionally, there is no need to find probable cause before a work-related search. n36 "To ensure the efficient and proper operation of the agency, therefore, public employers must be given wide latitude to enter employee offices for work-related, noninvestigatory reasons." n37
____________________
n33 Id. at 723.n34 Id. at 721. Interestingly, the Court's determination in this regard was the subject of contention that resulted in Ortega's plurality opinion. Justice Scalia, writing separately, disagreed with the plurality opinion as to the importance of the searchers identity. Id. at 731 (Scalia, J., concurring). Whether a supervisor or law enforcement authorities performed the search is immaterial. The only issue was whether the search itself was reasonable under the circumstances. Id. As will be discussed, the distinction between a search by an employee or supervisor and one done by law enforcement can be significant when compliance with the ECPA is the issue. See infra Part III.
n35 Id. at 722.
n36 Id.
n37 Id. at 723.
The Court reached the same conclusion when considering investigative searches for work-related employee misconduct. n38
Public employers have a direct and overriding interest in ensuring that the work of the agency is conducted in a proper and efficient manner . . . Therefore, a probable cause requirement for searches of the type at issue here would impose intolerable burdens on public employers. The delay in correcting the employee misconduct caused by the need for probable cause rather than reasonable suspicion will be translated into tangible and often irreparable damage to the agency's work, and ultimately to the public interest. n39
Thus, a workplace search does not violate the Fourth Amendment as long as the inception and the scope of the intrusion are reasonable. n40
[*162] Ordinarily, a search of an employee's office by a supervisor will be "justified at its inception" when there are reasonable grounds for suspecting that the search will turn up evidence that the employee is guilty of work-related misconduct, or that the search is necessary for a noninvestigatory work-related purpose such as to retrieve a needed file. n41
____________________
n38 Id. at 724.n39 Id.
n40 Id. at 726.
n41 Id.
Ortega demonstrates that a three-tiered analysis is necessary to determine whether a workplace search violates the Fourth Amendment. The first question concerns the employee's reasonable expectation of privacy considering the "operational realities" of the workplace. n42 In determining whether an expectation of privacy is reasonable, the courts have not "developed a routinized checklist that is capable of being applied across the board, and each case therefore must be judged according to its own scenario." n43 The following factors are to be considered: whether the employee has exclusive use of the workplace, the extent to which others had access to the workplace, the nature of the employee's duties, whether the employee had notice that the workplace was subject to search, and the reason for the intrusion. n44
____________________
n42 Id. at 717.n43 Vega-Rodriguez v. Puerto Rico Telephone Company, 110 F.3d 174, 178 (1st Cir. 1997).
n44 See id. at 179 (citations omitted). The purpose for the intrusion was also important to the Air Force Court in its decision in Monroe. United States v. Monroe, 50 M.J. 550, 559-60 (A.F.C.C.A. 1999). Noting that their methods were not important, the court indicated the crucial issue was that the systems administrators' "actions were well within their official duties. They were doing what they had a responsibility to do in order to insure the base network was operating at maximum efficiency, and all of their actions were taken to achieve that end." Id.
The second prong of the analysis evaluates the reasonableness of the invasion of an employee's Fourth Amendment interest when balanced against the importance of the governmental interests justifying intrusion. n45 The Court found that when the governmental interest is either work-related or an investigative search for work-related employee misconduct, reasonable suspicion is sufficient grounds to justify the search. n46 Of course, what constitutes reasonable suspicion may differ with the conduct under examination and the specific facts of the case.
____________________
n45 Ortega, 480 U.S. at 719.n46 Id. at 723-24.
The final tier focuses on whether the search was reasonable at its inception and whether the scope of the intrusion was related to the circumstances that justified the search. n47 When there are grounds to suspect work-related misconduct or when the supervisor needs access for a noninvestigative purpose, the search is reasonable at its inception. Similarly, when the search is limited to meeting the need for the search, the scope of the search is reasonable.
____________________
n47 Id. at 726.
[*163] The Ortega analysis has been applied to other cases involving workplace searches. For example in Schowengerdt v. United States n48 the Ninth Circuit applied the Ortega analysis to conclude that under the operational realities present in Schowengerdt's workplace, there was no reasonable expectation of privacy in papers found in a credenza. n49 Schowengerdt was a civilian engineer working on classified projects for the Navy. The facility in which he worked was searched frequently to determine if classified information was properly protected. Schowengerdt was well aware of these searches, nevertheless he placed a sealed manila envelope in his credenza containing evidence of multiple bisexual affairs. The envelope was labeled, "Strictly Personal and Private. In the event of my death, please destroy this material as I do not want my grieving widow to read it." n50 Even though the label indicated Schowengerdt had a subjective expectation of privacy in the material inside the envelope, the Ninth Circuit found that the environment in Schowengerdt's workplace, including searches for security purposes and the need for a security clearance to perform his duties, objectively removed any reasonable expectation of privacy. n51
____________________
n48 944 F.2d 483 (9th Cir. 1991).n49 Id. at 488.
n50 Id. at 485.
n51 Id. at 488-89.
More to the point, an Ortega analysis was recently applied to nonwarranted intrusions into stored e-mail. In United States v. Simons, n52 the Eastern District of Virginia considered an appeal from an employee of the Foreign Bureau of Information Services, a component of the Central Intelligence Agency (CIA). The employee was convicted of various violations of child pornography statutes based on his Internet activity while at work. The system administrator, while examining the agency's firewall log to familiarize himself with the system, discovered evidence that the employee was accessing child pornography sites while at work. Upon noticing the log was unusually large, the systems administrator searched the log using the keyword "sex." He believed that if the firewall log contained indications of inappropriate activity, a search for the word "sex" would likely disclose such activity. n53 The keyword search found a significantly large number of "hits" n54 traceable to defendant's [*164] workstation that indicated the result of intentional, rather than casual or accidental, Internet cite searches. n55 The systems administrator could also tell by looking at the names of the web sites that they had no relevance to any business purpose. n56 The systems administrator disclosed the results of his discovery to his supervisor, who asked the systems administrator to access the employee's workstation computer to see if the employee had downloaded any pornographic pictures or files. The systems administrator did so, using the computer located in the systems administrator's office. He determined that over one thousand pornographic files had been downloaded. The systems administrator then made a copy of the hard drive on the computer in the employee's workstation and provided it to CIA special investigators to review. CIA investigators subsequently called the FBI, which obtained a search warrant for the employee's office, including the computer and the contents of its drives. n57
____________________
n52 29 F. Supp. 2d 324 (E.D. Va. 1998).n53 Id. at 326.
n54 A "hit" is a single request from a web browser for a single item from a web server. Hits are often used as a very rough measure of load on a server -- a web site might get 300,000 hits per month. Because each hit can represent anything from a request for a tiny document (or even a request for a missing document) to a request that requires some significant extra processing (such as a complex search request), the actual load on a machine from a single hit is almost impossible to measure. Mattise Enzer, Glossary of Internet Terms (visited April 15, 1999) <http://www.matisse.net/files/glossary.html#D> [hereinafter Enzer, Internet Terms].
n55 Simons, 29 F. Supp. 2d at 326.
n56 Id.
n57 Id.
The employee sought to suppress the evidence, arguing that the systems administrator's activities constituted illegal searches in violation of the employee's Fourth Amendment rights. n58 The district court disagreed, holding that the agency's policy limiting the Internet to official purposes and giving notice that audits may be done on unclassified networks was sufficient to eliminate any reasonable expectation of privacy the employee had regarding his Internet use. n59 Since the employee had no reasonable expectation of privacy, the court found the searches were permissible under the Fourth Amendment. n60 The court went one step further, holding that even if the employee did have a reasonable expectation of privacy, the systems administrator's activity in examining the firewall logs, n61 viewing the employee's work station computer, and copying the computer's hard drive were both justified at their inception and reasonable in scope. n62 The justification in this regard rested on the fact that it [*165] was the systems administrator's duty to monitor Internet use and that the use of the word "sex" was a reasonable way to reveal inappropriate workplace activity. n63
____________________
n58 Id.n59 Id. at 327.
n60 Id. The district court in Simons noted that Ortega stood for the proposition one could have a reasonable expectation of privacy in the desk and cabinets located in their office but that a public employee's expectation of privacy can be reduced by the practices of the office. Id. The court went on to describe the policies and procedures that affected Simons' expectation of privacy, eventually concluding he did not have one. Id.
n61 Id. The court also questioned whether the systems administrator's keyword search was a search within the meaning of the Fourth Amendment. Id. at 328. A firewall is a combination of hardware and software that separates a network into two or more parts for security purposes. Enzer, Internet Terms, supra note 54.
n62 Simons, 29 F. Supp. 2d at 328.
n63 Id.
Like the CIA employee in Simons, the privacy rights of military members may be subjected to an overriding need to recognize the demands of discipline and duty. n64 The Air Force Court of Criminal Appeals addressed a military member's expectation of privacy in a "personal" e-mail account on a government server in United States v. Monroe. n65 In Monroe, the accused had an e-mail account on his personal computer located in his on-base dormitory. The account was provided to military members at this overseas location for official and authorized purposes. Authorized purposes included limited personal use to send and receive morale messages to and from friends and family. n66
____________________
n64 United States v. Curry, 46 M.J. 733, 739-40 (N.M.C.C.A. 1997) (citing Parker v. Levy, 417 U.S. 733 (1974); Middendorf v. Henry, 425 U.S. 25 (1976); Schlesinger v. Councilman, 420 U.S. 738 (1975)).n65 50 M.J. 550 (A.F.C.C.A. 1999).
n66 Id. at 554.
The systems administrator responsible for this government system noticed fifty-nine e-mail messages in the directory where e-mail is stored before being sent to the receiving mailbox. If a message is too large or if there is a defect in the message, the directory will store rather than forward them. A large number of stored messages will slow the system. In order to determine why so many messages were "stuck" in the system, the administrator and his supervisor opened several of the messages. They discovered that they were addressed to the accused's mailbox and were from newsgroups with sexually orientated names. n67 The administrators moved the messages to another directory, and determined that over half contained graphic images that upon closer inspection were found to be sexually explicit photographs of women. In order to find out if the accused requested the images or was simply the victim of a prank, the administrators accessed the accused's e-mail account. Upon opening one of the messages sent to the originator of the fifty-nine e-mail messages, the two administrators saw a reminder from the accused to "send the file." n68 Concluding that the accused was not a victim, the administrators disclosed this information to the commander. n69 After reporting the systems problem, the systems administrators then gave investigators from the AFOSI two diskettes containing the image files, printouts of two e-mail messages from the accused to the newsgroup, and a memo for record detailing their discovery of the files. n70 [*166] The AFOSI investigators used this information to obtain a search authorization and then searched the accused's dormitory room and seized all computer-related items. n71
____________________
n67 Id.n68 Id.
n69 Id. at 555.
n70 Id.
n71 Id.
At trial, the accused challenged the activities of the systems administrators, arguing that they exceeded the scope of their duties by opening any of the original fifty-nine e-mail files. The accused asserted that the systems administrators had opened an "investigation" on him and that while he may have consented to monitoring, he had not consented to being investigated. n72 The Air Force court disagreed. It found that the accused had no reasonable expectation of privacy in files lodged in the government server. n73 Additionally, the court concluded that there was no reasonable expectation of privacy in the e-mail box, "at least as regards his superiors and the [systems] administrator and his/her supervisors." n74 The court went on to note that even if the accused had some expectation of privacy, the systems administrators could access the material in the e-mail box, as long as they acted within the scope of their official duties. n75 The court thought it important that, "they were doing what they had a responsibility to do in order to insure the base network was operating at maximum efficiency, and all their actions were taken to achieve that end." n76 Because they were operating within the scope of their duties, the systems administrators did not become agents of law enforcement. n77
____________________
n72 Id. at 556-57. The system was properly bannered with a warning indicating that use of the system would be considered consent to monitoring. Id. at 559. For an example of such a banner and a discussion of this issue, see infra footnotes 95-98 and accompanying text.n73 Monroe, 50 M.J. at 558. The court reasoned that:
Using the analogy of a work area desk and the precedents applicable thereto and the facts of the instant case, we believe appellant's e-mail box within the EMH was most comparable to an unsecured file cabinet in his superiors' work area in which an unsecured drawer was designated for his use in performing his official duties with the understanding that his superiors had free access to the cabinet, including his drawer.Id. at 559.
n74 Id.
n75 Id. at 559-60.
n76 Id. at 560.
n77 Id.
In both Simons and Monroe, the systems administrator's actions were permissible because they were acting within the scope of their responsibility to protect their respective systems. Additionally, in Simons and Monroe the systems administrators notified appropriate law enforcement authorities and turned over the information they had obtained once it became clear there had been some criminal activity. The significance of the actions of the systems [*167] administrators rests with the Supreme Court's distinction between a workplace search and a search outside of the workplace n78 and the distinction between a private search and one conducted by law enforcement authorities. n79 The activities of a workplace systems administrator that are within the scope of his or her responsibility to protect an employer's system are more analogous to a private search and, therefore, permissible. n80 However, while it may not violate a user's reasonable expectation of privacy for a systems administrator to search stored communications, additional invasions by law enforcement agents, "must be tested by the degree to which they exceed the scope of the private search." n81
____________________
n78 Ortega, 480 U.S. at 716.n79 United States v. Jacobsen, 466 U.S. 109, 114-15 (1984) (Fourth Amendment does not require warrant before law enforcement agent removes trace amount of unknown substance from damaged package obtained by private shipping company in order to conduct chemical tests to determine identity of the substance). Justice Scalia's disagreement as to the identity of the searcher resulted in Ortega's plurality. Ortega, 480 U.S. at 731 (Scalia, J., concurring). See supra note 34.
n80 Monroe, 50 M.J. at 560.
n81 Jacobsen, 466 U.S. at 115.
A government employee using a government computer has no expectation of privacy with regard to information uncovered by systems administrators acting within the scope of their duties. The same employee also runs the risk the systems administrator will disclose information gained in the pursuit of that purpose to law enforcement authorities. n82 The Fourth Amendment only becomes an issue if law enforcement authorities desire to extend the scope of the search to obtain additional information or seize evidence. For this they must obtain a warrant or search authorization. n83
____________________
n82 Id.; accord Securities and Exchange Commission v. Jerry T. O'Brien, Inc., 467 U.S. 735 (1984) (noting that there is no Fourth Amendment protection for one who communicates confidential information to a third party who later discloses that information to law enforcement authorities); United States v. Miller, 425 U.S. 435, 443 (1976) (recognizing that an individual risks disclosure to government authorities of confidential information given to a third party).n83 Walter v. United States, 447 U.S. 649 (1980); Jacobsen, 466 U.S. at 115.
Although not the basis of the decision, the court in Monroe could also have reasoned that military members have a reduced expectation of privacy in anything subject to command-directed inspection. In United States v. Muniz, n84 the United States Court of Military Appeals (now the United States Court of Appeals for the Armed Forces) found that the accused had no reasonable expectation of privacy in the locked drawer of a government-owned credenza in the accused's government office. n85 The court noted that:
The credenza, like any other item of government property within the command, was subject at a moment's notice to a thorough inspection. . . . [*168] That omnipresent fact of military life, coupled with the indisputable government ownership and the ordinarily nonpersonal nature of military offices, could have left [the accused] with only the most minimal expectation-or hope-of privacy in the drawer vis-a-vis his commander. n86
This diminished expectation of privacy "must be distinguished from an unquestionably greater expectation of privacy" the military member ordinarily would enjoy as a citizen of the United States. n87 Indeed, the simple fact that inspections are a necessary part of life in the military has resulted in a reduced expectation of privacy in a berthing area on a naval vessel and in an unsealed open box, marked with the accused's name, when the box is located in the vessel's common area. n88
____________________
n84 23 M.J. 201 (C.M.A. 1987).n85 Id. at 206.
n86 Id. (citing United States v. Middleton, 10 M.J. 123 (C.M.A. 1981)).
n87 Id.
n88 United States v. Battles, 25 M.J. 58 (C.M.A. 1987); see also United States v. Neal, 41 M.J. 855 (A.F.C.C.A. 1994) (questioning whether a military accused had a reasonable expectation of privacy in an open wall locker located in a common area of the dormitory room the accused shared with another member).
Monitoring a computer-related information system such as Monroe's e-mail account could be analogized to an authorized inspection. Generally, an inspection permits limited intrusions for defined purposes when there is a special need, beyond that of law enforcement, making the warrant requirements for a search impracticable. n89 Within the military, an inspection is recognized as a tool for a commander to evaluate and ensure his assets are secure and his unit is able to accomplish the mission. An inspection is considered "incident of command" and part of the commander's responsibility. n90 However, a commander's authority to inspect is not completely unfettered. Inspections must be reasonable. n91 The primary reason for an inspection must focus on the security, military fitness, or good order and discipline of the commander's organization. n92 Finally, an inspection can never be used as a subterfuge for a search. n93 When a systems administrator monitors an information system, he or she ensures the system is secure, that it is not being misused, and that the system can perform its mission. n94 In other words, the systems administrator [*169] inspects the system. As long as that inspection is focused on systems protection or has some similar purpose, the systems administrator's activities would be considered valid.
____________________
n89 Montoya de Hernandez, 473 U.S. at 541-42; (concluding that border search of woman suspected of alimentary canal drug smuggling was reasonable); New Jersey v. T.L.O., 469 U.S. 325, 342 (1985) (determining that warrantless search of schoolchildren based on reasonable suspicion did not violate the Fourth Amendment). See also United States v. Cortez, 449 U.S. 411, 417 (1981); Terry v. Ohio, 392 U.S. 1 (1968).n90 MANUAL FOR COURTS-MARTIAL, United States [hereinafter MCM], Military Rules of Evidence 313 (1998 ed.) [hereinafter Mil. R. Evid.]; United States v. Jackson, 48 M.J. 292, 293 (1998).
n91 Jackson, 48 M.J. at 294.
n92 Id.
n93 Id.
n94 Air Force Instruction 33-115, Network Management vol. 1, PP6.4.3.4.5, 6.4.3.4.8 (1 June 1998) [hereafter AFI 33-115].
Another important aspect of the Monroe case was the court's reliance on "the fact that all users of the system received notice that the system was subject to monitoring each time they logged on." n95 Although not specifically mentioned by the court, this notification was based on Air Force Instruction 33-219, which provides general notification to all Air Force members that telecommunications systems or devices provided by the Department of Defense (DoD) for conducting official government business are subject to monitoring. n96 Telecommunications devices include computers attached to a network. The instruction also puts Air Force computer users on notice that simply using a government-owned computer system constitutes consent to monitoring. The same provision also requires a log-on banner on all computers that reads:
This is a Department of Defense computer system for authorized use only. DoD computer systems may be monitored for all lawful purposes, including to ensure that their use is authorized, for management of the system, to facilitate against unauthorized access, and to verify security procedures, survivability and operational security. Using this system constitutes consent to monitoring. All information, including personal information, placed on or sent over this system may be obtained during monitoring. Unauthorized use could result in criminal prosecution. n97
The banner makes no distinction between intercepting communications and accessing stored communications. The net effect of this banner is to eliminate any argument that a military member could subjectively believe communications to or from his computer would remain private. n98
____________________
n95 Monroe, 50 M.J. at 558.n96 Air Force Instruction 33-219, Telecommunications Monitoring and Assessment Program (TMAP) P13 (1 June 1998) [hereinafter AFI 33-219].
n97 Id. PA2.3.5 (emphasis added).
n98 See Monroe, 50 M.J. at 558 (finding no reasonable expectation of privacy in e-mail system containing banner giving notice that system may be monitored).
An argument could be made that this notice, coupled with the user's affirmative decision to continue using the government-provided computer resource, constitutes actual consent to monitoring. n99 Finally, the computer is owned by the government and provided to the member or employee only to facilitate government-related business. Even though in some limited circumstances a person may have an expectation of privacy in property owned by another, n100 the fact that a computer and hard drive are government property, [*170] provided only for official use, would cause a reasonable person to question whether a user's expectation of privacy was reasonable.
____________________
n99 See infra Part III.A.n100 See United States v. Salazar, 44 M.J. 464, 467 (1996).
Using the three-tiered Ortega analysis, it is clear that systems protection monitoring is a legitimate workplace search. First, the operational realities of the Air Force workplace puts users of Air Force communications systems on notice and obtains their consent to systems protection monitoring. This notice and consent eliminate any expectation of privacy in the communication being monitored to determine the health and welfare of the communication system. n101 Secondly, the intrusion caused by systems protection monitoring is reasonable when balanced against the governmental interest in protecting our communications systems from misuse and abuse. Ensuring the integrity of our communications systems and the information transmitted over those systems is of vital national importance. With the increase in hackers and the potential for system denial attacks, n102 the need for systems protection is tremendous. The type of monitoring done by systems administrators is reasonable considering this overriding governmental interest in information protection. Finally, systems protection monitoring is reasonable in its inception because there is a well-defined need to protect our communications systems and the monitoring is limited to that necessary to protect the system.
____________________
n101 Similarly, there is no expectation that a communication will not be monitored for operational security purposes. See AFI 33-219, supra note 96. Of course, although there is no expectation of privacy relative to systems protection there may be an expectation of privacy for other reasons. See Ortega, 480 U.S. at 723.n102 Hackers are individuals who attempt to break into a computer system or to, in some other way, attempt to damage a computer system. System denial attacks are intentional actions by an insider or outsider that causes an information system to fail either permanently or temporarily. Air Force Office of Special Investigations, Computer Crime Investigator's Handbook (forthcoming Summer 1999).
In 1986 Congress enacted the Electronic Communications Privacy Act n103 "to bring new communication technologies under the umbrella" of Title III of the Omnibus Crime Control and Safe Streets Act of 1968 n104 "to protect against the unauthorized interception of electronic communications." n105 The legislative history of the ECPA also indicates the purpose of the law is "to update and clarify federal privacy protections and standards in light of dramatic changes [*171] in new computer and telecommunications technologies." n106 Indeed, the ECPA was designed to confer an expectation of privacy to electronic and wire communications, and it generally prohibits the interception or accession of electronic communication. n107
____________________
n103 Electronic Communications Privacy Act of 1986, Pub. L. No. 99-508, 100 Stat. 1848 (1986) (codified at 18 U.S.C. §§ 2510-2521, 2701-2710, 3117, 3121-3126 (1988)).n104 Omnibus Crime Control and Safe Streets Act, 18 U.S.C. §§ 2510-2520 (1988).
n105 S. Rep. No. 99-541, at 1 (1986), reprinted in 1986 U.S.C.C.A.N. 3555. This section of the Omnibus Crime Control and Safe Streets Act is more commonly known as the Federal Wiretap Act and is codified at 18 U.S.C. § 2510 (1988). In addition, Title I of the ECPA has also come to be referred to as the Wiretap Act.
n106 S. Rep. No. 99-541, at 1.
n107 18 U.S.C. § 2511(1). The original version of the Federal Wiretap Act was passed by Congress after the Supreme Court in Katz v. United States, 389 U.S. 347 (1967) held the Fourth Amendment applied to a government interception of a telephonic communication. The original provisions of the Federal Wiretap Act was Congress' attempt to protect the privacy interests in business and personal communications and still permit authorized interceptions.
The ECPA consists of three distinct sections. The first section, often referred to as Title I, outlines statutory procedures for intercepting wire, oral, and electronic communications. n108 The second section, known as Title II, pertains to stored communications. n109 The final section, Title III, addresses pen registers and trap and trace devices. n110 Although designed to work together to provide "a fair balance between the privacy expectations of American citizens and the legitimate needs of law enforcement agencies," n111 the statutory provisions are confusing and difficult to interpret. As the Ninth Circuit Court of Appeals noted, "when the Fifth Circuit observed that the Wiretap Act 'is famous (if not infamous) for its lack of clarity,' . . . it might have put it too mildly." n112
____________________
n108 S. Rep. No. 99-541, at 3. The term "wire communications" is limited to voice communications. Because this article addresses electronic communications, there will be no attempt to discuss the interception of oral, voice, or voicemail communications. Nevertheless, much of the existing case law interpreting the ECPA addresses situations involving wire communications. The results of such case law have been extended, where appropriate to electronic communications.n109 Id. Title II of the ECPA (Pub. L. No. 99-508, Title II, § 201, 100 Stat. 1848 (1986)) is often called the Stored Communications Act, and was Congress's attempt to protect personal and proprietary information stored on computers, while still allowing law enforcement access to the information for legitimate reasons. Title II is codified at 18 U.S.C. § 2701 (1988). See United States v. Smith, 155 F.3d 1051 (9th Cir. 1998).
n110 S. Rep. No. 99-541, at 3. This section is not pertinent to the issues addressed in this article and will not be discussed.
n111 Id. at 5.
n112 Smith, 155 F.3d at 1055 (quoting Steve Jackson Games, Inc. v. United States Secret Service, 36 F.3d 457, 462 (5th Cir. 1994)).
The legislative history of the ECPA indicates Congress intended the Act to cover e-mail transmissions, n113 but the complexity of the statutory language obscures that intention. A careful analysis of the meaning of the Act must begin with an understanding of its key terms. The statute defines an "electronic communication" in the following manner:
Any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, [*172] electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce, but does not include --(A) any wire or oral communication;(B) any communication made through a tone-only paging device;
(C) any communication from a tracking device (as defined in section 3117 of this title); or
(D) electronic funds transfer information stored by a financial institution in a communications system used for the electronic storage and transfer of funds. n114
The definition of electronic communication includes transfers of information from one computer to another computer, such as a user downloading data from an Internet site, but does not include electronic storage. n115 In other words, "an electronic communication may be put into electronic storage, but the storage itself is not a part of the communication." n116
____________________
n113 See Gantt, supra note 8, at 351 n. 47.n114 18 U.S.C. § 2510(12).
n115 Bohach v. City of Reno, 932 F. Supp. 1232, 1235 (D. Nev. 1996).
n116 Id. at 1235.
The ECPA defines "electronic storage" as "(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof, and (B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication." n117 The Computer Crimes and Intellectual Property Section of the Department of Justice, which publishes the Federal Guidelines for Searching and Seizing Computers, interprets this definition to include only unopened e-mail messages on an e-mail server. n118
To understand the importance of this definition, it is critical to know how electronic mail works. Generally speaking, e-mail messages are not transmitted directly from the sender's machine to the recipient's machine; rather, the e-mail message goes from the sending machine to an e-mail server where it is stored (i.e., kept in "electronic storage"). A message is then sent from the server to the addressee indicating that a message for the addressee has been stored. The actual message remains on the server, however, until the addressee retrieves it by having a copy sent to his machine. Often, both the sender and receiver can delete the e-mail from the server.Section 2703 protects the electronic communication while it is stored in the server in this intermediate state. Once a message is opened, however, its [*173] storage is no longer "temporary" nor "incidental to . . . transmission," and it thus takes on the legal character of all other stored data. Therefore, the statute does not apply to all stored communications, such as word processing files residing on a hard drive, even when these files were once transmitted via e-mail. n119
The ECPA definition of electronic storage includes data on back-up storage tapes or disks when made to protect the communication. The computer crimes section of the Department of Justice has also addressed this issue stating, "When a sysop backs up the mail server to protect against system failure, all e-mails stored on the server will be copied. Thus, if the e-mail is later deleted from the server, the backup copy remains. The statute protects this copy as well." n120
____________________
n117 18 U.S.C. § 2510(17); see also Bohach, 932 F. Supp. at 1237. In that case, the court said, "The computer's storage of an electronic communication, whether that storage was 'temporary' and 'intermediate' and 'incidental to' its impending 'electronic transmission,' or more permanent storage for backup purposes was 'electronic storage.'" Id.n118 See also, Simons, 29 F. Supp. 2d at 329 (court held that e-mail retrieved from a government employees computer hard drive was not intercepted under the provisions 18 U.S.C. §§ 2515 and 2516, since nothing in the record indicated the e-mail was obtained while being transferred.)
n119 United States Department of Justice, Federal Guidelines for Searching and Seizing Computers (visited Jan. 29, 1999) <http://www.usdoj.gov/criminal/cybercrime/search_docs/sect5.htm#C>.
n120 Id. (citing 18 U.S.C. § 2510(17)(B)). A sysop is a shorthand term for systems operator or systems administrator.
Another important definition is that of "content." When applied to wire, oral, or electronic communications, the term content means "any information concerning the substance, purport, or meaning of that communication." n121 In other words, it is the information or the substance contained in the communication-what appears on the screen when the e-mail message is opened. It is important to distinguish between a communication's "contents" and its "context." Context refers to information about the electronic communication, including such things as the duration, size, and routing of the communication. This information is part of the electronic communication but does not necessarily appear on a computer screen. Depending on the tools used or the programming settings, a systems administrator may seek to monitor either content or context in order to protect the government system.
____________________
n121 18 U.S.C. § 2510(8).
Finally, the ECPA defines "intercept" as "the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device." n122 To fall within the definition of intercept, the acquisition of the electronic communication's content must be contemporaneous with its transmission. n123 The only concern revealed in the [*174] ECPA when intercepting an electronic message is with the acquisition of its content. The context of the message is not an issue. Indeed, the ECPA specifically allows a system provider to record a communication's context to protect the provider or the user from "fraudulent, unlawful or abusive use" of the provider's communication service. n124 This very narrow definition of intercept is important to the operation of the ECPA because whether the electronic communication was actually intercepted within the meaning of the Act has a determinative impact on which provision of the Act will apply to regulate the conduct.
____________________
n122 18 U.S.C. § 2510(4).n123 Steve Jackson Games, 36 F.3d at 460-61; accord, Wesley College v. Pitts, 974 F. Supp. 375, 387 (D. Del. 1997). According to the Ninth Circuit in Smith, 155 F.3d 1051, wire communications are treated differently than electronic communications. In Smith the court found that voice mail messages fall within the statutory definition of wire communication. A wire communication is defined in 18 U.S.C. § 2510(1) as "'any aural transfer made in whole or in part through the use of facilities for the transmission of communications by the aid of wire, cable, or other like connection' and expressly includes within its scope 'any electronic storage of such communication.'" Id. at 1055. Since the definition of wire communications specifically includes stored information, the Ninth Circuit found that accessing and recording a stored voice mail message is considered an "intercept" even though the act of recording the stored voice mail message is not contemporaneous with its transmission. Id. at 1059. The court, however, refused to dispute the findings of the cases narrowly defining intercept as applied to electronic communications. The court said, "in cases concerning 'electronic communications'-the definition which specifically includes 'transfers' and specifically excludes 'storage'-the 'narrow' definition of 'intercept' fits like a glove; it is natural to except non-contemporaneous retrievals from the scope of the Wiretap Act." Id. at 1057.
n124 18 U.S.C. § 2511(2)(h)(ii).
In that regard, consideration must be given to whether the monitoring system intercepts the electronic communication during its transmission or, instead, accesses it from electronic storage.
There are stark differences between the procedural and substantive requirements of Title I [the Wiretap Act] and Title II [the Stored Communications Act]. While a governmental entity can obtain access to the contents of electronic communications that have been in storage less than 180 days without a warrant, . . . there are additional requirements under Title I for the interception of electronic communications . . . . Title I imposes limitations on the types of crimes that may be investigated . . . and the breadth and duration of the intrusion . . . . Title II does not. n125
Additionally, obtaining access to stored communications has substantially fewer procedural requirements than obtaining permission to intercept communications. n126
____________________
n125 Wesley College, 947 F.Supp. at 388 (statutory citations omitted).n126 Steve Jackson Games, 36 F.3d at 463.
Given the narrow definition of intercept, Title I's provision prohibiting the interception of electronic communications may not apply to e-mail transmissions. In fact, the interception must occur as the e-mail is being transmitted in order for Title I to apply. n127 For example, some systems administrators use a computer program or mechanical device on their system that immediately routes a copy of any e-mail message, including the content of the message, directly to an interceptor at the instant the e-mail is transmitted. n128 [*175] In these situations, the provisions of Title I would apply. If, however, the systems administrator uses a tool to monitor unopened e-mail stored as electronic files on a computer server, the legal issues must be evaluated under Title II of the ECPA. n129
____________________
n127 Id. at 461.n128 See Jarrod J. White, E-Mail@Work.Com: Employer Monitoring of Employee E-Mail, 48 ALA. L. REV. 1079, 1982 (1997).
n129 18 U.S.C. §§ 2701-2711; see also Bohach, 932 F. Supp. at 1236 n.3.
In addition to the determination of which part of the ECPA to apply, both Title I and Title II have three primary exceptions to the general rule prohibiting the interception or accession of electronic communications: (1) interception or accession based on prior consent; (2) to ensure adequate service; and (3) allowing the service provider access, if done in the ordinary course of business. In the context of the use of e-mail and the Internet, it is necessary only to review the applicability of the first two exceptions. The third exception, often called the telephone extension exception, n130 does not apply to computerbased communication. n131
____________________
n130 Williams v. Poulos, 11 F.3d 271, 280 (1993) (citing Campiti v. Walonis, 611 F.2d 387, 392 (1st Cir. 1979)).n131 See White, supra note 128, at 1086. To the extent the actions of the Air Force do not fall within the first two exceptions, it is unlikely the third exception will prove useful as a means to avoid the ECPA's prohibitions. The business use exception depends on the type of equipment being used to intercept communications and the reason for the interception. Under the ECPA, intercept means "acquisition of . . . communication through the use of any electronic, mechanical, or other device." 18 U.S.C. § 2510(4). But this definition excludes:
(a) any telephone or telegraph instrument, equipment or facility, or any component thereof, (i) furnished to the subscriber or user by a provider of wire or electronic communication service in the ordinary course of its business and being used by the subscriber or user in the ordinary course of its business or furnished by such subscriber or user for connection to the facilities of such service and used in the ordinary course of its business . . .18 U.S.C. § 2510(5)(a). Subsection (a)(i) has two prongs, both of which must be satisfied to qualify for the exception. Sanders v. Robert Bosch Corp., 38 F.3d 736, 740 (4th Cir. 1994). First, the equipment used must be a "telephone or telegraph instrument [or] equipment" furnished in the normal course of a providers business. Id. Second, the use of the device must fall within the ordinary course of the subscriber's business. Id. The first prong is immediately problematic. "The plain language of this section indicates that telephone or telegraph equipment is required for the exclusion to apply, and it is doubtful that courts will consider a modem (assuming one is even involved) to be telephone equipment." White, supra note 144, at 1086. Computers and similar devices used to monitor e-mail and Internet systems also do not constitute a telephone or telegraph instrument or equipment. See Robert Bosch Corp., 38 F.3d at 740 (noting that the first prong of the exception was not satisfied because a tape recording device was not a telephone or telegraph instrument or equipment). Thus, it is unlikely this exception could ever be used to justify the Air Force's attempt to monitor electronic communication.
[*176] A. Consent
Under the provisions of the ECPA, a party to a communication may consent to interception of the communication or to a third party's access to the stored communication. The consent provision in Title I reads, "It shall not be unlawful under this chapter for a person acting under color of law to intercept a wire, oral, or electronic communication, where such person is a party to the communication or one of the parties to the communication has given prior consent to such interception." n132 A similar provision in Title II permits a person or entity to disclose the contents of stored electronic communications when the originator, addressee, or intended recipient of an electronic communication gives lawful consent. n133
____________________
n132 18 U.S.C. § 2511(2)(c).n133 18 U.S.C. § 2702(b)(3). "A person or entity may divulge the contents of a communication. . . with the lawful consent of the originator or an addressee or intended recipient of such communication, or the subscriber in the case of remote computing service." Id.
Lawful consent exists when "a person's behavior manifests acquiescence or a comparable voluntary diminution of his or her otherwise protected rights." n134 Consent may be actual or implied. A party provides actual consent by taking some affirmative action indicating his/her agreement for the content of a communication to be monitored or accessed. n135 Implied consent "is 'consent in fact' which is inferred 'from the surrounding circumstances indicating that the [party] knowingly agreed'" to the monitoring or accession. n136 In most instances, consent will be implied from "language or acts which tend to prove (or disprove) that a party knows of, and assents to, encroachments on the routine expectation that conversations are private." n137 Several factors are important in determining whether a person has consented to intercepting or accessing electronic communications: a written policy that explicitly permits monitoring, using modes of communication reserved for official or authorized use, banners providing notice that communications are monitored, and training programs informing users of the extent of monitoring. These factors may also constitute proof that continued use of an electronic communication, after receiving notice the communication is monitored, constitutes express consent to monitoring
____________________
n134 Griggs-Ryan v. Smith, 904 F.2d 112, 116 (1st Cir. 1990).n135 United States v. Willoughby, 860 F.2d 15 (2nd Cir. 1988).
n136 Griggs-Ryan, 904 F.2d at 117 (quoting United States v. Amen, 831 F.2d 373, 378 (2nd Cir. 1987)).
n137 Id. at 115.
Under most circumstances, use of a government computer constitutes actual consent to systems protection monitoring. As previously mentioned, Air Force computers are required to have a banner disclosing the possibility of [*177] monitoring, including monitoring "for management of the system." n138 This banner appears when the computer user logs onto the system. The user must affirmatively indicate understanding and acceptance of the banner's statement that "using this system constitutes consent to monitoring" and that "all information, including personal information placed on or sent over this system may be obtained during monitoring." n139 By clicking the "OK" button, the user gives consent to monitoring for all lawful purposes. n140
____________________
n138 AFI 33-219, supra note 96, at PA.2.3.5.n139 Id.
n140 See United States v. Monroe, 50 M.J. 550, 558-59 (A.F.C.C.A. 1999) (citing United States v. Maxwell, 45 M.J. 406, 417 (1996)).
Even if the act of accepting the conditions in the monitoring banner does not constitute actual consent, sufficient circumstances should exist to find implied consent for a number of reasons. Military members and civilian employees of the Air Force are aware that they are using government-provided computers during the course of their duties. Air Force instructions limit use of government communication resources to authorized and official purposes. n141 Furthermore, a government-provided computer is, generally, within the Air Force's control and does not accompany the member or employee upon reassignment. And finally, data files and e-mail messages are often maintained on a local area network or e-mail server to which the government computer is attached. Under these circumstances, it could be inferred that a military member or civilian employee has knowingly agreed to the monitoring. n142
____________________
n141 AFI 33-119, Electronic Mail (E-Mail) Management and Use P3 (1 March 1999) [hereafter AFI 33-119].n142 See Monroe, 50 M.J. at 558-59.
B. Provider Exception
The provider exception under both Title I and Title II focuses on the purpose of the interception and disclosure of the communication. If the purpose is to protect the system, the exception applies. Conversely, if there is another purpose behind the system provider's monitoring, the exception does not apply.
Title I statutorily created the provider exception for the interception of the content of electronic communications. The exception reads:
It shall not be unlawful under this chapter for an operator of a switchboard or an officer, employee, or agent of a provider of wire or electronic communication service, whose facilities are used in the transmission of a wire or electronic communication, to intercept, disclose, or use that communication in the normal course of his employment while engaged in any activity which is necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service, except that a provider of wire communication service to the public shall not utilize [*178] service observing or random monitoring except for mechanical or service quality control checks. n143
The exception has two parts. First, a switchboard operator or employee of a provider of wire or electronic communications service is permitted to intercept, disclose, or use a communication that passes through the service, if done as a necessary incident of the service or to protect the rights or property of the provider. The second part limits public service providers to observation or random monitoring only for mechanical or service quality control checks.
____________________
n143 18 U.S.C. § 2511(2)(a)(i).
The term "electronic communication service" is defined in the statute as "any service, which provides to users thereof the ability to send or receive wire or electronic communications." n144 "Many commentators, including the Electronic Mail Association, interpret this provider exception broadly to exclude most private employers from ECPA liability for perusing and disclosing employee e-mail communications that were transmitted through employer provided e-mail systems that use an employer's internal computer system." n145 Thus, it seems the provider exception would apply to the Air Force, as it does to private employers who provide e-mail for their employees. n146 Moreover, the Air Force is not limited by the public provider clause because, while it does provide an e-mail system for official, authorized use, the system is not available for use "[by] the public." n147
____________________
n144 18 U.S.C. § 2510(15).n145 Gantt, supra note 8, at 359.
n146 The distinction between public and private communications is important, though far from settled. Although not directly applicable to 18 U.S.C. § 2511(2)(a)(1), the reasoning in Andersen Consulting v. UOP, 991 F. Supp. 1041 (N.D. Ill. 1998), is persuasive on the point of public versus private services. During other litigation UOP and their attorneys had disclosed the contents of e-mail communications to a newspaper. Andersen sued, claiming a violation of 18 U.S.C. § 2702. In reviewing a motion to dismiss, the court held Andersen failed to state a claim since it could not prove UOP was a provider of an "electronic communication service to the public" under 18 U.S.C. § 2702(a)(1). The court held that the phrase "to the public" limited the prohibition against disclosure found in 18 U.S.C. § 2702 to those providers who are is the business of providing electronic communications services. The court held that a provider of private e-mail systems, such as Andersen's system used by UOP during their business relationship, is not prohibited by 18 U.S.C. § 2702 from disclosing the contents of e-mail transmissions on their systems. But see Lopez v. First Union, 129 F.3d 1186 (11th Cir. 1997) (finding bank was a provider of an electronic communication service where complainant established a prima facie claim under 18 U.S.C. § 2702 of the ECPA when bank disclosed contents of electronic funds transfers pursuant to verbal instructions from government agency).
n147 Anderson Consulting, 991 F. Supp. at 1042-43. Despite the well-reasoned opinion in Andersen Consulting, the United States Court of Appeals for the District of Columbia in Berry v. Funk, 146 F.3d 1003 (D.C. Cir. 1998), did not care for a similar argument regarding the provider exception to wire communications. The government had argued that Congress, in making the last clause of the provision applicable only to public providers, had, by negative implication, intended that non-providers could monitor at will. The court found the government's construction "quite strained and unpersuasive." Id. at 1010. The court reversed summary judgment in favor of the government and remanded the case for further proceedings. Should the government argue that the last clause of this provision applies only to public providers, rather intending to allow anyone who is not a provider to monitor at will, the Court may be more accepting of the argument. Although the Air Force does contract for and use communications services provided by public carriers, the scope of this article focuses on monitoring of those systems provided by the Air Force for official use.
[*179] Although not directly applicable to electronic communications, a recent case illustrates the application of the exception. In Berry v. Funk, the United States Court of Appeals for the District of Columbia found the provider exception extremely limited when applied to wire communications. n148 The appellant complained that various members of the government violated his Fourth Amendment rights and the Wiretap Act by monitoring telephone calls he placed to another individual through the State Department's Operations Center. Known as the "Watch," this "round-the-clock communications center performed a variety of functions, such as generating briefings on world events and serving as a focal point for handling urgent crises." n149 The Watch also serves as a communications node, allowing senior members of the State Department to communicate with other officials. The Watch is able to monitor telephone calls made through its consoles. At the time, the Watch's operations manual did not permit monitoring calls between senior department officials, unless they first requested monitoring. State Department employees monitored Berry's calls to another individual.
____________________
n148 Berry, 146 F.3d 1003 (reviewing a grant of summary judgment in the court below).n149 Id. at 1005.
Disagreeing with the government's argument that the provider exception relieved Watch officers of civil liability, n150 the court found that monitoring telephone calls, in violation of existing policy, was not within the normal course of a Watch officer's employment. n151 Additionally, the court equated Watch officers with switchboard operators.
A switchboard operator is authorized to overhear (and disclose and use) only that part of a conversation "which is a necessary incident to the rendition of his service." We think it rather obvious from the statutory language that Congress recognized switchboard operators, when connecting calls, inevitably would overhear a small part of a call, but the exception permitting them to use that content is limited only to that moment or so during which the operator must listen to be sure the call is placed. . . . In short, the switchboard operator, performing only the switchboard function, is never authorized simply to monitor calls. n152
[*180] The court went on to distinguish switchboard operators from providers of a public communications service, holding that the provision "actually recognizes two exceptions, one for switchboard operators of all kinds, and the second for employees of public providers of wire communications." n153 Unlike switchboard operators, service providers might have a reason requiring them to monitor communications beyond that necessary to determine if a connection has been made, such as providing or protecting the service. The court reasoned that Congress recognized this additional obligation on the part of a public service provider when they fashioned the last part of the clause. n154 Under that language, the only permissible purpose for a provider of public communications to engage in service observation or to perform random monitoring is to check for mechanical or service quality control problems. n155
____________________
n150 Id. at 1010.n151 Id.
n152 Id. Despite this broad statement, the circuit court also recognized that there were some instances when an operator is permitted to stay on a line, for example when the operator hears something troubling like murder plans. See, e.g., Adams v. Sumner, 39 F.3d 933 (9th Cir. 1994); United States v. Axselle, 604 F.2d 1330 (10th Cir. 1979); United States v. Savage, 564 F.2d 728 (1977).
n153 Berry, 146 F.3d at 1010.
n154 Id.
n155 Id. The court ultimately found that the government was not entitled to summary judgment on appellant's claims under the ECPA. Id. at 1014. The Court vacated the grant of summary judgment and remanded the case for further proceedings. See also 18 U.S.C. § 2511(2)(a)(i).
The provider exception in Title II is even broader than that in Title I. The statute exempts "a person or entity providing a wire or electronic communications service" from the provisions prohibiting intentional access to stored electronic communications. n156 Moreover, the statute also permits a person or entity to disclose the contents of a stored communication, "as may be necessarily incident to the rendition of the service or to the protection of the rights or property of the provider of that service." n157 These two provisions allow a service provider to access stored communications and to divulge the contents of those communications when it is necessary to do so to protect the system. n158
____________________
n156 18 U.S.C. § 2701(c)(1).n157 18 U.S.C. § 2702(b)(5).
n158 Bohach v. City of Reno, 932 F. Supp. 1232, 1236 (Dist. Nev. 1996).
Monitoring communications for systems protection, which includes access to the content of e-mail messages, may be permissible under the Constitution and the ECPA under the circumstances described above. There are, however, certain policy considerations surrounding systems protection monitoring that impact the decision to intercept or access e-mail. The issues include questions about the extent of a system administrator's responsibility [*181] when evidence of a crime is inadvertently discovered, whether certain types of privileged communication can or should be protected, and what is in the best interest of the Air Force and the Department of Defense.
A. Inadvertently Discovered Evidence
When the provider of an electronic communication service inadvertently discovers information within an electronic communication that appears to pertain to the commission of a crime, the provider may disclose the content of that communication to a law enforcement agency. n159 This statutory provision is quite different from the ECPA provision restricting an investigative or law enforcement agency that discovers evidence of additional criminal activity during an authorized interception. n160 Section 2517(5) does allow disclosure and use of information concerning criminal acts other than those which were the subject of a wiretap court order obtained by law enforcement. n161 However, disclosure is permitted only after receiving permission from the court following a separate review to determine whether the interception complied with the initial court order. n162 Sections 2511(3)(b)(iv) and 2702(b)(6), on the other hand, allow disclosure of inadvertently discovered information pertaining to the commission of a crime as long as the disclosure is to law enforcement authorities. The ECPA's legislative history supports this theory. Discussing inadvertent discovery, the Senate Report stated:
If an electronic communications service provider inadvertently obtains the contents of a communication during transmission and the communication appears to relate to the commission of a crime, divulgence is permitted when such divulgence is made to a law enforcement agency. If the provider purposefully sets out to monitor conversations to ascertain whether criminal activity has occurred, this exception will not apply. n163
____________________
n159 18 U.S.C. §§ 2511(3)(b)(iv), 2702(b)(6).n160 18 U.S.C. § 2517(5). This applies, for example, in situations in which law enforcement officials have a search authorization for the computer files to look for a particular type of evidence and, during the search, they unexpectedly find evidence of another type of criminal activity.
n161 Id.
n162 See United States v. Williams, 737 F.2d 594 (7th Cir. 1984).
n163 S. Rep. No. 99-541, at 26 (1986), reprinted in 1986 U.S.C.C.A.N. 3555, 3580.
Both provisions are based on the theory that information inadvertently discovered during the course of a legitimate intrusion, whether the communication is in progress or is electronically stored, is not an unreasonable invasion of privacy or an unlawful intrusion. n164 The legitimacy of an intrusion by law enforcement officials pursuing a warranted search can be easily tested [*182] by the court before the information is released or disclosed. n165 The legitimacy of disclosures of accidentally discovered evidence by a service provider is the more important issue where the Air Force is concerned.
____________________
n164 See Jacobsen, 466 U.S. at 116.n165 See United States v. McKinnon, 721 F.2d 19 (1983) (noting that Congress intended that evidence inadvertently discovered during an authorized search by law enforcement authorities be given retroactive judicial approval if the warrant was lawful and not a subterfuge and if the evidence was incidentally discovered). "Congress wished to assure that the government does not secure a wiretap authorization order to investigate an offense as a subterfuge to acquire evidence of a different offense for which the prerequisites to an authorization order are lacking." United States v. Southard, 700 F.3d 1 (1983) (noting that Section 2517(5) was nevertheless designed to permit the use of inadvertently discovered evidence different than that sought during a warranted search provided the court subsequently approves its use) (quoting United States v. Campagnuolo, 556 F.2d 1209, 1214 (5th Cir. 1977)).
The ECPA provisions permitting a service provider to disclose information to law enforcement authorities are less restrictive than those concerning disclosure of information relating to additional criminal activity discovered during an authorized interception. As noted previously, a provider of an electronic communication service may monitor communications to protect the system. Such monitoring is a legitimate and reasonable intrusion into the electronic communication and any inadvertently discovered evidence may be disclosed to law enforcement authorities. Again, this argument is supported by the ECPA's legislative history.
The exceptions to the general rule of nondisclosure provided in subsection (b) [of § 2702] fall into three categories . . . . The third category are [sic] disclosures to the government. In this area there are two types of disclosures. Those pursuant to a court order . . . and those disclosures undertaken at the initiative of the service provider in the exceptional circumstances when the provider has become aware of the contents of a message that relate to ongoing criminal activity. n166
In the military, where ultimate law enforcement authority rests with the commander, a case can be made that, in addition to law enforcement authorities, evidence of a crime inadvertently discovered on a military server may be disclosed to the commander.
____________________
n166 S. Rep. No. 99-541 at 37-38.
From both a policy and a legal perspective, it is important to preserve the distinction between systems protection and law enforcement. Although inadvertently discovered evidence may be disclosed, systems protection monitoring cannot be conducted to identify an individual's criminal activity. The systems administrator's responsibility is to protect the system. To the extent the purpose of monitoring shifts from protecting the system to uncovering criminal activity, the systems administrator becomes an agent of [*183] law enforcement. n167 Thus, after initial disclosure, further monitoring of communications to or from a particular individual or group of individuals, becomes a law enforcement activity and must comply with the requirements for law enforcement surveillance actions. n168 The decision whether there is sufficient information to proceed with a law enforcement investigation or whether to take action based on the evidence inadvertently discovered, should be based on factors outside the realm of systems protection.
____________________
n167 This was an important point for the Air Force court in Monroe. United States v. Monroe, 50 M.J. 550, 560 (A.F.C.C.A. 1999). Although not directly analogous, cases such as United States v. Duga, 10 M.J. 206 (C.M.A. 1981), are illustrative. In Duga, the Court of Military Appeals found statements made to the accused's friend, a policeman who was not acting on behalf of the Air Force when he questioned the accused, were admissible. See also, United States v. Sullivan, 38 M.J. 746 (A.C.M.R. 1993) (interception of cellular telephone conversation by neighbor was not the act of a government agent), aff'd, 42 M.J. 360 (1995).n168 See AFI 71-101, supra note 4, vol. 1, P3.3; Walter, 447 U.S. at 658.
B. Protected Communications
Systems protection monitoring also raises policy issues when the system is used to transmit protected communications. Protected communications include communications privileged under a rule of evidence or protected by statute or regulation. For example, communications between attorney and client should be protected in order to retain their privileged character. Communications containing medical information about a particular patient or certain mental health cases, such as drug and alcohol records, are protected. Protection for this kind of information does not cease simply because electronic communications are subject to monitoring. Indeed, the ubiquitous nature of this mode of communication requires greater care to preserve confidentiality. Given the need to monitor electronic communications systems, a policy and practice designed to maintain the protected nature of certain information should be implemented.
The Air Force has begun this process with a move toward professionalizing their systems administrators. n169 Network professionals should be trained in the technical and legal responsibilities of systems administration to identify the types of communications that should receive additional protection. They should be taught not to disclose information discovered during monitoring activities, except for official purposes. Clearly delineating when a systems administrator may make a disclosure of information is crucial in maintaining the protected nature of these communications. Although several different types of communications may be protected, the attorney-client [*184] privilege and an attorney's ethical responsibility to protect client confidences provide a good illustration of the need for additional protection from secondary disclosures.
____________________
n169 See AFI 33-115, supra note 94.
In the Military Rules of Evidence, the President recognized the existence of a testimonial privilege based on the attorney-client relationship. n170 The privilege protects communications made in confidence when obtaining legal advice. n171 "One of the principal purposes of the attorney-client privilege is to promote the free and open exchange between the attorney and the client . . . ." n172 The evidentiary privilege has two key components. First, the communication must be confidential. Second, the communication must be made for the purpose of seeking legal advice. n173 However, "the attorney-client privilege is not absolute." n174 A communication is not confidential if a communicant intends to disclose it to a third party. n175 In fact, the privilege does not exist when the attorney or the client uses a mode of communication that does not protect confidentiality.
____________________
n170 MCM, supra note 90, Mil. R. Evid. 502.n171 United States v. Romano, 46 M.J. 269 (1997); United States v. Rust, 41 M.J. 472 (1995).
n172 United States v. Neill, 952 F. Supp. 834, 839 (Dist. D.C. 1997).
n173 Rust, 41 M.J. at 479; United States v. Schaltenbrand, 930 F.2d 1554, 1562 (11th Cir. 1991); In re Grand Jury Subpoena Decus Tecum, 112 F.3d 910, 920 (8th Cir. 1997). The Army Court of Criminal Appeals quoted United States v. McCluskey, 20 C.M.R. 261 (C.M.A. 1955), when addressing the creation of an attorney-client relationship. The Army court stated:
Based on a policy to scrupulously protect the communications between clients and lawyers, the Court of Military Appeals has articulated the following prerequisites for establishing an attorney-client relationship: "(1) where legal advice of any kind is sough (2) from a professional legal adviser in his capacity as such, (3) the communications relating to that purpose, (4) made in confidence (5) by the client . . . [are protected as part of the attorney client relationship].")United States v. Spriggs, 48 M.J. 692, 695 (A.C.C.A. 1998)(quoting McCluskey, 20 C.M.R. at 267 (citation omitted)).
n174 United States v. Noriega, 917 F.2d 1543, 1551 (11th Cir. 1990).
n175 MCM, supra note 90, Mil. R. Evid. 502(b)(4); Romano, 46 M.J. at 273. The Eleventh Circuit in Noriega describes a two-part analysis to determine when the attorney-client privilege protects a communication from governmental intrusion: (1) when the communication was intended to remain confidential and (2) when "under the circumstances" the communication was "reasonably expected and understood to be confidential." Noriega, 917 F.2d at 1551.
An example of this principle is found in United States v. Noriega. n176 This case concerned the recorded telephone conversations between Manuel Noriega and his attorney. The calls were made on a telephone outside the prison cell where he was detained pending trial. Prison officials had informed Noriega that telephone calls were monitored, and the telephone he used had a [*185] label indicating calls made on the telephone would be monitored. But there was also evidence that prison officials had told Noriega that calls to his attorneys would not be monitored. Because of the ambiguity and confusion in the instructions on how privileged calls should be made, the court found Noriega had a reasonable expectation of privacy in the calls to his attorneys. n177 Upon reaching this conclusion, the court cautioned that had Noriega "actually [been] aware that his calls to his attorneys were being monitored," he would have been unable to claim the protection of an attorney-client communication. n178
____________________
n176 764 F. Supp. 1480 (S.D. Fla. 1991).n177 Id. at 1487.
n178 Id. at 1487-9. Despite finding an intrusion into the attorney-client privilege, the court refused to dismiss the indictment against Noriega. Intrusions into the attorney-client relationship are not per se unconstitutional. There must be some prejudicial effect from the intrusion. Id. (citing Weatherford v. Bursey, 429 U.S. 545, 588 (1977). To be prejudicial, the privileged information must be intentionally obtained, pertain to confidential defense trial preparations or strategy, and must be used to the detriment of the communicant. Id. at 1489; Neill, 952 F. Supp. at 840. There are four factors that must be satisfied to find a constitutional violation of the attorney-client privilege:
(1) whether evidence to be used at trial was obtained directly or indirectly by the government intrusion; (2) whether the intrusion was intentional; (3) whether the prosecution received otherwise confidential information about trial preparation or defense strategy as a result of the intrusion; and (4) whether the privileged information was used or will be used to the substantial detriment of the defendants.Neill, 952 F. Supp. at 840. In the Noriega case, there was no prejudice, since the government had sufficient protections to shield the trial team from intentional disclosures of attorney-client communications contained on the recorded telephone conversations. Noriega, 764 F.Supp. at 1489. Even though a disclosure "escaped" these protections in the Noriega case, the disclosure was not intentional. Additionally, the court held there was "no benefit to the prosecution, and no harm to Noreiga's defense, there was no prejudice and therefore no Sixth amendment violation." Noriega, 764 F. Supp. at 1489. The court in Neill, while disapproving of the government's choice to use "taint team" procedures to shield a trial team from attorney-client privileged material instead of submitting the materials for an in camera review, also found no prejudice from the government's intentional intrusion into attorney-client communications. Neill, 952 F.Supp. at 840-41; see also United States v. Calhoun, 49 M.J. 485 (1998) (regarding the procedure used in an Air Force case to shield potential attorney-client information during the search of a defense counsel's office).
Currently, electronic communications between an Air Force attorney and a client are not transmitted on secured systems, nor are most encrypted. Because otherwise protected remarks lose the privilege when communicated to a third party and both the attorney and the client should be aware that the systems administrator could intercept an electronic communication, the decision to use electronic methods to communicate could vitiate the existence of the attorney-client privilege. n179
____________________
n179 Although it is important to maintain the distinction between the evidentiary privilege and an attorney's ethical obligation to protect client confidences, this argument has been accepted by the Iowa Supreme Court in addressing an attorney's ethical obligation. Iowa Supreme Court Board of Professional Ethics and Conduct, Opinion 96-1 (1996) (due to an attorney's ethical obligation to protect client confidences, an attorney should not use e-mail for sensitive client communications without encryption or the express consent of the client).
[*186] Before reaching this conclusion, however, it is important to look at the use of electronic communications and the purpose of systems protection monitoring. If a government attorney uses the telephone to communicate with a client, there is the possibility the communication may be monitored under the provisions of TMAP. n180 This type of monitoring has not resulted in an elimination of the attorney-client privilege or the requirement that all communications be conducted in person. In recognition of the need to protect certain privileged information, the TMAP instruction limits secondary disclosures, especially when the communication is obviously protected. n181 In addition, the Eleventh Circuit recognized that "possession of [attorney-client] communications by one element of the government does not necessarily implicate another element." n182 It would seem, therefore, that the recognition that systems administrators may monitor communications does not necessarily eliminate the existence of an attorney-client privilege.
____________________
n180 See AFI 33-129, supra note 1.n181 Id. P21.6.
n182 Noriega, 917 F.2d 1551 n.10.
It should also be noted that the ECPA protects privileged communications. The provision reads, "No otherwise privileged wire, oral, or electronic communication intercepted in accordance with, or in violation of, the provisions of this chapter shall lose its privileged character." n183 Under this provision, a privileged communication remains privileged, notwithstanding the legality of its interception by a systems administrator monitoring the system.
____________________
n183 18 U.S.C. § 2517(4).
Interestingly, the protections afforded electronic communications by the ECPA provide the basis for the majority approach on this issue. Although the ethical responsibility to protect client confidences is not resolved by the ECPA, most state bar associations have found that the use of unencrypted e-mail does not violate the attorney's ethical responsibilities, even without the client's express consent to use e-mail. n184 The New York State Bar Association [*187] Committee on Professional Ethics explained,
In considering the ethical issue, we believe that the criminalization of unauthorized interception of e-mail certainly enhances the reasonableness of an expectation that e-mails will be as private as other forms of telecommunication. That prohibition, together with the developing experience from the increasingly widespread use of Internet e-mail, persuades us that concerns over lack of privacy in the use of Internet e-mail are not currently well founded. n185
____________________
n184 See, e.g., American Bar Association Standing Committee on Ethics and Professional Responsibility, Formal Opinion No. 99-413 (1999); Alaska Bar Association, Opinion 98-2, Communication by Electronic Mail (1998); Arizona State Bar Association, Formal Opinion 97-04 (1997); Opinion of the District of Columbia Bar's Legal Ethics Committee, Opinion No. 281 (1998); Illinois State Bar Association, Opinion No. 96-10 (1997); New York State Bar Association Committee on Professional Ethics, Opinion 709 (1998); State Bar Association of North Dakota, Ethics Committee Opinion No. 97-09 (1997); Pennsylvania State Bar Association, Opinion 97-130 (1997); South Carolina Advisory Bar Opinion 97-08 (1997) (overruling South Carolina Bar Ethics Advisory Committee Opinion 94-27). But see Iowa Supreme Court Board of Professional Ethics and Conduct, Opinion 96-1 (1996).n185 New York State Bar Association Committee on Professional Ethics, Opinion 709 (1998).
While a systems administrator may monitor electronic communications, safeguards must be in place to protect against the inadvertent or deliberate release of protected communications. Our systems administrators must have clearly defined guidance on how to protect certain types of communications, and there should be clear penalties for unauthorized disclosure of privileged information. Specific guidance for systems administrators on the release and protection of information has not yet been drafted. n186 This must be done in order to ensure the continued protection of privileged information communicated by electronic methods.
____________________
n186 While AFI 33-115, Volume 1, discusses the responsibilities of a systems administrator, there is no guidance in the instruction about the information collected as a part of the systems administrator's duties. See AFI 33-115, supra note 94, vol. 1.
Although current Air Force policy concerning the use of information gathered during TMAP/OPSEC monitoring is not directly applicable to systems protection monitoring and systems administrators, it may be helpful in formulating a policy for systems administrators. The policy relating to the use and disclosure of personal and proprietary information in TMAP reports is based on a requirement to balance the legitimate needs of the government to protect national security against the privacy and civil liberties of those involved in the monitored communication. Systems protection monitoring requires a similar balancing of the legitimate need to protect a communications system against the need to prevent certain types of communications and information from unauthorized disclosure. n187
____________________
n187 Although there may not be an expectation of privacy in a government communications system vis a vis a trained systems operator performing systems protection functions, there is still a need to use that system to communicate protected information. Although we may legally monitor the content of these communications, there is a nevertheless a policy reason for instituting some protections of the disclosure and use of certain types of information.
The TMAP policy specifically requires personnel monitoring communications to "protect the rights of individuals and proprietary information." n188 Indeed, several provisions offer protection in this regard. Monitors may not use the names of those involved in a monitored [*188] communication, their office symbols, transcripts, or facsimiles of a communication in a TMAP report. n189 A transcript or facsimile may be released, but only if necessary for operational purposes and only if names and personal privacy or proprietary information are removed before release. n190 Finally, inadvertently acquired information disclosing an "emergency situation or [a] situation threatening death or grievous bodily harm" must be reported to appropriate authorities immediately. n191 To the extent such information concerns only a significant crime or significant fraud, waste, or abuse, the communication cannot be reported if it is protected by the attorney-client privilege. n192 If identifying data is included in the report, the information can be used only to prevent future OPSEC problems or for administrative actions for disclosing classified national security information. n193 Disclosed information cannot be used for judicial actions without first submitting the matter to Headquarters Air Intelligence Agency Office of the Director of Operations and the Office of the Staff Judge Advocate, to Networks Division, Systems Directorate of the Air Force Communications and Information Center, and the Secretary of the Air Force General Counsel's Office. n194
____________________
n188 AFI 33-219, supra note 96, P23.n189 Id. P23.1.
n190 Id. P24.1.
n191 Id. P24.5.
n192 Id.
n193 Id. P25.
n194 Id.
A similar policy should be applied to systems administrators. They should be required to protect information acquired while monitoring the system. If the systems administrator generates a report regarding systems protection activities, the report should exclude the content of a monitored communication, unless protected information, such as names or identifiers that can disclose identity or proprietary information, is removed. Since a systems administrator can disclose inadvertently discovered evidence of criminal activity to a law enforcement official, applicable policy should also protect against the disclosure of attorney-client information. n195 Such a policy will balance the need to protect our communications systems with the need to prevent certain types of information from wrongful disclosure.
____________________
n195 It might be advisable for attorneys and their clients who use e-mail to communicate to clearly label any messages containing confidences. For example, most e-mail programs allow for a subject line. Similar to labels placed on most legal office FAX cover sheets, a smart attorney will use this subject line to label a confidential message as "Attorney-Client Information." This would put a systems administrator on notice that the information contained in the message is protected and should not be further monitored or released.
[*189] C. Department of Defense Policy
Currently, the DoD does not have a specific directive or instruction establishing policy for monitoring electronic communications. The Joint Ethics Regulation does, however, place users of government communications systems on notice that a communications system may be monitored. n196 The Joint Ethics Regulation (JER) also refers to two other DoD directives that apply to telephone monitoring. One directive governs telephone monitoring for communications security n197 and the other establishes policy for monitoring and recording telephone communications. n198 Although these two directives are pending revision, the DoD has indicated that the policy enunciated in both directives should be extended to all types of communications. n199 Unfortunately, both directives were drafted in the 1980s, prior to the explosion in the use of electronic communications. Trying to fit today's electronic communications issues into policy formulated for telephonic communications is like trying to fit a size "1999" foot into a size "1980" shoe. It is difficult at best and requires a great deal of wiggling.
____________________
n196 Department of Defense Directive 5500.7-R, The Joint Ethics Regulation P2-301(a)(3) (Aug. 1993) [hereinafter JER].n197 Department of Defense Directive 4640.6, Communications Security Telephone Monitoring and Recording (June 26, 1981). This directive applies to communications security monitoring and will not be discussed.
n198 Department of Defense Directive 4640.1, Telephone Monitoring and Recording (Jan. 15, 1980) [hereafter DoDD 4640.1].
n199 Telephone Interview with Patti Aronsson, Staff Attorney, Secretary of the Air Force general Counsel's Office (Military Affairs), Pentagon, Arlington, Virginia (Dec 1998).
An analysis of the policy found in DoD Directive 4640.1 reveals the problems encountered when trying to overlay telephonic monitoring policy onto electronic communication. This directive permits monitoring and recording communications, provided the information to be gained is necessary to accomplish the DoD mission. n200 The Directive defines "monitoring" as the aural acquisition of a communication. n201 This definition is natural, since the Directive was drafted to apply to telephonic conversations, which by their nature are verbal and can be aurally acquired. The definition's focus is the content of the communication, not that it was made. Because this directive has been extended to electronic communications, as now written the definition must be interpreted to include that type of communication. But, with the exception of video teleconferencing, electronic communications are not verbal communications. To be sure, language makes up the content of the message, but there is currently no way to acquire aurally an e-mail message. If this definition were rewritten to include electronic communications, the term [*190] monitoring would apply to the acquisition of the content of the communication. The Directive also defines "recording" as the preservation of the contents of a communication through use of electronic, mechanical, magnetic, stenography, or other means. n202 The definition does not include the notes taken by a participant to the conversation.
____________________
n200 DoDD 4640.1, supra note 198, PD.1.n201 Id. encl. 2, P1.
n202 Id. encl. 2, P2.
Finally, the Directive discusses "communications management activities," n203 defining them as "measures taken to ensure the proper mechanical operation and the efficient use" of a communications system. n204 Recording and analyzing the number and duration of a communication, the total load on the system, and records of communications including those accessed and their duration, all fall within the definition. n205 It appears this term is synonymous with the more current term "systems protection." It follows that any policy relating to communications management activities would, therefore, be applicable to system protection monitoring.
____________________
n203 Id. P3.n204 Id. encl. 2, P4.
n205 Id.
As with the Directive's definitions, the policy for telephonic communication does not mesh well with the realities of electronic communications. In establishing policy for communications management activities, the Directive prohibits recording the contents of a conversation, without specifically defining the term "conversation." n206 Although DoD has indicated that the policy contained in this Directive should apply to any communication, expanding the term "conversation" to include electronic communications without amending the prohibition precludes recording backup disks or tapes of e-mail stored on a server. Clearly, prohibiting backup tapes or disks is not the intention. n207 In order to reconcile the current policy with changes in technology, the term "conversation" would have to be limited to its plain meaning, as an verbal exchange of ideas, n208 or an exception would have to be made for electronic communication. Under this scenario, the directive would either limit the prohibition on preserving the contents of a verbal communication or specifically exempt recording electronic communications for storage.
____________________
n206 Id. P3a.n207 Additionally, the directive prohibits interception of communications to determine whether the communication is official or authorized, a necessary purpose behind electronic systems monitoring. Id. P3b. See also 5 C.F.R. § 2635.704(a) (1999), which establishes a duty to protect and conserve Government property and prohibits an employee's use of such property, or allowing its use, for other than authorized purposes.
n208 WEBSTER'S NEW UNIVERSAL UNABRIDGED DICTIONARY 248 (2 ED. 1983).
Extending the telephonic policy in DoD Directive 4640.1 to electronic communications also conflicts with provisions in the JER that permit [*191] monitoring for "any type of use, including incidental and personal uses, whether authorized or unauthorized." n209 The JER does not define "monitoring." In order to reconcile the Directive with the JER, the term "monitoring" in the JER would have to be read as permitting access to the content of stored communications rather than the content of communications in transit. Thus, a systems administrator would not be able to intercept communications as they occur, for example verbal conversations as a part of a video teleconference or keystrokes entering information in a chat room, solely to determine whether the communication was official or authorized. However, the systems administrator would be able to intercept an electronic communication and to access the content of stored communications for systems protection purposes.
____________________
n209 JER, supra note 196, P2.3.1(a)(3).
Finally, the Directive allows incidental monitoring by operators and maintenance personnel, if the interception is necessary to perform service or mechanical checks and if the parties to the communication are aware of the duration of and the reason for monitoring. n210 This provision was drafted to allow telephone operators to listen to a conversation while making a connection. It also allows maintenance personnel to listen to or record conversations as a part of a service or mechanical check, as long as the parties are informed. To extend the application of this policy to the systems administration function would require that systems administrators be classified as maintenance personnel. Such an extension of policy is, at best, problematic. Systems administrators have a responsibility to ensure the proper operation of their system, however, that responsibility does not, of itself, make systems administrators maintenance personnel. Even if a systems administrator can be called a maintenance person, the DoD Directive would only allow limited monitoring and only for the purpose of testing the system. Additionally, the systems administrator would have to notify the user when the monitoring has begun and when it ends.
____________________
n210 DoDD 4640.1, supra note 198, P3d.
Simply extending the policies contained in the DoD Directive to electronic communications could result in gaps in policy and procedure that would ultimately frustrate system protection efforts. Because systems protection monitoring is so crucial to the Air Force and DoD missions, the Directive should be rewritten with electronic communications in mind. The duties and responsibilities of a systems administrator should be clearly established and the policy should be drafted with today's technology in mind. Unlike current policy, a rewritten policy must also be sufficiently flexible to permit application as technology changes.
Systems protection monitoring is an essential part of the Air Force's efforts to "provide effective, efficient, secure, and reliable information network services used in critical Department of Defense and Air Force communications and information processes." n211 As the use of electronic modes of communication increase, so does the potential for harm from both inside and outside the system. The systems administrator and the monitoring function performed by the administrator are essential parts of the defense of our information infrastructure.
____________________
n211 AFI 33-115, supra note 94, vol. 1, P1.
Systems protection monitoring is a constitutionally permitted exercise of the government's authority. Air Force members and employees effectively consent to systems protection monitoring and are on notice that a systems administrator may obtain any information sent over the system. The operational realities of the Air Force workplace lead to the conclusion that there is no expectation of privacy for the purposes of systems protection monitoring, though there may be an expectation the content of communications will otherwise be protected. Indeed, just because there is no reasonable expectation of privacy for purposes of systems monitoring does not mean that an Air Force member or employee loses an expectation of privacy in their electronic communications for all purposes.
Systems protection monitoring also does not violate the ECPA's general rule prohibiting interception or accession of electronic communications. The consent exception allows interception or third party access to a stored communication when a party to the communication consents. The systems provider exception allows a provider to intercept an electronic communication or disclose the contents of a stored electronic communication if the interception is necessary to render services, or to protect the rights or property of the provider.
While monitoring communications for systems protection may be constitutionally and statutorily permissible, there are important policy considerations that must be addressed. Although a systems administrator may disclose inadvertently discovered evidence, a systems administrator should not act as the tool of a law enforcement agency. This distinction is important in maintaining the focus of systems protection monitoring as a means of protecting a system from misuse and abuse. The goal of systems protection is not to uncover criminal activity, but to keep the system running properly and ensure the information contained on the system maintains its integrity. If a systems administrator becomes a law enforcement tool, the purpose of monitoring would shift to obtaining evidence against a specific individual or [*193] group of individuals and would require probable cause and appropriate authorizations.
Another policy consideration involves protected communications. The DoD, should establish specific policies delineating when and to whom a systems administrator can disclose information garnered during systems monitoring. These policies should carefully address subsequent disclosure of certain types of information that would otherwise be protected. The needs of a systems administrator must be balanced with the responsibility to protect privileged information and communications.
Finally, the DoD should specifically address systems protection monitoring of electronic forms of communication. Guidelines must be established that take into account the technological principles, legal parameters, and policy considerations surrounding system protection monitoring. Trying to extend existing policy, which when drafted applied to verbal communications over telephone wires, is extremely difficult and is not likely to be successful.
Challenges come with the growth of new technology. The DoD needs to be able to meet these new challenges. Systems protection monitoring is only one of the tools in the toolbox, but it is an important tool. As we professionalize the duties and responsibilities of the systems administrator, we must make every effort to provide them with well-defined legal guidance. In this way, systems administrators and other network professionals will be better able to serve as that first line of defense in today's extensive but sensitive information environment.