Employee Email Privacy Considerations
Written by Mike Rede on May 24, 2010

In John P. Mello Jr.’s blog post, “Peeking into employee’s email can be no-no”, John details a recent New Jersey court case involving the rights of a company to view the contents of an employee’s non-business-related emails on the laptop issued to the employee after the employee had left the company.
In the court case, the trial court refused to require the employer, Loving Care, to return the emails to the employee’s attorneys. A judicial panel had upheld a lower court’s ruling that it was allowable for the company to access the employee’s email communications between the employee and her attorney.
Later, however, an appellate court reversed the lower court’s decision and held that the employee had not waived their attorney-client privilege.
As it turns out, the laws regarding email privacy vary not only at the state level but also at the federal level. For example, if one of the employees in your company sends an email from their state to someone in another state, the question could come up: which state’s email privacy law supersedes the other’s? As it happens, what might be considered legal to read in one state might, in another state, be considered illegal and unjustified to read.
According to the State of California Online Privacy Protection Act (OPPA) of 2003, companies which operate commercial websites must disclose their privacy policy with regard to what data they might collect and share with other organizations. That data could theoretically include the contents of email messages that pass through their servers.
But the point at which companies can read email messages which they themselves did not create gets into very grey areas of law that are open to much interpretation. In United States v. Councilman, a three-judge panel of the First Circuit Court of Appeals ruled that there was no violation of federal wiretapping laws when a company, which operated an online bookstore and email server, used its email service – which the company provided to subscribers – to basically view what email messages were being sent to its subscribers from a rival company.
What makes that case interesting is that the concept of “intercept” was at the core of the email privacy issue. If the email message contents were held within a temporary storage area, then the viewing of the email message would not meet the definition of being “intercepted” as defined in the federal wiretapping laws. Therefore the company which provided the email service to its subscribers was free to read email messages with impunity while those email messages were in “temporary” storage on its servers.
So if you think about your own company then this ruling would have given you, as an administrator and hence as a representative of your company, an open door to read and view emails on your servers. If, for instance, email messages were found in some “temp” storage directory on your server they would most likely fall under the category of “temporary storage” and be allowed to be read by someone other than the originator of the email message.
I say “would” as in past tense because a subsequent ruling by the full First Court overturned the panel’s ruling and thus that company was not allowed to read email that had indeed been “intercepted”.
At a more technical level the concept of “intercepting” a complete email message means that someone would have to “intercept” all the packets of transmission that made up the complete email message and then reassemble them so as to be viewable. I would hope that the legal system has already taken into account all such technical details and updated the laws where applicable.
Addressing the more general area of email privacy there exists at a federal level the Electronic Communications Protection Act (ECPA) (18 U.S.C.A. 2517(4)) which makes it a federal crime to intercept email transmissions. The law effectively makes it illegal to “snoop” the network for email messages while those email messages are in “real-time” transmission between sender and receiver.
What is interesting about the ECPA is that it does permit Internet Service Providers (ISPs) to view – read – email messages that are stored on their servers. Those email messages could be turned over to law enforcement officials as long as the officials could present the appropriate warrants or subpoenas.
So when I speak of these areas of email privacy being grey and open to interpretation all one has to do is look at the federal level such as the ECPA and the wiretapping laws to see how they are applied.