People v. Klapper, — N.Y.S.2d —, 2010 WL 1704796 (N.Y.City Crim.Ct., April 28, 2010)
Let’s hope that’s an overstatement.
A recent case from a criminal court in New York dealt with whether an employer violated the state’s law prohibiting unauthorized use of a computer (Penal Law 156.05). Though the court probably came to the right decision in dismissing the case, it said some puzzling things along the way about internet privacy.
The defendant-boss was alleged to have installed keylogging software on his employee’s work-issued computer. Through those means he acquired the password for the employee’s “personal” email account, and copied some messages from that account.
The court dismissed the case, finding that the prosecution had not alleged that defendant, the computer owner, had notice of any limited access to the computer or the email account. (After all, it was the employer’s computer.) The allegations further failed to allege that the employee had installed a security device to prevent unauthorized access or use.
That last part is a bit puzzling (wouldn’t the password protection on the “personal” email account satisfy that point?). But the real puzzling part of the opinion is how the court essentially destroyed the idea that there’s any hope for an expectation of privacy in internet communications.
Here’s the first paragraph of the opinion:
In this day of wide dissemination of thoughts and messages through transmissions which are vulnerable to interception and readable by unintended parties, armed with software, spyware, viruses and cookies spreading capacity; the concept of internet privacy is a fallacy upon which no one should rely.
Apart from grossly overstating the death of a reasonable expectation of privacy in internet communications, the pronouncement was not needed to dispose of the case. The matter only dealt tangentially with whether the victim had any privacy rights violated. The real analysis was on whether the defendant had notice that access to his employee’s email account was unauthorized.
Though the court was correct on focusing its analysis on that point, i.e., whether the access was authorized, the more general obituary of internet privacy would seem to elminate the need for that proper analysis.
If there’s no internet privacy, why should we even bother to ask ourselves whether access to an account is authorized? If the concept of internet privacy is a “fallacy,” as the court declared, aren’t all our communications open for inspection and review by anyone?
Privacy photo courtesy Flickr user rpongsaj under this Creative Commons license.
May 6, 2010
I directly contributed to the drafting of the motion to dismiss for that won this case. One of the things that you are overlooking is that DA never actually identified the email account which was purportedly accessed by my client. The DA’s accusatory instrument stated that the complainant used her employers computer ?for work-related purposes, including to access and use her personal e-mail?, which suggests that the personal e-mail account was not entirely personal, but a mixed used e-mail which included work-related e-mail transmissions–and indeed our records show that the complainant’s email was used in this manner. To the extent that the complainant used an e-mail account for work-related e-mail transmissions on a computer owned by the her employer, to that extent one must call into question whether any access thereof was truly unauthorized.
This opinion does not deal a death knell to internet privacy in its entirety. It stands for the proposition that the concept of unauthorized access of a computer is unintelligible in the workplace when the computer is owned by the employer and internet access and transmission is provided by the employer. In such a context, there can be no “reasonable expectation of privacy” by an employee. Employees are on constructive notice–if not actual notice–that their internet usage is potentially being monitored–and rightfully so.
This is a very context specific decision. Your analysis fails to recognize this.
May 11, 2010
Actually, it mostly sounds like judges are simply giving up on the concept of internet privacy. And the thing about digital communications is that there’s a digital copy of everything that can eventually be accessed with the right passwords and protocol. Snail mail is starting to look better and better.
May 12, 2010
I understand what Mr. Moccia is saying, but that’s not what the judgement is saying. I’m thankful to Mr. Brown for calling out this extreme view.
May 14, 2010
What if?
What if, employers created White List (of websites needed for employees to perform their jobs) and limited Internet access to the White List?
What if, entertainment and webmail and other non-business related websites were blocked (at the router) so that “no employee” had access to other than the email provided for company business?
This would be a different order of content management but nothing that is not already done within school systems to protect children from pedophiles.
Hmmm!
A “closed business system” used for business and not entertainment.