Tuesday, June 24, 2008

Can your company read your email?

Below is a link to an interesting article in the Los Angeles Times this week. It has to do with a ruling by the 9th Circuit Court of appeals on an employer’s ability to access and read electronic messages (text messages or email) when they are stored with an outside provider. There are several interesting things to note about this ruling.

Arch Wireless was defined in the ruling as being an “electronic communication service” (ECS). This is important because if they were defined as a “remote computing service” (RCS) then they would be off the hook. The Stored Communications Act allows an RCS to release stored private electronic communication with consent of either the user or the subscriber (the city in this case) whereas if they are an ECS they can only release private communication with consent of the addressee or recipient.

At this point all of you who are using a hosted email or hosted archiving solution are wondering if your service is considered an RCS or ECS. As luck would have it the court made the distinction between what defines an RCS and an ECS. An ECS provides users with the ability to send or receive electronic communication. An ECS might also store those electronic communications but only temporarily for the purpose of transmission of the content or backup protection. On the other hand an RCS is defined as the provisioning of public computer storage or processing by means of an electronic communications systems.

Arch Wireless was defined as an ECS because when it archived the text messages it was not clear who it was doing that for. If they were clearly providing a storage service for their provider then they would have been classified as an RCS.

It is clear to me from this ruling that corporations using a third party for email service (e.g. MSN Hotmail) would need consent from the addressee or recipient in order to search or look at the email stored in that service. It is not clear to me whether or not this might extend to hosting companies hosting an email system (e.g. Corporate Exchange) for the public. In those cases they might be looked on as provisioning storage space so that they can host the Exchange organization.

However it is very clear to me that the way to avoid the risk associated with this ruling is to Archive. Whether hosted or onsite an Archive is not the storage of email for the purposes of back protection or a temporary holding position for transmission. An Archive is providing a permanent copy of the email for the purposes of compliance or eDiscovery. If a company uses a hosted solution for archiving they are safe since that solution clearly is provisioning storage to the public and storing data permanently. Safer yet is the company that Archives all data and stores it in house. This ruling would not apply to them.

Listed below are links to the article and the ruling. Enjoy! :)

http://www.latimes.com/technology/la-me-text19-2008jun19,0,1023202.story

http://www.ca9.uscourts.gov/ca9/newopinions.nsf/D2CDDB4098D7AFB28825746C0048ED24/$file/0755282.pdf?openelement

Technorati Tags:
, , , , , , , ,

2 comments:

Benjamin Wright said...

Ron: The Quon case may give employers incentive to broadcast to employees multiple, repetitive privacy disclaimers. What do you think? --Ben http://hack-igations.blogspot.com/2008/06/employee-imtexte-mailvoicecomputerinter.html

Ron Robbins said...

Ben,

Thanks for commenting...

This might protect them in the case of 4th amendment rights violations. I think that the ruling would still be the same though because of how the court defined Arch. Since Arch is an ECS they needed approval from Quon to acquire the emails. Since they did not obtain approval they are at fault.

I am not a lawyer though so I could be wrong. :)

Ron