NJ Court Upholds Privacy of Personal Emails At Work
chiguy sends word of a ruling from the New Jersey Supreme Court which found that a company did not have the right to read emails from an employee's personal account even though the account was accessed on a company computer. This ruling is likely to set precedent for other workplace privacy cases around the country.
"'The court has recognized the very legitimate and real concerns with regards to privacy. This gives some guidance to employers in terms of how explicit (e-mail) policies need to be,' [attorney Marvin Goldstein] said. The ruling stems from a harassment and discrimination lawsuit Marina Stengart of Bergen County filed three years ago against Loving Care of Ridgefield Park. Stengart, then the executive director of nursing, sent her attorney eight e-mails from her company-loaned laptop about her issues with her superiors. Stengart used her Yahoo e-mail account. 'Under all of the circumstances, we find that Stengart could reasonably expect that e-mails she exchanged with her attorney on her personal, password-protected, web-based e-mail account, accessed on a company laptop, would remain private,' Chief Justice Stuart Rabner wrote in the decision, which upholds an appeals court’s ruling last year."
a company did not have the right to read emails from an employee's personal account even though the account was accessed on a company computer.
I agree with the general principle - if someone doesn't use the company account there should be a reasonable expectation of privacy for a personal webmail account. However she still may be violating company policy about using work assets for personal affairs. The computer is owned by the company and they have every right to reprimand her for making the emails regardless of the content.
The data exists on the company's computers, likely passed through their network and servers, and because of these things they are legally accessible by the company. Unless the company accessed her email account at Yahoo using this data, there doesn't seem to be an issue to me. Unfortunately, the article is sparse on the details. Only an idiot would think, in these times, that the things they do on their company PC or laptop would not be accessible by the company. Just because they issue you a system doesn't make that system yours - it's theirs, including all its contents.
Interesting, but I'm not going to get too worked up about it without reading the actual ruling. Attorney / Client communication is one of the most privileged under the law. Unless the court wrote the opinion in such a way as to explicitly broaden the scope of "privileged information from personal email accounts", this is likely to be interpreted narrowly (or, at least, an argument can be made that the decision should be narrow).
If you can read this... 01110101 01110010 00100000 01100001 00100000 01100111 01100101 01100101 01101011
How does this mesh with the other ruling that says that you have no expectation of privacy if your email is stored on a third-party server?
In an era where privacy is slowly being eroded online, it's good to see a judge take a stand and at least draw the line somewhere.
"There is a way that seems right to a man, but its end is the way of death." Proverbs 16:25 (NKJV)
But if what she did was wrong "regardless of the content", why did the employer have to read them?
They didn't. That was just stupid on their part - at least according to the judge. Unless they didn't have their usage policies written out (also stupid) they could have fired her, without reading the content, for violating corporate policy on acceptable use of company assets.
A person has no reason to expect anonymity on a computer or network that is not their own.
That's rather like saying you have no reason to expect privacy because you rent an apartment instead of owning a house. You send letters through the postal service which is a network you don't own either but you still have an expectation of privacy in many cases. I'm not sure the logic of your argument is on solid footing there.
I agree that she was probably naive in assuming that the company couldn't read her correspondence. Many people assume email is much more private than it actually is. Ignorant but probably nothing worse.
IANAL, but don't I give consent to monitoring when prompted by nearly any government computer system (and any private corporations who do something similar)? If I don't want to be monitored, I don't use that system...seems simple enough.
"ruling from the New Jersey Supreme Court ... is likely to set precedent for other workplace privacy cases around the country."
No, it's likely (100% likely, in fact!) to set precedent for other workplace privacy cases in New Jersey. For the rest of the country, it sets nothing, even if it might be useful for other courts dealing with similar problems.
Unless, of course, poster is just being ridiculously optimistic and thinks that the logic of this ruling is so impressive that all other judges will simply bow in awe and follow it. To which the only response is: d'awwwwww.
Finally my home state shows some common sense. Though this is a state supreme court, not federal, so I don't know how much precedent it will be.
I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
The company did have their usage policies written out and the court noted that they explicitly said "occasional personal use is permitted."
So she didn't violate the company's acceptable use policy.
If the company policy had said that personal use is never permitted, the court might well have ruled differently.
Instead, the court should have asked: if Stengart had left a written letter to her attorney in her desk when she left Loving Care, could Loving Care have used that letter in preparation for court cases?
Actually, if the letter was still in a sealed, addressed envelope... Then she could reasonably expect that the company would not be able to open it and read the contents, much less use anything they read in court. If the letter was NOT sealed it would be a different story.
IANAL, but I would think that the correlation of sealed envelope -> password protected personal email account would be an easy one to make.
It's communication between an individual and their attorney. That's legally protected six ways from Sunday far beyond normal communication. I'm pretty sure that is the thing that saved her.
It's absolutely dumb to be sending and receiving personal mail on work computers. Doubly so if you're communicating with a lawyer, discussing the possibility of filing a lawsuit against your company. I've seen some seriously dumb email usage in my day. Like using a company account to communicate with a mistress. That's my current favorite. :P I'm pretty sure I won't be allowed to filter out "my widdle pookie-wookie" if our email ever gets subpoenaed. In fact, there's a better chance of a subpoena requesting that phrase than excluding it.
From reading the article, it looks like it has nothing to do with networks and proxies and firewalls (oh my). They scanned her hard-drive and probably found them in the browser cache. Since it was a laptop, it's entirely possible, if not likely, that she emailed her attorneys from home using her own network.
Flawed analogy. When you send your postal mail, you contracted with the postal service that they won't open your letter.
All analogies are flawed. Doesn't mean they are useless. To address your criticism however, you missed the point of my analogy which is that just because you don't own a network does not mean you have no expectation of privacy at any time. It's just not that simple.
Most corps that I know/heard of pretty much explicitly state that they can and will monitor their network.
That's a FAR different thing from saying the corporations have a right to monitor anything they want without limitation. Companies generally don't have a right to install a camera to watch me take a crap. It violates the principle of reasonableness. There are limits to how intrusive monitoring can get. This ruling says that this company violated one of those limits.
Is this tied close to something unique in NJ law or will this likely have broader influence with other state supreme courts?
First of all there is NOTHING in the Constitution explicitly protecting privacy. Nothing. Everything relating to privacy in the Constitution has been inferred. Go ahead and read it. You won't find the word privacy or anything like it mentioned even once.
The fourth and ninth amendments taken together. See also the fourteenth.
$ make available
If she left a sealed, stamped letter to her lawyer I would expect them NOT to open it. If she talked to her lawyer and the company overheard the conversation, I would expect their knowledge gained to be like unto "fruit of the poisoned tree", and disallowed. There is a big difference between what you CAN do and what you are ALLOWED to do. People who do what isn't ALLOWED because they realize they CAN, in a country under the rule of law, should expect to be punished when they are caught.
While I might not like that google reads all my email, at least I can be sure that it gets from their servers to my computer without being read by snoopers.
Unless you verify that the cert your browser gets for mail.google.com has not been replaced by SSL interception software, you cannot be certain your mail isn't being snooped by your employer (or even your employer's upstream provider). A nice tool for detecting changed SSL certs is the Certificate Patrol add-on for Firefox (https://addons.mozilla.org/en-US/firefox/addon/6415).
When I read the Constitution I found this section called the Fourth Amendment. This is what is said:
Amendment 4 - Search and Seizure.
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
I think reading private, off-site, email that is completely separate from work with a password you found cached in work equipment is a violation of the "security" of the person in the story. I find that "right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures" and privacy regarding a person's home and private correspondence to be synonymous. The article mentions no potato but it does say a thing or two about potato. (The words "potato" and "potato" should be treated as phonetically different in the previous sentence and may alternately, at your pleasure, both be replaced in whole by the two words "tomato" and "tomato")
For instance, if you leave a spare house key in your desk drawer (which is using work equipment for personal use again) can management take it and go looking through your underwear drawer?
That's quite a penumbra.
Can't forget the tenth. If it's not spelled out in the Constitution, the Federal government doesn't have it. Since there is no Amendment saying the government can poke its nose into your business, you still have your privacy with which you were born.
God invented whiskey so the Irish would not rule the world.
The topic isn't the federal government doing something, so that's irrelevant.
legalities and ethical issues aside...
when, the fuck, are people going to learn to use encryption for important stuff. I mean, seriously, it's not *that* hard.
My ism, it's full of beliefs.
Since Federal law always trumps state law, you're wrong. A State can no more restrict my freedom of speech any more than the Feds could.
I got excited when I glanced and read Supreme Court... I'm thinking NO WAY - they actually did the right thing?!?!?! Then realized it was just the New Jersey Supreme Court.
If this gets appealed I'm prepared for it to be overturned by the U.S. Supreme Court. They're not ones to let personal privacy get in the way of well... anything.
-[d]-
One man's flamebait is another man's satire.
"I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
Companies will just block access to non-corporate e-mail websites. Which they should really do anyways since it allows employees to bypass all of the security filters on their e-mail system, creating a big security risk for the corporate LAN.
As we all know, encryption means probably never having to say you're sorry.
Except maybe to the NSA.
deleting the extra space after periods so i can stay relevant, yeah.
To my knowledge, At Will is the default employment contract in 48 states in the US. It can, however, be surrendered and replaced with another contract. Companies do this routinely by accident and that is part of the reason wrongful termination cases are still won in the land of At Will.
Would this not also require a redirect to a domain other than mail.google.com?
Nobody other than google should be able to generate a certificate for mail.google.com
Ah, but the corporation can.
Employer who violated an employee's privacy:
"Loving Care"
"Loving care", indeed.
"I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
Have you actually read the first amendment? It says that Congress shall not... it says nothing about states rights. The SCOTUS decided some time back that it would be unconscionable for states to restrict some rights and hence the first amendment applies to states also. Other amendments provided the rationale for this decision.
Why is this distinction important? Well, what about gun rights? The SCOTUS has not yet decided if gun rights can be restricted at the state level. It's not so clear that all the rights enumerated in the bill of rights cannot be restricted by the states.
The real "Libtards" are the Libertarians!
Always remember you have rights because you are a person, not because the constitution says so.
Ideally true but not in reality. If what you were saying was true then why do dictatorships exist? After all I "have rights because I am a person". It's a nice dream but it's not reality.
If the law isn't written in such a way as to afford you a right, you don't have it. The Declaration of Independence declared all men are created equal, yet few would argue that was actually true under the law for most of the history of the US. The basis of US law is the Constitution so ultimately any discussion of US law will start there.
I am protected against unreasonable searches; how does that not explicitly protect privacy?
If it was so obvious, why did it take until 1967 for the Supreme Court to interpret the law to include a "reasonable expectation of privacy"? Fact is that the 4th amendment could be interpreted a number of ways other than how it has been.
What about breach of attorney client privilege?
IIRC the conversations were with her lawyer.
Would this not also require a redirect to a domain other than mail.google.com?
Nobody other than google should be able to generate a certificate for mail.google.com
SSL interceptors (such as the one made by Bluecoat) work by intercepting IP traffic bound for port 443. They pull a MITM attack on you by making a new SSL connection to the actual site, extracting the site's public key from the real cert, wrapping it in a forged cert that is signed by their CA cert. All the IT department has to do is install the interceptor's CA cert into each employee's browser (IE lets the domain admin do it remotely) so that the forged cert appears to be valid. So you either check for IT-installed CA certs in your browser (the Certificate Patrol add-on helps with Firefox), or run a script to fetch the cert from the site (using the openssl command-line util) and compare it to a known-good copy of the cert before you visit the site.
"Delete browsing history on exit".
At work, I have IE8. At home, Firefox, much easier.
Of course, there is memory. The work PC uses PGP FDE with a recoverable certificate, so I have to clear it myself.
deleting the extra space after periods so i can stay relevant, yeah.
Please read the 14th amendment. SCOTUS didn't do anything.
$ make available
[...] or run a script to fetch the cert from the site (using the openssl command-line util) and compare it to a known-good copy of the cert before you visit the site.
Such a script would do something equivalent to these manually entered commands:
Of course, file knowngood-gmailcert.txt should be under your physical control at all times (i.e., on CD/DVD or mounted read-only via TrueCrypt). If the certs fail to match, it's either because your SSL traffic is being intercepted by a MITM attack or the old cert expired and a new one was issued (this will happen periodically). If it's the latter, you can fetch the updated cert via a trusted channel (i.e., not from work) and repeat.
The certs obtained this way will be base64-encoded. To dump one in human-readable form, do this:
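The pinned-certificate check described in the comments above, as an added shell example that is not the commenter's own commands: it fetches the certificate a site presents with `openssl s_client`, hashes its DER bytes, and compares that against a known-good copy. The function names and the `/media/cdrom` path are assumptions; `knowngood-gmailcert.txt` is the file name used in the comment.

```shell
#!/bin/sh
# Added example: compare the certificate a site presents with a pinned copy.
# fetch_cert, cert_fingerprint and check_pin are assumed (hypothetical) names.

# Print the leaf certificate presented for host $1 on port 443, as PEM.
fetch_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Print the SHA-256 of the DER bytes of the first certificate in PEM file $1.
# Fails when the file holds no certificate, so two empty files never "match".
cert_fingerprint() {
    body=$(sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" 2>/dev/null |
        sed '/-----END CERTIFICATE-----/q' | grep -v '^-----' | tr -d ' \r\n')
    [ -n "$body" ] || return 1
    printf '%s' "$body" | base64 -d | sha256sum | cut -d' ' -f1
}

# 0 = same certificate, 1 = different certificate, 2 = a file could not be read.
check_pin() {
    known=$(cert_fingerprint "$1") || return 2
    seen=$(cert_fingerprint "$2") || return 2
    [ "$known" = "$seen" ]
}

# Usage: sh checkcert.sh mail.google.com /media/cdrom/knowngood-gmailcert.txt
if [ "$#" -eq 2 ]; then
    tmp=$(mktemp) || exit 2
    trap 'rm -f "$tmp"' EXIT
    fetch_cert "$1" >"$tmp"
    rc=0
    check_pin "$2" "$tmp" || rc=$?
    case $rc in
        0) echo "OK: $1 presents the pinned certificate" ;;
        1) echo "MISMATCH: $1 presents a different certificate:"
           # The issuer shows whether a locally installed CA signed it.
           openssl x509 -in "$tmp" -noout -issuer -subject -dates ;;
        *) echo "ERROR: could not read a certificate from $2 or from $1" ;;
    esac
    exit "$rc"
fi
```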
Given the amount of information processing power on a PC, and the fact that the SOE and entire configuration was supplied by the company, it's more like asking a company-loyal personal assistant or supplied temp/secretary to take dictation of a letter slagging off the company. There's a fairly good chance that they're going to grass on the person dictating the letter.
Whether or not there are legal rulings one way or the other, it's just DUMB to use company-issued resources for personal activities, particularly if those activities are going to cause problems for the company.
If someone absolutely must access personal email at work, wouldn't it be a hell of a lot smarter to either use a personal laptop with a WiFi link to the nearest hotspot out the window, or set up an encrypted tunnel to a home machine and make sure no logs or caches were stored on the work box? Or even just obtain a standard smartphone or PDA which can send and receive email?
1. The fucking amendment in question says that the things not enumerated are reserved to the States, so you are not only wrong but retarded.
2. What does the first amendment have to do with this?
3. This isn't a state government action either.
Why is this distinction important? Well, what about gun rights? The SCOTUS has not yet decided if gun rights can be restricted at the state level. It's not so clear that all the rights enumerated in the bill of rights cannot be restricted by the states.
It's great that you understand that the 1st spells out Congress. But the 2nd doesn't - we can't attribute this to minor oversight.
Then there's also State interference with the General Government's power to call forth the militia.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Did you happen to read the 14th amendment as well?
Did you know there are federal wiretap laws which DO apply to everyone, such that you can't record my phone call to someone else, period? Remember, that's also that whole pesky "this is the supreme law of the land thing," which pretty clearly states what happens when Fed and State laws collide.