Privacy is one of the central issues in electronic commerce. In a brave, newer world, email is the primary means of communication, where personal financial data is stored on servers connected to the Internet. Where ISP’s and many millions of computers worldwide can access and analyze personal data in milliseconds, there are many scenarios that never existed before. This article will examine some of the main rules regarding the government’s legal right to use electronic information, from the standpoint of what evidence can be gathered, by whom, and from what electronic sources. It will analyze these rules in terms of a series of hypothetical situations.

 Privacy in email. The right to privacy in email is covered in this article with emphasis on the privacy of email when it involves the attorney-client privilege. This is chosen because this privilege is one of the most established in the law, and is subject to little deviation and accidental waiver. Email between an attorney and client may alter the attorney-client privilege to the point that email may not be considered "private." Thus communications between the attorney and his client who has e-mailed to the attorney documents showing guilt could be subject to extraction.

Privacy in electronic records. Companies that transact significant business using the Internet often have financial and other records that can be accessed from the Internet. Laws exist to prevent unauthorized access and use of such records.

Electronic Communications Privacy Act. This article covers the Electronic Communications Privacy Act, which is central to the privacy of electronic communications, and electronic transfers.

Privacy was easier to maintain when data was only on paper. Then, of course, we have envelopes, sealed with sticky goo, tape or even wax. It is not easily visible to the naked eye unless steamed open or some other "obvious" tampering went on. Thus, it was not easy for any governmental entity to "tap" mail. Today, electronic communications provide a new challenge to the right to conduct business privately.

E-mail has a major privacy right attached, for like "snail mail" it has a clear and traditional expectation of privacy, behind a sealed envelope, and sent to a certain addressee. The major difference is there is no envelope, no seal wax or otherwise unless one uses encryption software. Such software is so easy to use now that there is no excuse for not purchasing and regularly using it to send your professionals confidential communications.

There is a lot of debate over whether the government should have more access to private information than others should. On the one hand, the laws currently being enacted make it relatively easy for government to obtain access to email, transactional data, and communications in cyberspace. On the other hand, these laws define the process under which the government can obtain such information.

Attorney-Client Privilege.    The most famous of all privileges for communication is the attorney-client privilege. This is one of the strongest privacy rules in common law, based on the notion that if one cannot tell the truth to his or her attorney then one would lose the ability to advocate by an attorney. This privilege can keep out of evidence actual confessions of guilt by a client to his attorney.

Attorney-Client Privilege in Email.   There is always risk that there will be an accidental disclosure to third parties of information that the attorney intended to be kept secret. Technically, the attorney-client privilege can be lost and the information disclosed to another party where it is disclosed to the general public.

Where email is concerned, this inadvertent disclosure can be caused by failing to carefully address mail to the proper recipient, by unintentionally routing the message to the wrong person, and through interception by a hacker. Some cases have held, though, that misdirected email from an attorney to a client without forms of protection show a "presumed lack of care" resulting in limitation of the secrecy. Hartman vs. El Paso Natural Gas 763 P2d. 1144 (1988), provided five factors to weigh on whether there is a loss of the privilege in general. The five factors are:

1. the reasonableness of precautions, and see above regarding the professional who communicates by e-mail incriminating documents,
2. the number of mistaken disclosures using the precautions,
3. the extent of disclosure,
4. the promptness and effectiveness of any mitigation, and
5. The interests of justice that are to be weighed against a ruling adverse to the privilege.

Generally, the stakes weigh in favor of "nondisclosure." This is because the client must be able to tell all there is to know to the attorney without fear or chilling effect.

The process by which email is transmitted exposes email to easy interception. As discussed in the previous article, given enough time, even the most powerful encryption can be broken. Certainly, hackers who know what they are doing can even get into the secret Pentagon databases. Emailing of confidential information between attorney and client, the attorney-client privilege can, in some jurisdictions, be lost.

Email can be encrypted to ensure privacy. However, not all email is sent in encrypted form. Even with confidential information, senders may not see the need for encryption. However, in the process of transmission email is ordinarily stored for a time on a server, or user’s client; or, it can also be held for a brief time by a router. This means that, whether the sender realizes or not, email is accessible until it is deleted from the mail server. Because email is accessible, sensitive email should be encrypted. Encryption software, such as PC Guardian Encryption Plus®, PGP® and others make it easy to encrypt and thus preserve confidentiality.

The general rule is that an attorney may be held to have waived the attorney-client privilege where an attorney (1) knows that a communication is intended to be privileged, and (2) any lock and key method, even US Mail (and presumably encryption) would protect or increase the privacy of the communication, but the attorney fails to use the better method. 

ECPA:  Electronic Communications Defined

Under the ECPA, an "electronic communication" means any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photo electronic, or photo optical system that affects interstate or foreign commerce, other than:

1. Any wire or oral communication;
2. Any communication made through a tone-only paging device;
3. Any communication from a tracking device, or
4. Electronic funds transfer information stored by a financial institution in a communications system used for the electronic storage and transfer of funds."

The looseness and unpredictability of the court cases decided in this area tends to require an analysis on a case by case basis. Thus, it is helpful that Congress enacted the ECPA. The ECPA of 1986 filled a hole in the veil of privacy that surrounds all of us, but also definitively opened doors on government surveillance.

The statute brought federal privacy law out of the Stone Age by including additional material in the old "anti-wiretap" law. The wiretap law applied to audible communications mainly telephone communications by criminal suspects. The investigator would seek a warrant to tap the telephone. Later, as criminals became more technologically advanced, the government sought access to data sent electronically.

The position of the governments of the United States and most other nations is that they need means to identify communicators of electronic transmissions and to capture such transmissions for later analysis. In the United States, the ECPA gives the government access to electronic communications and electronic records, but also defines the limits of such access.

What the ECPA Provides in General

The ECPA, on its surface, seems to assure that private and public entities cannot lawfully invade an individual’s electronic domain. The ECPA is the best protection from private and government intrusion Congress has ever enacted. This type of protection is of the utmost importance in electronic commerce where there could easily be undetected and unapproved observation of the stored data of both the innocent person as well as the suspect. On the other hand, complete freedom from intrusion is not reasonable at a time when our government is facing so many challenges to its ability to police terrorists and organized crime. Without some invasive powers, government would never be able to intercept and decode communications among such terrorists and criminals.

The ECPA is divided into Title I, which protects messages in the course of transmission from interception, and Title II, which addresses stored data on remote computers or computing services. Title II also includes prohibitions on access to data by private persons similar to the Title I prohibitions.

Protection of Privacy in Email and Electronic Transmissions. 

The ECPA protects the privacy of electronic communications and email. In general, it treats electronic communications and email as voice communications. However, it also deals with a unique characteristic of electronic communications and email. Information sent through email, in encrypted form, is not functionally the same as oral telephonic communications. Email data is stored during transmission. This momentary storage occurs in a router or in an Internet service provider’s system. Moreover, it occurs for a sufficient duration to make the email viewable and downloadable by a non-addressee.

The ECPA prohibits interception of electronic communications and email. In general, "any person who intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication," commits a criminal act. This includes government agents and anyone who intercepts the communications intentionally. For example, under the ECPA, intentionally hacking into any electronic communication is a crime.

The ECPA contains additional provisions that must be satisfied by the government in order to gain the ISP and network provider’s cooperation in case a law enforcement agent requests information by making a written application. In general, the agents need to supply to the court details and reasons why they need the information. The court’s order will specify, among other things, (1) "a particular description of the type of communication sought to be intercepted, and a statement of the particular offense to which it relates" and (2) "the identity of the agency authorized to intercept the communications, and of the person authorizing the application." In this the order rendered by the Court contains language similar to a warrant.

If the government agent’s request for an order is approved, under the ECPA, then agent may obtain "all information, facilities, and technical assistance necessary to accomplish the interception unobtrusively and with a minimum of interference with the services that such service provider, landlord, custodian, or person is according the person whose communications are to be intercepted."

Rules Applicable to Providers of Electronic Communications Services - ISPs

While the ECPA generally, under usual circumstances, prohibits the disclosure of the contents of electronic communications, the act provides exceptions for disclosure of the contents of a communication that is intercepted in one of several authorized ways. These exceptions cover "providers of wire or electronic communication service", who are to "provide information, facilities, or technical assistance to persons authorized by law to intercept wire, oral, or electronic communications or to conduct electronic surveillance..." under the Foreign Intelligence Surveillance Act of 1978. This provision applies to a government entity. The government may have to obtain a court order, or a certification from the attorney general that no warrant is required, all legal requirements are met, and assistance of the ISP is necessary. The user, whose data was lifted, is prohibited from obtaining "civil" damages against the cooperating ISP.

Under such circumstances, the ISP may not disclose the fact of or devices used to intercept the electronic communication. If it discloses, the ISP is liable for civil damages.

The ECPA provides that, in response to an administrative subpoena authorized by federal or state law or grand jury, "a provider of electronic communication service or remote computing service" must disclose to a government official the subscriber’s—

• name
• address
• local and long distance telephone toll billing records
• telephone number or other subscriber number or identity
• length of service
• The types of services the subscriber or customer utilized.
• And other sensitive information.

 Under the ECPA, it is possible to delay notice to the Subscriber or user under certain dire circumstances like to prevent loss of life, disaster or the like.

The delayed notice can be up to 90 days; plenty of time to download data from a server regarding the electronic transactions and records that are a part of an investigation. When the term expires, the agency must then serve notice on the user that the agent has already inspected the records.

Just as the technology is in constant shift towards a network centric epoch the likes of which, in communication, we have not seen since the very invention of the telephone. Authorities are in a similar state of flux as all 51 U.S. governments, the states and federal alike strive to both foster this new commercial boom on the one hand, and to reap revenue from its exchange for goods and services on the other.

The law on privacy, taxation and intellectual property will see major changes in the next decades that are so voluminous it boggles most imaginations. E-Commerce faces the need for international cooperation and standards that have not been faced since the concept of global shipping became a reality. We must be watchful of our governments and continue to interact by writing letters to representatives and urging them to protect our privacy. IRS is presently under great scrutiny. Its rules will also change; there may even be backlash as the government strives to correct past perceived and real abuses.

New laws are always on the horizon. Presently wending its way through Congress is the "Encryption Protects the Rights of Individuals from Violation and Abuse in Cyberspace (E-PRIVACY) Act." The purpose of the act is to protect the privacy and constitutional rights of Americans, to establish standards and procedures regarding law enforcement access to decryption assistance for encrypted communications and stored electronic information, to affirm the rights of Americans to use and sell encryption products, and for other purposes. New E-PRIVACY takes the ECPA one step further, and may forever alter and make more secure all transactions.

Freedom to Hide by Encryption.

The new section, Freedom to Use Encryption, styles itself as the freedom to encrypt Act. It is designed to make it "lawful for any person within the United States, and for any U.S. person in a foreign country, to use, develop, manufacture, sell, distribute, or import any encryption product, regardless of the encryption algorithm selected, encryption key length chosen, existence of key recovery or other plain text access capability, or implementation or medium used."

The proposed act seems quite radical in that it states no government agents may require, "compel, set standards for, condition any approval on, or condition the receipt of any benefit on, a requirement that a decryption key, access to a decryption key, key recovery information, or other "plaintext" access capability be-- (A) given to any other person, including any agency of the United States or a State, or any entity in the private sector; or (B) retained by any person using encryption."

New laws and Orders, rules and regulations tend to open up encryption technology. This trend is to allow better encryption to be exported. The export of this technology would ensure more compatibility. At this writing, it is allowed to export 56-bit encryption software. Most ATM and other EDI transactions use 128-bit encryption that is practically unbreakable. Hackers will try, but it is the massive resources of the Federal Government that will break it first.

Enhanced Network Protection.

This Act also would prohibit broadly the government from eavesdropping on private e-mail. Of the Act entitled, "Enhanced Privacy Protection for Information on Computer Networks." amends section 2703 of title 18, United States Code, a criminal section. This section is described above. That is the part of the ECPA is set aside as its own section to describe how a government indentation may intercept email. The Requirements for governmental access are set forth in 18 U.S.C. Section 2703. This new act further takes away the power of government to access information about persons that is contained on a network. It attempts to put back the privacy that may have been removed from the fantasy that a "home is my castle," since many times the network that personal information is stored in is not a castle.

Notice requirements Enhanced.

It provides, in general, that a governmental entity may "require the disclosure by a provider of a remote computing service of the contents of an electronic record in networked electronic storage, only if the person who created the record is accorded the same protections that would be available if the record had remained in that person's possession." Thus, it would make it more difficult for the government agent who now has to comply with the rules on illegal search and seizure, apply to the person, the body. Under the Fourth Amendment, the most private property of all is the property in the actual possession of its owner. This special idea that property being held physically close to its owner is sacrosanct in the law. This is proven by the common law felony of robbery. It is theft of that within the reach of the person that is most protected, and the law applies most heavily to the person and his information as if it were in the person's possession. It prevents the scenario where a government agent is able to merely subpoena a third party records keeper and get the information.

This act would seriously modify the provisions where a government agent can apply for a summons and obtain the information without the person whose information it knows about it. If the information is on a "Networked Electronic Storage" there are additional requirements. If this Act passes, a governmental entity may require the disclosure of the contents of an electronic record in a networked electronic storage only.

"Pursuant to a warrant issued under the Federal Rules of Criminal Procedure or equivalent State warrant, a copy of which warrant shall be served on the person who created the record prior to or at the same time the warrant is served on the provider of the remote computing service;

"Pursuant to a subpoena issued under the Federal Rules of Criminal Procedure or equivalent State warrant, a copy of which subpoena shall be served on the person who created the record, under circumstances allowing that person a meaningful opportunity to challenge the subpoena; or upon the consent of the person who created the record."

This last requirement really adds a huge layer of protection for anyone whose records are sought. It informs the person whose records they are in the FIRST instance that their records are being sought. Unlike the present law where one must quash the subpoena or warrant AFTER the records are already obtained to prevent their interdiction into evidence, here the person is warned and provided the a "meaningful opportunity to challenge the subpoena."

In all, these laws are designed with good intentions within the following "given" premise: The government needs revenue to operate; the people are fully represented; we earn money and demand government services, so the government needs methods to obtain its revenue. We all need to know that the rules followed are fair; that they will probably withstand Supreme Court scrutiny, and that they will probably allow us all to use the many incredible e-methods to communicate, to transact, to store our information and to feel secure, safe and private.

FTC – Privacy enforcement agency?

The FTC has taken a large role to protect privacy.

The now famous case of FTC vs. Geo Cities and its potential impact on the future of privacy on the Internet at least bear mentioning. This action and others planned by FTC may have great impact on the privacy for individuals and their ability to control thier private files. This article would not be complete without this information. The proposed Consent Decree, an Order based on settlement of the case, includes language that would certainly keep private the identity of an ISP’s customers and allow users of the Internet to purchase goods, transact business and maintain communications with less fear. The case was brought because Geo Cities, one of the most "hit" websites in the country, created a virtual community online. To be part of the community, users must input their private information including, but not limited to, name, email, age, and address, income range and the like. The problem was that the information was sent to third parties without the permission of the users. This was alleged to violate 15 USC § 45.

FTC charged that GeoCities told its users not enough about how this information would be used, by third parties, on lists, and other uses. The FTC requested business on line to maintain security, give consumers a choice whether their personal information was to be used and how. FTC wants business online to provide access by the consumer to their information to alter or delete it, and notice that includes the identity of the collector and intended uses of the information. Query whether this latter notice requirement, if made "the law," would place IRS into a battle with FTC over abuses of information gathered from online ISPs and data sources.