Internet Monitoring

New York Law Journal July 2, 2002, Tuesday

Copyright 2002 NLP IP Company - American Lawyer Media
All Rights Reserved.
New York Law Journal

July 2, 2002, Tuesday


SECTION: NEWS; Vol. 227; Pg. 5

LENGTH: 1933 words

HEADLINE: Active Internet Monitoring Is Widespread

BYLINE: By Jonathan Bick The author is of counsel to Brach, Eichler, Rosenberg, Silver, Bernstein, Hammer & Gladstone of Roseland and is an adjunct professor of Internet law at Pace Law School and Rutgers Law School. He is also the author of 101 Things You Need To Know About Internet Law (Random House 2000).

BODY:
Due to its enabling technology, the Internet is a very public communications system, and, consequently, lawful active monitoring of the Internet and e-mails is rampant. The legal justification for such monitoring is equally extensive.

The Internet creates statutory challenges as it facilitates numerous, legally questionable activities. Government, corporate and individual entities are empowered to actively monitor the Internet for proscribed activities. While no single, clearly enunciated, national legislation to justify active invasive monitoring of the Internet exists, a variety of stratagems designed to oversee proscribed Internet activities does.

Courts throughout the United States have offered a variety of legal justifications for active monitoring of the Internet and e-mail communications. As early as 1996 a federal court, in Bohach v. City of Reno, (D.Nev. 1996) 932 F. Supp. 1232, found that by sending a communication over the Internet, the party expressly consents to the recording of the messages. Consequently, the court also found such a party has "no reasonable expectation of privacy in his e-mails." Similarly, the court in United States v. Charbonneau, 979 F. Supp. 1177 (S.D. Ohio 1997), found that an individual did not possess an expectation of privacy of e-mail transmitted over the Internet, so they may be lawfully monitored.

Privacy expectations for Internet Web sites have been found similarly low. In J.S. v. Bethlehem Area School District, 757A.2d 412 (2000), a Pennsylvania appeals court found that the trial court was correct in its determination that no expectation of privacy in an Web site could be expected. Thus, Web sites may be lawfully monitored.

Some states, such as Washington, have statutes that make e-mails public records for monitoring and disclosure purposes (Wash. Rev. Code §42.17.020(36)). It should be noted that though e-mails were public records within the scope of the public records act, they can be exempt from disclosure if the e-mail contains personal information of no public significance.

The legal theory of implied consent has been used to overcome state privacy act legal restrictions to Internet and e-mail monitoring in some criminal cases. An appellant who was convicted of attempted second-degree rape of a child contended that the trial court had erroneously admitted into evidence copies of incriminating e-mail.

Rejecting his claim, the Court of Appeals of Washington found that while the Washington Privacy Act made it unlawful to record a private communication transmitted by telephone or other device, as the sender of an e-mail, the appellant implicitly consented to having the message recorded on the addressee's computer (State v. Townsend, 20 P.3d 1027 (2001)).

Similarly, the theory of implied consent has been used to overcome some Internet-related wiretap monitoring restrictions. For example, in the New Jersey Superior Court case of White v. White, 344 N.J Super.211 (2001) the court found that a wife, whose divorce was pending, had not violated the New Jersey Wiretap Act, N.J.S.A. §2A:156A-1, 36, by monitoring her husband's and his girlfriend's e-mail messages because she was an authorized user of a computer used to send and monitor the e-mail messages in question. The court also noted that monitored messages were already in post-transmission storage, so the wife did not need to intercept the e-mail messages to monitor them.

More recently, courts have found special justification for Internet use monitoring of employees. In TBG Ins. Servs. Corp. v. Superior Court, (2000 Cal. Daily Op. Service 1740 (2002)), the Court of Appeal of California found the trial court had erred in denying an employer's request to monitor an employee's home computer. The court reasoned that the employer's right to monitor resulted from the employee's written agreement to allow such monitoring.

Even when employees place e-mail in electronic personal folders and use passwords to block access to e-mail, the courts have found that employees do not have a reasonable expectation of privacy. In McLaren v. Microsoft, (1999 Tex. App. LEXIS 4103), the court reasoned that an employer's action of reading e-mails stored in a personal folder and protected by a password would not be considered an invasion of privacy because its need to prevent inappropriate use of its e-mail system would outweigh any privacy interest.

Employers are regularly advised by their counsel that they can diminish an individual employee's expectation of privacy by publishing in the firm's employee handbook that electronic communications are to be used solely for company business.

The handbook should also note that the company reserves the right to monitor or access all employee Internet or e-mail usage. The handbook should further emphasize that the company will keep copies of Internet or e-mail passwords and that the existence of such passwords is not an assurance of the confidentiality of the communications.

Consider today's Internet environment: Newly discovered security holes and the patches that repair them are made readily available on certain Web sites. Hackers have developed very efficient methods of identifying and exploiting known weaknesses through Web traversal engines. Their engines are constantly being updated with the latest holes, and their speed in exploiting these holes is increasing rapidly.

There is, in effect, a race between the hackers and the network administrators every time a new security flaw is identified. When hackers win this race, they position themselves with special access to system files as well as the ability to execute denial-of-service attacks. These difficulties require additional types of active Internet monitoring and perhaps additional legal justification.

Consider that federal and state monitoring of an activity, such as Internet communication and e-commerce, is generally grounded in state regulation of a subject matter.

An examination of state and federal regulation of drug prescribing over the Internet reveals considerable congruence among the different states' regulatory policies. In particular, nearly every state medical board has taken a position against Internet prescribing. Existing statutes, embodied in professional licensure laws and regulations, generally provide a basis for determining how jurisdictions address Internet medicine prescribing.

Some state statutes, such as the Illinois Pharmacy Practice Act, 225 Ill. Comp. Stat. 85/16a, allow active monitoring of Internet pharmacies' Web sites. Other states have enacted statutes specifically designed for Internet pharmacy regulation and support active Internet monitoring.

For example, propsed legislation introduced in Kansas, New Hampshire, New York and Virginia is designed to allow the active monitoring and regulating out-of-state pharmacies.

While many government agencies oversee Internet medicine prescribing, the Food and Drug Administration plays a chief role in coordinating drug regulation enforcement efforts. The FDA's jurisdiction over Internet prescribing activities arises from the federal Food, Drug, and Cosmetic Act, 21 U.S.C. 301. To implement the FDCA, the statute sets forth a comprehensive regulatory scheme, which includes active Internet site monitoring.

Now consider the legal basis for supporting the active invasive monitoring of the servers that make the Internet possible. In Katz v. United States, 389 U.S. 347 (1967), the U.S. Supreme Court found that the ability of government to wiretap and monitor telephone conversations was a necessary part of law enforcement.

The Katz Court found that in order to catch criminals, the government must be able to gain knowledge of illegal activities by actively and invasively monitoring telephones. In order to prosecute and deter Internet crime, the government must be able to actively and invasively monitor the Internet as it does telephones.

The Katz finding with respect to the active and invasive monitoring of communications has overcome challenges of the First Amendment (establishing freedom of speech), Fourth Amendment (establishing protections against unreasonable searches) and Fifth Amendment (establishing protections against self-incrimination).

Although the government has the clear right to actively and invasively monitor the Internet, it must do so appropriately. For example, with a court order, the Federal Bureau of Investigation can use "Carnivore" to monitor and record the Internet traffic of suspected criminals to collect evidence.

If the government fails to act properly, it may be in violation of the Electronic Communications Privacy Act of 1986, 18 U.S.C. §2510. This statute prohibits the intentional interception of any "electronic communication" under certain circumstances.

While the Katz finding is a basis for active and invasive Internet monitoring by the government, it does not offer a similar legal basis for private action.

For example, a client plans to implement a countermeasure to a common hacker strategy. The countermeasure would employ a Web traversal engine that would visit third-party Web sites and identify security risks. The client then proposes to e-mail all the needed patches to the technical coordinator of the site. The patches would be customized to fit the exact security holes identified in the server. Follow-up checks would be scheduled to encourage and monitor compliance.

This client is properly advised against implementing this program because its attempts to identify security weaknesses in servers that it did not own may result in legal difficulties. While legal arguments based on self-help, invitation and implied consent are available to this client, securing actual consent for the client's actions is the safest way to go.

One alternative would be to make the service a subscription, where administrators would authorize activity. However, this ignores the real problem of negligent administrators who unwittingly enable hackers to use their servers for attacking third parties.

Internet law development still lags Internet use. It may become necessary to regulate a minimum level of server administration. Any under-administered server can become a weapon of terrorism if left to the control of a hacker. However, negligent administration may be minimized if there is an early warning system such as the one described above. This represents a means to help prevent systematic unauthorized access to network servers, including large-scale information-based terrorist attacks.

It should be noted that joint private and public action is currently legally sanctioned. For example, in the State of Wisconsin v. Timothy P. Koenck, 626 N.W.2d 359 (2001), the Wisconsin Department of Justice, Division of Criminal Investigation, worked with a private citizen and a group called Internetwatch to monitor the Internet, mostly for child pornography. Internetwach, in this case, created profiles of young girls and communicated with individuals on the Internet using these fictitious profiles and turned inappropriate responses over to law enforcement for investigation.