During these post-9/11 times, we are hyper-sensitive to safety issues, and security
is now a top priority. We hear constant reports in the news of new technologies
which peer into computers and communications to sniff out terrorist activity.
Americans seem more willing recently to give up some privacy and convenience in
return for an increase in security and safety. These are times when the public’s
awareness of the debate between the value of privacy and that of security is, or
should be, at its highest state.
With the collapse of Enron and the ensuing reports of the "destruction" of e-mail
and other documentation at Andersen and Enron, there is a new wave of interest in
the extent of privacy e-mail users can reasonably expect and a public fascination
with the efforts of investigators to recover the computer evidence thought deleted
by its users. The surprise in store for those users who seek to find this
information is that their e-mail communications are largely unprotected from
invasion by privacy laws and that the tracks left by their e-mails are nearly
impossible to destroy.
There are two main considerations users should evaluate when determining whether
they should have a reasonable expectation of privacy while using their computers
to communicate. The first is whether the communication they are making is in a
public or a private forum. Generally, it is said that only private e-mail and
simultaneous online "chat" sessions are afforded any real protection,
whereas postings on Usenet newsgroups and public message boards are considered
the "town halls of cyberspace" and are provided much less shelter from invasion.
Just as a reveler in Times Square, a very public space, should have a low
expectation of privacy, a computer user of these
public fora should likewise be aware that law enforcement officials can roam
these online spaces at will, without any warrants, "listening" for any criminal
activity.
Next, the user's expectation of privacy also hinges on whether the actual
communication is considered a stored message or one in transmission. The
Electronic Communications Privacy Act (ECPA)
grants a much higher level of protection to those communications which are
considered to be in transmission, imposing higher civil and criminal penalties
against unauthorized eavesdroppers and requiring a "super-warrant" for
investigators to monitor electronic messages in a criminal inquiry.
Much greater leeway is given in exploring
messages once they have come to rest, typically in archives of servers through
which they have traveled (and where investigators often require no more than an
administrative subpoena to get access).
Yet, there is a wrinkle to this seeming "bright-line rule." Messages waiting to
be picked up by the addressee may also be considered "stored" for the purposes of
the ECPA and permit access to law enforcement before even the addressee has seen
the communication.
The identity of the "invader" who is seeking access also affects the
communications' privacy status. Employers have usually been held to have
free access to their employees' business and private e-mail sent through the
employer's system.
Surprisingly, even when the employer agreed in advance, in writing, not to monitor
an employee's e-mail or to use it in making employment decisions, a district court
in Pennsylvania upheld the employer's right to do both.
Internet service providers (ISPs) often leave open the door to law enforcement
through their service agreements with their users which contain "privacy
restriction clauses" overriding the default ECPA provisions.
Even when the ECPA rules are in force, the government may obtain basic user
information with merely an administrative subpoena or access to any stored
communication 180 days old or less with a warrant.
In neither of the above cases is either the government or the ISP required to
notify the user that her privacy has been invaded.
What is a privacy-yearning user to do in the face of these daunting obstacles?
Most novice users would reasonably believe that if they simply hit the delete
button, all traces of the e-mail are magically removed from prying eyes. This
is dead wrong.
E-mail communications are often a gold mine for criminal investigators.
Because of the trail of evidence they leave behind as they pass through servers
and the ineffective method by which computers "erase" data from hard drives,
electronic communications are usually easily recovered. Such recovered data
could become the star witness in upcoming litigation over the Enron/Andersen
debacle.
E-mail must pass through servers which sort and deliver the messages on to the
addressee. When a user sends an e-mail, it likely will pass through two servers,
each of which put a copy into its archive before sending it on its way. Including
the copies on the sender's and addressee's computers, that accounts for at least
four copies of a single e-mail, and any attachments, innocently sent through the
servers.
When one considers the size of Enron and Andersen, it is not unimaginable that
many more copies exist of each "deleted" e-mail.
Even when an e-mail has been deleted, most of the data is retained on the
computer's hard drive. Computers do not actually erase data. Rather, they simply
make it seem to the user that the data is now invisible. The data remains on the
computer's hard drive until other data is written over it.
While users can utilize "wiper" programs, widely available on the web, to
overwrite the data, that is a time-consuming process, leaving little opportunity
for a user to quickly dispose of data.
Further, the issue of multiple copies in multiple locations remains a thorn in
the side of the would-be concealer.
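
The delete-versus-overwrite behaviour described above, as an added illustration that is not part of the original article. The toy disk, the ToyDisk class, the carve helper and the sample message are all constructed for this example; it shows a deleted e-mail read back from the raw blocks, partly surviving reuse of one block, and gone only after free space is wiped.

```python
import re

BLOCK = 64  # bytes per block on this constructed toy disk

class ToyDisk:
    """Hypothetical model: raw blocks plus a directory mapping names to blocks."""
    def __init__(self, nblocks=8):
        self.raw = bytearray(BLOCK * nblocks)   # what is physically on the drive
        self.directory = {}                     # what the user can see
        self.free = list(range(nblocks))        # blocks available for reuse

    def write_file(self, name, data):
        blocks = []
        for off in range(0, len(data), BLOCK):
            n = self.free.pop(0)
            chunk = data[off:off + BLOCK].ljust(BLOCK, b"\0")
            self.raw[n * BLOCK:(n + 1) * BLOCK] = chunk
            blocks.append(n)
        self.directory[name] = blocks

    def delete(self, name):
        # "Delete" only forgets where the file lives; the bytes stay on the drive.
        self.free = self.directory.pop(name) + self.free

    def wipe_free_space(self):
        # What a "wiper" program does: overwrite every unallocated block.
        for n in self.free:
            self.raw[n * BLOCK:(n + 1) * BLOCK] = bytes(BLOCK)

def carve(raw):
    """Recover printable runs of 8+ bytes from the raw blocks, ignoring the directory."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e\r\n]{8,}", bytes(raw))]

MAIL = (b"From: alice@example.com\r\nTo: bob@example.com\r\n"
        b"Subject: Q4 numbers\r\n\r\nPlease shred the draft.")  # constructed sample

def demo():
    disk = ToyDisk()
    disk.write_file("inbox/1.eml", MAIL)
    disk.delete("inbox/1.eml")                      # user hits "delete"
    after_delete = carve(disk.raw)                  # whole message still readable
    disk.write_file("notes.txt", b"lunch at noon")  # new data reuses one freed block
    after_reuse = carve(disk.raw)                   # tail of the message survives
    disk.wipe_free_space()
    after_wipe = carve(disk.raw)                    # only the live file remains
    return after_delete, after_reuse, after_wipe

if __name__ == "__main__":
    for stage in demo():
        print(stage)
```
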
Reconstructing the e-mail evidence is done by so-called computer forensics
experts, who must first narrow the list of target users to limit the amount of
data through which they must sift.
Then, using specialized software, the experts will examine the mountains of
captured data left behind on the hard drives of the e-mail servers and computer
systems of the targeted users. In Andersen and Enron's case, even with the
narrowing of targets for investigation, the sheer volume of material will be
daunting. Despite some considerable efforts to conceal, there will be no
shortage of evidence available to investigators.
Armed with this information, users must then conclude that the only true way to
quickly assure that no useable data remains on their system is to drag their
"computer[s] into the yard and get busy with a very large hammer."