E-mail Privacy? Only a "Virtual Reality"
by Tina Murch
This article includes references to the University of California
Electronic Communications Policy, which sets systemwide rules for
use of e-mail and other computer resources.
UC's full policy can be reviewed online at
http://www.ucop.edu/ucophome/policies/ec/html/welcome/htm
If you work for UC as faculty or staff, you most likely enjoy a free e-mail account which you can access from anywhere. You regularly check your e-mail at your office, or from the library or lab on campus, using high-speed Internet access. At home, you probably connect via dial-up modem or DSL to the campus server. Ditto when you connect from remote sites when you are traveling. The ease and speed of instant access to your e-mail, especially when you're far away at a conference or sitting on a plane, adds to the illusion that e-mail is intimate and spontaneous, like a phone conversation between friends or a business meeting with the door closed.
It's easy to forget that everything you write in e-mail or even in "instant messaging" is being recorded for posterity. Although it's true that any time you put words in print you create a paper trail, e-mail is archived and can be accessed without your permission for years to come.
UC typically archives e-mail sent over campus servers for three years. In addition, your e-mail may be archived on departmental servers and individual computers, yours and those of your recipients, and each department sets its own policy for how long it retains backups of its files. Practice varies, but you can assume your e-mail will be stored at any number of locations on and off campus. Unlike paper, e-mail can't be shredded, and even when you delete it, there's a record of it somewhere, complete with the Internet Protocol (IP) address of your computer and your e-mail address, identifying it as yours as if it were written in stone.
In addition to the storage issue, there are distribution issues. What you send to one person can be copied to hundreds within minutes. "Unintended distribution," where valid recipients forward your e-mail to others, is commonplace when you send e-mail to a public electronic forum such as a listserve (electronic mailing list), newsgroup, chat room, message board or unsecured Web page. But even an e-mail sent to one person can be forwarded to others ad infinitum.
Count on two things: a lot more people can and probably do read your e-mail beyond those who were intended to receive it; and what you write can come back to haunt you years later and not only when you're involved in litigation.
Subpoenas and Access Without Consent
In my legal case against UCSF, e-mail that was written three years earlier figured prominently in my settlement. Subpoenaed by the California Department of Fair Employment and Housing, my department's e-mail provided ample evidence that I had been subjected to discrimination and retaliation.
But e-mail doesn't have to be subpoenaed for it to turn up years later and incriminate those who wrote it. Anyone can make a request for UC e-mail to be released under the provisions of the California Public Records Act (http://www.cfac.org/Law/CPRA/Text/cpratext.html). The law asserts that the public has a right to know how the people's business is conducted and how taxpayer money is spent.
UC itself provides for e-mail to be released under its system-wide Electronic Communications Policy. (See the top of this article for the URL, then check the index for Chapter IV, Privacy and Confidentiality, Section B, Access Without Consent.) There must be a "substantiated reason to believe that violations of the law or of University policies have taken place." Before you submit a request to the chancellor of your campus, familiarize yourself with UC policies, which are published on the Web (www.ucop.edu/ucophome/coordrev/ucpolicies). Be forewarned: when a policy says "may" or "might," it's meaningless; the mandatory language for such a request is "shall" and "should." Also, don't allege something broad like "discrimination" which is open to legal interpretation. Collect evidence that UC failed to meet deadlines or follow specific procedures that its own published policies declare it "shall" perform. Even then, expect a fight.
Whoever Owns the Server Sets the Rules
All right. You understand your e-mail can be archived, subpoenaed or accessed without your consent, but you don't have anything to worry about. Your worst offense is that you've expressed your opinion. And your e-mail is protected by your First Amendment right to freedom of speech. Right?
Wrong. The law protects the owner of the server, not the individual subscriber. In a university setting, the owner of the server is the university. This means that anything you send over a university server belongs to the university, not to you. A university e-mail account is university property, much as the chair in your office is university property. You can sit in the chair but you can't throw it out the window, take it home, or give it to your favorite charity. That would be destruction or theft of university property.
Even if you're logged on to your partner's business e-mail account, your daughter's AOL account, or a free Yahoo account you just created at the public library, the minute you send e-mail over a university server, it becomes university property. The university sets the rules for usage of its electronic resources, including its servers. It has the right to monitor your usage without your knowledge, to store documents you send or receive, and to take action against you if abuse is suspected.
UC's Electronic Communications Policy defines what constitutes allowable use and abuse of its resources. Criminal activities include cyberstalking, hacking, denial of service attacks and other disruptions of networks and systems, fraud, theft, copyright infringement, and breaking into the files of others. Other prohibited activities include sending spam, viruses, chain letters, violating university policies governing codes of conduct (such as sexual harassment policy), and using UC e-mail to conduct non-university business such as selling private products or services. If you violate UC's rules, your e-mail privileges can be suspended or terminated and you can face disciplinary action up to and including dismissal. Depending on the offense you can also be charged with a misdemeanor or felony.
But You'd Never Send Spam...
You also haven't set up your own business using UC resources, and you don't have a clue what a denial of service attack is, let alone how to execute one. But when e-mail is owned by the employer, you can bet it will be used as a weapon against employees.
If you're involved in union activity or any type of workplace organizing, or if you've filed a grievance, a charge of discrimination or a lawsuit, expect that your e-mail is monitored. You don't have to wait for the formality of a subpoena to have your e-mail scrutinized. If your supervisor, your department chairperson, your dean, your vice chancellor, or even a committee of administrators wants to read your e-mail, they can do so by claiming they are performing work essential to the business of the university.
Mind you, UC's Electronic Communications Policy prohibits intentional and intrusive inspection of your e-mail. But UC discloses that there are "privacy limits" and admits that your e-mail can be accessed without your permission or knowledge due to "policies that require employees to comply with management requests for University records in their possession." Translated, this means that management can require you to copy them on your correspondence. It also means they can authorize technical staff to set up surveillance of your correspondence. Like everything else in the electronic world, this can be done remotely and is seamless and invisible to the user.
While many supervisors monitor their staff's e-mail to track employees' personal use of computers during work hours, what's really scary is when managers screen to find out who you write to, what listserves you subscribe to, what you write about, who your friends are, who you confide in, what Web sites you look at, what e-mail attachments you've sent or received. What jobs you applied for and what offers have been made. What you wrote to a campus officer when you reported you were harassed by your assistant dean. What you told your doctor about your workplace stress. What you discussed with your lawyer about the progress of your lawsuit.
If your supervisor or dean reads your e-mail and interprets your tone as insubordinate, or as hostile toward superiors or colleagues, you can be brought up for charges before campus committees, you can get a negative letter or unsatisfactory review in your personnel file, you can be denied reappointment or tenure for lack of "collegiality." If you write something that could be interpreted as offensive or as violating university codes of conduct, regardless of your intention or the actual language used, your e-mail could become evidence in disciplinary action against you.
You may be able to fight in court to preserve the confidentiality of your doctor-patient or lawyer-client communications, even when those communications were conducted on university property. But UC attorneys will argue that you lost any expectation of privacy once you sent e-mail over university servers. Don't give them the opportunity.
But You Use AOL for Your Private E-mail
OK, so you're keeping your confidential communications confidential by using AOL or any other private Internet Service Provider (ISP). The private ISP owns your e-mail account, not the university. You assume no one at UC can access your AOL e-mail without issuing a subpoena to your ISP.
Not necessarily true. Again, if your AOL e-mail travels over a university server, it becomes university property. To keep it off university servers, keep a close check on both the ISP (who owns the e-mail account) and the Internet connection (what server you use to connect to the Internet) at both ends of your correspondence (sending and receiving).
Let's say you log on to your AOL account in your office. You send a memo to your lawyer, thinking your communication is safe because you're using AOL, not your university e-mail account. But your Internet connection is through a university server, so it is not safe.
Similarly, let's say you e-mail a colleague to confide in her about your harassment complaint. You write from home, using your AOL account and an AOL Internet connection. You write to her AOL account, not her university e-mail account. You assume you've got it covered. But then she logs on to her AOL account in her university office. Once again, your e-mail is not safe.
For instructions on how to do it right, see #4 below.
Protect Yourself As Best As You Can
1. Watch what you write. Watch the content and tone. Take a second to consider how your worst enemy would use what you are about to write. Edit appropriately.
2. Don't send confidential documents as attachments unless you're absolutely sure they will not travel over university servers. They can be forwarded, read, and used against you just as easily as e-mail itself. Use the Post Office or FedEx, or drop it by in person.
3. Open an AOL e-mail account (or other private ISP account) for any correspondence you want to shield from university management.
4. To keep your AOL e-mail off the university servers:
   a) Never check your AOL e-mail at your office or on campus.
   b) Make sure your Internet connection at home is through a private ISP, not through a university server.
   c) Never send AOL e-mail to someone with a university e-mail account unless you are sure they will also follow a) and b) above in all of their private communication with you.
5. Think before you click the "Send" button. If you don't want to send a press release to university attorneys, be extra cautious about what you send, how you send it, and whom you send it to.
6. Keep a hard copy of any e-mail you think may be pertinent to your legal case. This includes your own e-mail and the e-mail you receive from others. Keep e-mails in chronological order.
And here are some general security tips:
- Keep personal correspondence and personal documents off your computer at work, and off any computer which the University owns.
- Personal documents belong only on a computer you own, preferably at home.
- If you previously saved personal documents on your office computer, delete them and run an optimizing program (if you don't have one or know what this is, check with the technical staff in your department).
- Ask the technical staff in your department for information on departmental policies for backing up servers and other departmental computers. Ask about any e-mail policies in your department.
Good luck!
-wage@wage.org-