The Privacy of Emails

A colleague has alerted me to a December 2010 ruling on email privacy, in the US 6th Circuit court. There’s a brief article here from DC law firm K&L Gates.

The 6th Circuit delivers a welcome reversal of the July 2010 ruling in Rehberg v Hodges, in which the 11th Circuit court somewhat bizarrely concluded that Mr Rehberg’s “privacy interest in emails held by his ISP was not clearly established”. Even in that case, although the ruling itself denied Mr Rehberg’s right to privacy, the court did amend previous statements as follows:

“The Court had written that a ‘person also loses a reasonable expectation of privacy in emails, at least after the email is sent to and received by a third party’ and that ‘Rehberg’s voluntary delivery of emails to third parties constituted a voluntary relinquishment of the right to privacy in that information.’ This is not the law, and the incorrect statements are no longer precedent.”

Article here on the EFF site.

Note the court’s use of the phrase “third party”. I would be interested to know if this ruling has any effect on a law enforcement request for access to received emails still in the possession of the intended recipient (as opposed to an intermediary). The reason for my interest will be clear in a moment…

Broadening the context beyond email: the legal implications of disclosures via online networking sites are still, in my view, a long way from being conclusively worked out in case law. There was the ruling in Romano v Steelcase Furniture, in which Mrs Romano’s Facebook photo showed her apparently happy and smiling in front of her home. Steelcase’s lawyers argued that that was prima facie evidence she was not suffering as badly as she had maintained in an injury suit against them, and successfully got a ruling that Mrs Romano’s private Facebook pages should be disclosed in case they revealed further incriminating evidence.

The twist in that latter part was that not only had Mrs Romano obviously decided that she wanted some of her Facebook disclosures to be more private than others, she had in fact also deleted some of her private pages. At least, she thought she had. In fact, they were still on disk somewhere in Facebook’s storage, and as a result, they were disclosed in evidence. I blogged about that in October, here.

So, in the social networking case, it seems the law still has to catch up with the notion that disclosure is not a binary thing. I keep quoting danah boyd on this, because I can’t improve on her way of putting it:

“Making something that is public more public is a violation of privacy”

(Making Sense of Privacy and Publicity, SXSW 2010; text available here)

In the email case, I’d argue that the same gap still needs to be bridged. US case law seems to be taking the following line: an email from Sandra to Reece embodies an expectation that it is sent in confidence by the sender to the recipient. It is intended to be kept confidential from the ISP who conveys it. (As an aside, that’s interesting if you reflect that an unencrypted email is much more like a postcard than a letter sealed into an envelope…).

That’s fine as far as it goes… but what about the non-binary shadings? Legally, what expectation can a sender have in the confidentiality of, for instance:

  • The contents of an email which the recipient has opened?
  • The contents of an email still unopened in the recipient’s inbox?
  • Copies of the email archived by the sender (for instance, in a “Sent Mail” folder) on the sender’s system, on an employer’s email system or on one operated by a third party, say, in the cloud?

There may be many instances of a single electronic disclosure, and I don’t think the legal privacy status of these instances has been fully explored yet in any single jurisdiction, let alone in cloud computing and multi-jurisdictional contexts. Of course, if you know different, let me know via the Comments field.