Monday, May 19, 2008

What Arlington Public Schools Get Wrong About Email Privacy

Someone in Arlington Public School has woken up to the fact that email is a marvelously insecure way of communicating. Email is an application that moves a text file from one computer to another. A text file requires no special application to be read. It’s kind of like sending a postcard, and anyone who handles the postcard can read the postcard. Worst yet, everyone who handles the postcard can retain a copy of the postcard. Worst yet, anyone who receives the postcard can forward it on to 50 over their closest friends. Not very private or secure.

APS handles a lot of messages between parents, teachers, students, and administrators. A good bit of those messages personal content and sensitive information.

[Paragraph One] + [Paragraph Two] = An APS Disclaimer:

"This communication was sent via the Arlington Public Schools mail system. Please be advised that email is not a secure form of communication. There should be no expectation of right to privacy in anything sent via electronic mail."

Excuse me? Did you just say I have no right to privacy?!?

Let’s go back to the chalk board. Simple because something is technically insecure does not mean that it is legally insecure. Just because I leave an apple out on a table does not mean that the government can legally swipe it.

The APS disclaimer uses two legal terms of art: “Expectation of Privacy” and “Rights.” An “Expectation of Privacy” and our Rights come from the US Constitution, and specifically here the 4th Amendment. You will recall from public school social studies that the 4th Amended states,

The right of the people to be secure in their persons, houses, papers, an effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

This right has been elaborated in wiretap law and the Electronic Communications Privacy Act (ECPA), which have developed the concept of an “Expectation of Privacy.” Where one has an Expectation of Privacy, the 4th Amendment dictates that the government must have proper authority to search and seize our communications. ECPA specifically sets forth the subpoenas and warrants the government needs in order to access and read our email.

Add all this up: we have a Constitutional Expectation of Privacy in email, protected by the 4th Amendment. It does not matter that it is woefully technically insecure. This is an Expectation of Privacy as against the government, and the government – this time APS – cannot take that away from us.

In other words, five years down the road, when FBI Agent Fox Mulder believes my kid is an alien, Agent Mulder may not simply go through APS email records related to my child. The emails may be insecure - but Mulder is barred by the Constitution from search and seizure without proper authority.

The US Supreme Court has time and again articulated the fundamental nature of privacy to our American experience:

The makers of our constitution undertook to secure conditions favorable to the pursuit of happiness... They sought to protect Americans in their beliefs, their thoughts, their emotions and their sensations. They conferred, as against the government, the right to be let alone – the most comprehensive of the rights and the right most valued by civilized men. – Justice Louis D Brandeis

APS gets it wrong. I would never put any sensitive information in an email; but that does not mean I don’t have an Expectation of Privacy in email or that the government can read it lacking proper authority.

No comments: