Interesting People mailing list archives

OMB on email privacy


From: David Farber <farber () central cis upenn edu>
Date: Wed, 18 May 1994 14:29:53 -0500

From: kadie () eff org (Carl M. Kadie)
Subject: [OBM] Guidelines for government-employee email privacy/monitoring
Date: 12 May 1994 21:22:55 -0400


An excerpt from:
<ftp://ftp.eff.org/pub/EFF/Policy/Access_govt_info/federal_email_policy_omb.report>


=========================================================
Report of the Electronic Mail Task Force
Prepared for the Office of Management and Budget,
Office of Information and Regulatory Affairs
April 1, 1994


[...]
Monitoring e-mail


E-mail technology makes it possible for Federal agencies to
monitor the communications that flow through their e-mail
utilities.  Some monitoring may be necessary for system
management, trouble shooting, capacity planning and similar
purposes.  Additional monitoring, concentrating on the parties
involved and what information is communicated, may be appropriate
to manage records, to protect privacy and confidentiality, in the
interests of national security, for law enforcement, and for
other legitimate purposes.  However, such monitoring of actual
communications and communicators may impinge on the
Constitutional rights of freedom of speech (1st Amendment),
against unreasonable search and seizure (4th Amendment), and
against self-incrimination (5th Amendment), as well as on the
right to privacy, specifically as set forth in both the Privacy
Act and the ECPA.


However, the agency may wish to access or monitor an employee's
mail when the employee's official duties are carried out through
the use of e-mail, as a basis for evaluating the quantity,
quality, or efficiency of the employee's work.  Access to an
employee's electronic mail by an employer is a potentially
contentious area that should be directly addressed.  Choices
range from treating all electronic mail as accessible at any
time, to limiting access to particular circumstances when such
access is necessary.


An agency should first decide for what purpose(s) it wishes to
conduct monitoring and determine that all such purposes are
legitimate.  Legitimate purposes for monitoring or accessing
individuals' e-mail include:


To conduct system management, trouble-shooting, maintenance, or
capacity planning, to correct addressing problems, or for similar
reasons related to performance or availability of the system.  In
such cases, to the extent possible, the content of messages
should not be accessed.  If it is necessary to access contents,
then those who actually gain access to e-mail messages should be
careful to protect privacy and confidentiality.


To maintain security of the system.


To carry out records management responsibilities.


To conduct authorized law enforcement surveillance or
investigations, including tracking unauthorized access to a
system.


To conduct business during a business crisis if an employee is
absent when information is required.  In such a case, the agency
should notify the employee affected that such access was obtained
when the employee returns.


To conduct business during a prolonged absence of an employee,
when information in the employee's e-mail is required.  In such a
case, the agency should notify the employee affected that such
access was obtained when the employee returns.


For purposes of national security.


When an agency decides to monitor the contents of e-mail messages
or the identities of the parties communicating, the agency should
specifically identify the purpose(s) of such monitoring, ensure
that the purpose(s) are legitimate, and establish and implement
controls and constraints that prevent the misuse of monitoring.
An agency which monitors e-mail should do so in the least
intrusive way possible to acquire the required information.
Usage statistics, for example, may only require the date and time
stamps of messages, rather than the sender and recipients' names.
System maintenance on a mailbox may only require gathering header
information, rather than the entire contents of messages.
Intrusive monitoring may have a "chilling effect" on usage of the
system.


Similar considerations apply to access to e-mail by employer in
employee's absence.


In all cases, it is important to notify individuals subject to
monitoring in advance what the rules are.  Individuals subject to
monitoring must be notified in advance of the following:


     the authority to conduct monitoring,


     the circumstances under which monitoring would be
     applicable,


     the particular type of monitoring which will be used,


     the kind of information which will be collected during the
     monitoring,


     the uses to which the information collected may be put,


     the potential effect on the individual of the monitoring,
     and


     the effect on the individual of refusing to participate in
     such monitoring.


Employees should be notified when they are hired, or when they
are given access to e-mail, of any monitoring programs in effect.
In addition, they should be notified in advance before any new
monitoring program.  Business partners should be notified about
monitoring when the partnership is established or in advance of
any new monitoring program.  Agencies should also consider
whether, and how, to notify any other correspondents of their
employees.  In addition, individuals must be granted due process
rights to access and amend Privacy Act records created as a
result of monitoring, or when an adverse action is initiated as a
result of monitoring.


[...]
======================== end of excerpt =========================


- Carl

--
Carl Kadie -- I do not represent EFF; this is just me.
 =Email: kadie () eff org, kadie () cs uiuc edu =
 =URL: <http://www.eff.org/CAF/>, <ftp://ftp.cs.uiuc.edu/pub/kadie/> =





--
Stanton McCandlish * mech () eff org * Electronic Frontier Found. OnlineActivist
"In a Time/CNN poll of 1,000 Americans conducted last week by Yankelovich
Partners, two-thirds said it was more important to protect the privacy of
phone calls than to preserve the ability of police to conduct wiretaps.
When informed about the Clipper Chip, 80% said they opposed it."
- Philip Elmer-Dewitt, "Who Should Keep the Keys", TIME, Mar. 14 1994


