Read the case study on pp. 387-392 of the textbook and Children’s Online Privacy Protection Rule (COPPA)(https://www.ftc.gov/system/files/2012-31341.pdf) Then answer the following questions:
The trial court found that Stengart did not have a legitimate expectation of privacy when sending personal emails through the company’s laptop. The appellate court and the Supreme Court disagreed. Discuss the reasoning that the higher courts had in reversing the trial court.
What effect would this decision have on a company when thinking about forming company policy regarding personal communication?
What kind of tools/techniques are available for Internet surfing process to comply with COPPA?
Read the case study on pp. 417-419 of the textbook and answer the following questions:
Would a state anti spam statute that specifically prohibited pornographic, obscene, terroristic, and fraudulent emailing withstand constitutional scrutiny? Why or why not?
Is spam really so bad? Why can a business lawfully send unsolicited traditional mail, or make unsolicited phone calls (as long as their is no violation of a no-call list) but spamming violates the law?
STENGART v. LOVING CARE AGENCY: 201 N.J. 300, 990 A.2d 650 (2010)
FACTS
[Marina Stengart worked for Loving Care Agency, Inc. (Loving Care), a home healthcare agency, as an Executive Director of Nursing. The company provided her with a laptop computer from which she could access her own personal email as well as the company’s server to access company emails.]
[At the end of 2007, Stengart accessed her own personal Yahoo email account on the company’s laptop to speak with her attorney concerning her situation at work. She did not save her email user ID or password on the company laptop and did not save any private information on the computer. The company’s browser software, however, automatically saved a copy of each web page visited in a temporary cache folder. She was not aware of this.]
[Soon after, Stengart left Loving Care and returned the laptop computer. A few months later, she filed a lawsuit with claims of discrimination, harassment, and retaliation. After the lawsuit was filed, Loving Care hired a company to retrieve all files from the laptop’s hard drive. The files that were retrieved included email communications that Stengart had with her attorney through her personal email account.]
[Loving Care’s attorneys used the email communications in the lawsuit. Stengart’s attorneys argued that the email communications were private. Loving Care’s attorneys countered that there was no reasonable expectation of privacy based on the company’s policy, which stated:]
Loving Care may review, access, and disclose all matters on the company’s media systems and services at any time e-mails, Internet communications and computer files are the company’s business records and are not to be considered private or personal to any individual employee occasional personal use of the computer is permitted.
[Stengart’s attorneys requested that the judge disqualify Loving Care’s attorneys and exclude the emails from evidence. The judge denied the request, holding that Stengart waived the attorney-client privilege. Stengart appealed the denial of the request. The appellate court reversed and remanded the decision to the trial court. Loving Care appealed.]
JUDICIAL OPINION (JUDGE RABNER)
Loving Care argues that its employees have no expectation of privacy in their use of company computers based on the company’s Policy. In its briefs before this Court, the company also asserts that by accessing e-mails on a personal account through Loving Care’s computer and server, Stengart either prevented any attorney-client privilege from attaching or waived the privilege by voluntarily subjecting her e-mails to company scrutiny. Finally, Loving Care maintains that its counsel did not violate RPC 4.4(b) because the e-mails were left behind on Stengart’s company computer—not “inadvertently sent,” as per the Rule—and the Firm acted in the good faith belief that any privilege had been waived.
Stengart argues that she intended the e-mails with her lawyer to be confidential and that the Policy, even if it applied to her, failed to provide adequate warning that Loving Care would save on a hard drive, or monitor the contents of, e-mails sent from a personal account. Stengart also maintains that the communications with her lawyer were privileged. When the Firm encountered the arguably protected e-mails, Stengart contends it should have immediately returned them or sought judicial review as to whether the attorney-client privilege applied.
A
We start by examining the meaning and scope of the Policy itself. The Policy specifically reserves to Loving Care the right to review and access “all matters on the company’s media systems and services at any time.” In addition, e-mail messages are plainly “considered part of the company’s business … records.”
It is not clear from that language whether the use of personal, password-protected, web-based e-mail accounts via company equipment is covered. The Policy uses general language to refer to its “media systems and services” but does not define those terms. Elsewhere, the Policy prohibits certain uses of “the e-mail system,” which appears to be a reference to company e-mail accounts. The Policy does not address personal accounts at all. In other words, employees do not have express notice that messages sent or received on a personal, web-based e-mail account are subject to monitoring if company equipment is used to access the account.
The Policy also does not warn employees that the contents of such e-mails are stored on a hard drive and can be forensically retrieved and read by Loving Care.
The Policy goes on to declare that e-mails “are not to be considered private or personal to any individual employee.” In the very next point, the Policy acknowledges that “[o]ccasional personal use [of e-mail] is permitted.” As written, the Policy creates ambiguity about whether personal e-mail use is company or private property.
The scope of the written Policy, therefore, is not entirely clear.
B
The policies underlying the attorney-client privilege further animate this discussion. The venerable privilege is enshrined in history and practice…. Its primary rationale is to encourage “free and full disclosure of information from the client to the attorney.” That, in turn, benefits the public, which “is well served by sound legal counsel” based on full, candid, and confidential exchanges.
“For a communication to be privileged it must initially be expressed by an individual in his capacity as a client in conjunction with seeking or receiving legal advice from the attorney in his capacity as such, with the expectation that its content remain confidential.”
E-mail exchanges are covered by the privilege like any other form of communication.
The e-mail communications between Stengart and her lawyers contain a standard warning that their contents are personal and confidential and may constitute attorney-client communications. The subject matter of those messages appears to relate to Stengart’s working conditions and anticipated lawsuit against Loving Care.
IV
Under the particular circumstances presented, how should a court evaluate whether Stengart had a reasonable expectation of privacy in the e-mails she exchanged with her attorney?
A
Preliminarily, we note that the reasonable-expectation-of-privacy standard used by the parties derives from the common law and the Search and Seizure Clauses of both the Fourth Amendment and Article I, paragraph 7 of the New Jersey Constitution. The latter sources do not apply in this case, which involves conduct by private parties only.
The common law source is the tort of “intrusion on seclusion,” which … provides that “[o]ne who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the intrusion would be highly offensive to a reasonable person.” A high threshold must be cleared to assert a cause of action based on that tort. A plaintiff must establish that the intrusion “would be highly offensive to the ordinary reasonable man, as the result of conduct to which the reasonable man would strongly object.”
As is true in Fourth Amendment cases, the reasonableness of a claim for intrusion on seclusion has both a subjective and objective component.
B
A number of courts have tested an employee’s claim of privacy in files stored on company computers by evaluating the reasonableness of the employee’s expectation. No reported decisions in New Jersey offer direct guidance for the facts of this case. In one matter, the Appellate Division found that the defendant had no reasonable expectation of privacy in personal information he stored on a workplace computer under a separate password. The defendant had been advised that all computers were company property. His former employer consented to a search by the State Police, who, in turn, retrieved information tied to the theft of company funds. The court reviewed the search in the context of the Fourth Amendment and found no basis for the defendant’s privacy claim in the contents of a company computer that he used to commit a crime.
Certain decisions from outside New Jersey, which the parties also rely on, are more instructive. Among them, National Economic Research Associates v. Evans, 21 Mass. L. Rptr. No. 15, at 337, 2006 WL 2440008 (Mass.Super.Ct. Aug. 3, 2006), is most analogous to the facts here. In Evans, an employee used a company laptop to send and receive attorney-client communications by e-mail. In doing so, he used his personal, password-protected Yahoo account and not the company’s e-mail address. The e-mails were automatically stored in a temporary Internet file on the computer’s hard drive and were later retrieved by a computer forensic expert. The expert recovered various attorney-client e-mails; at the instruction of the company’s lawyer, those e-mails were not reviewed pending guidance from the court.
A company manual governed the laptop’s use. The manual permitted personal use of e-mail, to “be kept to a minimum,” but warned that computer resources were the “property of the Company” and that e-mails were “not confidential” and could be read “during routine checks.”
The court denied the company’s application to allow disclosure of the e-mails that its expert possessed. The court reasoned,
Based on the warnings furnished in the Manual, Evans [could not reasonably expect to communicate in confidence with his private attorney if Evans e-mailed his attorney using his [company] e-mail address through the NERA Intranet, because the Manual plainly warned Evans that e-mails on the network could be read by NERA network administrators. The Manual, however, did not expressly declare that it would monitor the content of Internet communications…. Most importantly, the Manual did not expressly declare, or even implicitly suggest, that NERA would monitor the content of e-mail communications made from an employee’s personal e-mail account via the Internet whenever those communications were viewed on a NERA-issued computer. Nor did NERA warn its employees that the content of such Internet e-mail communications is stored on the hard disk of a NERA-issued computer and therefore capable of being read by NERA.
As a result, the court found the employee’s expectation of privacy in e-mails with his attorney to be reasonable.
According to some courts, employees appear to have a lesser expectation of privacy when they communicate with an attorney using a company e-mail system as compared to a personal, web-based account like the one used here…. As a result, courts might treat e-mails transmitted via an employer’s e-mail account differently than they would web-based e-mails sent on the same company computer.
Courts have also found that the existence of a clear company policy banning personal e-mails can also diminish the reasonableness of an employee’s claim to privacy in e-mail messages with his or her attorney…. We recognize that a zero-tolerance policy can be unworkable and unwelcome in today’s dynamic and mobile workforce and do not seek to encourage that approach in any way.
JAYNES V. COMMONWEALTH OF VIRGINIA: 666 S.E.2d 303 (Va. Sept. 12, 2008)
FACTS
[From his home in Raleigh, North Carolina, Jaynes used several computers, routers and servers to send over 10,000 emails within a 24-hour period to subscribers of America Online, Inc. (AOL) on each of three separate occasions. On July 16, 2003, Jaynes sent 12,197 pieces of unsolicited e-mail with falsified routing and transmission information onto AOL’s proprietary network. On July 19, 2003, he sent 24,172, and on July 26,2003, he sent 19,104. None of the recipients of the emails had requested any communication from Jaynes. He intentionally falsified the header information and sender domain names before transmitting the emails to the recipients. However, investigators used a sophisticated database search to identify Jaynes as the sender of the emails.43]
[The Circuit Court of Loudon County, Virginia convicted Jeremy Jaynes of violating Va. Code § 18.2-152.3:1, which is the unsolicited bulk electronic mail provision of the Virginia Computer Crimes Act, Va. Code §§ 18.2-152.1 through -152.15, and sentenced him to three years in prison for each of three counts, for a total term of nine years. The Virginia Court of Appeals affirmed, and, in a 4–3 decision, the Supreme Court of Virginia also affirmed the conviction.44]
[However, the Virginia Supreme Court granted Jaynes’ petition for a rehearing. He argued on rehearing that he should have been allowed to challenge the constitutionality of § 18.2-152.3:1, that the statute violated his First Amendment rights, and that his conviction therefore should be overturned.]
JUDICIAL OPINION (SUPREME COURT JUSTICE G. STEVEN AGEE)
Jaynes was arrested and charged with violating Code § 18.2-152.3:1, which provides in relevant part:
A. Any person who:
1. Uses a computer or computer network with the intent to falsify or forge electronic mail transmission information or other routing information in any manner in connection with the transmission of unsolicited bulk electronic mail through or into the computer network of an electronic mail service provider or its subscribers … is guilty of a Class 1 misdemeanor.
B. A person is guilty of a Class 6 felony if he commits a violation of subsection A and:
1. The volume of UBE transmitted exceeded 10,000 attempted recipients in any 24-hour period, 100,000 attempted recipients in any 30-day time period, or one million attempted recipients in any one-year time period ….45
… Reversing, the Supreme Court of Virginia held that the statute under which Jaynes was convicted, Virginia’s Anti-SPAM Act, was unconstitutionally overbroad.
3. CONSTITUTIONALITY OF CODE § 18.2-152.3:1
We now turn to Jaynes’ contention that Code § 18.2-152.3:1 is unconstitutionally overbroad. To address this challenge, we first review certain technical aspects of the transmission of e-mails. In transmitting and receiving e-mails, the e-mail servers use a protocol which prescribes what information one computer must send to another. This [Simple Mail Transfer Protocol (SMTP)] requires that the routing information contain an [Internet Provider (IP)] address and a domain name for the sender and recipient of each e-mail. Domain names and IP addresses are assigned to Internet servers by private organizations through a registration process. To obtain an IP address or domain name, the registrant pays a fee and provides identifying contact information to the registering organization. The domain names and IP addresses are contained in a searchable database which can associate the domain name with an IP address and vice versa.
The IP address and domain name do not directly identify the sender, but if the IP address or domain name is acquired from a registering organization, a database search of the address or domain name can eventually lead to the contact information on file with the registration organizations. A sender’s IP address or domain name which is not registered will not prevent the transmission of the e-mail; however, the identity of the sender may not be discoverable through a database search and use of registration contact information.
As shown by the record, because e-mail transmission protocol requires entry of an IP address and domain name for the sender, the only way such a speaker can publish an anonymous e-mail is to enter a false IP address or domain name. Therefore, like the registration record on file in the mayor’s office identifying persons who chose to canvass private neighborhoods in Watchtower Bible & Tract Society v. Village of Stratton, 536 U.S. 150 (2002), registered IP addresses and domain names discoverable through searchable data bases and registration documents “necessarily result[] in a surrender of [the speaker’s] anonymity.” 536 U.S. at 166. The right to engage in anonymous speech, particularly anonymous political or religious speech, is “an aspect of the freedom of speech protected by the First Amendment.” McIntyre v. Ohio Elections Comm’n, 514 U.S. 334, 342 (1995). By prohibiting false routing information in the dissemination of e-mails, Code § 18.2-152.3:1 infringes on that protected right. The Supreme Court has characterized regulations prohibiting such anonymous speech as “a direct regulation of the content of speech.” Id. at 345.
State statutes that burden “core political speech,” as this statute does, are presumptively invalid and subject to a strict scrutiny test. Under that test a statute will be deemed constitutional only if it is narrowly drawn to further a compelling state interest. Id. at 347. In applying this test, we must also consider that state statutes are presumed constitutional, City Council v. Newsome, 226 Va. 518, 523, 311 S.E.2d 761, 764 (1984), and any reasonable doubt regarding constitutionality must be resolved in favor of validity. In re Phillips, 265 Va. 81, 85–86, 574 S.E.2d 270, 272 (2003).
There is no dispute that Code § 18.2-152.3:1 was enacted to control the transmission of unsolicited commercial bulk e-mail, generally referred to as SPAM. In enacting the federal CAN-SPAM Act, Congress stated that commercial bulk e-mail threatened the efficiency and convenience of e-mail. 15 U.S.C. § 7701(a)(2). Many other states have regulated unsolicited bulk e-mail but, unlike Virginia, have restricted such regulation to commercial e-mails. See e.g., Ariz. Rev. Stat. § 44-1372.01; Ark. Code Ann. § 4-88-603; Cal. Bus. & Prof. Code § 17538.45; Fla. Stat. § 668.603; Idaho Code § 48-603E; Ill. Comp. Stat., tit. 815 § 511/10; Ind. Code § 24-5-22-7; Kan. Stat. Ann. § 50-6, Md. Code Ann., Commercial Law § 14-3002. There is nothing in the record or arguments of the parties, however, suggesting that unsolicited non-commercial bulk e-mails were the target of this legislation, caused increased costs to the Internet service providers, or were otherwise a focus of the problem sought to be addressed by the General Assembly through its enactment of Code § 18.2-152.3:1.
Jaynes does not contest the Commonwealth’s interest in controlling unsolicited commercial bulk e-mail as well as fraudulent or otherwise illegal e-mail. Nevertheless, Code § 18.2-152.3:1 is not limited to instances of commercial or fraudulent transmission of e-mail, nor is it restricted to transmission of illegal or otherwise unprotected speech such as pornography or defamation speech. Therefore, viewed under the strict scrutiny standard, Code § 18.2-152.3:1 is not narrowly tailored to protect the compelling interests advanced by the Commonwealth.
4. SUBSTANTIAL OVERBREADTH
The Commonwealth argues that Code § 18.2-152.3:1 is not substantially overbroad because it does not impose any restrictions on the content of the e-mail and “most” applications of its provisions would be constitutional, citing its application to unsolicited bulk commercial e-mail, unsolicited bulk e-mail that proposes a criminal transaction, and unsolicited bulk e-mail that is defamatory or contains obscene images. According to the Commonwealth an “imagine[d] hypothetical situation where the Act might be unconstitutional as applied does not render the Act substantially overbroad.”
The United States Supreme Court recently reviewed the First Amendment overbreadth doctrine in United States v. Williams, 553 U.S.___, 128 S. Ct. 1830 (2008). The Court noted
[i]n order to maintain an appropriate balance, we have vigorously enforced the requirement that a statute’s overbreadth be substantial, not only in an absolute sense, but also relative to the statute’s plainly legitimate sweep.
… [I]t is impossible to determine whether a statute reaches too far without first knowing what the statute covers.
553 U.S. at ___, 128 S. Ct. at 1838. Applying that inquiry under Williams in this case is relatively straightforward as Code § 18.2-152.3:1 would prohibit all bulk e-mail containing anonymous political, religious, or other expressive speech. For example, were the Federalist Papers just being published today via e-mail, that transmission by Publius would violate the statute. Such an expansive scope of unconstitutional coverage is not what the Court in Williams referenced “as the tendency of our overbreadth doctrine to summon forth an endless stream of fanciful hypotheticals.” 553 U.S. at —, 128 S. Ct. at 1843. We thus reject the Commonwealth’s argument that Jaynes’ facial challenge to Code § 18.2-152.3:1 must fail because the statute is not “substantially overbroad.”46
…
III. CONCLUSION
For the foregoing reasons, we hold that the circuit court properly had jurisdiction over Jaynes. We also hold that Jaynes has standing to raise a First Amendment overbreadth claim as to Code § 18.2-152.3:1. That statute is unconstitutionally overbroad on its face because it prohibits the anonymous transmission of all unsolicited bulk e-mails including those containing political, religious or other speech protected by the First Amendment to the United States Constitution. Accordingly, we will reverse the judgment of the Court of Appeals and vacate Jaynes’ convictions of violations of Code § 18.2-152.3:1.47
