Thursday, March 26, 1998

E-mail isn't private, and it may be permanent, too

By Reid Kanaley

Knight Ridder Newspapers

E-mail. Does it ever go away?

Intimate 2-year-old electronic messages - 42 of them - traded by once-powerful Wilmington lawyer Thomas Capano and Anne Marie Fahey, the young woman he allegedly murdered, emerged at a bail hearing for Capano last week.

Gleaned from the hard disks of computers used by Capano and Fahey months after they were sent, the messages are the latest reminder of the rugged persistence of e-mail and of its frequent tendency to make public news out of private words.

"These things obviously do stay around for awhile," said Capano defense lawyer Charles Oberly 3d. "There's no question ... to erase them is very, very difficult."

Privacy experts say the public needs constant reminders e-mail, now used by millions for personal and business correspondence, is potentially as private as a billboard on the interstate.

E-mail increasingly figures in everything from divorce proceedings to murder investigations. Businesses have almost carte blanche to review electronic mail sent and received by employees on company computers.

"Whole computers are being taken. We saw even with Monica Lewinsky, they subpoenaed her computer, her hard drive, and her discs," Rafaat Tass, head of the Global Internet Liberty Campaign for the American Civil Liberties Union, said in a reference to the probe of President Clinton's alleged affair with a White House intern.

Oberly said while he was not familiar with the source of all the Capano-Fahey e-mails - or if there had been any attempt to erase them - it was his understanding most, if not all, were easily obtained under search warrants issued to prosecutors after Fahey, a secretary, disappeared in June 1996.

The defense introduced the messages in an attempt to show the victim and the accused had a caring relationship. Capano was denied bail anyway.

E-mail has a secret disk life, not only on the desktop computer but potentially on each of the computers it visits on the Internet.

"You can shred a letter and throw it away," Tass said, but even deleted files can remain on a computer's hard drive for years.

That is because a deleted computer file isn't really erased until the computer needs the disk space. It may then record something new over the deleted item. In the meantime, experts can retrieve the ghost files at will.

Encrypting e-mail messages may only add a sense of false security, say privacy experts. Determined e-mail pilferers, hackers and legal authorities can eventually crack most common encryption codes, and if not, courts can compel the writers of encrypted e-mail to hand over the "keys" to encryption software, just as they would have to turn over the keys to a safe whose contents were under subpoena, they say.

"Because it is called mail, most people have the impression it is confidential, and it certainly isn't," said Robert Ellis Smith, publisher of the Privacy Journal, a monthly newsletter. "It's really akin to a postcard."

A survey by the corporate-backed American Management Association said 14.9 percent of businesses had engaged in storing and reviewing employee e-mail in 1997, and 10.9 percent of companies did so for all employees.

In addition, federal law enforcement agencies now monitor e-mail in 17 percent of their investigations that involve some kind of technical surveillance, according to government figures compiled by James Atkinson, a computer security expert in Gloucester, Mass.

"There is no such thing" as e-mail privacy, said Atkinson.

If he hadn't known it before, Harvard law professor Lawrence Lessig learned that lesson last week when a U.S. Court of Appeals temporarily halted his work as a special master in the Department of Justice's antitrust case against Microsoft. Microsoft had objected to Lessig's role, pointing out Lessig wrote in an e-mail last June that he had "sold my soul" and installed Microsoft software on his computer, only to find it may have "screwed up" his files.

In the first federal court case on workplace e-mail privacy - or lack thereof - the U.S. District Court in Philadelphia ruled in January 1996 there is no "reasonable expectation of privacy in e-mail communications" between an employee and his supervisor.

Based on that ruling, "employers are ... free to read employees' e-mail, even if it's not job-related and even if they promise their employees they won't do it," said Lewis Maltby, director of the ACLU's Workplace Rights Task Force.

As a safeguard, said Smith, "be very careful (with e-mail) at work and don't use it for any sensitive conversations if you don't want it to come back and haunt you."

He said employees ought to urge management to state a policy on e-mail privacy.

And at home, said Smith, individuals should check with their Internet service providers to know when and how e-mail files are backed up and what policies exist for their disclosure and protection.

"The bottom line," said Atkinson, "is, if you want to keep it private, don't do it via the Internet."

(c) 1998, The Philadelphia Inquirer.

Visit Philadelphia Online, the Inquirer's World Wide Web site, at http://www.phillynews.com/

Distributed by Knight Ridder/Tribune Information Services.