Federal and State Wiretap Act Regulation of Keyloggers at the Workplace
2015-08-28Keylogger hardware and/or software are inexpensive devices that are quite easy to use. The purpose of keyloggers is to record every single keystroke on your computer. Additionally, it allows the monitor to access any password-protected accounts of an unsuspecting typist such as email. You must be having keyloggers installed on your workplace computer. These keyloggers might have different names like “SniperSpy,”“IamBigbrother” and “CyberPatrol.” It is a fact that employers rely upon keylogger sat the workplace and install them to monitor their employees without their knowledge.
Managers defend this act with the point that computer surveillance is highly important in boosting the productivity level at the workplace. However, alternate tools such as remote desktop access, website blockers and time audits let employers determine whether any of their employees deviated from the given task. These tools are effective as well as less risky because surveillance is done without breaching the trust of the employees and embarrassing them like the case is with Keyloggers.
Though keyloggers invade privacy but they have become legal in various jurisdictions since currently no federal law has prohibited their surreptitious use specifically at the workplace.TheElectronic Communications Privacy Act (ECPA) that embraces the Federal Wiretap Act (FWA) as well as the Stored Communication Act (SCA), could possiblyavert keystroke theft. However, as of now their offered protections doesn’t extend to keyloggers. There is nonetheless, evidence that a change may come soon in this regard.
This can be stated considering some of the recent cases that have suggested a wider interpretation of the ECPA than the previously implemented one. Moreover, since a consensus regarding federal law prohibiting keyloggers is absent therefore, to protect public from keystroke theft some courts have interpreted state statutes. This conflicting situation between jurisdictions over interpretations of law leaves citizens of various states vulnerable to invasive spying at the workplace. This confusion also creates lack of clarity among both the employers and the employees regarding what should and shouldn’t be considered a lawful conduct. It is about time that the secretive use of keyloggers gets subjected to extended and comprehensive regulation by federal and/or state law. Lately, this position has been adopted by courts in a few cases.
Inadequate Interpretation of the Federal Wiretap Act
In September 2011, Lisa Rene’s case titled Rene v. G.F. Fishers, Inc was heard at the Southern District Court of Indiana. The woman’s privacy was violated via a keylogger at the workplace. The defendants authorized plaintiff to access her personal email account and checking account from a computer at the workplace without informing her that the computer had keylogger software installed. This software allowed the company (defendants in this case) to obtain Rene’s personal account passwords, which were then accessed, viewed, discussed and forwarded amongst themselves. G.F. Fishers Inc., was therefore, sued by Rene on grounds that this action breached the FWA, the SCA and the Indiana Wiretap Act (IWA).
The FWA 18 U.S.C. § 2511(1)(a) penalizes anyone “who intentionally intercepts [an] electronic communication.” However, Rene’s FWA claim got dismissed. Her argument was that the firm violated the FWA by conducting keystroke theft because she typed her personal accounts’ passwords on the company’s office computer. The court found that capturing keystrokes or keystroke theft didn’t constitute “interception” as is explained in the FWA. Although FWA didn’t compel this interpretation, generally courts endorsed that the FWA requires interception to happen “contemporaneously” with transmission of the information/data. In this context, “contemporaneous” requirement was included in the definition of interception with regards to oral and wire communications before the enactment of the ECPA. Originally, it was intended to continuously store answering machine tapes that were confiscated by police so that these don’t fall within the scope of the law.
The FWA was amended after the introduction of the ECPA and it later included electronics communications too. Some courts declared that Congress tried to retain the “contemporaneous” requirement. The Konop v. Hawaiian Airlines Inc. can be accessed to get the summary of primary cases. Since most keyloggers store the information captured on their host computer and this is later retrieved by a monitor. This is why Rene couldn’t establish that the seized information was transmitted contemporaneously and the FWA was violated.
In that particular case, the court decided that Rene’s keystrokes didn’t meet the requirements of the FWA regarding “electronic communication,” which the FWA defines as signs and signals “transmitted … by a…..system that affects interstate or foreign commerce.” 18 U.S.C. §2510(12) In this scenario the keylogger didn’t transmit her private information anywhere else, that is, beyond the office computer. The court also found that the act of F.G. Fishers Inc., didn’t involve a system that could affect interstate or foreign commerce.
United States v. Scarfo, and United States v. Ropp were two primary cases that helped in the development of this interpretation of the Commerce Clause for addressing the legal status of keyloggers. A New Jersey federal law court ruled in Scarfo case that the use of a keylogger by the FBI to “eavesdrop” while conducting an investigation into mob boss NicodemoScarfo’s unlawful criminal betting and loan sharking practices didn’t violate the FWA. According to the FBI, the department didn’t record Scarfo’s keystrokes while his computer was linked to a modem. Therefore, a system that could affect interstate commerce wasn’t involved.
Nonetheless, having a network connection might be insufficient for putting keylogger use as a violation of the FWA. A California district court found in Roppthat an employer didn’t breach this law even after his installed keylogger wasn’t deleted and the computer had a network connection. In this case, the court decided that “the reasoning used in Scarfo is flawed in some respects.” Furthermore, the court gave a rather narrower construction of the Statute as it declared a computer with a modem could be deemed as a system that affects interstate commerce. Therefore, court concluded that “[a]lthough this system is connected to a larger system–the network–which affects interstate or foreign commerce, the transmission in issue did not involve that system. The network connection is irrelevant.” Id. at 838.According to the court, the statute required that the system should be able to affect interstate commerce at the time when information was intercepted along with the incorporation of keystroke capture. In Rene, the court agreed with this explanation of the FWA.
Counter-arguments that favored the inclusion of keylogger wit hint the Commerce Clause got rejected by the Ropp and Rene courts and a more holistic view was adopted. Prior to these cases, courts considered that if the keylogger hadn’t been installed on a network computer, it was impossible for the employee to check emails and other account, the passwords of which the keylogger recorded. In Ropp and Rene, courts found that the connection was incidental and opted for a compartmental take on the system concluding that keylogger’s function was separate from networking function of the computer, ignoring the fact that the network function was exactly what the employer wanted to exploit. Ropp court tried to defend its position by insisting that Congress only should cover new technological terrain. However, seven years have passed since Ropp and apparently legislation has become far more insufficient as the invasive trait of keyloggers has increased and yet remains unchallenged.
As far as average buyers are concerned, the recent ranges of keyloggers that are available to them offer complete remote access, which lets a monitor to gather stolen keystrokes online. Such keylogger software is capable of transferring the gathered keystroke data to a website either by directly using a network connection or via intercepting plainly WA rules. This way, it becomes possible to monitor the typist remotely.
These advancements in technology point to the need of making arbitrary distinction made in FWA explanations. The dissimilarity between stealing the keystrokes of any employee contemporaneously with transmission and/or after some time is not important at all provided that similar access is offered by the keystrokes. That’s why the legislature didn’t include the provision “contemporaneous” while the FWA was being drafted.
The Insufficiency of Regulating Keyloggers Under the SCA
Keylogger complaints lodged by plaintiffs can be brought under both the SCA and FWA. Although Rene’s FWA claim was rejected but her SCA claim did reach summary judgment. The court decided that accessing her passwords via a keylogger software didn’t breach FWA law but accessing and reading her email would have been termed as a violation. Contrary to this, her SCA claims that were directed towards illegal access of “electronic communication while it is in electronic storage,” weren’t deemed as a reliable substitute to federal or state keylogger rule since courts couldn’t agree on the suitable interpretation of SCA regarding an email18 U.S.C. § 2701(a) (2011).
The ambiguity present in the law generated a crucial query in a majority of cases where it has to be determined whether emails that have previously been read could be considered part of “electronic storage.” Many different stances have been adopted by the courts to address whether accessing an individual’s email violates SCA. In this regard, some tended towards prohibition under the SCA whereas some weren’t much inclined towards extending SCA’s scope.
This mixture of decisions explains that SCA claims are erratic and cannot offer an appropriate substitution for FWA claims in this context. Moreover, SCA claims don’t prevent plagiarizing into the countless password accounts to which keyloggers offer easy access.
“Affecting Commerce”: Wide-rangingExplanations of the FWA
The constricted interpretation of the Commerce Clause as well as the requirement of “contemporaneous” interception has prompted defeats in a considerable number of FWA claims and the State Wiretap Act breaches involving keyloggers. Commentators have noted that the primary issue if the ineffectiveness of the ECPA in keylogger oversight. However, there are indications that such interpretation of the FWA is rapidly losing its stronghold. One court at least has criticized the FWA’s Ropp interpretation. In the casePotter v. Havlicek, spousal spying occurred through a keylogger, and an Ohio district court identified that the statute was read too narrowly by the Ropp court because it stated that the communication to travel in interstate commerce and not just affecting interstate commerce. In case of Havlicek,court suggested that messages sent on any networked computer, which contained keystrokes, did affect interstate commerce. Thus, the Commerce Clause demands were met. This sort of explanations did gather some momentum in cases involving keyloggers. Such as in Brahmana v. Lembo, which was a Californianoffice spyware case involving use of keylogger and “network analyzers” that stored keystrokes over a network, court quoted the Havlicekinterpretation and similarly suggested that in Ropp case, the court endorsed a narrow explanation of the FWA. It was declared by theDistrict Court for the North District of California that the “means of monitoring” did support the discovery that interstate commerce got affected by the keystrokes and the claim went to the finding. A Texas district court identified in Langston v. Langston,that the case law regarding the legal status of keyloggers is uncertain and unclear. In this context, reference was made to the Brahmanaand Havliceksince in these cases courts discovered that keyloggers could establish electronic communications that violated the ECPA. Such decisions indicated a probable shift in the courts’ willingness in protecting the citizens’ privacy rights by considering keystroke theft as something counted under federal.
Extensive Interpretations of State Wiretap Acts
The weakness of the interstate Commerce Clause is missing in the State Wiretap acts and therefore, their applicability centers upon the explanation of a completely different set of terms. In Rene’s case, it was identified by the court that keystroke theft could establish IWA violation. In that particular case, the defendant argues that since Rene’s FWA claim was rejected therefore, her IWA claim should also be rejected citing that under the IWA “intercept” definition is “nearly identical” to interception definition under the FWA. However, court rejected this argument from the defendant and stated that while the provisions may resemble each other but the definitions are “hardly identical.” ”Intercept” has been defined by the IWA as “the intentional recording or acquisition of the contents of an electronic communication by a person other than a sender or receiver of that communication, without the consent of the sender or receiver”with “electronic communication” without demanding that the system at issue must affect interstate commerce as the requirement with the FWA and without the need of being contemporaneous. Ind.Code 35–33.5–1–5.
In State v. Walters, a keylogger was installed on the defendant’s computer by his roommates for reading his emails. The case was heard by the New Hampshire superior court, which discovered that surreptitiously installed keyloggers did breach the New Hampshire wiretap legislation. Newhampshire Wiretap legislation defines intercept as “the aural or other acquisition of, or the recording of, the contents of any telecommunication or oral communication.” N.H. Rev. Stat. Ann. § 570-A:1. In this case, the court suggested that the keylogger gave the roommates an opportunity to “intercept and record the defendant’s Internet user password,” which was a clear violation of the statute. Walters at *1.
In Rich v. Rich a keyloggerwas installed by Leslie Rich on the computer of his wife without her knowledge. The keylogger copied her passwords as well as full blocks of her typed text. Rich was sued by his wife under the Massachusetts Wiretap Act, which forbids oral and/or wire communications interception in cases involving keyloggers. In this case too, the defendant argued that since keyloggers aren’t covered in the FWA, the MWA should also not cover it due to the requirement of interception. The MWA defines “Intercept” as means to “secretly hear, secretly record, or aid another to secretly hear or secretly record the contents of any wire or oral communication through the use of any intercepting device by any person other than a person given prior authority by all parties to such communication …” (citing G.L.c. 272, § 99B(4)). Later, the Massachusetts superior court identified that even in the restricted FWA reading Leslie’s acquisition would establish interception because the emails were copied entirely and not stored in email and recovered later. Therefore, it established contemporaneous transmission.
Contracted Interpretations of State Wiretap Acts
Some states chose not to expand scope of their wiretap acts to installed keyloggers without consent or knowledge, although these states weren’t unburdened by the Commerce Clause. The use of keyloggers was interpreted to be not prohibited in the Pennsylvania Wiretap Act.
Pennsylvania courts interpreted “intercept” as having similar definition in the PWA as it has in the FWA including the “contemporaneous” requirement, even though the statute doesn’t require it. 18 Pa.C.S.A. § 5703. Visit Lane v. CBS Broad. Inc.(“If a keylogger does not intercept electronic communications under the federal act, it cannot be deemed to do so under the terms of the parallel state statutes.”)
Likewise, the Louisiana Electronic Surveillance Act was interpreted by the Louisiana District Court to exclude the keyloggers regulation. These cases demonstrate that minor dissimilarities in interpretation and/or wordings does allow completely different results in the triumph of state law claims. Another complication that arises can be attributed to limited case law in this region since various states have privacy statutes that haven’t been tested by complicated cases.
In some jurisdictions, courts have declined to take a stand in prohibiting the surreptitious use of keyloggers regardless of the available option of applying state legislation. This makes individuals vulnerable to getting their private data exploited by their employers. The most unified way to increase employee privacy rights against keyloggers is to interpret FWA broadly, which only courts can do. Since the ECPA coverage is missing, therefore, states need to examine their statutes and think about the public policies that they are required to protect. Considering substitutive surveillance methods, insufficient federal regulation and ongoing advancements in technology sector, expanding state statutes is very important and justified.