Email, Voicemail, and Privacy:
What Policy is Ethical?

Marsha Woodbury, Ph.D.
Chair, CPSR

Paper prepared for The Fourth International Conference on Ethical Issues of Information Technology, Erasmus University, The Netherlands, 25 to 27 March, 1998


Abstract: Business people repeatedly asked Computer Professionals for Social Responsibility (CPSR) to recommend a policy to deal with email and voice mail. After many such requests to our organization, we attempted to construct guidelines that we could endorse. This paper outlines the guidelines that we proposed and will discuss the public reaction to them. The paper discusses the tensions inherent in a business environment, and the means of identifying ethical behavior for both companies and their employees.

1. Introduction

"What should we do about our employees and their email?" That is the question that business people repeatedly asked Computer Professionals for Social Responsibility (CPSR). After many such requests to our organization, we attempted to construct guidelines that we could endorse. The subject of handling electronic mail (email) and voice mail (vmail) in the workplace is a deep and complicated issue that any "wired" business must face. Our initial attempt to draft a policy showed us exactly why business had requested help--determining the limits of electronic communication is like trying to design the Euro dollar. Just when you make it acceptable, someone lodges an objection.

As with most computer questions, we can understand how the bits and bytes convey information, but the social and moral impact of the process is more difficult to determine. Deborah Johnson put forth the idea that computer technology, unlike most other new technologies, is more likely to change the fundamental character of everything that we do. She proposed that we think of the ethical issues surrounding computers as new species of old moral issues 1. Likewise, a policy dealing with technology is a living document, because the technology is constantly changing, pushing us to redefine our ethics. For example, we could not anticipate that workers would be sending email from browsers in 1989 when Mosaic, Netscape, and the Internet Explorer did not exist.

In pondering policy, we wandered from privacy into freedom of information and from pornography to protest. We are still on this journey. This paper contains the guidelines that we proposed and will discuss the public reaction to them. Are they practical? Do they follow ethical strictures? What has happened since CPSR stepped into the fray? This paper will try to answer those questions.

2. Definitions

First, we should define our terms. Email is electronic mail, using computers to transmit messages via data communications to electronic "mailboxes." On the other hand, vmail is a term for voice message switching: using computers, the telephone system, and other electronic means to store and forward voice messages 2. People sometimes think of email as they do an informal telephone conversation, except email is recorded, of course. However, the fact remains that email and vmail are recorded and saved, and they can be presented as evidence in a court of law.

The definition of ethics could take many pages. For this short paper, we limit it so that ethical behavior is normal or expected and unobtrusive. Unethical behavior is that which harms other people or keeps them from achieving their legitimate goals 3. Ethics help us cooperate, to live and work together, to predict the behavior of other people and businesses and government and organizations. In a rapidly changing world, the "rules" are not always clear and behavior is difficult to predict.

There is obviously a tension between the employee's right to privacy and the business' right to control what goes on in the workplace. In developing a policy, the company should endeavor to change its overall atmosphere of trust and humanity as little as possible. As Scott Adams, author of the Dilbert cartoon, has written, the person doing the work of the company--the hands-on person--is central to the company, and the process of "creating policies" is one step removed from hands-on work. Whatever email and vmail policy the company adopts should "get out of the way" of the worker. 4 In making a policy, designers should remember that the average person is only mentally productive a few hours a day no matter how many hours are "worked," and the email and vmail policy should endeavor not to kill happiness and creativity. In other words, the new policy should allow time for gossip and throwing spit wads, calling home to check on the children and receiving an email message from a long-lost friend. And now, to the discussion of policy.

3. Sample Policy

The original guidelines that CPSR put up on the web were taken almost word-for-word from the policy developed by a private company, and we used this title: "CPSR's Sample Electronic Mail and Voice Mail Use Guideline" 5. The CPSR Portland Chapter contributed these guidelines that were created and used by a large, prominent Oregon company. The policy was intended to serve as a reference for companies to establish policies of their own, for it was an authentic operational document that, even with its flaws, had served its company well (this policy used an alternative spelling for email and vmail):

Email and Vmail are corporate assets and critical components of communication systems. The Email and Vmail systems are provided by the company for employees to facilitate the performance of company work and their contents are the property of the company. Although the company does not make a practice of monitoring these systems, management reserves the right to retrieve the contents for legitimate reasons, such as to find lost messages, to comply with investigations of wrongful acts or to recover from system failure.

Personal use of Email or Vmail by employees is allowable but should not interfere with or conflict with business use. Employees should exercise good judgment regarding the reasonableness of personal use. A junkmail group and other ad-hoc mail groups are available for employees to exchange information or post personal notices (i.e. "for sale", "for rent", "looking to buy", etc.). Employees may sell items or post messages on junkmail or other ad-hoc mail groups as long as they do not violate the law or company policies.

Use of Email and Vmail is limited to employees and authorized vendors, temporaries, or contractors. Employees and authorized users are responsible to maintain the security of their account and their password. They should change their password quarterly and take precautions to prevent unauthorized access to their mailbox by logging off when possible if their terminal is unattended. (Unauthorized entry to an individual's account or mailbox poses system security issues for other users.) Email and Vmail passwords should be at least 6 alphanumeric characters including at least one numeric character for Email.

A. Efficient Usage

Efficient use of the Email and Vmail systems suggests that messages should be concise and directed to individuals with an interest or need to know. General notice bulletins may be sent to public groups, news groups local to our company, junk mail, or specific work groups. Standards for global mailings can be found in (a location on the company server.)

Vmail messages which have been read will expire after seven days. This is a limitation of the disk storage capacity of the voicemail system.

B. Misuses of Electronic mail and Voicemail

Misuse of Email/Vmail can result in disciplinary action up to and including termination. Examples of misuse include the following: prohibits obscene, profane or offensive material from being transmitted over any company communication system. This includes, for example, accessing erotic materials via news groups. Also, messages, jokes, or forms which violate our harassment policy or create an intimidating or hostile work environment are prohibited. Use of company communications systems to set up personal businesses or send chain letters is prohibited. Company confidential messages should be distributed to company personnel only. Forwarding to locations outside is prohibited. Accessing copyrighted information in a way that violates the copyright is prohibited. Breaking into the system or unauthorized use of a password/mailbox is prohibited. Broadcasting unsolicited personal views on social, political, religious or other non-business related matters is prohibited. Solicitation to buy or sell goods or services is prohibited except on junkmail or ad-hoc mail groups.

C. Responsibility for this policy:

"A specified department in the company" is responsible to ensure the efficient use of systems according to this policy. Where issues arise, the department will deal directly with the employee (and notify their manager where appropriate). The interpretation of appropriate use and future revisions of this policy are the responsibility of "a committee" or an appointed official.

4. Policy Feedback

As soon as we published our guidelines electronically, our members proposed amendments 6. Basically, they suggested four things:

First, the level of email monitoring should be made clear. For example, the company ought to state that email will not be monitored or reviewed for the purposes of enforcing managerial authority. The appropriate level of monitoring varies. When email or vmail is a person's occupation, then it would be appropriate for their management to evaluate the quality of their work. Otherwise, email should be private. One CPSR member wrote: "the monitoring of individual communications not of a business nature be limited to 'duly authorized investigations' that have been authorized by the Director of Human Resources or higher authority, or as may be required to meet requirements of a lawful subpoena." 7

Second, the language of "efficiency" bothered some of our members. They wanted companies to orient their policy to more human values and individual rights. "Communications via e-mail or v-mail should not burden the receiver inappropriately or unnecessarily, but this brevity is as much courtesy as it is efficient." 8

Third, proper disclaimers on external postings are important, but they did not appear in the policy. Do disclaimers have any genuine meaning? For example, on email sent from work that debases another product, is it enough to put on the bottom, "This email in no way reflects on the company I work for"? On products, courts have held that disclaimers have their limits, and that if some malfunction in a product is done consciously, unscrupulously, excessively, or unreasonably, then the disclaimer does not apply 9. Likewise, a disclaimer on email would probably have a limited usefulness, and there would be a point where the employee would have done a disservice to the employer.

Fourth, the policy did not state the penalty for abuse by administrators. By stating such a penalty, the company can signal to employees that intentional abuse of an email policy by system administrators or others will be subject to severe sanctions, including possibly immediate dismissal from the position of trust that made improper access possible or dismissal from the organization altogether. 10

Also, CPSR received a post from a labor union representative who urged that "prohibitions against political opinions should be amended to allow for messages of interest to the members of a unionized workforce." 11 The argument here is that employers should not prohibit announcements about union meetings and activities, and discussion about these developments, even if those messages are not going to benefit the employer. A union representative wrote CPSR: "As our corporation grows--we are at 3000 employees nationwide, with only about 500 of them unionized--and taking into account that our owner has many tens of thousands of nonunionized employees worldwide, our democratic rights to unfettered association are being threatened on all sides by policies such as have been proposed here." 12

Had CPSR overlooked anything else? Indeed, we had neglected a rather large area concerning the nature of the communications themselves. As one person put it, email and vmail have a large role in recording the on-going business of the organization and thus have legal risks associated with their use and abuse. "Its more important aspects are related to its role in recording the on-going business of the organization and legal risks associated with its use and abuse. One of the most important aspects of email, vmail and other electronic documents, is that they constitute organizational records in many if not most cases." 13 The author had done studies of email usage and policy in organizational settings, and found that a large percentage of employees do not know what is and is not a record, particularly in respect to email and vmail. Thus they also are unaware of their responsibilities in this regard, and the policy should stipulate that the author of any email be promptly notified after the fact if an email message has been accessed, and told why.

The CPSR policy did not incorporate these record-keeping considerations. For example, "those responsible for the administration of email systems often set email destruction dates (known in the records management world as retention schedules) on the basis of purely technological considerations (e.g., to avoid the disk exceeding 80% of capacity) rather than on the value of the information as an organizational asset." 14

5. Whose Property Is It Anyway?

These policy questions make us revisit examples of how businesses handle email and vmail. In her book, Who Owns Information, Anne Wells Branscomb devotes an entire chapter to Who Owns Email. 15 Branscomb begins with the story of a female administrator who was horrified to find her boss reading printouts of employee email. She lost her job for her protest. She tried to sue her employer, but there were no laws guaranteeing the confidentiality of email at the workplace, and she lost her case. The question of ethics is different from looking at laws and their enforcement, for even though something is legal it can be unethical, and if something is illegal it can be ethical. Laws do not have to fit the definition of ethics.

Branscomb serves our discussion well, for she expands upon the definition of email and helps us to be quite clear about the types of communication that one might find stored in a company's computers. Email messages include mailings to forums both moderated and free-wheeling, and often the kind of chat that once took place around the water cooler is now recorded and saved somewhere. Often a person must participate in a forum to fulfill a job. As we know, people "let their hair down" and have many playful conversations online at work. The company that wants to foster creativity should encourage fun and banter. However, the company cannot turn a blind eye in this direction. For example, does the employer have the onus of protecting its employees from online harassment in these forums? One would think so. According to Branscomb, corporations do monitor their internal messaging systems. Companies have for years monitored their workers' performance at work, for example through listening to online salespeople during business calls, but companies have also been monitoring employee communications with each other to see if those calls and messages are related to business practices 16.

Clearly, the electronic communications policy should be a map for administrators and users, one that can be read and followed, a policy that sets out what is acceptable and unacceptable behavior for both employee and employer. We see instances of this need in well-known business areas, such as law firms. Lawyers struggle with the issues of client-lawyer privilege and confidentiality, and their email and vmail communications may have special restrictions. Should a lawyer encrypt all his or her email as though sending a postcard, or should he or she not need encryption because email is more like telephone, cellular, and other delivery services? 17 Stockbrokers cannot legally email their clients without passing the message through supervisors, so they seldom use email for business.

On college campuses, the limits are now more strictly defined as security and ethical issues have emerged. The University of Michigan has a policy that "applies to any member of the University community, whether at the University, or elsewhere, and refers to all information resources, whether individually controlled or shared, stand alone or networked." 18 Their document assists the community in the administration of the Proper Use policy, and it specifies the responsibilities that each member of the UM community agrees to assume by his or her use of campus technology resources.

...to promote the ethical, legal, and secure use of computing resources for the protection of all members of the University of Michigan computing community. The University extends membership in this community to its students and employees with the stipulation that they be good citizens, and that they contribute to creating and maintaining an open community of responsible users. 19

Once such an agreement is made clear, then the student has clear information about what types of behavior are not permitted and the student agrees to accept responsibility for his or her actions. And, as regards harassment, the school requires students:

To respect the rights of other users; for example, you shall comply with all University policies regarding sexual, racial, and other forms of harassment. The University of Michigan is committed to being a racially, ethnically, and religiously heterogeneous community. 20

By spelling out the rules as clearly as possible, the system administrators make the use of email and vmail clear and easy to follow. At the University of Illinois, computer labs have sign-ons to prevent students from using the school's computers anonymously in an effort to discourage harassing or sexually offensive e-mail. Some of the problem messages included death threats, while on one occasion a student posing as a classmate suggested the latter was interested in having sex with various professors. 21

Part of the problem with determining ethics and laws is finding a metaphor for email and vmail. The University of California's policy essentially likens email to the telephone, where nominal personal use is readily accepted. 22 That is far more realistic than the steps taken at Wayne State:

Wayne State University's president has banned the use of the university's e-mail system and its Internet access for non-university purposes, prompting outrage among faculty members, who met last week and vowed to fight the new policy.

The policy, issued late last month by David Adamany, informs students and faculty and staff members that the university reserves the right to monitor their use of its computer systems to insure that the equipment is employed in university-related work only.

"Other uses are prohibited," the policy states, adding that Wayne State "is entitled to access and monitor its information-technology resources without prior notice." 23

6. Pleas for Legislation

Every user needs to know what degree of privacy she or he can expect on the system. At the same time, the business needs to protect itself when it is forced to invade the privacy of the user, as it would in complying with a court order. 24 Thus CPSR tried to put forward a sample policy that would help ensure employee privacy while protecting the company, too.

Recently, privacy advocates have proposed new legislation to guarantee that businesses will ensure privacy and confidentiality to their employees. Right now there are few laws that control workplace surveillance technology or the abuse of the norms of respect for the individual that we may have hoped for. Although the emphasis in many discussions of protection is on employee records, the email and vmail archives that a company maintains are also a potentially intrusive source of data. In a recent draft, the advocates "acknowledge that all members of our society--government, industry, and individual citizens--share responsibility for ensuring the fair treatment of individuals in the use of personal information." They stress individual responsibility and the importance of public education about how information is collected and used. 25 Laws are scarce, and evidence of unethical practices by employees and employers is worrisome.

There are many vexing questions still to be decided. Who is responsible for slanderous email sent from a company's email system? Does a disclaimer really mean anything? Exactly when can company officials read employee email? At what point does an employee abuse the purpose of online communications provided by the company?

7. Conclusion

As this paper has shown, the attempt by CPSR at offering an email and vmail policy proved to be filled with holes and troubling omissions. Like trying to wear someone else's shoes, any attempt to "wear" a statement or policy imported from outside an organization is going to be a poor fit. The borrowed guidelines only gave CPSR and those who borrow this guideline a starting point. The better policies are well organized, easy to read, address all the issues, and include the underlying rationales 26. Was the CPSR sample policy practical? Yes, it is a useful document that its original company has had little trouble with. Does the CPSR policy follow ethical strictures? The criticisms pointed out that the policy did not emphasize enough the restraint and consideration that systems administrators must have, the punishment for noncompliance, or the status of email archives.

What has happened since CPSR stepped into the fray? Slowly awareness is spreading that ethical use must be defined and enforced. At the United States Internal Revenue Service, the issue of unauthorized access by IRS employees to tax returns and taxpayer records has shown how easily employees can use a desktop computer to go through private records even when policy specifically prohibits them from doing so. The author suggests that the policy is not a reflection of the culture. Having a policy imposed on people without their "buying in" or active support is like having road rules that people ignore. Some drivers will run the red lights unless they can see a reason why they should not. Therefore, a policy must be integral and of its setting, a part of the organization and its ethic.

Our aim is to have companies and employees achieve legitimate goals while doing the least harm to other people or entities. Books on ethics tend to be heavy and ponderous, yet what we want is something concise, understandable, fair, and helpful. We seek a workable solution that "gets out of the employee's way," as Adams would say 27. We in CPSR learned much about ethics in trying to put forward a policy. What we would like to propose is that people act responsibly and use their email and vmail tools in an ethical manner. We would encourage business to protect the privacy of communications. We hope our foray into this territory will be useful to others.

1 Johnson, D. (1994) Computer Ethics, 2nd Ed. New Jersey: Prentice Hall. p. 10.

2 Long, L. and Long, N. (1998) Computers, 5th Ed. New Jersey: Prentice Hall, p. G17.

3 Mason, R. O., Mason, F. M., and Culnan, M. J. (1995) Ethics of Information Management, London: Sage Publications, p. 12.

4 Adams, S. (1996) The Dilbert Principle, NY: Harper Business, p. 317.

5 CPSR (1997) A sample E-mail and Voice-mail policy (with CPSR's suggestions for improvement) http://www.cpsr.org/program/emailpolicy.html, Oct. 14, 1997.

6 Levinger D. and Page C., http://www.cpsr.org/program/emailpolicy.html, Sept. 19, 1997.

7 Barry, R. (1997) Email messages ARE organizational records. http://www.cpsr.org/program/addition.html, Sept. 19, 1997.

8 Levinger D. and Page C., http://www.cpsr.org/program/emailpolicy.html, Sept. 19, 1997.

9 Johnson, D. (1994) Computer Ethics, 2nd Ed. New Jersey: Prentice Hall, p. 133.

10 Barry, R. (1997) Email messages ARE organizational records. http://www.cpsr.org/program/addition.html, Sept. 19, 1997.

11 Schoenfeldt, G. (1997) Labor Union Comments, http://www.cpsr.org/program/emailpolicy.html, Sept. 19, 1997.

12 Ibid.

13 Barry, R. (1997) Email messages ARE organizational records. http://www.cpsr.org/program/addition.html, Sept. 19, 1997.

14 Ibid.

15 Branscomb, A.W. (1994) Who Owns Information? New York: HarperCollins Publishers, Inc.

16 Ibid.

17 Krakaur, P. (1997) E-mail Emancipation? EthicsBeat 1: 1 http://www.collegehill.com/ilp-news/

18 University of Michigan (1997) Responsible Use of Technology Resources. The Proper Use of Information Resources, Information Technology, and Networks at the University of Michigan (Standard Practice Guide 601.7).

19 Ibid.

20 Ibid.

21 Kerber, R. (1997) Kids Say the Darnedest Things: Student Web sites present schools with difficult free-speech issues. Wall Street Journal. Nov. 17, p. R12.

22 Electronic Mail Policy (1996) University of California Office of the President, http://www.ucop.edu/ucophome/policies/email/email.html

23 Basinger, J. (1997) Wayne State U. Draws Fire for New Policy Limiting Computer Use and Privacy Rights. The Chronicle of Higher Education, Inc. Nov. 10, 1997.

24 Scott, T.J. and Voss, R. B. (1994) Ethics and the 7 "P's" of Computer Use Policies, in Ethics in Computer Age, ACM: 0-89791-644-1/94/0011, p. 61

25 Information Industry Association (1994) INFORMATION POLICY ONLINE, 1:4.

26 Scott, T.J. and Voss, R. B. (1994) Ethics and the 7 "P's" of Computer Use Policies, in Ethics in Computer Age, ACM: 0-89791-644-1/94/0011, pp 61-67.

27 Adams, S. (1996) The Dilbert Principle, NY: Harper Business, p. 317.
