There are several privacy issues raised by this case. Is the privacy of individuals violated if their email is tracked back to them, or if they are videotaped? What privacy obligations do those who maintain computing systems have to users of those systems? Was the privacy of the Asian targets of Machado’s email violated when Machado used finger to find them?

Legally, there seems little privacy protection for either public or private employees from their email or other online activity being monitored by their employers. The privacy protection that has been granted seems to be done on analogy with wiretap restrictions: email in transit may have some privacy protection, but not when it sits as a file on a machine. The law then sees it as the property of the person who owns the machine. Here is one clearly odd place where legal reasoning is stuck in an older model of technology (the telephone) and technological change has left it behind.

But this landscape is shifting constantly both because of new legal decisions and because of the patchwork of laws protecting privacy in the United States. Many European countries (e.g. England, Germany, France, Sweden) have adopted broad legislation that covers the privacy of personal information. These are now coordinated by the European Union. U.S. privacy law is much more of a patchwork. Privacy is protected in a myriad of different domains by specific laws (e.g. privacy of library records, privacy of video records, privacy of medical records). In addition, most of these laws are directed at protecting privacy from governmental intrusion rather than from intrusion from large organizations.

Before you make any claims about what is or is not protected by privacy laws, we recommend you check some of the reputable sites we list in our references on the legal issues associated with privacy. Before you make decisions about such issues, you should check with legal counsel with expertise in privacy law.

But some privacy is expected by users and attempted by administrators, even if it is not guaranteed by law. The public posting of privacy policies on web sites is becoming regular practice. Personal privacy and Internet web sites is a large issue that will be addressed in another case, however. In this case we need to ask what the privacy issues are for individual users with accounts on a networked system.

Standard policy in academic computing systems is that all users sign a document saying they have read and understood their rights and responsibilities on the computing system. These vary slightly from institution to institution, but almost without exception, people are warned that their files and electronic mail may be looked at by systems administrators in the line of their duty. Most academic institutions make it a point to avoid doing this unless there is a system security issue, and thus provide a reasonable amount of privacy to academic users. This is not necessarily the case in other systems in the business world. Practice there varies widely, but most systems still have users sign a document that outlines their rights and responsibilities.

In our case, the university did have a document that Machado had signed in order to get his account. But Machado may not have read the document or have understood it. This brings up an important distinction that is used in legal cases, but is also helpful in our discussion. The distinction is between the subjective feeling of privacy and the reasonable expectation of privacy.

Subjectively, Machado might have felt like his message was private and that it could not be traced back to him. This was partly because he misunderstood the system (many mailers hide the SMTP headers that allow tracking, but they are still there for those who know where to look). It may also have been that he had forgotten or misunderstood the document he signed (college students sign a great deal of paper in dealing with administration). But even if he had the subjective feeling of privacy, a reasonable user on the system should know that most email can be tracked.

The Asian targets of Machado' hate mail may have felt that their privacy was violated. But again, the distinction between the subjective feeling privacy and a reasonable expectation of privacy should help us think clearly. If your telephone number is published in a telephone book, callers could pick out your name based on its apparent ethnicity and call you to harass you. The harassment may be immoral, but looking up your name in the telephone book is not. We might think of the finger command in a similar light. It is a sort of telephone book that provides access to specific items of information about you.

Still, many installations do not implement the finger command because they value the privacy of their users more than they value the ease of information access that finger supplies. And in most cases concerning privacy, we will need to balance various values against one another.

In this case we have offset claims of privacy: Machado’s claims vs those of the targets of his email. Any consideration of privacy right will need to do this sort of weighing of competing claims.

Legal work will give us little help here. In the U.S. the owner of the information may, by and large, do with it as he or she pleases. Though the law allows a broad use of information by its owner, systems administrators might ask a more fundamental question: what good(s) or values are we protecting with our privacy policy and our use of information?

To answer this question simply with "a right to privacy" is not to answer it at all. Why do we value privacy or think people have a right to it? If we are going to go beyond the requirements of the law, we need to find a principle on which to base our decisions about privacy.

For example, some European countries have begun to recognize privacy as a sort of public good, in the way we think of a clean environment as a public good. In this sense of public good, the reasonable assurance of privacy supports a climate in which individuals have control over their personal information and how it is accessed and used.

But we need to go further than this and ask, "Why would it be good for individuals to control their personal information?" This is, at base, a philosophical question about why we value privacy. Two answers have arisen from the philosophical literature: (1) because a basic respect for persons requires privacy and (2) because not having privacy would change our behavior in undesirable ways. For a short review of these issues, see Deborah Johnson chapter on privacy in her book Computer Ethics.

The basic respect argument begins by claiming that we ought to treat people as ends and never only as means for our own good. This is a basic deontological (duty based) approach to what we owe each other. If we treat people as ends in themselves, then it follows that we should give them the power to establish their own relationships with others. Now here is the where privacy comes in. To really have control over my relationships with other people, I need to have control over information about myself. I may share some information in my family that I would rather not share with my insurance broker. So, a basic part of respect for persons involves respect for their control over their own information.

The change in behavior argument is based on a simple principle: people act differently when they know they are being watched. The utilitarian (outcome based) argument suggests that we should value privacy to the extent that we value a society that is spontaneous, creative, and open. So, some privacy is required to support this sort of society.

So now we come back to what privacy obligation(s) system administrators or Internet providers have toward their users. What kind of a climate among your users do you want to achieve? Will your privacy policy achieve it? What basic levels of respect do you owe your users? And how can you balance both of these with the need you have to know about system performance and to prevent abuse of the system?

These are not easy questions in their application. But careful reflection can help you establish a policy that has the appropriate balance.

We can also ask whether the computer personnel at the University of California, Irvine achieved the appropriate balance in their (1) implementation of the finger command, (2) tracking down of Machado’ email, and (3) subsequent discipline of Machado. Doing this will require asking questions about what basic respect they owed to Machado, to the Asians who were the target of his email, and to the user community. In addition, it will require asking questions about what sort of environment the actions of the computer personnel establishes.

Next Issue