Can I legally log into an employee's webmail if they left their password on a company computer?
May 19, 2008 7:17 AM

Say I have an employee who was using a company computer. They departed under bad terms. I suspect that they took proprietary and valuable company documents with them when they left by sending them to themselves or someone else using a webmail service. If I can recover their webmail password from the company computer they were assigned, is it legal for me to log in and check to see if they did this? Why or why not?

This is in the United States. My understanding is that employees have no expectation of privacy on company assigned computers. This is a semi-hypothetical question, since I am not about to do it, but I am working on a forensics case where the possibility might come up. I will definitely check with a lawyer, probably the one who hired me to do the investigation, and if it seems legal and they want it done, will ask for a letter of indemnity from them. I know you are not my lawyer and will not construe your answers as legal advice.
posted by procrastination to Law & Government (25 answers total) 1 user marked this as a favorite
 
At the very least, it's unethical. If they'd left a house key in their desk, would you be justified in stopping by their home and taking a look around? IANAL, TINLA
posted by spaceman_spiff at 7:21 AM on May 19, 2008 [1 favorite]


I have no doubt that the company's IT policy would insulate you from any legal ramifications of doing this, but I would still run it past a lawyer.

On the other hand, what is the point of doing this digging? You should always assume the worst when an employee leaves under these circumstances, so assume the damage is done. If you are planning to take some legal action, then you might want to get law enforcement involved before you go digging around in "personal" files.
posted by OlderThanTOS at 7:31 AM on May 19, 2008


The person who left may have no expectation of privacy on the work computer you have been asked to check, but the computer on which their web mail is stored is not that computer, and so they may have a different expectation of privacy on that system. Using something you find on the work computer, to access an account on a different computer system is probably not kosher, at all.
posted by paulsc at 7:34 AM on May 19, 2008


2nd on the IT policy. I've worked many jobs with IT policies stating that nothing you do on a company machine is private. If the employee accepted the job offer with these policies in place they agreed that you can look through their stuff as long as you stayed within the policies.
posted by justnathan at 7:35 AM on May 19, 2008


Seems like it would be a good idea to run this hypothetical question by the webmail service's legal department. They'd probably be able to give you a better answer.
posted by necessitas at 7:35 AM on May 19, 2008


You'd think that someone with enough foresight to secret away company files would at least change their webmail password to something that wasn't cached on their work machine once they were done.
posted by Oktober at 7:38 AM on May 19, 2008


Best answer: Unauthorized access to their private email account is probably a crime. Searching your IT records, and the company computer they used is perfectly legitimate. Going beyond your own company owned resources would be foolish without first getting help from a lawyer, not a MetaFilter lawyer either, well versed in this area. Nevertheless, I am pretty sure that accessing their private email without their permission or a court order is a criminal offense.
posted by caddis at 7:43 AM on May 19, 2008


If the company computer contained a log of their online email activities you could look at that but logging into their account would be unauthorized access into the employee's webmail account. You could check the browser history, firewall logs, etc. But I think spaceman_spiff has it - knowing their webmail password doesn't give you a right to use it.
posted by GuyZero at 7:44 AM on May 19, 2008


IANAL, but I've done my share of IT policy enforcement, and my take would be that you have every right to retrieve anything on that work computer (and you could have monitored all traffic between that work computer and a webmail site), but you have no right whatsoever to use that information now to access third-party computing systems without authority. Reading the password from some cached file is a separate act from impersonating the ex-employee to hack into his third-party site account. You might similarly be able to read a personal credit card off of that work system as well, for example, but you have no right to use it.
posted by tyllwin at 7:44 AM on May 19, 2008


Best answer: Having no expectation of privacy means you can *watch* what they do, by logging their actions or intercepting their web traffic in house to see what they're seeing as or after they do. The lack of privacy protection allows the employer to use information gathered for internal disciplinary purposes, it doesn't give them a right to publish (for example) or continue to access the employee's information later.

I don't know what exactly they call it in US law (the Canadian Criminal code calls it "Unauthorized use of computer", which in this case would refer to the email server) but I doubt even the most widely worded Employee Internet Handbook or employment contract (check to see if their company even bothered to have them sign one) would allow anything like this, especially since those documents would likely no longer be in effect after the employee is no longer an employee there.

In no legal universe are you going to get away with using a logged password to check their non-company email address. Period. It just won't fly.

P.S. I think it was on this podcast by US computer security experts Steve Gibson and Leo Laporte that I heard a bit about how people generally DO have expectation of privacy unless they've signed a very specific contact/handbook/whatever notifying them that they don't, and that in the US the tech investigator brought in by the company must be very careful to see and be aware of that to avoid being personally liable for breaching wiretap laws.
posted by tiamat at 7:44 AM on May 19, 2008 [2 favorites]


My gut feeling is that possession of the password and the authority to use the password are two separate things.

You write your password on a piece of paper in your wallet, it falls out, and I pick it up. Nothing there gives me permission to violate (for example) Hotmail's T+Cs.

I accidentally leave my password on your machine. That doesn't give you the right to use that password to log in to a webmail account hosted by (for example) Google.
posted by Leon at 7:45 AM on May 19, 2008


(IANAL) Assuming the departed employee signed a non-disclosure agreement when he or she came to work for your company, it seems that, if you have evidence on the employee's workstation that he or she improperly sent/kept proprietary information, then the proper avenue would be to pursue it legally through your company's lawyers contacting the former employee or his/her lawyer. If your company doesn't have a non-disclosure agreement, then you might not have any (legal) course to pursue. Almost certainly hacking private email is not a legal option.
posted by aught at 7:52 AM on May 19, 2008


It's different with work emails, as far as I know. At my work place, all emails sent and received and email accounts are "public property". In other words, don't do anything with them that you don't want your boss to see, because if he hates you, he WILL see them.
posted by Phire at 7:52 AM on May 19, 2008


Best answer: I believe that any lawyer offering an opinion on this issue would be well-advised to consider the implications of the Stored Communications Act, 18 USC s2701, which provides that it is a federal statutory violation to:

"(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or
(2) intentionally exceeds an authorization to access that facility;

and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system..."

In my own experience, some otherwise very respectable lawyers are not up-to-speed on this stuff.

TINLA.
posted by QuantumMeruit at 8:00 AM on May 19, 2008 [1 favorite]


Nthing the sentiment here that, while there's no expectation of privacy in the use of a computer at work, there certainly is an expectation of privacy in one's own webmail account.

Besides. Suppose you knew for sure he emailed documents to his webmail account. Then what? Unless there were very specific policies about not removing electronic files from the workplace, he can say it was a backup, or I was taking work home, and I've deleted them since I left. Unless you were able to execute a surprise search warrant, you'd never prove otherwise.
posted by beagle at 8:01 AM on May 19, 2008


I think you should let it go. Get your IT people to block gmail, yahoo, etc... if you want to stop this sort of thing in future.
posted by chuckdarwin at 8:13 AM on May 19, 2008


If this isn't an email account that you administer, I would be amazed if you could legally do this. If you do not administer that account as part of your business it is not your property to access.

Think of a real world analogy. If he were to have dropped his apartment keys on your parking lot, you could not just go walking around his place searching for documents.

If you want to have any legal case at all, try to get a warrant. If you find something this way I cannot imagine that evidence would hold up in court. I can easily imagine you getting in legal trouble.
posted by dosterm at 8:25 AM on May 19, 2008


Response by poster: Thanks for the answers. I strongly suspected that it would not have been legal, and now I know for sure. If asked to do so by a client, I will refuse.
posted by procrastination at 8:37 AM on May 19, 2008


Best answer: If I can recover their webmail password from the company computer they were assigned, is it legal for me to log in and check to see if they did this? Why or why not?


This is unauthorized access to a system that does not belong to you. To put this in perspective the police would need a warrant to do this. This is generally called "computer intrusion" and depending on the circumstances and state it could very well mean a felony conviction for you. I can't comment on your state but here are some federal guidelines.
posted by damn dirty ape at 8:37 AM on May 19, 2008


Hey boss, you accidentally left your bank statement on my desk with your password written on the top, it's OK if I just log into your online banking and take a look around, that's totally legal right? I'm not going to steal your money or anything, I just want to look at your private financial information.

If you have evidence (other than he left on bad terms) that he may have stolen documents you could probably legally get the webmail provider to at least confirm/deny that the documents were sent.
posted by missmagenta at 8:43 AM on May 19, 2008


....Apologies if I'm pointing out the blithering-idiot obvious here, but I'm honestly confused as to why you would need to try and check their webmail account if all you're trying to do is see if they sent themselves something from their work address. Couldn't you simply do a check of their send log from their work email to see if there are any out-of-the-office emails they sent at about that time, with largish attachments?
posted by EmpressCallipygos at 9:07 AM on May 19, 2008


EmpressCallipygos, the idea is that this person took these documents and mailed them to himself via webmail. That is to say his To and From are the same thing in his webmail. He never used the company email.
posted by damn dirty ape at 9:58 AM on May 19, 2008


Think about the human aspect of this.

Whatever they've done, it's already done. If they've sent the documents home, they're there, and I would assume backed up on offline storage.

If you snoop around like this, you will arouse their suspicion. If they discover it's your company, the documents they have will probably end up incredibly public in ways you don't want.

I'd suggest: Don't do it.

I've had a similar situation. The human aspect is very important to consider here. Think about what you would do if your employer did this to you on your way out. If you would react just fine, look at the people in offices surrounding yours. Would they react well? There's your answer.
posted by shepd at 12:15 PM on May 19, 2008


"To put this in perspective the police would need a warrant to do this."

You're right, but that's totally irrelevant. We're not talking about the police, we're talking about a private entity, which is not bound by the same rules. I realize that you probably know that... but I've found analogies like this cause laypeople to make direct connections where none exist, so it's worth pointing out that the fourth amendment doesn't really protect against invasion of privacy by a private citizen.

The entity is, however, bound by the SCA, as mentioned above... so not only is it an ethical non-starter, it's almost certainly illegal as well.
posted by toomuchpete at 8:30 PM on May 19, 2008


I do not know whether this is legal or not, however I'd like to point out something that people seem to misunderstand/forget here.

If an employee uses a web based mail, they need not "email documents to their webmail", instead they open a browser, upload the files they want and email it wherever the heck they please (perhaps just saving as draft). That way, they aren't using the company email account to email out with, but could, in theory, be making off with lots of documents they shouldn't have.

If the place of work is of the restricted kind where nobody can leave the office carrying a briefcase full of documents without having it inspected, one shouldn't allow them to access webmail either, obviously since it's their "cyberbriefcase", pardon the expression. Can the employer inspect the cyberbriefcase? Probably not, but they might be able to check logs to see if anything was uploaded to the webmail, since that usually involves calling another specific URL within the webmail provider and is pretty obvious in logs.
posted by dabitch at 7:32 AM on May 20, 2008
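
The log check described in the comment above, as an added example that is not part of the original thread: a Python pass over the company's own proxy log that flags large uploads to webmail hosts. The log layout, domain names, threshold and sample lines are all constructed for illustration; `CONNECT` entries are included because with HTTPS a proxy without TLS inspection records only the host and byte counts, not the upload URL.

```python
from collections import defaultdict
from urllib.parse import urlsplit

WEBMAIL_DOMAINS = ("webmail.example", "mail.example.org")  # placeholder domains
UPLOAD_THRESHOLD = 100_000  # bytes sent by the client in one request (assumed)

# Constructed sample in a hypothetical proxy log layout:
# timestamp client_ip user method target status bytes_from_client bytes_to_client
SAMPLE_LOG = """\
2008-05-16T16:02:11 10.0.0.23 jdoe GET http://webmail.example/inbox 200 512 48211
2008-05-16T16:03:40 10.0.0.23 jdoe POST http://webmail.example/compose/attach 200 2483112 931
2008-05-16T16:04:05 10.0.0.23 jdoe POST http://webmail.example/compose/savedraft 200 1840 402
2008-05-16T16:10:52 10.0.0.23 jdoe CONNECT secure.mail.example.org:443 200 5120044 20311
2008-05-16T16:11:30 10.0.0.41 asmith POST http://intranet.example.com/upload 200 900000 210
truncated line
"""

def target_host(method, target):
    """Return the lower-cased host for a URL or a CONNECT host:port target."""
    if method == "CONNECT":
        return target.rsplit(":", 1)[0].lower()
    return (urlsplit(target).hostname or "").lower()

def is_webmail(host):
    """Match a watched domain exactly or as a parent of the host."""
    return any(host == d or host.endswith("." + d) for d in WEBMAIL_DOMAINS)

def find_webmail_uploads(log_text, threshold=UPLOAD_THRESHOLD):
    """Return (hits, per-user/host byte totals) for large client-to-webmail sends."""
    hits, totals = [], defaultdict(int)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 8:
            continue  # skip malformed or truncated records
        ts, _ip, user, method, target, _status, sent, _recv = fields
        if method not in ("POST", "PUT", "CONNECT") or not sent.isdigit():
            continue
        host = target_host(method, target)
        if is_webmail(host) and int(sent) >= threshold:
            hits.append((ts, user, method, target, int(sent)))
            totals[(user, host)] += int(sent)
    return hits, dict(totals)

if __name__ == "__main__":
    hits, totals = find_webmail_uploads(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print(totals)
```
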

