Judge Alex Kozinski Website
Writings

Pulling the Plug: My Stand Against Electronic Invasions of Workplace Privacy

PANEL 2; WORKPLACE MONITORING: CYBER-SNOOPING, AND COOKIES: CREATING STANDARDS FOR WATCHING OR NOT WATCHING: PULLING THE PLUG: MY STAND AGAINST ELECTRONIC INVASIONS OF WORKPLACE PRIVACY

Judge Alex Kozinski, Judge for the United States Court of Appeals for the Ninth Circuit, Pasadena, California; University of California Los Angeles, A.B. (1972); J.D. (1975).

This is the story of how I became an overnight sort of cyberspace terrorist and sort of media hero in the cyber-world. In the federal judiciary we have a network of computers populated by about thirty-thousand people that work at the federal judiciary and we are all inside this huge nationwide firewall. This intranet is used by everyone to talk with each other, and there are three gateways through which we are able to communicate by e-mail with the outside world. If you want to load a Web page or send an e-mail outside the system, you have to go through one of the three gateways. This is true wherever you are in the country, if you are within the federal judiciary. It happens very quickly and people are generally unaware of it, but here is how it works: depending on where you are situated, you send a request that goes to a gateway. This request then goes past the gateway to the Internet and sends back a page which then goes back through the gateway and to you.

Gateways in firewalls can be a security problem because people can hack and violate security at the gateways. Therefore, electronic devices that monitor the activities at the gateways were added. This is sort of the way you might have a guard, or if you have a fortress with a moat, you'd have somebody at the watchtower watching the moat to make sure that the infidel hordes are not coming across the moat. If people come in that look like they are merchants, the guard lets them pass; but if they look like they are invading armies, the guard raises the gate. This is what the electronic device is there for - to look for things that are hacker attacks, basically terrorist attacks. These electronic devices function in this manner: there are all these commands going back and forth through the gateway. Every time somebody types a command it goes across the gateway, which can actually be visually seen on the computer screen. Then, every time a signal comes back, there is another command that goes onto the screen. Obviously there are many more commands than the human eye can possibly monitor, so what humans have to do is tell a  [*408]  machine to look for the kinds of things that look like hacker attacks. Whenever something like that comes up, the computer can sound the alarm and then a human being will look at it and see whether in fact the thing is a hacker attack.

And then somebody said, "While we're looking for hackers, we can also figure out whether people are looking at pornography. We can do anything, you just tell us what you want to look for and we will look for it. It's just a machine. We can tell it every time they say "Kozinski' we can pull it out; every time they say "New York Times' we can pull it out." Next, a man by the name of Ralph Meachum at the Administrative Office, with no interest at all in privacy or any cognizance at all that this might be offensive to anybody says, "That's great. Why don't we start looking, since we've got this thing, it's free, we've paid for it already, this is just an added bonus. Let's look and see what sites people are accessing, and if it's a pornographic site or something, we'll try to get them fired."

This actually did start to occur with no approval from the judiciary. Our court took a strong stand and we warned them that if they didn't stop monitoring us, we were just going to unplug our machine, which happened to be located in our building. They said, "No, we're not going to do it," and yet we still voted to unplug it. I went up there and unplugged it myself. The excuse made was: "Oh, you can't do it. The two things are tied together, if you take down the monitoring of employees you also have to find another way to stop the hacking." I don't know who they thought they were fooling, but they didn't fool us. After we took down the machine they said: "Oh well, after all we can remove the privacy, the monitoring of employees, and leave only the problem of hackers, it's no problem." And that's what they did.

We had won that battle. This was a year ago and they spent all year figuring out a way around it. What they wanted to do was to get consent from employees for the monitoring, as a condition of working for the federal judiciary. Thus, a worker would have no privacy expectations in anything that is on his or her computer, including the keystrokes. Every time you boot up your computer there would be a screen where you would actually affirm that you have consented to the monitoring. So they would get you in a variety of ways, and at that point they are given basically unlimited bureaucratic authority for two weeks to monitor anything or anyone on the network. It was really incredibly scary, distasteful, and wholly unnecessary. But they didn't succeed. The judges, once they were alerted to the problem, turned it down. So, as of last September 24, we found a policy that monitors only hacking, not communications, by judicial employees.

We have never had a security problem in the federal judiciary. I believe that there are places in the government where that kind of intrusion may be necessary. The Pentagon may be such a place, along  [*409]  with the National Security Agency. I do know that at the federal judiciary we are very fortunate to have great employees who take security and confidentiality seriously. What's more, if they really wanted to leak anything, they would just make a photocopy and take it home and fax it to whomever. It is both intrusive and unnecessary. You have to make sure that your consultants, the people that come in and set up these kinds of security systems are aware of the privacy interests because, if they are not, it is incredibly easy and cheap for them to add a monitoring device to your system. Of course, many employers will claim that they would never ever think to invade privacy. The problem is that we do not really have a good idea of what privacy ought to be with Internet communications, but people have a very good idea about bathrooms and they have a very good idea about telephones. So when I ask people, "Would you put a camera in the bathrooms at work?," people are horrified. "This would never happen." "It could not happen." "I would not do it." However, what if you were one of those companies where employees have access to small amounts of cash or jewelry and you are afraid that they might be putting things in their underwear when they go to the bathroom?

I personally know an employer who deals in gold, and he says, "No, no. We would find some other way of doing it. We would watch them, but we would never, ever monitor the bathroom." But what about telephones, would you put a recording on a telephone? Let's say you warn employees and you let them know that they can call their doctor, they can call their mother, but we are going to listen in on every conversation. The difference is that we have had bathrooms since time immemorial, and people have pretty good ideas of what is expected, what the civilized approach to the relationship between employer and employee is in terms of expectations. Even if the employer provides the bathroom, the toilet paper, the water, and the hand towels, it does not mean that he can put a camera in the bathrooms to take pictures of you - it is just very well understood.

It is the same situation with the telephone. It came along at a time when we did not have a lot of capacity to monitor and so people grew up with the expectation that telephones are sacred, that people really do not listen in on your conversations unless they get a court order. We do not have that kind of understanding on the Internet. In a way, we are groping to find the right paradigm, the right balance, the right approach to a kind of common shared understanding. And one necessity of the things that have to occur is that employers and companies have to be aware of the privacy interests and privacy concerns. Very often they hire geeks who can just say that such monitoring is possible. It is not always the responsibility of the people who actually do the technical aspects of it to be aware of the privacy interests. They assume that somebody else is aware. But very often what will happen is that the employer will not be  [*410]  aware, the consultant will not be aware, and pretty soon you are down the road to having private e-mail read by others.

I think it is important to raise privacy concerns, but I do want to draw a distinction between two kinds of situations, and ensure that we understand that privacy concerns are really very different. One situation is where you have information about consumers or about individuals, identified to those individuals; so if I can figure out what you, as an individual, are watching by way of TV or whatever products you are using and the like. I think that is one level of privacy concern. It is very different when you are looking at consumers in the aggregate. Consumers may in fact resent and feel an intrusion if they are identified by name as being the users of particular programs and the like. I think it may be different if all you are doing is stating that you have six thousand subscribers and four thousand of them watch this particular program, or three thousand or two thousand watch this particular program, and of those, fifteen hundred zap the commercials. I believe that consumers are less concerned about these privacy concerns.

We live in a society and, therefore, give away little bits of our privacy and little bits of our individuality. You walk out to the street, you get into your car, you drive down the street, and people see you. Now, if you lived in the forest somewhere and didn't meet anybody and didn't have any of the benefits of society, you have true privacy. Nobody would know what you are doing, as nobody would be aware of you. But, in fact, by interacting with other people, by being out in public - let's say you drive down to the motel and meet somebody there who is not your wife or husband. I suppose you could wear a bag over your head if you don't want anybody to know that you are there, but if somebody happens to be there and sees you, that is just too bad. You could not claim an invasion of privacy. Now try to figure out where along the way your privacy interests are in a situation where you are engaging in a communal activity over the Internet as opposed to going out in the street where you are being observed as one of a number of passers-by. You are observed not as an individual, but as one of a number of people who are being counted for engaging in a certain activity. When you have considered this, I think it becomes a very difficult issue, and I think one we need to focus on.

It seems to me when one places something out into the public, it becomes part of my reality. They become part, in a way, of the public domain. They are part of the way we all perceive each other and our shared assumptions, our shared cultural experience. I don't think the sort of control-freak mentality of most people who have intellectual property rights serves either our societal interests or, ultimately, the interests of the copyright holders. Now, I generally do like that Europeans are thinking about these concerns, but I do not like what they are doing because they are too far overboard. They have more rights,  [*411]  but, at the same time, in Europe they have these cameras on the streets where they take people's pictures and then run them against mug shots in police stations. I don't understand the Europeans at all, but basically I disagree with everything they are doing. I think they are totally upside-down, and I'm glad I left there forty years ago. God bless America - I'm glad I'm here.