Electronic Records Conundrum, The

Information Management Journal, Jan/Feb 2004 by Swartz, Nikki

Today, everything from business e-mails to speeding tickets could potentially - and legally - be posted online for all to see with just a few mouse clicks

After losing their jobs, their health care, and their pensions and retirement fund savings, Enron Corp. employees probably never dreamed things could get worse.

But in March 2003, the Federal Energy Regulatory Commission (FERC) released the private exchanges of Enron employees - more than 1.6 million e-mails and documents - by posting them on the Internet in a searchable database (www.ferc.gov/ industries/electric/indus-act/wem/03-26-03-release.asp) for the world to read.

The agency gathered the e-mails, which included messages sent and received from 2000 through 2002, as part of materials collected for its investigation of Enron's alleged energy market manipulation. Via the database, individuals can peruse the e-mail of 176 current and former Enron executives and employees, most of whom were involved in the company's power-trading operations. But what has angered the employees as well as privacy advocates is the fact that the names of the e-mails' senders and recipients were not removed or edited, nor were e-mails containing bank records and Social Security numbers.

The FERC told The Wall Street Journal that the purpose of the online database is to help the public better understand whether Enron helped to create - and then profit from - an energy shortage in California during 2000 and 2001. In this vein, the database contains technical e-mails between power traders discussing "price curves" and "hub contracts." But it also includes personal e-mails regarding employees' finances, children, and relationships.

In an interview with The Wall Street Journal, FERC spokesman Kevin Cadden said the agency had given Enron three weeks' notice that it would be releasing the data collected in its investigation but Enron did not respond. Two days after the e-mails were posted online, however, Enron petitioned the FERC to get some of them removed. Employees inundated Enron with angry messages demanding that certain documents be removed from the database. The agency removed a few of the most sensitive e-mails, including a payroll document that listed the Social Security number of every employee.

Following a U.S. Court of Appeals order early last April, the database was disabled for 10 days, during which time Enron was allowed to identify every e-mail it wanted removed. About 100 employee volunteers combed through hundreds of thousands of messages and filtered out sensitive personal information.

The FERC eventually removed about 8 percent of the database, or 141,379 documents. But Enron employees still believe that too much personal material remains on public display. As of August 8, the agency had spent 350 hours reviewing about 17,185 documents for which confidentiality had been requested. Of those, the FERC said only 5,128 documents - mainly those containing Social Security numbers and employee performance evaluation information - would be withheld permanently.

Although many Enron employees undoubtedly believe that too much personal material still remains online for the public to view, their situation has taught employees everywhere a valuable lesson: Be careful how you use your business e-mail. You never know where your electronic messages may end up or who may be reading them, especially if the company you work for is sued or comes under investigation.

The Business Records Loop Hole

Internet service providers (ISPs) such as America Online and Yahoo! cannot release electronic communications to law enforcement or other parties without a warrant. But once an e-mail has been read or has remained opened for 180 days, it reverts to the unprotected "business records" category and is up for grabs by law enforcement, regulators, and lawyers, making it potentially dangerous to its author.

Weaknesses in existing laws protecting business records, including information stored with ISPs, open the door to widespread government data mining, legal experts said at a recent conference on Internet surveillance law.

Jim Dempsey, executive director of the Center for Democracy and Technology, explained how changes in technology have opened a gaping privacy hole that has exposed the flaws in two Supreme Court decisions. In the 1976 U.S. v. Miller and the 1979 Smith v. Maryland cases, the high court ruled that bank records and phone numbers dialed are not protected because there is no "expectation of privacy" once a third party is given information.

"The business-records cases say that if you voluntarily disclose [records] to someone else, you lose Fourth Amendment rights to them," Dempsey said. "To carry that over to the world of the Internet poses some problems, where people are taking information and putting it on third parties outside their control."

Recent efforts to build and implement data-mining technologies such as the U.S. Department of Defense's Terrorism Information Awareness (TIA) project are exploiting the "business record weakness," he said, and legal scholars, Congress, and executive-branch officials must rethink those precedents.