Question: When and how is an expectation of privacy predictable, and does this extend to joint property between husband and wife?

The scenario: Husband & wife, still married, still living together, in a joint-property state; the couple purchased a computer after they were married. One partner in the marriage wants to know what is on the computer, all of it, deleted files, e-mail, documents, etc. Because of passwords, file deletions, and related barriers, a third party--a forensic computer examiner--is needed to extract the requested information and provide it to only one partner. I have been confronted with this scenario dozens of times since I started doing forensic computer work. Each case has its own merits, and I make a decision based on each individual set of circumstances.

Disclaimer: I am not an attorney; this is not legal advice, or even a legal opinion. This article reflects my decision on how I intend to conduct my business after being presented with an ethical, and legal dilemma of whether or not to take each case.

While this article focuses on computer privacy, it is apparent that the logic applies to several other areas wherein privacy issues become a concern. Keep in mind that we are not discussing privacy in the workplace; the principles may apply, but there are different regulations and expectations when discussing a person's expectation of privacy on the job.

Opinions regarding the privacy issue are like thumbs, everyone has at least one and most have a couple of them. The opinions run from, "It's all private," to "None of it is private." After doing quite a bit of research, I'm convinced the resolution is somewhere in the middle.

The California Privacy Act (PC 630-637.3) was designed to protect the right of privacy, and it prohibits eavesdropping or recording of confidential communications without the consent of all parties involved. No exemption for a spouse. Additionally, Section 1 of Article 1 of the California Constitution assigns inalienable rights, including the right to privacy. On the Federal level, the ECPA (Electronic Communications Privacy Act of 1986) prohibits unauthorized access to or retrieval of electronic communication while it is in electronic storage, especially when a person exhibits an expectation of privacy.

In determining whether we have a privacy expectation conflict, we need to look at several issues that either reinforce or negate that expectation. Circumstances that tend to tip the scales include:

• How many people have access to the computer? Is it in a common area, or accessible to only one person? Do other family members use it to play games, do homework, write letters, or generally have access? If so, it is doubtful that general access areas within the computer could be considered private.
• Passwords, I think, offer strong argument that there is an expectation of privacy; however, from whom? Is the password intended to prohibit access by the spouse, or maintain privacy from a third party? For example, if financial or business files are have password protection, an argument could be made that it is for business privacy, but not spousal privacy. Another consideration is simply if the password is known or not. If a person has never known a password, perhaps the reason is for privacy protection. However, lack of computer knowledge may be the reason for not knowing a password; if a party has no computer knowledge, there is little reason for them to know the password. It would not do them any good--they wouldn't know what to do with it if they did know it. Therefore, a password might not be known, but the person still have access. The same for screen names, or other Internet identifiers--there are multiple considerations for why a person may have different identities on the computer.
• Encryption should throw up red flags all over the place. But the reason for the encryption needs to be investigated. Many of the issues involving passwords apply to encryption, but with a different twist--encryption carries with it an intentional act; generally, someone had to encrypt the file with an expectation that it would be later unencrypted, by either the same person or by another recipient. Regardless, the user has without doubt expressed a privacy expectation.
• File deletion is a common practice of all computer users. If a file is deleted it may be because the user simply did not want the file cluttering the hard drive, or it may be because they intend the information to be kept private.

I tend to consider all these issues when making a determination about privacy, but it all boils down to one primary consideration: whether or not a person has a right to see what is on the computer. If an argument can be made for privacy expectation, they do not have that right. If circumstances negate the privacy expectation, then they may have a right to the information. Simple, huh?