An interesting decision was released last week by the Superior Court of New Jersey, a US state-level appeal court. According to the facts of the case, the defendant had accessed a co-worker’s Yahoo e-mail account from a computer lab terminal, which the plaintiff had inadvertently failed to log out of. The snooping defendant noticed an e-mail thread mentioning them, printed out the e-mail, and confronted the plaintiff with it. Obviously shocked by the invasion of privacy, the plaintiff immediately filed the suit, relying on the provisions of a state wiretapping statute – which apparently allows for both civil and criminal remedies.

It appears that historically, the test under this New Jersey law has been premised on the expectation of privacy held by the person whose communication was “intercepted”. That’s similar to the case law on the issue in Canada. However in the present case, the court was asked to decide whether the defendant knowingly accessed the account without authorization, and if not, what the extent of that authorization was.

Because the plaintiff had accessed their own inbox, and had left the index screen of the inbox up on the terminal when they left, the court found that the defendant did not infringe the law prohibiting access without authorization. The only question left to the court (in this case, a jury) was whether the defendant had exceeded the authorization provided by the plaintiff’s failure to log off. The jury found that the defendant did not exceed the plaintiff’s “tacit authorization” to access the account. On appeal last week, the court upheld the trial court’s decision – the snooping defendant was vindicated.

In Canada, the facts lend themselves not to a civil trial, but to criminal proceedings under the Interception of Communications provision of the Criminal Code. However the statutes are otherwise not all that different and much of the key phraseology is similar enough to think that the New Jersey case law might be relevant.

I don’t agree with the specific questions put to the jury, and the departure from the pure expectation of privacy test is unusual, but it would certainly be interesting to see how a Canadian case on similar facts would be interpreted.

Until we have such caselaw, the takeaway from all this is to protect your data and your communications as much as possible – any failure to do so, even accidentally, could be viewed as tacit authorization to snoopers and other evildoers.

Scott R. Young