Snooping into a co-worker's e-mail? You could be arrested

News anchor charged with e-mail break-ins shines light on line between a prank and a crime

Ever pass by a co-worker's unattended computer and consider taking a peek at her e-mails? Or have you ever thought it would be a funny prank to figure out your cube mate's e-mail password and break into his work account to mess with him?

What may seem like a practical joke or a harmless, furtive glance actually could land you in more hot water than you'd ever expect. It could go as far as getting you fired or even charged with a federal crime.

The recent case of a Philadelphia TV news anchor charged with breaking into his co-anchor's e-mail account shines a light on the seriousness of such snooping. And while Lawrence Mendte, the news anchor at CBS affiliate KYW-TV took his e-mail snooping to an extreme, security analysts and lawyers say seemingly simple actions can quickly turn into criminal matters.

And the problem is that people often don't realize that breaking into or surreptitiously eyeing a colleague's e-mail actually is a crime.

"I don't think people are of the understanding that this type of conduct is a crime," said Scott Christie, a former federal prosecutor who headed up the computer hacking and intellectual property section at the U.S. Attorney's Office in New Jersey. "You look over someone's shoulder and read a personal letter and that's not a crime, so how can it be a crime to access someone's e-mail? It's not the same thing, of course. Part of the lack of understanding comes from the fact that e-mail is so common these days and people whip them off without thinking twice.

"What you're doing when you're accessing e-mail is affirmatively exceeding your access to electronic documents and systems," he added. "Usually, you're doing that by pretending to be that person to break into their account."

Snooping into other people's e-mail messages, no matter if it's meant as a prank or is only a one-time thing, is a crime in most circumstances.

Ken van Wyk, a consultant at KRvW Associates LLC, said he suspects that taking a surreptitious look at co-workers' e-mail is a common occurrence in business. "For a co-worker to snoop, that would take some work, but for a sys admin to do it, that's trivial," he added. "That's where abuses are more likely. If someone was caught doing it, I'd generally expect a pretty ugly situation."

Mendte is a good example of that. The well-known Philadelphia media personality was charged late last month with intentionally accessing a protected computer without authorization and obtaining information in furtherance of a tortious act, a felony. He is accused of secretly accessing one work and two personal e-mail accounts of co-anchor Alycia Lane more than 500 times between March 2006 and May 2008.

In court documents, prosecutors contend that Mendte accessed private e-mail communications between Lane and others, including friends, her attorney and even some between Lane and a friend's wife. Some of the information that was accessed pertained to civil and criminal litigation that Lane was involved in.

On several occasions, Mendte allegedly shared private and legal information obtained from the stolen e-mail documents with a reporter from the Philadelphia Daily News.

Mendte, who faces five years in prison, lost his job over the situation. He was released from his contract in June following an independent investigation by CBS, according to a story on the KYW Web site.

Van Wyk said being reprimanded or even fired is a far more likely punishment than having your employer call law enforcement. But that largely depends on how often you snooped, what you did with the information and how you accessed the e-mails or instant messages.

"When you do it once, it is criminal, but the question is whether that warrants prosecution by the government," said Mauro Wolfe, a partner at the Dickstein Shapiro LLP law firm. "I can't even imagine a case where a local prosecutor would want to take that on. The Mendte case shows that when you do it 537 times and in a public way and when you try to destroy someone, you're going to be prosecuted. When you try to harm someone and humiliate them publicly, that takes it to another level."

Employers, however, mostly have the legal right to read workers' e-mail and instant messages. If it's the employer's system, equipment and time, then the communications are under their domain as well. "They inform employees that only professional use is permitted and they have the right to monitor what goes on with e-mail traffic and Web surfing," said Christie, who leads the information technology group at law firm McCarter & English LLP, where he is a partner. "There's no reasonable expectation of privacy."

And when it comes to co-workers taking their curiosity or bad intentions too far, Christie said it comes down to intentional access.

He explained that if an e-mail is on someone's computer screen and you walk by and see it, you have not intentionally accessed that e-mail. However, if you are looking at a blank screen or screen saver and you press keys or move a mouse to access e-mail, then you have intentionally accessed it. Doing something affirmative is the dividing line between a possible slap on the wrist from your boss or dismissal and possible criminal charges.

"The totality of the conduct makes it a more serious offense," said Christie. "If someone is actually breaking in, by bypassing a password, if it was done in an effort to commit another crime, like identity theft, that would certainly make it a felony and something law enforcement would certainly take much more seriously."

Both Christie and van Wyk said it would be more tempting for someone in IT to break into a co-worker's e-mail because their level of access would make it so much easier. And while Christie said he'd expect IT workers to be under greater scrutiny, van Wyk said that's largely not the case at all.

"Watching the watcher is a classic problem that is not trivially solved," said van Wyk. "I think IT needs to have policies that speak to abuse of power. Too often those policies are left unarticulated. Like, you may use admin privileges to run the system but not to read users' data. You may back the data up in your job function, but you may not read it without express permission from its owner. That sort of thing."

Christie said companies need to be more vigilant about keeping an eye on employees' communications and who might be accessing areas they shouldn't be. IT should be tightening security, making sure there are set policies and that employees are well educated about what's allowed and what is not. And, he added, companies need to step up and investigate when it's warranted.