Employee Privacy

Employer Disclaimer, Reservation of Right to Monitor


Expectation of Privacy, or Consent to Inspection?


US courts have generally upheld an employer's policy to read employee e-mail and search employer-issued PC, laptop & mobile phone.[1] But Quon v. Arch Wireless, makes management review of electronic records, like text messages, more dangerous.

Disclaimers

Employers are thus motivated to publish privacy disclaimers like: "This e-mail account is for official business only. No end-user expectation of privacy. End-users consent to management inspection of message contents."

Or, if space is tight: "Official business. End-users: no privacy; consent to inspection" . . . with more explanation published on the Web.

Employers have incentives to monitor computer usage, including need to deter sexual harassment/hostile work environment. As they supervise the workplace, employers don't want to be liable for invading privacy.

Officer Quon's Story

Quon was an officer with the Ontario, CA, police department. Quon knew the department's general policy prohibiting nonofficial computer communications, reserving management power to review computer activities and disclaiming employee expectation of privacy.

Click
The department issued Quon a pager enabling him to exchange text messages via a third-party service. Using the pager, he in several months exceeded his per-character quota, and he paid the extra charges. A supervisor informally told Quon the department would not review his messages so long as he paid the extra charges. Then Quon's excess usage came to the attention of the department chief. The chief asked that the service provider (equivalent to Internet Service Provider, ISP) disclose to management contents of Quon's archived messages. Viewing the police department (not Quon) as the account subscriber, the provider complied.

Quon and some of his text correspondents (plaintiffs) sued, claiming the department, a government agency, had violated their Fourth Amendment right to be free from unreasonable search.

The court ruled plaintiffs had reasonable expectations of privacy in the messages. Even though the department's formal policy disclaimed that expectation, the supervisor nullified it by saying the department would not examine the messages. [The police department appealed to the US Supreme Court.  The Supreme Court ruled found a rationale for ruling in favor of the police department.  But it did not dismiss the logic of the lower court that a supervisor could nullify formal department policy.]

What Should an Employer Do?

So, as a policy matter, what is an employer to do? It is hard to avoid informal statements (such as from Quon's supervisor) that are construed to invalidate formal privacy disclaimers.

Employers' logical response is to state disclaimers over . . . and over . . . and over. Repetition of disclaimers may not eliminate employer risk, but it may reduce it.

Information technology enables easy repetition of disclaimers, just as it enables enterprises to widely broadcast other policies and legal terms.

Privacy disclaimers might be published – and republished – any number of ways (the more the better), including on log-on banners, at the bottom of messages, in video reminders and in public notices on web sites. See my earlier articles about the general effectiveness of legal terms published to the world (e.g., external recipients of employee e-mails, text & audio messages) by way of the World Wide Web.

What do you think?

--, Senior Instructor on Computer Investigation Law at the SANS Institute.

[1] See, e.g., Muick v. Glenayre Electronics 280 F.3d 741 (7th Cir. 2002).
[Again, all my blog comments are just public discussion and not legal advice for any particular situation.]
3 comments

Voicemail & Other Audio Legal Records

Forensics & Retention Policy


Preservation, Authentication and Evidence of Cell Phone Records & Unified Messages


Voicemails can be legally significant to a contract, a divorce, a harassment case or a crime investigation. But keeping a record of voicemail or other audio can sometimes be challenging. Businesses do not commonly retain voicemail as part of their usual record retention policies. Note that although Rule 206 of SEC Regulation S-X (a leading authority in the world of business record retention) requires CPAs to keep extensive records, including e-mail, in the course of their professional work, it excludes voicemails from the retention requirement.

Yet as "unified communications" (or "unified messaging") becomes more popular, the logic for not retaining voice mail will fade away. Under unified communications, text, audio, video and other electronic messages are all delivered to a common inbox for the user and processed equally. Under unified communications, message data is message data, regardless of format. And, formats are interchangable. A voice message can be converted to text and vice versa. . . . A voicemail can be very valuable evidence, recording (often with a timestamp) a person’s intent, knowledge or state of mind.

Capture and Preserve Audio

I once received a voicemail I wanted to preserve for legal purposes. My client had hired a man to write software, and the work proceeded before a formal, written contract was in place to confirm ownership of the software. I was working to get such a contract signed, but the man was being uncooperative. One day he left me a voicemail, confirming we should have a contract documenting that the software belonged to my client. This voicemail was precious because it constituted evidence, in the man's very voice, that my client owned the software. Given the man's behavior, I was unsure he'd ever actually sign a paper contract.

So I wanted to preserve the voicemail as best I could. The voicemail was on my cell phone voicemail service, which normally deletes voicemails in 15 days and provides no method to forward voicemail to permanent storage or to something like my e-mail address.

What was I to do? One option was to file a lawsuit and seek an immediate subpoena to force my cell provider to preserve a forensically-high-quality record of the voicemail. But that option would have been excessively expensive and massive overkill. And there would have been no guarantee that the service provider would have in fact preserved the evidence in time.

So I followed a second option. I installed a microphone on my PC. Then I played the voicemail over the loud speaker on my cell phone and recorded the sound with the microphone. The result was a .wav audio file that was intelligible, though of lower quality than if a forensics expert had preserved original data directly from the service provider's information system. I also wrote a memo describing what I had done, when and how. The memo would help me testify about the evidence I had preserved if there were ever a lawsuit or investigation in the future.

Webcam Evidence Capture and Affidavit

That was 2005.  Today I would use a procedure like that described in my video on the capture and preservation of text messages.

Today, another tool is available to help preservation in a situation like this. As I have explained in an April 9 post and an April 10 post, MyElectronicEvidence.com offers a free service so an evidence collector can sign a digital file (like an audio file) with a voice signature. The voice signature shows the evidence collector’s authentication of the file and explanation of where the file came from and so on. The voice signature deters alteration of the evidence and enables a connection with the evidence collector, even if the collector becomes unavailable after the fact.
--

[Again, nothing I say on this blog is legal or other professional advice. It is just general public discussion, to which I invite comments so I and my readers can learn. If you need expert help, you should not rely on this blog. You should go get help.]
0 comments
Subscribe to: Posts (Atom)