Lawyers Perspective- Electronics and Consent: Where Has All The Privacy Gone


November 2011

Electronics and Consent: Where Has All the Privacy Gone?

Roger Heaton and Shawn Patrick

Article courtesy of Hinshaw & Culbertson, LLP © 2011—Used with permission

“You have permission to read my e-mails, regardless of who I wrote them to or whether they contain any personal, private, and confidential information. You may also read my text messages, diary entries and drafts of my letters to others; you may look at all the pictures I have saved. You do not need to tell me that you have read or examined them. In other words, I consent to you having unlimited access to everything that I have created or stored electronically. Finally, you may create a comprehensive map-like summary of where I was when I made each phone call or sent each text message.”

Can you imagine making these statements to a total stranger? Or worse, to numerous strangers? Or to people who may have a financial incentive to use the information to their advantage and perhaps to your disadvantage? Not many people would be inclined to give such consent expressly. But millions of people routinely grant broad consent impliedly through their computer use practices or by clicking past a lengthy privacy policy without reading it or considering what it actually authorizes.

The law addressing consent to access electronic data has not kept pace with technology. People are using smartphones and personal computers to communicate continually. The lines between business and personal communications are blurring, or at least the devices used to conduct both our professional and personal business are multiplying. It has become possible to listen in on a business conference call while simultaneously texting a note to a spouse and/or conducting a personal online banking transaction. Many people check their personal e-mail accounts while on a break or lunch hour, using their office computer to access their Internet service provider through a web browser. And the pressures to work longer hours and to use time efficiently, combined with a desire not to carry and switch between multiple phones and computers, create strong incentives to multitask. Unquestionably, people sometimes elect to forgo their personal privacy by the choices they make. Those who participate in the use of social networking mechanisms like Facebook and Twitter not only invite public access to details of their lives, but also seem to relish their ability to generate large audiences to witness their thoughts. Recently, Twitter even announced that every tweet that has been created since 2006 will soon be housed for public inspection and consumption at the Library of Congress.

But people engage in both private and non-private communications. And when they take steps to keep others from reading or overhearing those communications, and those steps require third parties to capture unknown passwords and affirmatively use them to gain access to the underlying information, then the effort to retain personal privacy should be honored.

The federal Stored Communications Act prohibits any person from “intentionally access[ing] without authorization a facility through which an electronic communication service is provided; or…obtain[ing]… access to a wire or electronic communication while it is in electronic storage.” What constitutes “authorization”? What degree of consent is enough? Employers often advise employees in handbooks or written policy manuals that anyone who uses the company computer equipment has no right of personal privacy in any matter or information stored in, created on, received from, or sent from the company’s computer equipment. The employer’s policy will often go on to say that the company reserves the right to review, monitor, access, or retrieve any such information without notice to or explicit permission from the employee.

How does the company, or an overly inquisitive IT employee, then monitor the employees’ computer activity? The typical systems administrator operating an office computer network can simply install key-logging software. Once installed, anything the employee types on his computer can be captured and forwarded to the systems administrator. One example of software that can trap passwords over a network is Cain and Abel. This program, available via the Internet, is marketed as a password recovery tool for Microsoft operating systems. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols. In short, this means that any employee’s password used to access third-party servers is recoverable. To see the prevalence of software that can capture e-mail passwords, conduct an Internet search for “crack Outlook PST passwords.”

In today’s economic climate, most employees would not refuse or leave a job due to company Internet privacy policies. To the extent that the employees actually read and consider these policies, they likely rationalize either that the loss of privacy is not serious or that the company is unlikely to carry through with actually monitoring or reviewing what the employees access despite the declared ability to do so. But should a company be able to extract “consent” from an employee with a one-size-fits-all, take-it-or-leave-it electronic monitoring policy? Suppose an employee was willing to consent to the company’s policy at the time she was hired, but several years later, she developed a health condition that she did not want others to know about. If the doctor who treats her calls through an Internet-based phone service or e-mails her to advise her of an appointment, test results, or even a diagnosis, is the employer entitled to locate a captured password and use it to snoop through her stored e-mails or voice messages and discover this private medical information?

Employers certainly have their own interests to protect. They do not want employees to waste time or to use company equipment for improper, or even illegal, purposes. It has become common knowledge that pornography is rampant on the Internet and that a substantial percentage of Internet searches are related to pornographic content. No employer should be exposed to the embarrassment that could be caused by an employee who is accessing or trading child pornography or who is operating a personal business using office equipment. But employers can (and do) install Internet filters that dramatically reduce those risks without retaining the claimed prerogative to access and examine password-protected e-mail accounts that are hosted on third-party servers.

It is interesting to compare the situation to pre-computer practices. Were employers routinely advising employees that their conversations with others could be recorded and reviewed, regardless of whether that conversation took place over an office phone or in an employee break room? Were employees advised that if they brought a diary to work and wrote in it, the company reserved the right to pick it up and read it? Could an employer open any employee’s wallet to look at what credit cards were there or remove a checkbook from a purse to see whether the employee had a positive or negative account balance? If not, then why is it now viewed as acceptable for an employer to capture an employee’s passwords and use them to access the same information on an electronic statement?

As with many instances in the law, we are faced with competing interests. Somehow we need to balance those interests and to draw lines that are designed to accommodate both. This is an exercise that involves policy determinations, and it is clear that courts are not ideally situated to make policy-based decisions. Legislatures, with their access to broad fact-gathering mechanisms and their accountability to the electorate, are better situated and responsible for striking this balance. But legislators facing this task should not be reluctant to slow technology’s march to thwart the shrinking sphere of privacy that used to surround us all.

Privacy is like life. Once it is taken away, it cannot be recovered.

Disclaimer: This article is written from an insurance perspective and is meant to be used for informational purposes only. It is not the intent of this article to provide legal advice, or advice for any specific fact, situation, or circumstance. Contact legal counsel for specific advice.