Quon: US Supreme Court Rules Against Privacy on Employer-Issued Devices
The United States Supreme Court issued its decision today in City of Ontario, California v. Quon, ruling that a public employer's examination of an employee's personal text messages on a government-issued pager did not violate the Fourth Amendment. Justice Kennedy's opinion for the Court remarked that a review of messages on an employer-provided device would similarly be regarded as “reasonable and normal in the private-employer context.”
The City of Ontario asked its wireless service provider for details about the text messages sent and received by the city’s police officers, when their texts regularly exceeded the monthly limit for which the city had contracted. Officer Quon was disciplined for violating police department rules when the city discovered that he sent numerous personal messages, some of them sexually explicit, both on and off duty. He and other individuals who communicated with him sued the city, arguing that the city’s actions represented an unreasonable search in violation of the Fourth Amendment of the US Constitution, the privacy clause found in Article I, section 1 of the California constitution, and also the federal Stored Communications Act (SCA).
The US 9th Circuit Court of Appeals, citing the Supreme Court’s 1987 ruling in O’Connor v. Ortega, 480 US 709, found that Quon had a reasonable expectation of privacy in his message content and that the city's examination of his text messages was not reasonable, even though there was a legitimate, work-related purpose for auditing the officer’s wireless usage. The appellate court noted that the city could have used less intrusive means to review wireless usage and charges. The appellate decision drew widespread attention, including a 2008 article in the Los Angeles Daily Journal by my colleague Tanya Forsheit. Tanya pointed out that while the Fourth Amendment applies directly only to monitoring by government employers, a restrictive interpretation under the California constitution’s privacy clause (or the SCA) could affect communications monitoring by private-sector employers as well.
Today, the Supreme Court (addressing only the Fourth Amendment issues) reversed the 9th Circuit decision and ruled that the city’s examination of Quon’s text messages was reasonable under the Supreme Court’s O’Connor standard:
Petitioners’ warrantless review of Quon’s pager transcript was reasonable under the O’Connor plurality’s approach because it was motivated by a legitimate work-related purpose, and because it was not excessive in scope.
The city had a reasonable interest not only in controlling excessive personal use of communications devices, but also in setting an appropriate level of city-funded communications so that officers were not forced to pay for work-related communications. The Court observed that the city’s review was limited to a two-month sample of messages and that the city redacted Quon’s messages sent and received while he was off duty, to limit the intrusion into his personal life.
The Court noted that any reasonable privacy expectations were probably limited by the city’s Computer Policy, which stated (as do the policies of many employers) that users “should have no expectations of privacy or confidentiality” when using city computers. A subsequent memo made it clear that this policy extended as well to communications devices furnished by the city. Quon argued that this policy was modified by his superior’s subsequent verbal assurance that there would be no audit as long as officers paid for excess text usage. The Court declined to make a finding on that argument, assuming for purposes of the decision that Quon had some reasonable expectation of privacy. But the Court ruled that the city’s search of message content was reasonable because it was undertaken for a work-related purpose and used measures that were not excessively intrusive in the circumstances. And because the employer’s search was reasonable, the other parties who sent messages to Quon could not prevail on their argument that the review of message content violated their own Fourth Amendment rights.
The Supreme Court justices often disagree on what is a “reasonable expectation of privacy” and whether the government entity in question has appropriately limited the scope of its intrusion into private life. The O’Connor opinion, for example, was rendered by only a plurality of the justices. But Quon is a unanimous decision on its results, with limited concurring opinions by Justices Stevens and Scalia.
Justice Scalia’s concurring opinion argued that the "reasonable expectations" of employees using employer-issued devices should be addressed generally and not limited to public employees. In response, Justice Kennedy’s opinion for the Court suggests that reasonable expectations of privacy are typically limited in private sector employment just as they are for government employees:
For these same reasons—that the employer had a legitimate reason for the search, and that the search was not excessively intrusive in light of that justification—the Court also concludes that the search would be ‘regarded as reasonable and normal in the private-employer context.’
Justice Kennedy wisely cautions that judges should not rush to broad conclusions about reasonable privacy expectations with regard to the use of rapidly changing technologies:
The Court must proceed with care when considering the whole concept of privacy expectations in communications made on electronic equipment owned by a government employer. The judiciary risks error by elaborating too fully on the Fourth Amendment implications of emerging technology before its role in society has become clear.
The Quon decision suggests a prudential approach to monitoring employee use of the employer’s computer or communications facilities, whether the employment is in the public or private sector:
• Employers should establish the level of privacy expectations with a coherent policy that covers all the technologies deployed.
• Employers are at risk when they delve into the content of messages or computer searches, or ask their service providers to do so, without a clearly articulated, work-related purpose (such as a targeted investigation of suspected wrongdoing or a non-investigative financial or administrative objective).
• Content review should be structured so as to limit privacy intrusions. The Quon decision emphasizes that this does not mean the “least intrusive search practicable” but simply a search reasonably limited to the employer’s legitimate, work-related objectives.
• A reasonably structured review of employee communications can also serve as a defense against privacy claims by non-employees who communicated with the employee.
Social Networking: Setting Boundaries in a Borderless Brave New World
The explosive growth and morphing applications of social media such as Facebook and Twitter create new opportunities and challenges for individual users, parents, employers, organizations, governments, and marketers. Where a social phenomenon has such a wide and unpredictable impact, it almost inevitably attracts a retinue of lawmakers and regulators, as well as lawyers and HR managers struggling to craft appropriate policies for employees. And given the globalization of social media, those policies have to take account of the evolving rules in multiple jurisdictions.
When I was a kid in Las Vegas, I had a “pen pal” in France. We exchanged the occasional letter, painfully translating into each other’s languages and then trying to figure out how much postage to stick on the envelope. It seems quaint now.
Thanks to Facebook, LinkedIn, and Twitter, I’ve enjoyed meeting people with similar interests and reconnecting with people I knew socially or professionally in years past, in several countries. It’s usually pretty easy to look up people as you think of them, and there’s no postage and little delay.
Those services, and an array of other social media, have become truly international. Some 15% of the world’s Internet users are American, so even successful social media operators in the US naturally look abroad to expand their increasingly monetized networks. Competing with national and regional social networks throughout the world, leading social networking providers in the US, Europe, China, and India have turned social media into a global phenomenon. To take one prominent example, US-based Facebook now translates into more than 100 languages and reported this month at InsideFacebook.com that nearly 70% of its hundreds of millions of users reside outside the United States.
Facebook aggregates users’ self-reported demographic data and sells the information to advertisers, who are understandably eager to tap the advertising possibilities of social media. In several developed countries, a third or more of the population uses Facebook, many on a daily basis.
Facebookers and other social networkers often end up sharing a large amount of personal and professional information over time with friends . . . and friends of friends, and friends of friends of friends, and ultimately with a lot of people they wouldn’t recognize across a restaurant. By some estimates, roughly a third of Facebook users ultimately divulge their home address and current employment to an unknown number of people who are perhaps not all really their friends. New York Senator Charles Schumer recently called on the Federal Trade Commission to develop guidelines for social networking sites, and the FTC has already had occasion to investigate the extent to which identity theft and fraud are attributable to bad hygiene, or bad policies, in social media.
Most of the social networking groups I belong to are professional ones, linking lawyers, business people, inventors, IT managers, academics, and government officials who share certain interests and follow developments in particular fields. Those who participate often share ideas and some personal and career information, and they sometimes comment about their own companies or organizations or the offerings of their competitors.
So, as a lawyer, it strikes me that some social networkers may be exposing themselves not only to embarrassment and unwanted solicitations but also to fraud or identity theft. They also may be setting themselves up for trouble with prospective employers, or with their current employers or business partners who feel the talkative social networker has violated confidentiality policies or nondisclosure agreements (in surveys, many large US employers acknowledge that they have fired or disciplined employees for the contents of their posts or blogs). Advertising thinly disguised as a Tweet or post may not conform to advertising rules in all the relevant states, provinces, or countries. An intemperate rant or sly aside, broadcast to a few hundred of the user’s “closest friends,” raises the potential of liability for defamation or commercial disparagement. Comments about associates or coworkers, especially in the context of social media that blur the lines between personal and professional life, may trigger sanctions under privacy and data protection laws. And thanks to the global nature of social media, the hapless social networker could conceivably run afoul of laws in multiple jurisdictions.
It’s not only the FTC that has started worrying about the dark side of social media. The Article 29 Data Protection Working Party (comprised of EU authorities and European national data protection commissioners) issued a statement this month declaring that Facebook’s new default privacy settings are dangerous. The group has also warned social media applications developers (such as FarmVille) to be careful in their handling of user data. Regulators on both sides of the Atlantic have expressed concern as well about behavioral marketing applications based on gathering information about an individual’s participation in social media.
It’s easy to over-react to the hazards of social media, of course. Some parents forbid their children from joining in (and some teens have created a “safe” MySpace page that their parents can see, while secretly maintaining a more dubious version to share with their peers). Some users decide to drop out entirely, finding the risks, or just the implied obligation to post and respond frequently, unmanageable; there is even a “Quitting Facebook” Community Page on Facebook itself. Reasonably careful social networkers simply look at the privacy policies and options and adjust their settings appropriately to their intended use – and then watch what they say about employers, competitors, and other sensitive types. Some corporations have blocked access to social networking sites from company computers and adopted policies against their employees saying, well, pretty much anything about the company or its competitors or regulators. But other companies have already designated a “director of social media” to help the organization make effective use of social networking, internally and externally.
It seems that the trend is for employers to expand their “acceptable use” policies on email and web browsing to encompass blogging and social media as well. This is a necessary step, but it is also fraught with concerns arising from labor law, privacy law, and rights of association and free expression, and the rules differ across the many jurisdictions that may be at issue.
It is possible to set some boundaries that will pass muster just about anywhere and articulate policies that guide employees toward safe and sensible use of social media. There is much to be learned in the way of evolving best practices, especially among large multinational employers. Just don’t forget to check with a knowledgeable lawyer when crafting such policies and determining how to enforce them.





