Feeds

Employee privacy versus employer policy

US court rulings cast doubt on privacy policy

Secure remote control for conventional and virtual desktops

A similar result happened in late August 2006 in a federal court in California. A SWAT officer named Jeff Quoin sued his former employer for reading the contents of his government supplied alphanumeric pager. This was the same officer who, several years before, successfully sued the same police department for placing video cameras in the showers and locker rooms as part of an investigation of a missing flashlight.

The pager was purchased and owned by the police department, which paid for usage. The policy was explicit that the pagers were to be used for official government purposes only, but it appears that this policy was loosely enforced. The Police Department paid a flat rate for a certain number of minutes, and paid overage charges for excess use. If an employee exceeded the normal usage, the police might conduct an audit to see if the use was business related, or personal, and charge the employee for the personal use. If the employee agreed to simply pay the overage cost, no audit was conducted. Thus, the question raised was whether the police department had a right to read the contents of the alphanumeric pager.

In Quoin's case, the court noted that [the police supervisor] in effect turned a blind eye to whatever purpose an employee used the pager, thereby vitiating the department's policy of any force or substance. By doing so, [the supervisor] effectively provided employees with a reasonable basis to expect privacy in the contents of the text messages they received or sent over their pagers. The only qualifier to guaranteeing that the messages remain private was that they pay for any overages.

In effect, the court held that the actual policy of not monitoring content created, in the users, an expectation of privacy, which the court found to be reasonable. In other cases, courts have held that, despite a "business use only" policy, employees might be known to keep personal files on a business computer (just as they might keep personal records in an office desk, or a personal purse on a company provided desk drawer.) Thus, people may have reasonable expectations of privacy in the contents of files on a desktop, in emails or other electronic communications.

So, what's an employer to do?

These two cases put the employer in a terrible position. Even the most broadly written policy granting full rights of monitoring and consent to monitoring may not extinguish all privacy rights. But do we want to, or need to extinguish all privacy rights? I think not.

The better approach is to give yourself the right to monitor, have employees consent to monitor, and state that your failure to monitor in particular situations is not a waiver of your right to monitor. Further, you should periodically review your policies, and rewrite them in light of changed circumstances, and continue to educate employees and users about the policies and their rights.

Something along the lines of "we don’t ordinarily monitoring what people do, and assume that they will act as responsible adults, but when we learn you are doing something bad, or if we are doing routine examination, we might find something that warrants further investigation. The fact that we didn't do it in the past means nothing. We might do it in the future, so beware".

Of course, that is far too understandable for a lawyer to do, so we might have to translate it into Latin. Until then, use corporate networks and resources with care. Someone might be watching.

This article originally appeared in Security Focus.

Copyright © 2006, SecurityFocus

SecurityFocus columnist Mark D Rasch, JD, is a former head of the Justice Department's computer crime unit and now serves as a lawyer specialising in computer crime, computer security, and privacy matters in Bethesda, Maryland.

Providing a secure and efficient Helpdesk

More from The Register

next story
The 'fun-nification' of computer education – good idea?
Compulsory code schools, luvvies love it, but what about Maths and Physics?
Facebook, Apple: LADIES! Why not FREEZE your EGGS? It's on the company!
No biological clockwatching when you work in Silicon Valley
Happiness economics is bollocks. Oh, UK.gov just adopted it? Er ...
Opportunity doesn't knock; it costs us instead
Ex-US Navy fighter pilot MIT prof: Drones beat humans - I should know
'Missy' Cummings on UAVs, smartcars and dying from boredom
Yes, yes, Steve Jobs. Look what I'VE done for you lately – Tim Cook
New iPhone biz baron points to Apple's (his) greatest successes
Lords take revenge on REVENGE PORN publishers
Jilted Johns and Jennies with busy fingers face two years inside
Sysadmin with EBOLA? Gartner's issued advice to debug your biz
Start hoarding cleaning supplies, analyst firm says, and assume your team will scatter
Edward who? GCHQ boss dodges Snowden topic during last speech
UK spies would rather 'walk' than do 'mass surveillance'
Doctor Who's Flatline: Cool monsters, yes, but utterly limp subplots
We know what the Doctor does, stop going on about it already
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.