Feeds

Employee privacy versus employer policy

US court rulings cast doubt on privacy policy

Secure remote control for conventional and virtual desktops

A similar result happened in late August 2006 in a federal court in California. A SWAT officer named Jeff Quoin sued his former employer for reading the contents of his government supplied alphanumeric pager. This was the same officer who, several years before, successfully sued the same police department for placing video cameras in the showers and locker rooms as part of an investigation of a missing flashlight.

The pager was purchased and owned by the police department, which paid for usage. The policy was explicit that the pagers were to be used for official government purposes only, but it appears that this policy was loosely enforced. The Police Department paid a flat rate for a certain number of minutes, and paid overage charges for excess use. If an employee exceeded the normal usage, the police might conduct an audit to see if the use was business related, or personal, and charge the employee for the personal use. If the employee agreed to simply pay the overage cost, no audit was conducted. Thus, the question raised was whether the police department had a right to read the contents of the alphanumeric pager.

In Quoin's case, the court noted that [the police supervisor] in effect turned a blind eye to whatever purpose an employee used the pager, thereby vitiating the department's policy of any force or substance. By doing so, [the supervisor] effectively provided employees with a reasonable basis to expect privacy in the contents of the text messages they received or sent over their pagers. The only qualifier to guaranteeing that the messages remain private was that they pay for any overages.

In effect, the court held that the actual policy of not monitoring content created, in the users, an expectation of privacy, which the court found to be reasonable. In other cases, courts have held that, despite a "business use only" policy, employees might be known to keep personal files on a business computer (just as they might keep personal records in an office desk, or a personal purse on a company provided desk drawer.) Thus, people may have reasonable expectations of privacy in the contents of files on a desktop, in emails or other electronic communications.

So, what's an employer to do?

These two cases put the employer in a terrible position. Even the most broadly written policy granting full rights of monitoring and consent to monitoring may not extinguish all privacy rights. But do we want to, or need to extinguish all privacy rights? I think not.

The better approach is to give yourself the right to monitor, have employees consent to monitor, and state that your failure to monitor in particular situations is not a waiver of your right to monitor. Further, you should periodically review your policies, and rewrite them in light of changed circumstances, and continue to educate employees and users about the policies and their rights.

Something along the lines of "we don’t ordinarily monitoring what people do, and assume that they will act as responsible adults, but when we learn you are doing something bad, or if we are doing routine examination, we might find something that warrants further investigation. The fact that we didn't do it in the past means nothing. We might do it in the future, so beware".

Of course, that is far too understandable for a lawyer to do, so we might have to translate it into Latin. Until then, use corporate networks and resources with care. Someone might be watching.

This article originally appeared in Security Focus.

Copyright © 2006, SecurityFocus

SecurityFocus columnist Mark D Rasch, JD, is a former head of the Justice Department's computer crime unit and now serves as a lawyer specialising in computer crime, computer security, and privacy matters in Bethesda, Maryland.

Internet Security Threat Report 2014

More from The Register

next story
Phones 4u slips into administration after EE cuts ties with Brit mobe retailer
More than 5,500 jobs could be axed if rescue mission fails
Special pleading against mass surveillance won't help anyone
Protecting journalists alone won't protect their sources
Phones 4u website DIES as wounded mobe retailer struggles to stay above water
Founder blames 'ruthless network partners' for implosion
Apple's iPhone 6 first-day sales are MEANINGLESS, mutters analyst
Big weekend queues only represent fruity firm's supply
Radio hams can encrypt, in emergencies, says Ofcom
Consultation promises new spectrum and hints at relaxed licence conditions
Bill Gates, drugs and the internet: Top 10 Larry Ellison quotes
'I certainly never expected to become rich ... this is surreal'
Big Content Australia just blew a big hole in its credibility
AHEDA's research on average content prices did not expose methodology, so appears less than rigourous
EMC, HP blockbuster 'merger' shocker comes a cropper
Stand down, FTC... you can put your feet up for a bit
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.