High-tech serveillance of employees can be full of expensive surprises

by Fred Williams

Fred Williams has been of counsel with James, McElroy & Diehl PA since 2004, when he retired after 38 years with several federal agencies, including an assistant U.S. attorney in Charlotte. At JMD, he has represented and counseled persons involved in criminal and civil matters relating to electronic surveillance, computer intrusions and searches, copyright, trade secret and trademark. He is an adjunct professor in the College of Computing and Informatics at UNC Charlotte.

“You have zero privacy anyway. Get over it.” 
— Sun MicroSystems CEO Scott McNealy, during a January 1999 press conference.

Technology is rapidly eroding privacy. Surveillance that was impossible, impractical or difficult a generation ago is cheap and easy today. Even the technically challenged can read another’s emails, hide a microphone or video camera, track another’s car precisely and continuously, and record phone calls. It is so cheap and easy that many do it impulsively, without thinking. But be careful about launching surveillance, impulsively or otherwise. There are risks that will be addressed in this article. But this entry can’t answer all questions or give legal advice. You should consult with your attorney before doing any surveillance that you would not want someone to do to you or to someone with a thin skin.

We live in interesting, risky times. What one does impulsively because it’s so easy may cause horrific problems, including prison, large damages, loss of reputation, employee turnover and hostility toward management. Legislators, judges and juries have a hard time keeping up with technology. Public attitudes toward technological changes that affect privacy often are wildly inconsistent. A small difference may swing them from acceptance to extreme hostility.

Federal and state laws criminalize secret acquisition of communications in certain circumstances and with few exceptions — most importantly, the consent of a party to the communication. This includes spoken words grabbed by a hidden microphone, phone conversations, emails and other electronic communications. The circumstances and exceptions that determine if a violation has occurred are often hypertechnical — both legally and in terms of the technology used.

The legal distinctions are often counter-intuitive — judges have said they are very difficult to understand. Major industry players (Microsoft and Google, for example) as well as civil-liberties advocates have formed a coalition proposing simplification and strengthening of relevant laws. Check it out at digitaldueprocess.org.

Here’s how complicated it can get: If you poured your heart and deepest secrets into a letter, and your worst enemy stole it from a mail truck, would you care whether the truck was stopped at a red light or moving down the street? Should a sensible law draw that line? Most courts have said that it isn’t a wiretap violation if an email is not moving when it is acquired. The 1st Circuit held it can be a violation if it’s grabbed while in RAM for a few nanoseconds but not in storage on a hard drive. The 7th Circuit recently expressed disagreement, then withdrew that observation.

Bug. There was a time that it required sophisticated, expensive devices to bug a conversation. Now the world is full of devices with built-in recording capabilities — smartphones, laptop or netbook computers, iPads and similar devices. It is easy to place one on a table, with it secretly recording, and leave it there. Unless a participant in the conversation knows about the bug and consents to it, this is almost certainly a wiretap violation.

If the only person who knows that it is recording leaves the room, it becomes an illegal wiretap. What may be most surprising is that it is a criminal violation to disclose or use the recording, even to present it in court.

Cell phone. Suppose you pick up someone’s cellphone and obtain information from it — contents of text messages, pictures, records of calls, locations the phone has been taken to and some of the other information the device receives, obtains and stores. Is this a wiretap? Probably not, unless the information is in transit — a technically difficult issue. When you push a button, do you know where the information is coming from — the phone or some distant server?

Is this criminal “hacking”? If there is no authorization, it is probably a violation of the broadest federal hacking statute: 18 U.S.C. § 1030(a)(2). This statute only requires: (a) access to a computer, (b) without or in excess of authorization and (c) obtaining information.

Is a cellphone a computer? Sure. It’s a “device performing logical, arithmetic, or storage functions.” The 8th Circuit recently ruled that a cellphone met that definition. I worked with some of the biggest computers in the state in the mid-1960s and believe that none had the computing power of the average cellphone of today. Arguably a thumb drive also meets the definition, as well as increasing numbers of mundane appliances. Do you have to copy the information or do something with it in order to violate this statute? No. The legislative history and case law says that just looking at the information on the screen is enough for a violation.

Email. Most emails go to something like user@company.com. Company.com is a computer connected to the Internet. Suppose one partner of a small startup helped another partner set up a gmail account some years ago. Eventually there is a falling out, and the one accesses the other’s account because she has not changed her username or password.

Is this a wiretap? Not likely under the interpretation of most courts. The emails were probably accessed while stored on a hard drive. But is it a 1030 violation? If done without or in excess of authorization, yes. If the owner of the account impliedly permitted the partner to access it when relations were good, can you reasonably say that consent continued after a bitter falling out?

But what is in excess of authorization? When an employee uses the office system to check on a sports score or email his kids? The courts are all over the place. Some take a narrow approach, others read the statute to criminalize conduct where the employee is accessing information for his own purpose. The most extreme case was the federal indictment and trial of a woman for accessing a social-media site using a pseudonym when the site’s terms of use required use of the user’s true name. How many people read the terms of use of every website they visit? Is everyone a federal criminal?

Employers often “wiretap” employee emails and “access” their computers. Is this with consent and authorization? Last summer, the U.S. Supreme Court assumed that if a senior manager says something inconsistent with the written policy statements, it created a reasonable expectation of privacy contrary to the formal policy. Similarly, the New Jersey Supreme Court recently held that what I would think was a minor difference within the policy gave the former employee a privacy right in files left on the company laptop when she turned it in after quitting. That same case held the company’s lawyers violated ethical rules by using the files so obtained.

To be safe, employee surveillance should be clearly disclosed in the employee handbook, computer log-on banner, etc. Carefully written policies should say that you have no privacy from management on anything you do on the computers or identify the aspect of the work environment that will be monitored — or whatever compromise you choose. All managers need to adhere to the policies as formally written when asked about surveillance — preferably by simply referring to them.

Where are we going? Who knows? But be careful doing anything a jury can get mad about. The courts may let something that seems perfectly legal at the time result in large damages or maybe even prison.