Archive

Posts Tagged ‘Supreme Court’

I’m With Scalia on Quon

This past week, after reading and re-reading the Supreme Court’s decision in City of Ontario, California v. Quon several times, I’ve come to a conclusion that is surprising for me: I am in agreement with Justice Scalia, not the majority, when it comes to Quon.  In fact, I think Scalia hit it right on the head when he wrote in his concurrence describing the majority opinion:

“…In saying why it is not saying more, the Court says much more than it should.”

The Quon court clearly wrestled with whether or not to address the big question being posed in this case – whether employees have a reasonable expectation of privacy in certain electronic communications i.e. messages sent through a government employer-issued pager.  This intellectual wrestling, and the majority’s thoughtful debate on the role of technology in the workplace are particularly revealing.

For instance, the Court noted that it’s not just technology that’s evolving rapidly – it’s society’s view on what is acceptable behavior vis-à-vis these technologies that is also changing at a rapid pace.  The Court considered the position put forward in the amicus brief submitted by the ACLU, EFF, CDT and others – that in today’s workplace, employers expect and tolerate the personal use of office equipment and technology by employees (and therefore, employees should have a reasonable expectation of privacy in personal messages sent through an employer’s equipment or technology).  In contrast, the Court also contemplated the efficiency of a rule that reserves office equipment and technology for work use only – since mobile phones are now affordable and widely used, shouldn’t employees be required to purchase their own device for personal use at work?   Unfortunately, the analysis stopped here; the Court for instance didn’t distinguish between mobiles phones (for voice and text) which remain affordable vs. smartphones (for email and webmail) which remain fairly expensive.

In the end, the Court chose to sidestep the important question of whether employees have a reasonable expectation of privacy in electronic communications made in the government workplace. It concluded that it needed to “proceed with care” in determining the issue; it also cautioned the judiciary against “elaborating too fully” when evaluating “the Fourth Amendment implications” of technology in the employer-employee context.  And then, most surprisingly, the Court admitted that unlike past decisions (specifically referencing the phone booth in Katz), it could no longer rely on its “own knowledge and experience” to conclude that there was a reasonable expectation in text messages sent via a government-owned pager.  Wow.  While Supreme Court justices were using phone booths in 1967, they aren’t using their pagers (or mobile phones) to send text messages in 2010.  Is technology advancing at a rate that is too fast for the highest court in the land?  Opportunities to decide important issues like this come before the Court only so often.  The disapproval in Justice Scalia’s concurrence is hard to miss:

“Applying the Fourth Amendment to new technologies may sometimes be difficult, but when it is necessary to decide a case, we have no choice.”

Yet by trying so hard to say nothing, the Court actually says something fairly significant.  By dithering over whether to use the Court’s precedent in O’Connor v. Noriega, but then using it anyway to determine that Jeff Quon had a reasonable expectation of privacy in text messages he sent from his work pager, the Court has – as Scalia puts it – “inadvertently” boosted the “operational realities” standard and case-by-case approach of the O’Connor court (the Court ultimately determined that even though there was a reasonable expectation of privacy, the City’s search was reasonable).  The facts here are telling – in one month, Jeff Quon, a member of the SWAT team at the Ontario, California police department sent or received 456 messages, of which only 57 were work-related.  These messages were transmitted via a pager that Jeff Quon received from the City so that he and fellow SWAT team could “mobilize and respond to emergency situations.”  In fact, the case started began when the City – faced with recurring overages for Quon and another employee – requested text message transcripts from the City’s wireless provider to determine whether the City’s current limit for text messages needed to be raised.

Regardless, it’s likely that the O’Connor rule will have more of an influence on privacy – and workplace privacy in particular – after the Quon decision.  Scalia insists that the Court’s ruling in Quon will automatically drive lower courts to the “operational realities” of the O’Connor test.   Perhaps he’s right – but a case-by-case approach in privacy analysis is almost inevitable in the absence of a federal privacy framework and bright line rules.   Context will continue to be a key part of the privacy analysis.  It’s already an important part of the United States’ “sectoral” approach to privacy.  For instance, personal data is even more sensitive when it’s being handled for medical purposes (see HIPAA for more details).  Similarly, there’s been a lot of concern about geo-location technologies recently – even though these technologies have been around for years, it is their emergence on mobile phones, and the ability to combine a user’s profile data with their geo-location data, that has raised privacy concerns.

Scalia also predicts lots of litigation around the question of whether employees have a reasonable expectation of privacy in the workplace (what did the workplace policy say, was there one, etc). That may be right – but it could also just be a natural evolution of the case-by-case approach outlined above – a lack of a bright line rule will always result in lots of litigation about what the standard should be.  There are, however, are at least two counseling gems to be found in Quon that are worth considering in anticipation of such litigation.

  1. Make sure your company’s privacy policy covers all types of electronic communications that occur on work equipment. The City of Ontario had a written policy that covered email, computer and Internet use – but didn’t explicitly cover pager use (although Jeff Quon’s boss did attempt to extend the written policy verbally to pager use in staff meetings).  And remember, the Court did find that Jeff Quon had a reasonable expectation of privacy in the text messages sent via his work pager.
  2. Make sure your company’s work policy matches up to its actual practice. Even though the City issued pagers to Jeff Quon and other SWAT team members with the understanding that they were intended for work use, the City sent a contrary message when it allowed employees to use those same pagers for personal use (so long as the employee picked up the extra charges for exceeding usage).  To send a clear message, and match its written policy to actual practice, the City should have banned personal use of the SWAT pagers altogether.

Of course Scalia was pushing for a bright line rule in this case – one that would have applied the Fourth Amendment to all employers – not just government.  At a time when companies are eager for privacy guidance, are bright line rules for workplace privacy needed?  This is the only part of the Scalia concurrence that I’ve struggled with.  On the one hand, we don’t want to have inflexible standards that ignore the realities of the present-day workplace.  On the other, having a rule that says there is no reasonable expectation of privacy when the workplace privacy policy says otherwise (assuming that policy is communicated properly), could be very helpful for compliance – especially when you consider the companies struggling to navigate the maze of court rulings, FTC rules and guidance, and sectoral laws that comprise US privacy law.  The need becomes even more compelling as once again, we are faced with the real possibility that Congress will not pass a federal privacy law this year – even as the FTC looks to Congress for guidance on how to shape a regulatory framework around privacy and security.

Which comes to my final point of agreement with Scalia.  When it comes to Quon, the Court chose not to address the important question – in short, they punted.  Or as Scalia puts it:

“… The-times-they-are-a-changin’ is a feeble excuse for disregard of duty.”

Advertisements

Tipping Towards an Opt-In

A few years ago, I became an instant fan of Malcolm Gladwell’s groundbreaking book – “The Tipping Point” – based on an epidemiological theory that says that in aggregate, “little things” can make a big difference.  Since then, I’ve observed the phenomenon play out on the policy stage several times – financial reform and healthcare are two immediate examples that come to mind – and I wonder if the theory has any application in what’s currently happening with online privacy today.  I think it does – particularly if you view a tipping point in scientific terms i.e. the point at which an object is displaced from a state of stable equilibrium due to a series of successive events, into a new equilibrium state qualitatively dissimilar from the first.

To say that online privacy was ever in a state of stable equilibrium is a stretch.  We are however, approaching the end of a current era in online advertising and marketing – an era in which companies captured personal and confidential data from users, and then monetized that data to sell ads back to those very same users, often without the user’s authorization or knowledge. That state of equilibrium has been threatened by many events in the last few months – market developments, consumer outcry and regulatory attention all converging to catapult data privacy and security onto the national agenda and into the mainstream press.  Some commentators, such as Jeff Chester, have characterized these events as a perfect storm; I see them a bit differently – not a storm, but a series of occurrences that finally “tipped” the issue, as companies attempted to push the privacy envelope with various features that compromised a user’s privacy (and in some cases the user’s express wishes to keep their data private).  Each of these features involved sharing data with a third party and not surprisingly, each triggered a privacy outcry – because they provided no meaningful way for users to opt-out of the feature before personal data was exposed.

It’s amazing to think that most of these pivotal events only happened during the last three months.  To recap:

February 9, 2010 – Google launches Google Buzz, and overnight, transforms users’ Gmail accounts into social networking pages, exposing personal contacts.  Google later remedies the situation by making the feature opt-in.

April 27, 2010 – 4 Democratic Senators led by Chuck Schumer of New York, send a letter to Facebook CEO Mark Zuckerberg complaining about the privacy impact of Facebook services, including its instant personalization feature (which exposed user profile data without authorization on launch).  Senator Schumer follows up his letter with a formal request urging the FTC to investigate Facebook.  Facebook eventually announces new privacy controls.

May 5, 2010 – EPIC and a coalition of other advocacy organizations file this complaint, urging the FTC to investigate Facebook.  In the complaint, they assert that “Faceboook’s business practices directly impact more American consumers than any other social network service in the United States.”

May 14, 2010 – Google announces, via a post on their policy blog, that their Streetview cars have inadvertently been capturing payload data from open WiFi networks – in violation of US, European and other global data protection laws – for over 3 years.

May 21, 2010 – The Wall Street Journal reports that a group of social networking sites – including Facebook, MySpace and Digg – routinely share user profile data with advertisers, despite public assurances to the contrary.

The result? With each successive product or feature launch, the privacy debate is now tipping towards a privacy regime that could be much stricter than anything we’ve seen before – a requirement that companies get a user’s affirmative opt-in to any use of personal data for advertising and marketing purposes.

Privacy nerds may want to revisit the words of David Vladeck, head of the FTC’s Bureau of Consumer Protection, in a New York Times interview that took place last August i.e. before the privacy mishaps of the last 3 months.  When asked about whether the FTC would mandate an opt-in standard for user disclosures, Mr. Vladek responded:

“The empirical evidence we’re seeing is that disclosures on their own don’t work, particularly disclosures that are long, they’re written by lawyers, and they’re written largely as a defense to liability cases. Maybe we’re moving into a post-disclosure environment. But there has to be greater transparency about what’s going on. Until I see evidence otherwise, we have to presume that most people don’t understand, and the burden is going to be on industry to persuade us that people really are well informed about this.”

The emphasis on transparency becomes even more important with the  impending rollout of the FTC’s privacy framework this summer.  Will  the FTC make an affirmative opt-in mandatory in all instances where personal data is being shared with a third party?  Clearly, an opt-in is one of the best ways to ensure transparency, and to give users meaningful notice about what data is being collected.  The question is whether an opt-in requirement would be so cumbersome it would turn users off of the service altogether.  For instance, would an opt-in be required once – before the feature is first launched, or each successive time it launches?

Also, it’s unclear whether the FTC’s framework will derive strength (or weakness) from a federal privacy law if such a law does indeed pass this session.  Critics on both sides have mostly panned the House legislation i.e. the Boucher-Stearns bill, but there is news of another, more stringent bill being drafted by Senator Schumer who reached his tipping point with Facebook as outlined earlier.

I saved my most important “little thing” for last. Even if you don’t believe that the privacy debate has yet to reach a tipping point, consider this: in June, the Supreme Court will issue its decision in City of Ontario v. Quon. This is the first time that the Supremes have considered the crucial question of what expectation of privacy users have in their electronic communications.  Their decision will most likely impact any regulatory or legislative scheme around privacy currently being proposed by the federal agencies or Congress.  Most importantly, a Supreme Court decision that finds an expectation of privacy in electronic communications will most certainly translate into increased obligations on companies that deal in these types of electronic communications and data.  A tipping point?  Absolutely.  In fact, such a decision would definitely signal something much bigger (to quote another popular book title) – a Game Change for advertising and marketing on the web.

No 4th Amdt Protection for Backups & Delivered Email in 11th Circuit

March 17, 2010 Leave a comment

From Professor Orin Kerr, a terrific blog and analysis of the Eleventh Circuit’s recent decision in Rehberg v. Paulk, which held that there is no expectation of privacy in stored copies of delivered emails that are stored by your ISP. The Court cited Sixth and Second Circuit precedents to find no 4th Amendment protections for delivered email  (as Professor Kerr’s post indicates, however, the issue of when an email has been delivered is still unsettled).

Professor Kerr’s analysis focuses on the Court’s differing treatment of the email copy that was delivered vs. the backup copy of the email that was stored with the plaintiff’s ISP (just because the delivered copy lost protection, the ISP copy should not have).  While I agree, I also think that the Court’s decision might have been very different had they analyzed the issue under the Stored Communications Act, and not the 4th amendment. The SCA proscribes unlawful access to stored electronic communications, which it defines as:

“…any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and

any storage of such communication by an electronic communication service for purposes of backup protection of such communication;”

Under this definition, the email copy at issue in Rehberg should fall squarely within the backup exception to the SCA.

The Rehberg decision conflicts with the holding of the Ninth Circuit in Theofel v. Farey-Jones.  Here, the court found that copies of emails stored with an ISP post-transmission were protected from disclosure under the backup exception to the SCA.

Arguably, Rehberg has further complicated the split in the Circuits on privacy protection – statutory or under the 4th Amendment – for email.  It’s unclear when the Supreme Court will have a chance to review this particular issue.  Perhaps we will get some guidance from the Court’s upcoming review of USA Mobility Wireless Inc. v. Quon . Quon is a 9th Circuit case involving a related issue – the expectation of privacy in text messages.  The facts are complicated, since the case involves texts sent by a government employee, but it is one of the few decisions to find privacy protections for electronic communication.  This is definitely a case to watch next term, as a ruling in Quon will likely impact how courts view privacy for other electronic communications, especially email.

Categories: Uncategorized Tags: ,