Employment Privacy: Is There Anything Left?

Vol. 39 No. 3

By Lewis Maltby

Lewis Maltby is president of the National Workrights Institute (formerly the ACLU’s national employment rights project). He has been consulted by the sponsors of every major congressional privacy bill since 1990 and has testified before Congress numerous times.

The battle for workplace privacy is over; privacy lost. Despite repeated language in judicial opinions regarding the need to balance the competing rights of employers and employees, no balancing occurs. The actual test of whether an employee has a reasonable expectation of privacy is who owns the equipment used to transmit the message. If the equipment belongs to the employer, the employer has the right to monitor anything and everything on it. The employer need not even allege a justification for reading the message in question.

Employees have no reasonable expectation of privacy even when employers have promised it. In Smyth v. Pillsbury, 914 F.Supp. 97 (E.D.Pa. 1996), the court held that an employer could read personal e-mails even when it had told employees it would not. In Quon v. City of Ontario, 130 S. Ct. 2619 (2010), the Supreme Court held that a police officer had no expectation of privacy in the text messages he sent over an employer-issued device, even though his commanding officer promised him his messages would not be monitored. The court reasoned that the officer should have ignored what his commanding officer told him and relied upon the boilerplate language in a form he was given with the device.

The bottom line is that employers can monitor every e-mail, text message, Web site visit, or other activity that takes place on a company-owned device. Despite the reassuring language about the need for balance, no employee has ever won a case against his or her employer for computer monitoring.

Current Legal Protection

There are two areas in which there remains some legal protection for workplace privacy. The first is personal conversations that occur at work. The second is video recording.

Audio Monitoring

Under federal wiretapping laws, it is illegal to listen to or record conversations without the consent of the parties. Under the Electronic Communications Privacy Act (ECPA), 18 U.S.C.A. § 2510, employers are given an exemption for calls made “in the ordinary course of business.” Courts interpret this to mean that employers can eavesdrop on all business telephone calls but cannot listen to or record messages they know are personal. In theory, employers that monitor employee telephone calls are required to hang up when they realize the call is personal. In practice, this means very little because the employee whose call is being monitored has no way to know that the employer is listening, much less whether the employer hangs up.

ECPA also applies to audio monitoring of the workplace. Employers can install recording devices in any location that is used primarily for work. But employers may not conduct audio recording of nonworking areas such as cafeterias, break rooms, or locker rooms. In practice, this means little because employers are not required to notify employees that they are being recorded and employees are unlikely to discover the hidden microphone.

Video Surveillance

Video surveillance is governed by common law, using the “reasonable expectation of privacy” standard. Courts have consistently held that employees have a reasonable expectation of privacy only in bathrooms and locker rooms. Some courts have allowed video surveillance even in these areas.

Off-Duty Privacy

The issue today is whether employees’ off-duty privacy will survive. Employers use multiple technologies to monitor and control off-duty behavior.

Laptops

Many employers now provide laptop computers to employees. This saves the employee the cost of buying his or her own laptop and gives the employer the benefit of additional hours of work at almost no cost.

Problems arise, however, when laptops must be repaired or upgraded. Employer information technology (IT) technicians frequently look at what is stored on the laptop, even when it is clearly personal. If they find it offensive, they often tell the employer. One might think that employers would not be concerned with the Web sites employees visit in their own homes on evenings and weekends, but they are. Harvard professor Ronald Thiemann lost his position as department head because university techs found sexually explicit pictures on the computer the university provided for his home use. Only tenure kept him from being fired.

Webcams

Many laptop computers are now equipped with webcams. Because virtually all laptops today are wireless, webcams can be remotely activated. An employer could easily activate the webcams on any or all of the laptops issued to employees. Many of these laptops would be inside employees’ homes; many would be in bedrooms.

It is impossible to determine how often this abuse occurs. Employees have no way of knowing that the webcam in their laptop has been activated. Employers are not required to disclose this information and no surveys have been conducted.

While it seems unlikely that employers would commit such an egregious abuse, it is not unlikely that individual IT employees would sometimes do so. It is an open secret among IT professionals that they read other employees’ e-mail for fun. The opportunity to secretly watch an attractive coworker undressing is a temptation some would find irresistible. An IT tech in Lower Merion, Pennsylvania, was caught activating the webcams on all of the more than 1,000 laptop computers the local high school had issued to students (http://www.cbsnews.com).

There is no statutory protection against this abuse. The FBI conducted an investigation into the Lower Merion incident and concluded that no law had been broken.

It is possible that courts would consider an employer activating webcams it knows are likely to be inside employees’ homes a violation of common law privacy. As of yet, however, this remains an open question.

Employers could easily prevent IT employees from spying on coworkers by occasionally conducting an audit of whether webcams had been remotely activated. However, 25 percent of employers have no policy regarding the circumstances under which IT employees can monitor coworkers. Among the 75 percent who have a written policy, research by National Workrights Institute (NWI) has not found a single employer that has an enforcement procedure.

Employees could avoid this problem by buying their own laptop computers for personal matters and using the employer’s only for work. In practice, however, this is more difficult than it sounds, even for employees who can afford to pay for a second computer. In today’s world, the day is not divided into working time and nonworking time. People go back and forth from work to personal and back again. Changing computers each time would be only an inconvenience for an employee sitting at her desk at home. When employees travel, whether on business or pleasure, carrying two computers is not a practical option. Even people with two laptops will inevitably end up with personal matter on their business laptops.

GPS

Every cell phone made in the United States is required by federal law to be equipped with GPS technology. Some employers use this to track employees during their private lives. The cost is only about $5 a month per employee.

GPS tracking is extremely accurate. It reveals not only the address of the house you are in, but whether you are in the living room or the bedroom. If you are in an office building, GPS can reveal that you are visiting a psychiatrist, a substance abuse counselor, or a marriage counselor, or having an abortion.

In addition to disclosing very personal information, GPS tracking provides the employer with a record of everywhere employees spend every minute of their lives.

In theory, employees can avoid being tracked by not carrying the phone or turning it off. Employees can only do so, however, if they are aware they are being tracked. Employers are not legally required to notify employees, however, and it appears that relatively few do. When employees at one company discovered they were being tracked and turned off their phones away from work, the employer threatened to terminate anyone who continued to do so. When the American Civil Liberties Union and NWI threatened to sue, the employer allowed employees to turn off their phones. In another incident, Howard Boyle, president of a fire sprinkler installation company in Woodside, New York, gave all his employees cell phones and secretly tracked them both on and off the job using GPS.

Whether such a lawsuit would have been successful is unknown. There are no statutes restricting the use of GPS by employers. The case would have to be brought under common law privacy. Unlike monitoring of employer-owned devices that are generally used at work, there is no legitimate business need to track employees during their private lives. Even in the few jobs where it is sometimes necessary to communicate with an off-duty employee immediately, a cell phone or pager is all that is needed. This makes the case more difficult for employers. But the only practice to date that has shocked judges enough for it to be considered a violation of common law privacy is video monitoring of bathrooms and locker rooms. GPS surveillance, while an egregious intrusion on privacy, is not as bad as watching someone undress. Only time will tell whether courts will permit it.

Some insight may be gained by examining case law under the Fourth Amendment. While the Constitution does not apply to private employers, both the Fourth Amendment and common law use a “reasonableness” test. Decisions in constitutional and common law cases are generally consistent.

The Supreme Court’s decision in United States v. Jones, 132 S. Ct. 945 (2012), is not encouraging. While the Court ruled unanimously that the government violated Jones’ rights by attaching a GPS device to his car, the majority opinion relied upon the fact that the device was attached to Jones’ personal vehicle. This rationale would produce the opposite result when an employer conducts GPS surveillance using a company-issued cell phone.

Biometrics

Thousands of employers now use biometric technology to control access to locations and/or systems. Technologies include electric fingerprints, retina scans, iris scans, hand geometry, and facial recognition.

In some situations, the use of biometrics is called for. Passwords and magnetic-strip ID cards can be easily lost or stolen. Stealing someone’s fingerprints is extremely difficult and stealing other biometric indicators is almost impossible. Using biometrics to control access to nuclear power plants, banks, and other critical locations benefits both the employer and the public.

But the use of biometrics also creates many risks. While some biometrics, such as fingerprints, reveal only that the person is among those allowed entry, others, such as retina scans, can disclose sensitive medical information. Biometrics can also create the risk of identity theft on an unprecedented scale. It is easy to change a password or issue a new ID card, but we cannot give people new fingerprints. If a hacker gained access to the biometric database of a large employer that uses fingerprints, the identity theft harm is almost beyond imagination. Linking the records of biometric systems can create a record of a person’s location similar to GPS.

The most frightening threat of biometrics is the loss of anonymous political protest. The FBI and other law enforcement agencies have for many years attempted to identify people involved in demonstrations against government policy, even when the protest was legal and nonviolent. Countless photographs of protestors have been taken. To date, however, these photos have been of no use because there is no way to link the photo of a person with his or her name. If employers use facial recognition biometric systems, law enforcement can use them to identify the people photographed at demonstrations. The right to anonymous political protest could be extinguished.

None of these negative outcomes need occur. Privacy advocates have created a set of best practices that will allow employers to obtain the additional security provided by biometrics where it is needed without undermining privacy or other human rights (http://www.workrights.org). But neither federal nor state legislators have made any attempts to enact legislation.

Social Network Monitoring

At least 77 percent of all employers “Google” employees and/or applicants (http://money.cnn.com (Mar. 2, 2011)). Hiring the wrong person for a job is a very costly mistake. Worse, this decision is always made with inadequate information. Even the best employers make expensive mistakes.

The Internet offers a great deal of additional information about an applicant—and it does so for free. In the case of most candidates, Internet searches produce no significant new information. But occasionally employers find something important. An applicant to become a police officer may be a closet racist who cannot be trusted to treat people of color fairly. These rare cases more than justify the minimal investment required.

This practice is clearly legal. An employee cannot claim to have a reasonable expectation of privacy in information he or she posted on the Internet for the entire world to see. It is slightly troubling, however, for employers to scour the Internet for every available bit of information about a person. It is similar to public behavior. Legally, a person has no reasonable expectation that something he or she does in public will not be seen by others. But many people would be troubled by having someone follow them with a video camera every minute they are outside their home.

Password Disclosure

Traditionally, people have been able to prevent employers from seeing information they wish to keep private by using password-protected websites such as Facebook. Recently, however, some employers have begun “asking” employees to disclose passwords. In Pietrylo v. Hillstone Restaurant, N.J. No. 06-5754, Sept. 25, 2008, the employer learned that employees had a private website that included criticisms of management. He called an employee who was a member into his office and asked her for the password. She felt uncomfortable about disclosing it. But as an at-will employee she felt she had little choice and revealed the password to the employer. When the employer found that another employee had criticized him on the site, he terminated her.

The New Jersey Supreme Court found that this was a violation of the Stored Communications Act (SCA), 18 U.S.C. §§ 2701–2711, which prohibits access to password-protected websites without consent. The court held that whether the employee voluntarily consented to disclose the password was a jury question. The jury determined that the disclosure was coerced. The court held that coerced consent was not valid under the SCA.

Pietrylo, however, is the only reported case involving employer-compelled consent. It is not clear that other courts will reach the same result. The SCA does not define the circumstances under which consent is valid except to say that the consent must be “lawful.” It is silent on whether or not lawful means voluntary. The court did not explain how it reached its definition of consent.

There are many situations in which consent that is a condition of employment is legally valid. For example, the Supreme Court held in Gilmer v. Interstate/Johnson Lane, 500 U.S. 20 (1991), that the employee’s agreement to waive his right to bring a civil action in the event of a future dispute and use the employer’s arbitration system was enforceable, even though the agreement was a condition of employment.

Personal Autonomy

The issue in such cases goes beyond informational privacy. Another aspect of privacy is the ability to control our own private lives. Internet monitoring by employers threatens this right as well. Employers show little reluctance to terminate employees (or reject applicants) because of private speech or behavior. Lynne Gobbell was fired for having a “Kerry for President” bumper sticker on her car. Cameron Barrett was fired because his boss didn’t approve of the sexually explicit short stories he posted on his personal webpage. Tiffany Shepard was fired for posting on her Facebook page a picture of herself on vacation in a bikini. Other employees have been fired for disapproving of the war in Iraq, having a picture of themselves drinking beer on their personal website, and even supporting the “wrong” team in the Super Bowl. The most recent survey found that 35 percent of employers had terminated employees or rejected applicants because of information found on the Internet (Careerbuilder.com, Aug. 19, 2009).

There is very little legal protection against this abuse. Comments about religious beliefs are protected by Title VII’s prohibition against religious discrimination. In jurisdictions that prohibit discrimination based on sexual orientation, Internet comments that reveal that someone is gay are protected. But federal law provides no protection for comments about politics or any other subject.

State law provides limited protection. In twenty-nine states, statutes restrict discrimination based on legal off-duty behavior that is not job related (http://www.workrights.org). All but eleven of these, however, are limited to off-duty tobacco use. An additional six cover the off-duty use of any legal product. In these states, it is illegal for an employer to deny employment to a person because that person is drinking beer in a Facebook photo or talking about how much he or she drank at a party. These statutes might reach posting a vacation picture in a bathing suit. But they clearly do not protect expressing an opinion about politics or other controversial subjects. Only five states (California, Colorado, Montana, New York, and North Dakota) prohibit employment discrimination based on all legal off-duty behavior that is not job related.

Reform

It is clear that any reform will come from legislatures. Experience so far has not been encouraging.

Federal

Since 1990, three attempts have been made to enact federal privacy legislation. The first was the proposed Privacy for Consumers and Workers Act (PCWA). PCWA would have required employers to fully disclose all monitoring programs to employees and provide the employee and the customer immediate notice when a specific telephone call was being monitored. PCWA was passed by the House Labor Committee but was not brought up for a vote. The Senate version had almost no cosponsors, even though the Senate was heavily Democratic, and was never brought up in Committee.

In 2000, Senator Charles Schumer introduced the Notice of Electronic Monitoring Act (NEMA). NEMA attracted some bipartisan support; the lead sponsor in the House was Representative Bob Barr, a conservative Republican. But it was swept from the agenda by the events of 9/11 and never reintroduced.

Representative Rob Andrews introduced the Employee Changing Room Privacy Act (ECPRA) in 2008. Its modest goal was to ban videotaping in locker rooms and bathrooms, a practice that no one defended and was generally already illegal. But even this bill attracted little support and quickly disappeared.

The newest attempt to adopt federal legislation is the Password Protection Act (PPA), sponsored by Senator Richard Blumenthal and Congressman Elliot Engel. The PPA would prohibit employers from requiring or requesting employees to disclose the passwords to social networking sites.

Whether PPA will be enacted is questionable. It is a very reasonable proposal and the business community has indicated that it is open to such legislation if legitimate management interests are protected. However, the same was true of NEMA and ECPRA, and neither of them attracted significant congressional support.

And even if PPA is enacted, it addresses only Internet use. It offers no protection against GPS, biometrics, or company-issued laptops.

State

State legislation has been only slightly more successful. A handful of state laws attempt to protect employee privacy. Some, such as Rhode Island’s ban on video monitoring in bathrooms and locker rooms, only cover practices that are generally already a violation of common law privacy. Others require what most employers already do. For example, Connecticut requires that employers give notice that they might conduct monitoring, a requirement that is met by the reservation of rights screen that appears on virtually all employer computers. Statutes that provide new rights are generally very limited. Maine law, for example, prohibits random drug testing unless the position is safety-sensitive and prohibits direct observation. Overall, state legislation has not significantly improved workplace privacy law and there are no indications that it will do so in the future.

Wireless Technology

The best prospect for increased employee privacy may come, not from the law, but from technology. Traditionally, workplace communication has taken place with equipment owned and controlled by the employer. Today, most people have personal cell phones that provide text messaging, e-mail, and Internet access.

Employees with such cell phones can escape most forms of employer surveillance, even while at work. Cell phones are wireless; they communicate directly with towers and satellites owned by third-party providers, such as Verizon. They do not pass through the employer’s server.

Employers are unlikely to obtain access from the provider. Under the SCA, the provider is authorized to disclose information only with the consent of the sender or recipient. While employees may “consent” in order to avoid repercussions, such consent may not be “lawful” under SCA. The only case on point says that it is not. Under these circumstances, service providers are unlikely to reveal information to employers. Only if the law becomes clearly settled that such consent is lawful are service providers likely to disclose data to employers.

Ironically, this creates a situation in which employers are unable to get data even when they have a legitimate reason. An employer with evidence that an employee is revealing trade secrets ought to be able to see any information regarding communication with competitors. The SCA, however, provides no exception to the consent rule for such situations.

A Better Model

The traditional model of privacy based on ownership has never been fair or logical. Until recently, the ownership model has given employers total control and virtually eliminated employee privacy. We are entering a new era in which communication will take place over wireless networks that the employer does not own. We are moving from a world in which employers can see anything they want, even if they have no legitimate interest, to a world where employers cannot gain access to information even when they have a legitimate interest.

It would be in the best interest of both employers and employees to change the law to a model in which access to information is based on legitimate interest rather than ownership.
