In this digital age of smart phones, global positioning systems, cloud computing, and social networking, determining what constitutes private information and what lengths our legal system will go to protect it is increasingly challenging. The reality is that our legal framework lags behind our rapidly changing, technology-driven world. And it is unclear whether and how our legislatures and courts will tackle the “vexing problems”1 caused by the increasingly complex intersection of privacy and technology.
Despite the lack of clear guidance, each day businesses confront difficult questions on what constitutes private information and to what extent the law protects it. This means that we must not only understand the current framework, but also anticipate the next, new privacy issue. The following discussion focuses on three emerging topics in this area—(1) tracking one’s public movements via global positioning systems, (2) restrictions on accessing data posted on social networking websites, and (3) employees’ unauthorized computer activity during work hours. In each instance, the only clear conclusions are that the law struggles to keep up with technology and that until the courts or legislatures are ready and willing to tackle these issues, there is unlikely to be meaningful guidance on how to handle these situations. In other words, the reality will continue to be rapidly evolving technology and a legal system that is not agile enough to quickly adapt.
Bread Crumbs from Space
As recently as January 2012, the Supreme Court admitted that it would rather not wrestle with difficult questions relating to privacy. In United States v. Jones, the Court addressed the scope of the Fourth Amendment’s prohibition against unreasonable searches in relation to GPS surveillance.2 But instead of deciding whether tracking a vehicle’s every move for four weeks violated one’s reasonable expectation of privacy, the majority reverted to 18th Century trespass law. Although this kind of physical intrusion is precisely the kind of conduct the Fourth Amendment sought to protect against at the time it was adopted in 1791, Justice Scalia acknowledged that physical contact is no longer necessary to find a Fourth Amendment violation. Indeed, many cases discussing search and seizure in the last fifty years have relied upon the “reasonable-expectation-of-privacy” test and have expressly recognized that a trespass is unnecessary to find a constitutional violation. But by narrowing the analysis to a question of trespass, Justice Scalia avoided what he deemed to be “thorny problems” of whether or not long-term electronic surveillance without an accompanying physical intrusion is an unconstitutional invasion of privacy. Thus, this opinion rested on the narrowest possible grounds, raising more questions than it provides answers. For today, the Supreme Court appears content to let these questions lie, perhaps hoping that time and technology will provide more durable answers to navigating this thorny thicket.
In the private sector, the few courts that have opined on an employee’s privacy right when it comes to the tracking of employer-owned vehicles have found unanimously that those rights are limited. For example, a federal court in Missouri found that because the vehicle’s movement was public, the plaintiff had not established that there had been an intrusion upon his private affairs.3 This was true even when the plaintiff was unaware that the GPS device had been placed on the company vehicle he had been driving. In Texas, another federal court reached the same conclusion on similar facts.4 Neither opinion, however, discusses whether the technology that now allows for long-term, continuous surveillance (which previously would have been nearly impossible or prohibitively expensive) impacts our conception of an individual’s expectation of privacy.
This question, however, was explicitly posed by Justices Alito and Sotomayer in their separate concurring opinions in Jones. For example, Justice Alito commented that the reasonable expectation of privacy test “rests on the assumption that this hypothetical reasonable person has a well-developed and stable set of privacy expectations. But technology can change those expectations.” Similarly, Justice Sotomayer posited that it may be necessary to revisit the fundamental premise that information disclosed to third parties is not subject to a reasonable expectation of privacy. Although the Court recognizes the flexibility and therefore the uncertainty inherent in our current legal framework, the majority is not yet ready to put parameters on it, at least in the context of activities that occur in the public domain. Accordingly, current case law discussing surveillance of employees—which also rests upon the reasonable expectation standard—could be subject to change.5
Following the Jones decision, it is clear that the Supreme Court’s retreat to the time tested theory of trespass may well have been the safer, if not most satisfying, course. Nonetheless, it is increasingly clear that, at some point, the courts will have to look more closely at the impact of changing technology on our expectations of what is and is not private. For the time being, while courts continue to delay a determination of whether a new framework is appropriate, practitioners will have to continue to try to evaluate emerging issues using more historic analytic frameworks—in other words, figure out which square hole can best accommodate the newly rounded peg.
The Facebook Effect
Like other rapidly developing technologies, social media has also quickly come to occupy a central place in many of our lives. For example, as of April 2012, more than 900 million active users had logged onto Facebook to establish 125 billion friendships and to upload, daily, 300 million photos.6 The result: a massive amount of data regarding private relationships, communications, photos, and interests stored in a single social-networking warehouse. According to a recent study by the Pew Internet & American Life Project, many users (in fact, at least half) desire to keep this data private and, therefore, restrict access to their online profiles.7 But does this restriction mean that it can be kept from prying eyes as a matter of law?
At least one court has answered that question affirmatively with respect to employees’ social networking activities.8 In Pietrylo vs. Hillstone Restaurant Group, a jury found that an employer violated the Stored Communications Act (“SCA”)9 when its managers accessed a private chat group on the social networking site, MySpace.com. The SCA, in pertinent part, governs access to stored communications and creates statutory privacy rights for users of internet service providers. In Pietrylo, one member of the group provided her password to management, who then used the information to log-in to the site on several occasions. At trial, that employee testified she had been uncomfortable providing her password, but did so because she believed she otherwise “would have gotten in trouble.” A manager also testified that he knew the employee was “very uneasy” in turning over her password. While the jury did not believe the employer’s conduct was an invasion of privacy, it found that the conduct violated the SCA’s prohibition against knowing, intentional, or purposeful access to stored communications without authorization. This broad reading of the SCA certainly should make employers think twice before attempting to monitor their employees MySpace and Facebook activity.
But what about the private, social-networking activities of potential employees? In the last several months, the media spotlight has focused on a relatively new practice among corporations and government agencies whereby candidates are asked to divulge the username and password to their social networking sites as part of the interview process.10 The public outcry in response has prompted US Senators Chuck Schumer and Richard Blumenthal to request an investigation into the practice.11 Whether or not the SCA (or another federal statute like the Computer Fraud and Abuse Act) will be read broadly enough to encompass this new practice is still unknown. For example, if a potential employee voluntarily discloses her Facebook password to a potential employer upon request, is that access “without authorization”? It goes without saying that most employers do not want to be the test case.
In the interim, some states have already begun taking steps to prohibit employers from asking employees for their social networking passwords or conditioning employment on the disclosure of this information. For example, in April 2012, Maryland became the first state to pass a bill to protect user name and password privacy. Similar legislation is pending in at least Illinois, Michigan, Massachusetts, New York, and California. Companies soon will need to analyze the breadth of these statutes and how they may (or may not) impact one’s current social networking policies.
Words with Friends: A Federal Crime?
Playing “Words with Friends” may have gotten Alec Baldwin removed from an American Airlines flight at LAX, but should an employee be federally prosecuted using an office computer in a way that violates company policy, which could include, for example, spelling out “quizzical” in the middle of business hours? In one of the most anticipated opinions of 2012, the Ninth Circuit en banc answered this question “NO.”
In United States v. Nosal,12 the government indicted David Nosal, a former employee of a search firm, for, among other things, violation of the Computer Fraud and Abuse Act (“CFAA”)13, which, in pertinent part, criminalizes unauthorized use or exceeding authorized use of a protected computer. After leaving the firm, Nosal convinced his former colleagues to download confidential information from the firm’s database and provide it to him so that he could start a competing business. The CFAA counts against Nosal were grounded in a theory that he aided and abetted his former colleagues to “exceed [their] authorized access” with intent to defraud. In other words, using a company computer in a way prohibited by company policy, but not hacking into a system to which they had no rights at all.
The Ninth Circuit now has aligned itself with the half a dozen district courts that have construed CFAA narrowly. While it confirmed that the statute covers the “unauthorized procurement or alteration of information, not its misuse or misappropriation,”19 it left the door open with respect to the statute’s application where an employee exceeds his or her level of authority and accesses data contained in restricted areas.
* * *
These issues only scratch the surface in terms of the questions raised by the intersection of law and technology. Internet retail and banking, email, cloud computing, and smart phone location services are a few other examples. On February 23, 2012, the White House issued a proposal to establish a Consumer Privacy Bill of Rights. President Obama writes, “One thing should be clear, even though we live in a world in which we share personal information more freely than in the past, we must reject the conclusion that privacy is an outmoded value.” While the President believes this one thing should be clear, from a legal perspective, it certainly isn’t. Companies, employers, employees, and those who might be the subject of personal or law enforcement scrutiny will have to consider expectations of privacy and then wait to see whether the courts accept these expectations as reasonable.