“Privacy as we knew it in the past is no longer feasible... How we conventionally think of privacy is dead.” Margo Seltzer, Professor of Computer Science, Harvard University
“You have zero privacy anyway. Get over it.” Scott McNealy, co-founder, Sun Microsystems
So we all love our devices. Cell phones. Tablets. Laptops. Our electronic gadgets have changed the way we work and live.
But it comes at a price. We have sacrificed security for convenience and there can be consequences: Pocket dialing. Hitting “reply all” by mistake. Discussing private matters on a cell phone in a public place. Or using a laptop at Starbucks to work on documents you don’t want or expect anyone and everyone to see. Admit it, we’ve all done some or all of these things. Most often the results are inconsequential, but sometimes they can be humorous, sometimes embarrassing and sometimes outright catastrophic. But in today’s age, none of these situations are unusual, nor are we likely to stop using our devices on the off chance that by mistake or otherwise, confidential and “private” information may be at risk.
But is there any legal protection when our information is placed at risk through routine use? How can we establish that we expected the information to be private in the face of our own mistake? Where does our privacy sit in today’s environment and what can we realistically expect to remain private?
Certainly the federal Wiretap Act (18 U.S.C. Section 2511) prohibits the intentional interception and disclosure of “wire, oral or electronic communications.” The Act also provides a private cause of action for anyone who believes their communication was unlawfully intercepted. Perhaps that gives “pocket dialers” and all of us some protection, or at least an ability to sue if private information is intercepted.
But, as a recent 6th Circuit Court of Appeals decisions suggests, that doesn’t give us carte blanche not to protect ourselves. If we expect our information to be private, we better act like it: we need to be prepared to exhibit and demonstrate our “expectation of privacy” with respect to information we want to protect and that expectation must be reasonable. See Bertha and James Huff v. Carol Spaw, No. 14-5123.
Where common security measures aren’t used, establishing that expectation may prove daunting. Huff involved the disclosure of information through an inadvertent pocket dial. Because the plaintiff had involuntarily pocket dialed before, and because he failed to use well known measures to prevent his phone from making such calls (for example locking the phone, setting up a password or using one of many apps available to prevent pocket dials), the conversations he intended to be private were not (at least under the Wiretap Act). The Court likened the plaintiff to a homeowner who fails to close his drapes and then claims he expects what he does in his home to be private. (Interestingly, the Court distinguished the claim of the person who talked to the pocket dialer whose conversation was also intercepted – she didn’t know the call had been made and had a reasonable expectation that the conversation was private.)
The Court’s view of this ought to send some chilling reminders to those who engage in conversations, discussions and work in public spaces: what you think is private may not be if you don’t take steps to protect it:
“…a person who knowingly operates a devise that is capable of inadvertently exposing his conversation to third party listeners and fails to take simple precaution to prevent such exposure does not have reasonable expectation of privacy with respect to statements that are exposed to an outsider…”
So what does this mean? It’s another reminder to us all to use routine security precautions, especially when we consider the matters involved confidential and want to keep them private. Under the Court’s reasoning, it’s not hard to envision that the failure to use and employ passwords would evidence a lack of an expectation of privacy. The use of cell phones in public where expected private conversations can be overheard may also demonstrate a lack of a privacy expectation.
This has serious implications for the business and financial communities. It also impacts the legal community, in which the concept of privileged and private discussions between lawyers and clients form the bedrock of the profession: Does the call by a lawyer to a client on a cell phone in a public place negate the expectation of privacy such that the conversation may not be privileged? What about the use of a computer with sensitive information displayed on its screen in a public place?
As more security measures become used and well known, the zone of privacy expectations may continue to shrink. For example, would Two-Factor Authentication (2FA) fall within the “simple and well-known” privacy protection category contemplated by the Court at some point? Would the failure to use unique passwords? How about the failure to promptly download software or app updates? And what happens when the Internet of Things creates a world where every device with an off-on switch is connected to the web?
“What’s scary is that we’ve gotten to a point where many of the things we do and the tools we use are such a big part of our lives that we HAVE to use them today. Are you really going to delete your Facebook account, stop using Google, no longer buy products online, or ditch your iPhone? No, you’re not because everyone else that you know on this planet is using those same things as well.” (Jacob Morgan, Forbes, 8/19/2014: http://www.forbes.com/sites/jacobmorgan/2014/08/19/privacy-is-completely-and-utterly-dead-and-we-killed-it/)
The upshot of all this: unless you are willing to turn back the clock and trade convenience for absolute security, you better engage in protective safeguards and act like your information is private. Close the drapes. Lock the door. It may be your only salvation.