Text messages on company-owned equipment considered private? Not so fast.

17 Mar Text messages on company-owned equipment considered private? Not so fast.

Companies Should Review Computer Usage Policies After Quon Case

The Ninth Circuit, in Quon v. Arch Wireless Operating Co., 529 F.3d 892 (9th Cir. 2008), re­cently found that a public employee had a reasonable expectation of privacy in text mes­sages sent and received on his employer-owned pager. However, the widespread news commentary stating that this case means that all text messages are considered private is overstating the court’s actual holding and its real-world implications for private businesses.
The court’s holding is really much narrower. Much of the court’s analysis centered on the Fourth Amendment, which effectively means that the holding primarily applies to public employers, not private businesses. However, a de facto “infor­mal” computer use policy was key in the court’s decision and provides some guidance for private businesses as well.
In this case, Arch Wireless provided text messaging services through pagers to the City of Ontario for use by its employees, one of whom was Jeff Quon. The City had no official policy specifically related to the use of the pagers, but it did have a general “Computer Usage, Internet and Email Policy,” which stated that “[t]he use of City-owned … equipment … is lim­ited to City of Ontario related business.” The policy also stated that the City “reserves the right to monitor and log all network activity … without notice. Users should have no expectation of privacy when using these resources.”
Each pager was allotted 25,000 characters, and any amount over that was charged to the individual employee. When Quon went over the allotted amount, Lt. Duke, the supervi­sor in charge of the pager program, told Quon that as long as he reimbursed the City for the overages he would not have to audit the records to determine how many messages were not work-related. After Quon went over the allotted amount several more times, Duke complained to his superior about being a “bill collector,” which caused the superior to order the transcript of the pagers to determine if the messages were truly work-related. The City reviewed the transcripts from Arch Wireless and de­termined that a number of Quon’s messages were personal and often sexually explicit in nature.
On appeal was the district court’s finding that Arch Wireless was not in violation of the Stored Communications Act (SCA), and that the City and other co-defendants did not violate Quon’s Fourth Amendment right to be free from unreasonable search and seizure.
The Stored Communications Act
To decide whether or not Arch Wireless violated the SCA by turning over the transcripts to the City, the court needed to de­termine whether Arch Wireless is a “remote computing service” (RCS) or an “electronic communication service” (ECS). Under the SCA, an RCS can release private information to the sub­scriber of the service, while an ECS cannot. The SCA defines an ECS as a “service which provides users… the ability to send or receive… electronic communications.” An RCS is defined as “the provision to the public of computer storage or processing services by means of an electronic communications system.”
Given that the service Arch Wireless was providing was the actual electronic communications themselves, not storage or The Ninth Circuit, in Quon v. Arch Wireless Operating Co., 529 F.3d 892 (9th Cir. 2008), re­cently found that a public employee had a reasonable expectation of privacy in text mes­sages sent and received on his employer-owned pager. However, the widespread news commentary stating that this case means that all text messages are considered private is overstating the court’s actual holding and its real-world implications for private businesses.
Fourth Amendment and the Computer Use Policy
The court’s Fourth Amendment analysis focused on the reasonable expectation of privacy in electronic communica­tions, and applies to unreasonable search and seizures by the government. For the purposes of private businesses, the Fourth Amendment does not apply, although the court’s reasoning does shed light on how it may rule in the future.
The court answered the threshold question regarding whether or not users of text messaging services have a reason­able expectation of privacy in those messages stored on the service provider’s network in the affirmative. The court clari­fies, however, in that it makes a distinction between the ad­dress or header function of the message (the TO: and FROM: line), and the content of the message. Under the Fourth Amendment, there is not a reasonable expectation of privacy in the header of a message, but there is a reasonable expecta­tion of privacy in the message content.
Next the court turned to the City’s policy, and found that Lt. Duke’s oral assurance that as long as Quon paid for the overages his messages would not be audited became the City’s “informal” policy regarding the text message usage, and that this informal policy effectively created Quon’s reasonable expectation of privacy in those messages. Key in that analysis was the fact that Lt. Duke was the one in charge of administer­ing the pagers and therefore his statements carried a great deal of weight.
Recommendations for Businesses
Even when considering the narrower scope of the Ninth Circuit’s ruling in Quon as it applies to private businesses that would not be subject to Fourth Amendment claims, there are still instructive lessons to be learned regarding computer usage policies. Following are several recommendations:
(1) Be mindful of what employees say that could modify the written policy and create a de facto “informal” policy. It may be prudent to add a disclaimer to a formal written policy that the policy may not be amended or modified other than by writ­ten approval of a senior officer of the company.
(2) A company’s written computer or electronic policy should accurately reflect actual practice, because in the event of a dispute, it’s the company’s actual practice that will likely win the day.
(3) A company’s written policy should encompass any third-party providers of service, and/or the messages should be routed through the company’s own network to ensure the messages are covered under the written policy.