The 9th Circuit of Appeals reversed a district court ruling, Quon v. Arch Wireless, in which a wireless text messaging service turned over message transcripts to their customer, the Ontario Police Department, during an investigation on an officer’s excessive use of the department provided pager. The fact pattern has some twists and turns, but buried within the opinion are issues that are worth exploring for every corporation contemplating out-sourcing their communications via SaaS or other external provider.
To summarize the case, Officer Quon overran the 25,000 character allocation on his departmental pager. After paying for the monthly overages 3-4 times, a supervisor requested the prior month’s transcript to determine how much of the overage was personal usage, a violation of computer usage policy. Because of an unofficial policy of not auditing the text message contents if the officer paid the overage fees, the court found that Officer Quon and the others caught up in his personal, overtly sexual text messages had a reasonable expectation of privacy, despite having signed a typical “Computer Usage, Internet and Email Policy” to the contrary.
The arguments around defining Arch Wireless as a Remote Computing Service (RCS) or an Electronic Communication Service (ECS) are fascinating in their potential scope and byzantine twists. All of these issues are centered on Fourth Amendment rights and the Stored Communications Act (SCA) of 1986, part of the Electronic Communication Privacy Act. The basic conflict is between an employer’s right to monitor or investigate employee communications and their employee’s reasonable expectations of privacy. Arch Wireless was found to have acted as an ECS provider, which limits the Ontario Police Department’s ability to investigate with showing due cause.
Realizing that this published opinion by the 9th Circuit does not immediately or even inevitably apply to the rest of the federal courts, it could be interpreted as one of the first rulings for a more European style of personal ownership of communications sent via an employer’s system, at least when that system is not owned and run by the employer. This ‘could’ limit a company’s ability to monitor for inappropriate or even illegal communications usage.
A deeper read of the finding provides a reality check. The Ontario Police Department had numerous opportunities to expand their policy to explicitly call out the pager usage as well as their audit policy. The right policy, education and acknowledgement program would have prevented employees from forming the wrong ‘reasonable expectation of privacy’ while using departmental pagers. Does this make you want to check on your corporate Blackberry policy? It should.
Using a SaaS email or archiving provider such as Estorian’s LookingGlass should not preclude you from monitoring and investigating your corporate email, but it should warrant a detailed policy review. A pager, IM or other transient communication provider falls under the higher ECS definition, which means that only a named sender/recipient should be able to request a copy of the communication. Whereas a SaaS email archiving provider seems to meet the RCS definition or even a lower standard that allows the contact entity (billing contact) to request copies of the communications.
This decision raises interesting questions about who really owns the communications as technology and market forces blur the old lines of enterprise systems, documents, phone calls, shared services and more. We should all hope that Arch Wireless appeals the ruling to the Supreme Court or that another similar case soon finds its way to the top of the judicial ladder.