Monitoring and Privacy: Is Your Head Still In the Sand?


By Sean Doherty

2:36 PM EDT Tue. Jun. 19, 2001
From the June 19, 2001 issue of VARBusiness
We give out personal information every day. Between our birth and death records, we dispense an avalanche of information to the government, businesses and other organizations in return for employment or services. For example, we provide detailed information to schools, banks, state departments of motor vehicles, health providers and insurers, and in return we receive an education, bank accounts, a driver's license and health care. We also establish relationships and accounts with vendors and service providers in exchange for discounts and promotions. Businesses thrive on having such customer information.

In turn, we are observed and monitored every day. Only the high cost of persistent, systematic surveillance systems prohibits their widespread use in public places today. And without the aid of machines, the observers quickly forget what they saw and rarely collect and correlate data for later use. In the future, security checks like the one at Super Bowl XXXV--in which hidden cameras scanned the faces of arriving spectators and compared their portraits with photos of alleged criminals--may be commonplace.

When the setting changes from the public to the private-sector workplace, however, monitoring takes on a different significance. Enterprises can and often should monitor their employees in the ordinary course of business.

Workplace Monitoring vs. Privacy Rights

Enterprises are not in business to monitor their employees. Doing so takes time and money. Organizations must, however, protect their investments, assure employees of a safe and hospitable working environment, and assess the quality of services to customers, and monitoring can help achieve those goals. The American Management Association's survey on monitoring and surveillance earlier this year found 30.8 percent of respondents' companies monitored Internet connections, and 54.1 percent monitored stored e-mail messages. If there were other ways to guard an enterprise from theft, employee misconduct and unauthorized use of company property, and provide quality assurance, the enterprise would find them.

Employers, however, should not expect employees to check their privacy rights at the door of the workplace. Employees' expectations of privacy stem from an individual's general "right to be left alone." Today, most states recognize the right to privacy by statute or common law and prohibit, among other things, the public disclosure or revelation of private facts, under tort law (the 1977 Restatement Second of Torts 652A). The common law is based on court decisions that apply the facts of the case at hand with those of previous cases. Some states, including California and Tennessee, go further and provide a right to privacy in their state constitutions. In many cases, the U.S. Constitution or federal law also may apply to curb the misuse or abuse of personal information and check an intrusive monitoring system. However, there is no guarantee that the courts would side with an employee in a privacy dispute.

Yet even without a constitutional or federal guarantee of privacy in the workplace, courts will seek a balance between employees' privacy rights and the employer's right to conduct and manage the business. In some cases, courts have found that an employer's actions--for example, installing video cameras in bathroom stalls and changing rooms--were outrageous and unlawful invasions of privacy under federal or state laws. In other cases, courts have found the employer's action justified, outweighing the privacy interests of the employee. For the most part, this has been the case for electronic monitoring.

Businesses have always monitored employees to ensure acceptable levels of performance. At one time, shorthand was measured by the minute, and mechanical keystrokes were counted using cyclometers. Today, work can be tracked electronically, computer-generated statistics can be used for performance appraisals, and telephone calls can be monitored for quality assurance. There are also compelling reasons to monitor e-mail. A fast, easy and inexpensive way to communicate in the workplace, e-mail also is a durable and persistent business record that can lead to potential liability if not used in a responsible manner. For example, e-mail messages provided evidence both for and against Microsoft in the government's antitrust lawsuit against the company. And last year, messages posted to an Internet bulletin board were sufficient evidence to allow a sexual harassment suit to proceed against Continental Airlines. To date, electronic monitoring in the workplace has been limited by the time and labor necessary to work with inadequate tools and by the legal and social implications on employees' rights to privacy. But, as the Bob Dylan song goes, "the times they are a-changin'."

Congress enacted the Electronic Communications Privacy Act (ECPA) in 1986 to bring electronic communications within the purview of the FWS (federal wiretapping statute). The FWS now prohibits any person from intentionally intercepting wire, oral or electronic communication or disclosing the contents to any other person. Electronic communication is defined as "any transfer of signs, signals, writing, images, sounds, data or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photo electronic or photo optical system."

If, however, an enterprise provides wire or electronic communication services in its ordinary course of business, it is exempt from the FWS.

The business exception to the FWS generally lets employers monitor computers and networks the company owns. Enterprises providing a wire or electronic communication service to the public, however, can monitor and observe network traffic only for "mechanical or service quality-control checks." Once an electronic communication reaches a storage facility, Title II of ECPA, the Stored Wire and Electronic Communications and Transactional Records Act, prohibits intentional, unauthorized access to stored communications.

ECPA defines electronic storage as "any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission" and any storage for backup purposes. Entities that provide wire or electronic communications service are exempt, except for public providers, like America Online. This has created a broad exception for employers that provide electronic communication in-house. This may also include anyone authorized by a provider, such as a service provider, to monitor stored messages. Critics, however, caution employers against relying on the exception, since Congress's intent in passing ECPA was to strengthen individual privacy rights.

If Congress intends to strengthen individual privacy rights in the workplace, that intent has not manifested itself into law. In 2000, legislation proposed in both houses of Congress failed to require employers to inform employees if they monitor computer, Internet or telephone use. Although the proposed Notice of Electronic Monitoring Act died in committee, it has resurfaced in the Senate as the Spyware Control and Privacy Protection Act. This bill sets out to mandate disclosure of information collection through computer software and other means.

Although many state wiretap laws follow the federal law, employers should not engage in electronic monitoring without checking applicable state and common laws on electronic monitoring in the workplace. Several compilations of laws on monitoring are available. LRN, a legal research and analysis firm, offers papers on "Monitoring and Recording of Employee Telephone Calls, Voicemail" and "E-mail: A Federal Law and Fifty State Survey." In addition to the applicable laws, employees expect certain privacy rights, and employers should respect them.

Technology today enables employees to work long hours both in and out of the office. Often, those hours require employees to devote a fair amount of time to personal or family life while on the job. Employees may have to take calls from schools or hospitals during the day to field family emergencies; they may have to coordinate child care with a spouse; and they may need to contact stores, banks and so on. Most workers will make the occasional personal phone call from work or use the office copy machine for a random photocopy. And many people will use an e-mail system for personal as well as work-related mail.

Yet there may be abuse--in content, purpose and the sheer amount of time spent on such mail. Some people may also surf the Internet to attend auctions and sales or download games and other programs and run them on office computers. Others may harass workers with e-mail, view pornography or even mail corporate secrets to competitors. If you don't monitor the workplace, you may have little concern for the welfare of your employees until one files a harassment suit. And you may have little worry that employees are divulging corporate information until your competitor files a patent with your intellectual property.

If these concerns alone don't keep you up at night, keep in mind how much network bandwidth and Internet access dollars you are losing to such activities. In the past, when companies recognized that equipment was used or abused for purposes other than business, they placed controls on the devices. For instance, many of us now use a code to access long-distance services and photocopy equipment. For the network, the costs are even more daunting. Businesses upgrade wiring, switches, routers and leased lines. For example, 256-Kbps leased lines are upgraded to T1, T3, OC-3 and even OC-12 to handle increased loads. If these loads do not equate to business needs, there's unnecessary overhead that needs to be recognized and reduced. If employees know the network is monitored, the reduction in nonbusiness-related "surfing" can free up bandwidth, increase performance and reduce costs.

Monitoring the corporate network makes good business sense, but doing it responsibly--by employing up-to-date tools and adhering to an established company policy--makes better sense. Otherwise, you may find yourself the subject of a lawsuit. For example, a Massachusetts court found that reviewing employees' mail using a supervisor's password violated state law against "unreasonable, substantial or serious" interference with privacy (Restuccia vs. Burk Technology). Employees were permitted to use the e-mail system to send personal communications, and the employer never informed them that messages would be monitored using a supervisor's password.

The federal government has started to address the hard questions of how data is collected, accessed, and transferred or shared. But most U.S. legislative efforts have fallen short of the comprehensive privacy schemes found in Canada and the European Union in favor of allowing enterprises to police their own privacy practices. In response, enterprises have beefed up their privacy policies and appointed privacy officials to ensure that customers are given notice of what information the business collects, how it uses the information and how it discloses that information. But is this enough?

Although legislation is in motion to ensure the public's privacy rights in the information age, little has been done to update the FWS or provide employers with a clear guide to balancing electronic monitoring and privacy. Furthermore, advances in technology continue unabated. Digital convergence and the wedding of voice and data on networks enable both employers and the federal government to monitor network activity, going beyond the scope of the FWS. Today's networks carry voice and data packets that include origin, destination and content on the same channel, and all may be monitored and reported on one device. This has implications for the watcher and the watched.

For example, as enterprises adopt VoIP (voice over IP) on the corporate network, voice traffic will be as easy to monitor as Internet traffic, such as e-mail, FTP, HTTP and telnet. Voicemail will be stored in the same medium as e-mail and susceptible to the same tools now used to scan e-mail messages; the potential to infringe on employees' privacy will be greater than ever. Unfettered and unannounced monitoring that scans both voice and data traffic on the network may cross the lines of respectability and infringe on employees' rights to privacy.

Enterprises need tools that can reduce the risks and costs of doing Internet business. These tools should inform companies when confidential information, such as trade secrets and intellectual property, is communicated on the Internet. In addition, these tools should provide the enterprise with information on how its network resources are being used and easily identify abuse. At the same time, the tools should ensure a safe, hospitable environment for employees to engage in productive, creative work and afford them respectability and comfort in the workplace.

 