Privacy Settings on Social Networking Sites May Determine Protection Under Stored Communications Act

On May 26, 2010, the court in Crispin v. Christian Audigier, Inc. quashed portions of subpoenas seeking the disclosure of private messages sent through Facebook and MySpace.  The court left open the question of whether Crispin’s wall postings and comments should be disclosed pending a more thorough review of his online privacy settings. 

On February 10, 2010, defendants in the copyright infringement case subpoenaed the social networking sites for wall postings and private messages from plaintiff Crispin’s accounts.  Crispin filed a motion to quash the subpoenas, asserting that the Stored Communications Act (“SCA”) prohibited the disclosure.  The SCA generally prohibits an entity that provides an “electronic communication service” (“ECS”) or a “remote computing service” (“RCS”) to the public from disclosing the contents of certain communications that are carried, maintained or stored on that service. 

After a lengthy analysis, the court determined that Facebook and MySpace were each either an ECS or RCS and thus potentially covered by the SCA.  The court then referred to a provision in the federal Wiretap Act stating that “[i]t shall not be unlawful under [the SCA] for any person . . . to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public.” (emphasis added)  Based on this provision, the court quashed the subpoena insofar as it sought messages that Crispin sent through the websites’ private messaging services.  The court found that those communications are “inherently private” such that the stored messages are not “readily accessible to the general public.”

The plaintiff’s Facebook wall posts and MySpace comments, however, presented a thornier question.  Because Crispin’s privacy settings could have determined whether his wall posts were public, the court declined to resolve the issue, instead directing that the parties “develop a fuller evidentiary record regarding plaintiff’s privacy settings and the extent of access allowed to his Facebook wall and MySpace comments.”

Supreme Court Sets Oral Argument in Quon v. Arch Wireless for April 19, 2010

The U.S. Supreme Court has set oral argument for April 19, 2010, to review the Ninth Circuit’s 2008 decision on employee privacy in Quon v. Arch Wireless Operating Co.  Although Quon concerns the scope of privacy rights afforded to public employees under the Fourth Amendment, the case also has forced private employers to renew their focus on ensuring robust and consistent enforcement of employee monitoring policies.  Unlike government employers, private employers are not subject to the Fourth Amendment’s prohibition against unreasonable searches and seizures; instead, they must comply with federal wiretap statutes and state law.  In practice, however, the “reasonable expectation of privacy” test courts apply to state common law privacy claims that govern private employers is virtually identical to the Fourth Amendment test.  Accordingly, the Supreme Court’s review of the constitutional test likely will affect how courts view privacy claims brought against private employers.

In reviewing the Ninth Circuit’s decision in Quon, the Supreme Court will consider three issues: (i) whether a police officer has a reasonable expectation of privacy in text messages transmitted on his department-issued pager, where the police department has an official “no privacy” policy, but a non-policymaking lieutenant announced an informal policy of allowing some personal use of the pagers; (ii) whether the Ninth Circuit contravened the Supreme Court’s Fourth Amendment precedents and created a circuit conflict by analyzing whether the police department could have used less intrusive methods of reviewing text messages transmitted by a police officer on his department-issued pager; and (iii) whether individuals who send text messages to a police officer’s department-issued pager have a reasonable expectation that their messages will be free from review by the recipient’s government employer.

For more information, please see our previous blog post on the Quon case.

Supreme Court to Address Employee Privacy

The U.S. Supreme Court announced Monday that it will review the Ninth Circuit’s 2008 decision on employee privacy in Quon v. Arch Wireless Operating Co.  In Quon, the Ninth Circuit considered whether the Ontario, California police department and the City of Ontario violated a police officer’s privacy rights by reviewing private text messages the officer sent using a two-way pager issued by the police department.  The police officer had on several occasions exceeded the limit on the text messages provided by the department-paid plan.  Each time, the officer paid for the overage without anyone reviewing his text messages.  When the officer again exceeded the limit, his supervisor requested from the service provider and subsequently reviewed transcripts of the officer’s messages to determine if the messages were work-related.

The Ninth Circuit found that the supervisor's review of the messages violated the officer's privacy because the officer had a reasonable expectation of privacy in the communications.  The ruling was based primarily on the police department’s failure to consistently enforce its computer usage and monitoring policy that authorized the department to monitor and review employees' communications.  The court acknowledged that, had the monitoring policy been appropriately enforced, the officer would have had no expectation of privacy in the communications. 
 
Importantly, because the officer was a state employee, his privacy claim – and the Ninth Circuit’s ruling that the officer's privacy had been violated – were rooted in Fourth Amendment jurisprudence.  Although the Fourth Amendment does not apply to employee privacy claims against private employers (which instead are subject to federal wiretap statutes and state law), in practice the "reasonable expectation of privacy" test courts apply to state common law privacy claims is virtually identical to the Fourth Amendment test.  Accordingly, the implication of Quon for private employers was a renewed focus on ensuring robust and consistent enforcement of employee monitoring policies.
 
Even if the U.S. Supreme Court overturns Quon, such a ruling would not necessarily offer relief to private employers facing state law employee privacy claims.  Some recent state court decisions suggest that non-government employees in some states may have a reasonable expectation that communications concerning employees’ medical or financial issues, income taxes, communications with an attorney, or other personal matters will remain private and not subject to monitoring by employers.  At least one state court has suggested that there is a reasonable expectation of privacy in such communications even where (i) the communications are conducted using company-owned systems and (ii) relevant company policies state that employees have no expectation of privacy in their workplace communications.

"Bot Herder" Slapped With Federal Prison Sentence

A former computer security consultant was sentenced Wednesday to four years in federal prison for fraud stemming from his involvement with a cyber-crime ring that used botnets to infect an estimated 250,000 computers.  He has also been ordered to pay $20,000 in restitution to companies defrauded by the scheme.  The 27-year-old California man made history last year when he became the first "bot herder" in the United States to plead guilty to wiretapping charges in connection with the use of botnets.  His guilty plea included admissions of accessing protected computers to conduct fraud and disclosing illegally intercepted electronic communications, as well as wire and bank fraud.  He faced up to 60 years in prison and $1.75 million in fines.

Botnets are networks of "zombie" computers that, unbeknownst to their owners, are remotely controlled by hackers with unfettered access to personal information stored on, or transmitted by, the machines.  The use of botnets, and attendant malware, permits criminals to gain access to individuals' private communications with financial institutions as well as other sensitive data.  The criminal operation that resulted in Wednesday's sentencing was uncovered by the Federal Bureau of Investigation two years ago as part of its Operation Bot Roast investigative initiative.  According to the FBI, botnets pose a growing threat to national security, the national information infrastructure and the economy.  In June 2007, federal law enforcement agents announced they had logged the millionth IP address belonging to a botnet.