Blogger: Bill Pray
A recent court decision in the United States Court of Appeals for the Ninth Circuit has some interesting implications for organizations using or planning on using a third party for collaboration services.
First, a quick introduction: My name is Bill Pray. I recently joined the Collaboration and Content Strategies team as an analyst. I come from the product management ranks of LexisNexis and Novell.
Given that this blog is about a court decision, I want to caveat my comments by saying that I am not an attorney. Organizations should consult with their own legal counsel about this court decision and the possible impacts.
The decision in Quon vs. Arch Wireless, published in June, addresses the privacy rights of employees when the employer utilizes a third party collaboration service. Specifically, the court held that the employees’ text messages were protected from being accessed without their consent by their employer, even though the paging service was contracted and paid for by their employer. The Fourth Amendment protects the “right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures.”
Even though this particular case is about text messaging, it is likely that it sets a precedent that can be applied to e-mail and other forms of hosted collaboration.
While the political impacts of this decision are significant for privacy advocates, I want to focus on three key points that surface in this court decision that are important for hosted collaboration services. An organization that uses or plans on using a third party SaaS solution for collaboration should consider:
1. You need to determine if your service provider is a “remote computing service” (RCS) or an “electronic communications service” (ECS) as defined by the Stored Communications Act of 1986.
If your service provider stores information for your organization as a defined part of the service for your future use and access, then they are likely to be defined as a RCS, and the Fourth Amendment privacy protections may not apply - based on the reasoning in this court decision.
However, if your service provider is an ECS - meaning that they act as channel for the electronic communication for the users, but do not provide services to the subscriber to store the data for future use and access - the users may have Fourth Amendment privacy protection.
Knowing if your provider is a RCS or an ECS is important to insuring that you picked a provider that will match with your communication content governance strategy. It all comes down to answering the question: Do you want to own and be legally responsible for the data? If the answer is no, then choose an ECS for your provider.
2. The court decision states "The recently minted standard of electronic communication via e-mails, text messages, and other means opens a new frontier in Fourth Amendment jurisprudence that has been little explored."
I completely agree that hosted collaboration is largely unexplored legal territory. We will continue to see cases flowing through the judicial system regarding hosted collaboration and privacy. This is part of the normal process of technological development and legal evolution.
The emergence of the cases should not be deterrent to organizations, but rather a part of the process. It is why organizations should invest in legal counsel to protect their interests when making technology decisions.
3. Perhaps the least surprising key point of this case is that policy and “operational reality” must match or the policy is moot. Even though the employer in this case had a written and communicated policy - communications by the employees using services or equipment paid for by the employer were subject to review and access by the department - the “operational reality” did not conform to the policy.
Frequently, organizations pay the penalty when their policies are not the realities of operation. When implementing hosted collaboration, organizations must verify that policies are also practices.
Setting the politics of individual privacy aside, the impact of this court decision depends upon the organization’s desired governance of the communications handled by their third party SaaS.
If the organization wants to divest itself of the legal responsibility for the content of the communications - and there are several advantages to doing this - then seek out an ECS and make sure your policies and “operation realities” clearly indicate that the organization is not responsible for the content. This potentially will make the ECS the primary responsible party and free the organization from some of the legal responsibilities associated with the “privacy” of the communications content.
If the organization wants to maintain control and “at will” access to the content of the communications, then use a RCS and establish policies and “operational realities” that grant the organization access to the content.
I anticipate more court decisions over the next several years will continue to define the legal responsibilities of the users, subscribers, and providers of hosted collaboration. Needless to say, it will be well worth monitoring.
Bill: The Quon case may give employers incentive to broadcast multiple, repetitive privacy disclaimers. What do you think? --Ben http://hack-igations.blogspot.com/2008/06/employee-imtexte-mailvoicecomputerinter.html
Posted by: Benjamin Wright | July 07, 2008 at 05:27 PM
What a nice Challenge !!!!!!!!Busby Seo Challeng
Posted by: Busby Seo Challenge | August 25, 2008 at 11:00 PM
The rapid advancement's in technology and law present many new arguments and gray areas within the American Judicial system. Recently one case is unfolding in Dallas Texas, after the FBI raided four datacenters, taking down approximately 400+ companies.
The raids came after an investigation by Special Agent Allyn Lynd of the Dallas FBI, into an alleged conspiracy of two companies Core IP Networks and Crydon Technologies, LLC who allegedly defrauded AT&T/Verizon out of $6.0 million in phone service.
The president Matthew Simpson wrote in a post to his customers “"'Currently nearly 50 businesses are completely without access to their email and data. Citizen access to Emergency 911 services are being affected, as Core IP's primary client base consists of telephone companies.' If you run a datacenter, please be aware that in our great country, the FBI can come into your place of business at any time and take whatever they want, with no reason."”
One of the third party companies that purchased bandwidth and were not associated with the parties allegedly associated with the fraud, filed a civil lawsuit against the Agent and USA. The companies involved assert that the government violated the company's fourth amendment rights to unreasonable searches and seizures. Since they did not provide access to the machines to the companies who where the focus of the raid.
Full details are available at http://www.securityfocus.tv/dallascolo/
Posted by: SecurityFocus Legal Review | April 12, 2009 at 06:38 PM