Expectation of Privacy in Text Messaging?

Should an employer be able to read text messages that its employees have sent from devices and accounts that belong to the employer? The U.S. Supreme Court has decided to hear an appeal of a federal appeals court ruling that the Ontario, California police department went beyond its rights when it obtained and read personal text messages that its officers sent.

This case is not the first of its kind. In the early 1990s, three employees of Epson in El Segundo, California were fired because of messages they sent to each other in which they boasted of having ignored or disobeyed their managers’ orders. The messages were shown to the managers, who then fired the employees for insubordination. The employees sued on the basis that they had not been informed that their messages were being read and won an out-of-court settlement. This case set an important precedent: users of computing systems need to be informed if they are going to be monitored. Their expectation of privacy needs to be defeated.

Another case did not occur within the U.S. legal system, but rather within the U.S. Navy. About the same time that the Epson case occurred, an enlisted man broke into numerous Navy computing systems and was subsequently court-martialed on the charges that he did so. Many of the compromised systems were VMS systems that displayed a logon banner that started with “Welcome to my world of VMS.” The defense claimed that the defendant had been welcomed to the computing systems; the military tribunal agreed and ruled in favor of the accused.

Cases such as the Epson and U.S. Navy ones helped accelerate a now widely accepted and implemented principle—to display warning banners when users connect to systems. These banners need to advise users that:

1. Their actions during interaction with the system that they have accessed will be monitored,

2. Continuing with the login process constitutes consent to be monitored, and

3. Unauthorized actions, including gaining access without permission, may result in punishment, including legal prosecution.

Warning banners are designed to defeat the expectation of privacy on the part of users of computing systems and networks as well as to obtain their informed consent. Doing so helps protect organizations against invasion of privacy and other civil lawsuits, and at the same time negates malicious users’ defense that they did not know that what they were doing was wrong.

So how about the California Police case? The officers involved claim that they were “informally” told that their personal use of the smart phones was allowed and that the text messages that they sent would not be monitored. The city of Ontario has denied their assertion, saying instead that its policy does not allow the personal use of such equipment and that this policy is documented in writing and available to the officers.

The City of Ontario could have spared itself a lot of trouble and grief if someone there had realized that the smart phones used by the police are capable of displaying a warning banner whenever the phones are powered on. Displaying such a banner would not only have defeated the expectation of privacy on the part of the police officers, but would also have discouraged the police officers from sending personal text messages. What a pity, but hindsight is 20/20.

The Supreme Court’s ruling is bound to profoundly affect future rulings on cases of this nature. And the fact that a case of this nature has gone all the way to the Supreme Court shows that slowly but surely, issues with which we information security professionals deal are making their way to the forefront of the legal system as well as other important places.
