PRIVACY + SECURITY BLOG

News, Developments, and Insights

high-tech technology background with eyes on computer display

City of Ontario v. Quon

The Supreme Court will soon hear arguments in City of Ontario v. Quon, an important Fourth Amendment case involving the privacy of electronic communications in the workplace.

The case is on appeal from the 9th Circuit.  The opinion there — Quon v. Arch Wireless Operating Co., Inc., 529 F.3d 892 (9th Cir. 2008) — involved a police department of the City of Ontario, California  which provided pages to its employees.  The department “had no official policy directed to text-messaging by use of the pagers.” It only had a general policy that computer use was not to be for “personal benefit,” that it reserved the right to monitor all network activity, and that “[u]sers should have no expectation of privacy or confidentiality when using these resources.”

When officers exceeded text message limits, they were billed personally for overages.  Jeff Quon did so many times, and always paid, but the city finally obtained transcripts of Quon’s text messages.

Quon and others sued the City of Ontario and Arch Wireless (which handled the text messaging service) under the Stored Communications Act (SCA) and the Fourth Amendment. The court concluded that Arch Wireless violated the SCA when it disclosed the messages to the city as well as violated the Fourth Amendment.

Only the Fourth Amendment issues are before the Supreme Court, which granted cert. on these issues but denied cert. on the appeal of Arch Wireless on the SCA issues.

Here are some thoughts about the case:

The Fourth Amendment in the Workplace. The Fourth Amendment applies differently in the context of a government workplace. In O’Connor v. Ortega, 480 U.S. 709 (1987), the Supreme Court concluded that government employees had Fourth Amendment rights and a reasonable expectation of privacy in the workplace.  However, the Fourth Amendment would apply a little differently than normal.  First, the Court noted that employees’ reasonable expectation of privacy in the workplace is diminished to some degree and must be understood contextually.  Second, the Court held that the “special needs” doctrine applies, and the government employer doesn’t need a warrant or probable cause to conduct a searches so long as the searches involve a workplace-related purpose and are “reasonable.”

Orin Kerr notes that Ortega was a plurality opinion, and the Court could revisit the issue of how the Fourth Amendment applies in the government employment context.  I doubt the Court will do this.  A very extensive body of jurisprudence in lower courts has been built upon Ortega, and it is fairly with how the Court has dealt with the Fourth Amendment in the schools and other special contexts.  So I see the Court following the Ortega approach.

Employer Computer Monitoring Policies: Words vs. Practice. Under Ortega, did Quon have a reasonable expectation of privacy in his text messages?  I believe the answer is yes.  Although the police department had a general policy where it stated that it would monitor computer use, it had an informal policy for text messages (what the 9th Circuit opinion referred to as the “operational reality”).  That policy was that the department wouldn’t look into the officers’ text messages, and if they went over a certain character limit, they’d pay for the use.  The policy implied that officers could use the text messaging for their personal use — that’s why they would have to pay out of their own pocket for going over the character limit.  Why make them pay anything out of pocket if the use was exclusively for their jobs?

This informal policy should trump the general computer policy.  It is far too easy to just roll out boilerplate warnings about monitoring of computer use — these shouldn’t govern over the realities of practice.  The Court should look at the employees’ actual understandings and the actual practices of the department.  Most employers have boilerplate warnings of monitoring, but this boilerplate is meaningless if it doesn’t accord with actual practices and if everybody understands it will be disregarded or not followed in certain contexts.

Responding to Concerns About Looking at “Operational Reality.” What about the potential danger that if “operational reality” trumps written policies, it could lead to a chaos of litigation?  Won’t this open the floodgates to employees challenging employer searches and monitoring?  Employers might try to create clear written policies, but they could be upended whenever an employer makes an exception or a supervisor misinforms an employee or the employer becomes lax and tolerates violations.  Isn’t it just easier to stick to the plain language of a written policy, no matter whether it is followed in practice or not?  I see the Court really getting hung up on this issue.   With the “operational reality” approach, what an employer says in its official policy no longer controls — what an employer does matters more.  And it is so easy for employers to say and do things that might not be consistent with their policies.

Is there a good response to the objection above?  I believe there is.  Without an “operational reality” rule, employers could easily promulgate broad policies of monitoring, and then totally eliminate the Fourth Amendment rights of employees.  Counsel to various government workplaces will urge this general boilerplate monitoring policy to stave off any potential litigation.  Smart lawyers will do this to protect against lawsuits.  This is akin to attempts to use clickwrap contracts or put all sorts of warnings and disclaimers of liability on products.  Nobody really reads them, or believes they matter in practice.  And courts often hold they’re not binding.

What an employer actually does and says in practice is a more accurate indication of the necessity for intruding upon employee privacy.   Ultimately, the goal of Ortega was to recognize there’s a balance between (1) the needs of the employer to monitor employees and sometimes search employee work spaces and (2) an employee’s privacy.  The workplace isn’t a no privacy zone and a no constitutional rights zone.  But as the Court noted in Ortega, there must be a balance, for employers have to be able to maintain efficiency, order, and supervision of their employees.  The “operational reality” is a far better indicator of how important certain incursions on rights and privacy really are to employers.  It is one thing for some distant lawyer to write up a Big-Brother-esque monitoring statement, but the best indication of the value of monitoring to the employer is the extent to which the employer devotes time and resources to the monitoring as part of a routine practice.

Moreover, in a world of clickwrap contracts and excessive warnings, we all know that these have little to do with reality.  And reality should matter for determining reasonable expectations of privacy.  If an employer says, contrary to policy, that it won’t monitor one’s electronic communications, then that should weigh heavily on an employee’s expectation of privacy.

Guidelines. To prevent any minor statement or divergence in practice from undermining an employer’s written general policy, the Court can use the following guidelines:

(1) If the official policy clearly covers the practice at issue, and is specific in referencing it, then there should be a strong presumption it should govern.  This presumption can be overridden only when there is a consistent policy to the contrary demonstrated by clear and convincing evidence based on the employer’s statements and practices.

(2) If the official policy is general in nature, and doesn’t specifically reference the practice at issue, then there should be a weak presumption it should govern.  This presumption can be overridden when there is a preponderance of evidence demonstrating a different policy with regard to the practice at issue.

Applying the Guidelines to Quon. In Quon, we’re in situation (2) above.  The official policy was general in nature and didn’t specifically reference the text messaging service.   Absent anything else, there should be a weak presumption that the general policy governs the text messaging service, but this is overriden by the evidence that personal use of the text messaging service was permitted.  Indeed, the police department had a specific and well-understood practice of handling text messaging use — if employees went over the limit, they paid for the excess themselves.  The focus of the employer was on whether the limit was exceeded or not.  Quon always paid, and followed this policy, and he was reasonable in expecting this policy would continue to be followed unless the police department told him otherwise.  Since the department suddenly did something it had never done before, inconsistent with this informal policy, this should have been communicated to Quon in advance.

Was Obtaining the Contents of the Text Messages “Reasonable”? Short answer: No.  This was totally unnecessary to achieve the department’s goal — to prevent excessive personal use of the text messaging service.   The department could have told Quon and the other officers to avoid exceeding the character limit in the future.  It could have warned them that if they repeatedly exceeded the limit, they’d lose privileges or be sanctioned.  And if it wanted to obtain the contents of the text messages, it should have issued a new policy by telling Quon and others: “Okay, our old policy isn’t working, so we’re changing things.  If you go over the limit repeatedly, we’ll obtain the contents of your messages.”

The Supreme Court should affirm Quon.

Originally Posted at Concurring Opinions

* * * *

This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove also posts at his blog at LinkedIn. His blog has more than 1 million followers.

Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum and International Privacy + Security Forum, annual events designed for seasoned professionals.

If you are interested in privacy and data security issues, there are many great ways Professor Solove can help you stay informed:
*
LinkedIn Influencer blog
*
Twitter
*
Newsletter

TeachPrivacy Ad Privacy Training Security Training 01