If You Want Your AUP to Stick, Stick to Your AUP
June 19th, 2008 § 3 Comments
Many have already written about Quon v. Arch Wireless Operating Company (opinion), the 9th Circuit decision finding a reasonable expectation of privacy in text messages. The results may be more fact-specific than some suggest, but it’s also a cautionary tale about acceptable-use policies (AUPs).
The city of Ontario, California has a typical AUP: it says that Internet access can be recorded and monitored, that such information isn’t confidential, that the systems shouldn’t be used for personal communication, and so forth. The city issued police officers two-way alphanumeric pagers, owned & operated by Arch Wireless. When an officer would go over his 25,000 character limit for the month, he’d pay for the overage. The lieutenant in charge of the pagers made it clear that an officer’s messages wouldn’t be audited as long as he paid for the extra messages. When that lieutenant got tired of being a “bill collector” for pager overages, the department audited message logs to find out how many messages were work-related (so that the message limit could be increased if there were a legitimate need). In that audit, the department found many personal—and sexually-explicit—messages.
Note the fact scenario here. It’s a police department, so the Fourth Amendment applies to the employer—which wouldn’t be the case for a private company. Arch Wireless was a third-party provider, so the case wasn’t about an internal e-mail system. And, critically, the court found that the department’s “operational reality” overrode its AUP. Because the department had a months-long practice of letting officers go over their message limits without auditing as long as they paid for the overages, the court held that the officers could reasonably expect that their text messages would be private even if the AUP said otherwise.
The lesson for employers is that operational practice can trump written policy. One solution is to draft AUPs that reflect reality, allowing “limited personal use” as long as that use doesn’t interfere with job functions and system performance. If that kind of wiggle room is unacceptable, then a company with an absolutist AUP needs to be sure that its policy is enforced absolutely.
Jim: The Quon case may give employers incentive to use multiple, repetitive privacy disclaimers. What do you think? –Ben http://hack-igations.blogspot.com/2008/06/employee-imtexte-mailvoicecomputerinter.html
I’m not sure that multiple disclaimers would help. The problem in Quon wasn’t just what the supervisor said but also his actions over eight months. Would multiple disclaimers counterbalance actual practice any more than one AUP would? Probably not. It was never an issue in this case whether the officers had read the AUP, just whether “operational reality” created a reasonable expectation of privacy despite the AUP.
Here’s a trickier question: if more privacy disclaimers wouldn’t have helped, what should Ontario have done? Was the root problem that a police lieutenant was in charge of the pagers and probably wasn’t familiar with the AUP and the legal consequences of telling employees that their personal text messages could stay private? Or was it the more general problem that line managers can tell employees something different than what’s in the AUP?
I think Ontario should have had a policy specifically covering text pagers, and a procedure for handling overages. That would have eliminated the need for the lieutenant to make up his own procedure. The procedure could have even incorporated additional privacy disclaimers—for example, by including the privacy disclaimer in the overage payment request. Formalizing the overage process would have avoided informal promises and made sure that officers knew that text messages could still be audited. Additional disclaimers would have been useful in that context.
This case simply affirmed what I have been taught for years:
Your policy is what you do, not what you have written down.