Cyberlaw: How your employer can track you and how it can’t

September 26, 2011

Cyberlaw employer trackingThis is the fifth part in a series on the current state of federal cyberlaw and privacy protections.

Click here for the post on the court ruling requiring a warrant for cell-phone location data.

Click here for the post on the SCA’s protections against civil discovery orders.

Click here for the post on the SCA and the Fourth Amendment.

Click here for the post on protections against the government tracking cell phone locations in real-time.

So far in this series on cyberlaw, we’ve discussed when the government can compel the release of an individual’s personal information from an electronic source, both under civil and criminal circumstances.

What about employers?

That is, when can employers access your personal information?

This question probably hits much closer to home than warrants or subpoenas for most people.

While there has been very little court guidance on this question, the little that there is suffices.

The first inquiry here is whether the place the information can be found is work-related or non-work-related.

Obviously, as discussed in an earlier post, it’s very difficult for an employer to acquire an individual’s information from a non-work-related source.

That isn’t the case for information from a work-related source, though.

Under these circumstances, unless the employer is a governmental body, Fourth Amendment protections against unreasonable search and seizure don’t apply.

Instead, the Stored Communications Act (SCA) is an individual’s only protection.

First, we have to determine whether the SCA even applies.

Specifically, if the service isn’t publically available (i.e. an employer’s private mail server), the SCA doesn’t apply.

While that discounts most work email from SCA protection, that doesn’t exclude a very significant one: cellular service providers.

That protection isn’t automatic, though.

That protection hinges on whether the service provider is either providing an “electronic communication service” (ECS) or “remote computing service” (RCS).

To sum up the difference, ECS is a communication in transit, and RCS is information/communication in storage (the difference is a little more definite than that, but you can read this post for more).

When an ECS, a provider can only release a communication to “an addressee or intended recipient of such communication.”

What does this mean?

While a communication is in transit, the employer can’t read the contents.

Example: When you send a text message from a work cell phone, your employer cannot look at the contents of the text message while it is in transit (which is approximately from the time it is sent until the message is received by the recipient’s phone).

Yeah, that doesn’t translate into much privacy protection.

The RCS consideration isn’t any better: a provider can release the contents of a communication with the consent of a “subscriber.”

Meaning, an employer can read the content of an employee’s communication where the delivery of the communication is already completed and the message is kept for storage purposes.

How?

Because the vast majority of the time, the employer is the “subscriber” on company cellular plans.

Although wireless providers are barred by wiretapping laws from actually recording phone calls, they do keep track of to whom calls are made and how long those calls lasted.

More importantly, they can disclose this information to the employer.

In fact, virtually any and all information on your phone’s activity can be acquired by your employer, including historic location data and, presumably, real-time location tracking data.

This means you shouldn’t use a company cell phone for personal reasons, although such should already be common sense.

This also means, considering the ready discoverability of location data, that you should probably turn your phone off when you don’t want your employer to know where you’re going.

Can we expect any additional future privacy protections in this area?

As long as the employer is paying the bills for the phone, probably not.

So what’s the point of knowing all of this?

Because knowing who can track us and how we can be tracked allows us control over our own actions to limit our liability.