Lieutenant Steve Duke, a commander with the Ontario, Calif., Police Department, never intended to be a bill collector.
But two years into the police department's contract with a firm that provided text messaging services, Duke found himself regularly requesting that some officers pay the per-character overage fee for the wireless service, according to a recent ruling in a lawsuit against the police department. The Ontario Police Department had settled on a 25,000 character monthly limit with provider Arch Wireless, yet some officers were exceeding the limit by up to 15,000 characters. The department's solution: If you pay for the overages, they would not audit your communications to determine what portion was for legitimate business use.
Yet, Duke had become fed up with asking for officers to pay for their overages. Along with the chief of police, the lieutenant decided to audit one of the workers that had exceeded the limit to find out whether excessive personal use of the wireless devices was responsible, according to the lawsuit ruling. In doing so, the police department violated the officer's privacy rights as well as the rights of at least three people with whom he had communicated, the U.S. Court of Appeals for the Ninth Circuit ruled last month.
1. Set expectations of privacy
The first lesson for CIOs is that an informal privacy is as binding as a written one.
"He told Sergeant Quon it was not his intent to audit employee's [sic] text messages to see if the overage is dues to work related transmissions," a police investigator wrote in a memo describing the investigation in Quon's usage of the text-message device. "He advised Sergeant Quon he could reimburse the city for the overage so he would not have to audit the transmission and see how many messages were non-work related."
While many companies have privacy policies that explicitly allow the monitoring of employees, the heart of the case hinges on the police department's lack of a policy regarding the text-messaging service, says Sinan Aral, a professor of information, operations and management sciences at New York University's Stern School of Business and an affiliated professor at the Massachusetts Institute of Technology's Sloan School of Management.
"The ruling reaffirms that employers can override an employees expectation of privacy by an explicit policy stating so, as long as it is explicit, written and unambiguous," Aral says.
2. Bring the services in-house, if possible
Having a third-party communications provider was another problem for the department.
The Ontario Police Department had contracted with the Arch Wireless Operating Company to provide text-messaging devices to all the city's officers in 2001. In doing so, the organization inadvertently split their role: While the police department was the customer, it was not the user.
While instant-messaging services and text messaging through mobile devices are not easily brought in-house, there are services that could replace such communications applications for companies that need the required control over their employees. On the instant-messaging front, for example, the open-source Jabber server allows organizations the ability to serve up their own instant messaging service. Research-in-Motion's BlackBerry enterprise platform also has a central server that manages messaging.
"The ruling does not address content on corporate servers," he says. "Because most e-mail is stored on company mail and Exchange servers, for example, the case does not apply to the company auditing those communications."
The ruling also found that text-messaging services are "electronic communications services," as defined in the Stored Communications Act, and not a "remote computing service." While a remote computing service can give a user's information to the subscriber without a court order, a remote communications service is forbidden to surrender such data by law.
3. Avoid charging your employees fees
While asking officers to pay for their excessive text messaging may have been an expedient solution, paying for the service reinforced the notion that the users had some ownership of the communications and a right to privacy, says Marshall Van Alstyne, a professor of management at Boston University and a research scholar at MIT's Sloan of School of Management.
"Because the officer was paying for the overages, he had a right to not be reviewed," says Van Alstyne.
The court likened text messages to e-mail that flows through a third-party provider. While it is not reasonable to expect privacy in the addressing of such communications, it is reasonable to expect the contents of the messages to remain private.
Sergeant Quon and other users "did not expect that Arch Wireless would monitor their text messages, much less turn over the messages to third parties without (their) consent," the appeal court judges stated in their ruling.
4. Stop, think and evaluate before auditing
The Ontario Police Department had a legitimate right to determine if the text-messaging service was being used for personal reasons, but the way they decided to investigate the issue was wrong.
If the top-level management at the police department had discussed the issue, they would have seen there were other ways to determine personal use of the text pagers, says NYU's Aral. The officers could have warned people that their messages would be audited during a future month, or they could have had the text-message transcripts sent to the user, who would then be responsible for redacting any non-work-related messages.
Moreover, the organization should have first created an explicit policy and considered the impact of that policy, Aral says.
"Firms should evaluate whether reviewing messages held by a third-party provider merits an explicit policy stating that they can evaluate those messages," he says. "One reason to not state the right to evaluate those messages may be because they want to have the best workplace, hiring incentives or they are pro-privacy."
On the other hand, increasing productivity, matching up officers with needed knowledge, and liability management are all reasons to have some sort of monitoring in place, Aral says.
5. Automate the monitoring
If a company does decide to audit their workers on a regular basis, automating the monitoring can provide some privacy protections while, at the same time, giving the company the benefits of oversight, says Boston University's Van Alstyne.
Moreover, such systems can work without any management oversight at all. By creating benchmarks based on the data and showing the users where they fall in the spectrum of use, the police department could have indicated to Quon and others that their use had become extraordinary.
"They have other means of doing (auditing) that doesn't infringe on worker's privacy," Van Alstyne says.