This is a continuation of two earlier posts, one that spoke about an employer’s duty to maintain a harassment-free workplace as justification for routine e-mail surveillance and another that highlighted the different position that a post-secondary educational institution is in, at least vis-a-vis institutionally-administered e-mail accounts.
The United States v. Heckenkamp decision of this April is another illustration of how employers and post-secondary educational institutions are different. In it, the United States Ninth Circuit of Appeals held that a state university violated a student’s expectation of privacy by conducting a remote search of his own computer (connected to the university’s network from his dorm room) in an attempt to prevent an attack on its network. Despite this finding, the Court nonetheless held the evidence obtained was admissible in the student’s criminal trial under the American “special needs” doctrine.
I won’t comment directly on the case, but encourage you to read this good editorial by the Stanford Law School Center for Internet and Society’s Jennifer Granick. Ms. Granick focusses her critique on the Court’s application of the “special needs” exception (appropriately, as it determined the outcome of Mr. Heckenkamp’s case). She chooses not to address the subtle implication in the case that the university could have diminished Mr. Heckenkamp’s expectation of privacy, by promulgating a more strongly-worded network access policy:
In the instant case, there was no announced monitoring
policy on the network. To the contrary, the university’s computer
policy itself provides that “[i]n general, all computer
and electronic files should be free from access by any but the
authorized users of those files. Exceptions to this basic principle
shall be kept to a minimum and made only where essential
to . . . protect the integrity of the University and the rights and
property of the state.” When examined in their entirety, university
policies do not eliminate Heckenkamp’s expectation
of privacy in his computer. Rather, they establish limited
instances in which university administrators may access his
computer in order to protect the university’s systems. Therefore,
we must reject the government’s contention that Heckenkamp
had no objectively reasonable expectation of privacy
in his personal computer, which was protected by a screensaver
password, located in his dormitory room, and subject to
no policy allowing the university actively to monitor or audit
his computer usage.
This raises some interesting questions given that a post-secondary institution has a relationship with its student users that’s much like a relationship between a commercial internet service provider and its customers. Would a commercial ISP have felt compelled to search Mr. Heckenkamp’s computer to protect its network? Would privacy legislation permit the a commercial ISP to impose a condition of service that allowed it to conduct such a search? Are guarantees of academic freedom a reason for post-secondary institutions to be even more cautious than a commercial ISP in promulgating search-friendly network access policies?
These are all important questions. Of course, employers are in a different position than commercial ISPs and post-secondary institutions because they can establish policy to restrict employees from connecting their own computers to their networks. To the extent employers choose to depart from this ideal (by allowing employees to remotely access their networks from their own computers, for example), they open up a world of risks, one of which is well-illustrated by Heckenkamp.
Thanks goes to my colleague Paul Broad of our privacy group for his great input on this post.